Slashdot Mirror

← Back to Stories (view on slashdot.org)

New rsync Released to Fix Vulnerability

Posted by CowboyNeal on from the better-safe-than-sorry dept.

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

8 of 226 comments (clear)

  1. Re:Gentoo by keesh · · Score: 4, Insightful

    That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

  2. chroot by larry+bagina · · Score: 4, Insightful
    The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

    Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:chroot by syntax · · Score: 4, Insightful

      How about complete remote backups of the root file system?

  3. Re:So... by Anonymous Coward · · Score: 5, Insightful
    It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

    It seems obvious where the real talent in the Linux community lies today.

    In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

  4. PGP-sign everything by Meat+Blaster · · Score: 4, Insightful
    I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

    I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

    Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

    Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.

    1. Re:PGP-sign everything by giminy · · Score: 4, Insightful

      Hear, Hear. Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set! This is about as useless as MD5 checksums, imho. It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

      --
      The Right Reverend K. Reid Wightman,
  5. Re:Gentoo by TheIzzy · · Score: 5, Insightful
    Hello?

    Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security counter measures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testiment to the security at gentoo.

    If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

  6. Re:Rsync Protocol Was a Bad Idea by Zork+the+Almighty · · Score: 4, Insightful

    I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm suprised you don't appreciate it.

    --

    In Soviet America the banks rob you!