Slashdot Mirror


New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

5 of 226 comments

  1. Package Download by Hal The Computer · · Score: 3, Interesting

    Instructions on how to update Slackware to the latest and greatest rsync are at:
    http://slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.399741
    Of course if you're running a server you should theoretically be subscribing to the security mailing list. Right?

    --

    int main(void){int x=01232;while(malloc(x));return x;}

  2. Re:Workaround by pHDNgell · · Score: 4, Interesting

    or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

    What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

    I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.

    --
    -- The world is watching America, and America is watching TV.

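The daemon-side controls pHDNgell lists (module listing, per-area connection limits, restricting which files a module exposes, not needing a system account per user) are all rsyncd.conf settings; the following is a constructed example added here, not a configuration from the thread, and the module name, paths, address range and user name are placeholder assumptions.

```ini
# rsyncd.conf: run the daemon with as little privilege as it needs
uid = nobody              # never serve files as root
gid = nogroup
use chroot = yes          # confine every module to its own path
max connections = 20      # global cap on simultaneous clients
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log
transfer logging = yes    # record what each client fetched

[mirror]                  # placeholder module name
    comment = Public read-only mirror
    path = /srv/mirror                    # placeholder path
    read only = yes                       # clients can pull, never push
    list = yes                            # show up in "rsync host::"
    max connections = 10                  # per-module limit
    hosts allow = 192.0.2.0/24            # documentation range; adjust
    hosts deny = *
    exclude = .git/ *.tmp                 # keep internal files out of the module

[backups]                 # placeholder module for a cron-driven push
    path = /srv/backups                   # placeholder path
    read only = no
    write only = yes                      # recipient cannot read back others' data
    list = no                             # hidden from module listing
    auth users = backup-client            # rsync-only identity, not a system user
    secrets file = /etc/rsyncd.secrets    # mode 0600, "user:password" lines
    hosts allow = 192.0.2.10
    hosts deny = *
    max connections = 2
```

With `auth users` and `secrets file` the daemon authenticates without shell accounts or SSH keys; per-module `hosts allow`, `read only` and `max connections` bound what an unpatched daemon bug could reach.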
  3. Re:FSF Savannah Server Compromised by Feztaa · · Score: 2, Interesting

    One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

    While it can be somewhat distressing, these attacks can only make us stronger.

    It's kinda sad, really. I mean, we're just a big happy group of people who write code for the fun of it, and then share it with everybody else. We're a decent bunch. What did we do to deserve all this hostility?

  4. Snapshot-Style Backups with rsync by Rescate · · Score: 2, Interesting

    You might want to take a look at Easy Automated Snapshot-Style Backups with Linux and Rsync posted by Mike Rubel. I think this is mentioned in the book Linux Server Hacks by O'Reilly (hack #42), although I don't have the book so I'm not sure.

    Basically it uses rsync and cp to create a backup, but only changed files are actually copied; unchanged files are simply linked to. This saves a lot of disk space, and allows you to keep many backups on the system at one time, assuming most of your files don't change.

  5. Some history.. by cras · · Score: 5, Interesting

    Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)