New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

Re:Workaround

[pHDNgell]

or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.

Some history..

[cras]

Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)