New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

ATTENTION

An incident has occurred today near the Slashdot compound, and several people have already been reported missing or dead. Do not panic. We are currently assessing the situation, and believe the deaths were caused by one of Rob "CmdrTaco" Malda's genetic experiments when it escaped from its holding cell. As of yet no photographs have been obtained, but several eyewitnesses have given descriptions that lead to the creation of this sketch. If you see this creature, do not attempt to subdue it yourself, and contact the appropriate authorities immediately. Thank you.

helo

hey retards this is news for nerds we dont care what n'sync is doing they are for homos

pls fix thx

Gentoo

[lisany]

This is what got the cracker in (plus the brk kernel thing) into the Gentoo Rsync server. All fixed now tho!

Re:Gentoo

[keesh]

That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

Re:Gentoo

Gentoo? Isn't it the Samba team which develops Rsync?

Re:Gentoo

Look at the credits list. It was the Gentoo guys who tracked this one down.

Re:Gentoo

I'm disappointed, had this been redhat or microsoft this would have been posted 14 hours ago. Not even a mention of Gentoo's compromise *sigh*
talk about FUD. what about -FUD? NO fear no UNcertainty and NO doubt?

Re:Gentoo

and those fucktard debian guys still don't know exactly how they got r00ted... damn i need to change distro

Re:Gentoo

what would have been more impressive is, if it wouldn't have happened in the first place. I could understand maybe if a port slipped by someone, but shoddy security it's rather sad. Don't take this as a troll post my coworker is a Gentoo devel, and we've spoken about this back and forth.

What would be nice, would be if some of the developers focused on security from the jump, sort of OpenBSD'ish, and no I'm not making a comparison, sort of throwing an idea for devels to use preemptive strikes, assessing a situation beforehand. Regardless if there was a buffer overflow of stack/heap/$INSERT_VULN_HERE, what about the core concept of security. User accounts, firewall rules, checksums, etal.

If I were a CTO or someone who was checking into making a switch, sorry to say but right now it wouldn't be Gentoo. Sure its a nice little distribution, but the security lapse just threw them into an `I won't be using that distro any time soon` category.

Again not putting down Gentoo just adding my observations

Re:Gentoo

[placeclicker]

Oddly, i never saw the word "gentoo" mentioned in ANYTHING i read about this update. They only said "a public rsync server".

It must have been this exploit, though.

Re:Gentoo

Yes they do know, it was a weak password plub the 'brk' patch of 2.4.23... Stay with the news, and you can stop throwing flamebait out.

Re:Gentoo

[TheIzzy]

Hello?

Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security counter measures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testiment to the security at gentoo.

If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

Re:Gentoo

[keesh]

It was.

Re:Gentoo

[IWannaBeAnAC]

WTF are you talking about? It was a huge story a day or two ago: Gentoo Rsync server compromised

Re:Gentoo

[CaptKilljoy]

That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

Um, wait, unless it was a really simple fix (the diffs are a 580k gzip file, but there's no way to tell how much of that is the security fix), what kind of of QA tests could they have done in 24 hours?

Re:Gentoo

[AstroDrabb]

I'd have to agree to this "trollish" post. Fedora Core 1 came out of the box with a kernel that was patched against this hole. The patch was out, Gentoo and Debian just didn't apply it. Though, the rsync hole did require an apt-get under Fedora to upgrade it.

Re:Gentoo

[broeman]

again! It was not Gentoo's server or anything ... it was a third-party rsync server mirror (there are many). Gentoo has told all their mirrors to update to rsync 2.5.7, but they cannot know how every machine is setup around the world. They can make some guidelines to the mirror-hosts, but it is up to them to comply to it, to be a official mirror-site.

Re:Gentoo

[grennis]

Wrong... Microsoft usually releases a patch months BEFORE any attack, yet it still happens because nobody bothers to patch. (i.e., code red, sql slammer). So, who has the lower tunaround time? Microsoft at -3 months or Gentoo at +1 day after you have been rooted?

Re:Gentoo

[Dr.+Manhattan]

Security breaches happen.

That's why I wrote Ostiary, because I can't afford to keep up with all the latest patches the instant they come out. It can be used to remotely enable and disable services (by starting/stopping, them, altering the hosts.allow/deny files, etc.)

The protocol it uses is so brick stupid it's effectively unhackable. It can still be DOSed, of course, but nobody's come up with a way to directly subvert it. It's very small and light, there's even a Palm client for it. No, it's not the answer to everything, but several people have found it useful already.

Re:Gentoo

Security breaches happen. Even on OpenBSD and other "secure" systems.

Well, technically no, this doesn't happen on truly "secure" systems that employ mandatory access control. I still fail to see why OpenBSD wants to claim to be the most secure free UNIX, yet totally ignores MAC. From what I've read it's just another one of Theo's pet peeves that he won't support.

Re:Gentoo

[AKnightCowboy]

If I were a CTO or someone who was checking to make a switch, this would be very impressive.

Not really. As I've been told time and time again by my management, IF we are to deploy Linux then it must be by a company with wide "ISV" support. Apparently Red Hat Enterprise Linux is the only Linux that fits that bill. So, Debian, Gentoo, Slackware, Mandrake, etc. Those are all out even though they're great distros. Oh well, hey, who doesn't like paying $800 for their server OS?

Re:Gentoo

[TwistedGreen]

...a full patch to a previously unknown exploit...

It certainly wasn't unknown to the cracker.

Re:Gentoo

[LinuxHam]

If you want to consider IBM's well-publicized support, then don't forget about SuSE.

Re:Gentoo

BS.
First of all, just because you haven't heard it on the news, doesn't mean that it hasn't been exploited.
Developers for open source software often fix these sorts of bugs immediatly, or very quickly after the initial code is developed because it is so heavily scrutinized by others who need to use the code. They just don't have to release a security patch because they just work it into the source before it gets released.
And you seem to be implying that there has never been a vulnerability that has been exploited on any microsoft system which was not already patched... ... ... Let me repeat that: you seem to be implying that there has never been a vulnerability that has been exploited on any microsoft system which was not already patched... we're talking about the Microsoft in Redmond right? The one that makes that WindowsNT program that has that exploit that they refuse to patch? We must be talking about a different microsoft.

Re:Gentoo

[rifter]

Wrong... Microsoft usually releases a patch months BEFORE any attack, yet it still happens because nobody bothers to patch. (i.e., code red, sql slammer). So, who has the lower tunaround time? Microsoft at -3 months or Gentoo at +1 day after you have been rooted?

OSS/Free software usually tries not to mess up in the first place. They also fix problems in the code before exploits. But everyone is human and shit happens. The fact is slashdot has reported on patches for vulnerabilities on many platforms which were released before there were any known exploits. This was a case where a known exploit does not exist, but someone did exploit the vulnerability. The story is big news only because of that. Developers fix problems like this every day.

As for SQL Slammer and Code Red, I know there was a patch for SQL Slammer 6 months before the worm went crazy, but by all accounts the patch did not work and in fact broke people's boxes. The patch which properly worked was roughly contemporaneous with the worm (either a wekk before or a week after, give or take some days, I forget). I am not so sure that the code red patch predated the worm, but I do know there was a new patch after the worm that fixed the problem exploited by the worm. But windowsupdate.com was infected by the worm and that made it pretty hard to patch.

Re:Gentoo

[AstroDrabb]

Ahh, ok. This story is a little trollish by making it sound as if it was a "official" Gentoo server. Though, one of the Gentoo guys should check the "official" rsync mirrors and pull them from the DNS round robin if they are not patched correctly. Of course if there are tons of rsync servers, that could be a little bit too much work.

fp

[RedHat_Linux_Man]

fp

Re:fp

if by 'fp' you mean 'fourth post', then yes, you are correct.

hmm has ./ effect worked on rsync yet...

guess we are about to find out in about 10 mins.

mirror

rsync 2.5.6 security advisory
December 4th 2003

Background
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.

Our conclusions are that:

rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can be used to remotely run arbitrary code.
While this heap overflow vulnerability could not be used by itself to obtain root access on a rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a "rsync server". To see if you are running a rsync server you should use the netstat command to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running a rsync server.

New rsync release
In response we have released a new version of rsync, version 2.5.7. This is based on the current stable 2.5.6 release with only the changes necessary to prevent this heap overflow vulnerability. There are no new features in this release.

We recommend that anyone running a rsync server take the following steps:

Update to rsync version 2.5.7 immediately.
If you are running a Linux kernel prior to version 2.4.23 then you should upgrade your kernel immediately. Note that some distribution vendors may have patched versions of the 2.4.x series kernel that fix the brk vulnerability in versions before 2.4.23. Check with your vendor security site to ensure that you are not vulnerable to the brk problem.
Review your /etc/rsyncd.conf configuration file. If you are using the option "use chroot = no" then remove that line or change it to "use chroot = yes". If you find that you need that option for your rsync service then you should disable your rsync service until you have discussed a workaround with the rsync maintainers on the rsync mailing list. The disabling of the chroot option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that CmdrTaco will have anal sex with a twelve-year-old boy shortly.

Credits
The rsync team would like to thank the following individuals for their assistance in investigating this vulnerability and producing this response:

Timo Sirainen
Mike Warfield
Paul Russell
Andrea Barisani
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.

Regards,

The rsync team

anon post

First post!!!! oh, anon coward user ... grrr gotta remember to log in next time :)

Eh?

Nobody runs rsync as a publicly accessible service anymore. It's almost always used in conjunction with ssh on untrusted networks. Doesn't the poster have any idea what he's posting about? This is a non-starter.

Re:Eh?

[uncleFester]

Nobody runs rsync as a publicly accessible service anymore.

oh really?

i rsync my local copy of slacware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.

me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.

Re:Eh?

[cshields2]

You obviously don't understand how open source mirroring networks propagate their data. Ask the admin of your favorite mirror how he gets his stuff..

Re:Eh?

[keesh]

Well, Gentoo does, for one...

Re:Eh?

[Tester]

Nobody runs rsync as a publicly accessible service anymore.

You should notice that the Gentoo Portage tree is distributed through rsync to all users.

chroot

[larry+bagina]

The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?

Re:chroot

[syntax]

How about complete remote backups of the root file system?

Re:chroot

perhaps they were saving themselves for chmarriage

*boomtish*

*ducks flying rotten fruit*

Re:chroot

[MacJedi]

Agreed. That's exactly what i use it for. (just updated to a patched version too; thank you security.debian.org!)

The only problem I have is that file permissions are not preserved. My solution is to run:

ls -Rl / | /usr/bin/bzip2 > /root/perms.txt.bz2

prior to each backup so that there is at least a record of the permissions. Does anyone know a better way?

Re:chroot

[toast0]

use the --perms option to rsync

from the manpage:

"This option causes rsync to update the remote permissions to be the same as the local permissions."

RTFM

Re:chroot

[Saganaga]

rsync --help

Options
...
-a, --archive archive mode, equivalent to -rlptgoD
...
-r, --recursive recurse into directories
-l, --links copy symlinks as symlinks
-p, --perms preserve permissions
-o, --owner preserve owner (root only)
-g, --group preserve group
-D, --devices preserve devices (root only)
-t, --times preserve times
-S, --sparse handle sparse files efficiently
...

So in other words, you want to use option -p. Or why not just use -a as the docs suggest?

Re:chroot

[hattmoward]

While your response is correct, you probably don't want to see the contents of your /etc/passwd or /etc/httpd/ssl.pem to be potentially advertised. A better bet would be to run a chrooted rsync mirror server (if that's your bag), and use a command-restricted public key to rsync over ssh for backups.

Re:chroot

you can restrict access to particular IPs.

Re:chroot

Why would you run rsync in daemon mode just for that? Or are we talking win32? I use rsync with RSYNC_RSH=ssh. (To be honest, it's actually 'lsh', but you get the idea.)

Re:chroot

Because our Corporate "Microsoft server security team" beleives that using chroot could be a security issue on the Unix/Linux servers. We argue that they need to look in the mirror, those that live in glass houses shouldn't throw stones, and stay the hell away from our Linux/Unix boxes, and please buy a Unix/Linux security book/read it -before- attempting to give us Linux server admins 'advice'.

Re:chroot

[hattmoward]

That doesn't take care of stopping unencrypted transmission of files, and IPs are easliy spoofed. OpenSSH is a very reliable product, and avoids both of these problems. Other than spoofing, if an attacker DOSes the unrestricted host, then assumes their IP, they still won't have your private key for rsync, and if they obtain the private key, they can only run rsync (password change time, though;).

Re:chroot

[stevey]

I use "rsync -e ssh" for this and don't install rsync itself as a server.

Mostly because I backup remote sites where the only think I can access is ssh.

Am I losing out by not running it standalone?

Workaround

[elvum]

...or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing.

Re:Workaround

[fifirebel]

Duh. There's no work-around if you want to connect anonymously.

Re:Workaround

[morelife]

don't run rsync as a server

is not a workaround -- it's throwing the baby and the server out with the bathwater!

Re:Workaround

cause encrypting all that data is slower then shit.

i've no need for encryption.

Re:Workaround

[brassman]

...connect with the "-e ssh" flag

That's how I use it, but I'm not running a site like Gentoo's.

If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.

Re:Workaround

[pHDNgell]

or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.

Re:Workaround

[Trejkaz]

Other than, of course, a well-known public username and password, such as 'anonymous' and 'anonymous'. Or an anonymous account with no password but who is still permitted to login.

Re:Workaround

[timeOday]

Besides, the CPU load of ssh'ing all that non-sensitive data would be crushing.

rsync

News Flash:

rsync releases a patch and changes its name to r'sync. The change is noted to increase its name recognition in the teenybopper script kiddie market. At this point, no pimply-faced l337 d00dz will dare deface r'sync for fear that they will be further alienated by the female species.

Unfortunately, timberlake and FatOne continue to be backdoored.

Re:rsync

[prog-guru]

Rsync is also the preferred transfer method of pirates, software and treasure hunting ('arrr sync').

Re:rsync

or the bane of dishwashers everywhere ('our sink')

Credits

Credits
-------

The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:

* Timo Sirainen

* Mike Warfield

* Paul Russell

* Andrea Barisani

Regards,

The rsync team

http://lwn.net/Articles/61541/

Re:Credits

I'd like to point out that Andrea Barisani is a member of the Gentoo Infrastructure team and has been the one coordinating Gentoo's efforts on that front and he has done great great work!

HOWTO

How to install software on Windows

1. Run installation program

How to install software on Linux

1. Download 'tarball'. If you dont know what that is then stop and go back to your wussy operating system, you pus.
2. Run gunzip on the file.
3. Run tar -xvf on the resulting file.
4. Type make config. Answer the questions. If you dont know how to answer the questions then stop and go back to your wussy operating system, you pus.
5. Type make.
6. Fix compilation errors by resolving dependencies or editing the code to fix the bugs.
7. Log bugs on sourceforge.net.
8. Type make install.
9. Run chmod 666 on the resulting file.
10. Attempt to execute the resulting file, and hope that you have the correct distro and the correct window system that the software author had in mind.

Re:HOWTO

[Old+Wolf]

Actually you can combine steps 2 and 3, saving keystrokes:

tar xzvf

This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)

Re:HOWTO

Umm.. chmod 666 doesn't make it executable, dumbass. Meanwhile 'emerge programname'.

Re:HOWTO

[StarFace]

Corrected for Content Errors:

How to install software on Windows

1. Find software's homepage.
2. Try to figure out where their download link is amidst all of the marketing fluff.
3. Click the "Agree" on the download link, signing away everything you own.
4. Double-click the installation icon.
5. Click "Agree" to EULA; finish installation.
6. Reboot.
7. Get attacked by little balloons helpfully informing you that you have installed new software. Find software in the Start Menu.
8. Click "Use Trial"
9. Dialog box informs you that you have 30 days to try it, and that the save features have been disabled.
10. Cuss.
11. Load up browser software and search for a cracked version.
12. Get attacked by several hundred pop-ups.
13. Cuss profusely.
14. Download crack.
15. Double-click installation icon.
16. Reboot.
17. Two days later your broadband gets cut off by the ISP because you've been trojaned and are sending out 800,000 penis spam mails per minute.
18. Cuss. Reboot. Cuss.
19. Search for Windows XP installation CD.
20. [Insert five hundred step process for installation and reboots.]
...
520. Friendly balloon asks you to activate your software for your protection.
521. Your Internet is still offline, so you call Microsoft.
522. Wait 50 minutes. Cuss.
523. Relay the 255 digit long activiation sequence number to the Microsoft representive. He hears it wrong.
524. Repeat number slowly.
525. Representive informs you that you have already activated XP too many times, and you'll have to purchase another copy. Would you like to be transferred to the sales department?
526. Cuss.
527. Find Debian installation CDs.

How to install software on Linux

1. type: apt-get install [application name]

Re:HOWTO

dumbass, its a refrence to the number of satan.

Re:HOWTO

[Tyten]

(sigh). you know, it's funny that i didnt know that was standard procedure. here all this time i've simply been using install wizards that WORK. no recompiling the kernel, no compiling source. no dicking with console, wondering why it installed but didnt run, why i don't have x library installed, why the ATI display drivers STILL don't give me 3d acceleration, and my cd burning is jacked up. i KNOW that if i simply read and do some research i could figure out how to remedy ALL these situations, but here's the problem. i don't live in my parent's basement and have oodles of free time just trying to get my OS to work. i play with linux, but use windows extensively and don't complain. why?? because, unlike linux, it just WORKS. and it works when i need it to, so i can be productive with my two jobs and school and social life. ***EOF***

Re:HOWTO

well, I admit that I had to click the enter button a multitude of times (like 15), and I even had to change cds, but installing freebsd was pretty easy. cd-burning works. the nvidia drivers I got from the nvidia website work fine. my digital camera "just works". my sound works (I admit I had to goto www.freebsd.org and look at the "sound" section of the FreeBSD Handbook to figure out the command to make it work). my dvd player works. KDE is fast and well-integrated. when I need a piece of software I use this sweet piece of software called barry to find it and then I install it by going to the directory barry tells me to and typing "make install". damn, I guess freebsd is too much work. I have to type make install. perhaps I should contribute a script to automagically install packages for people.

Re:HOWTO

[Tyten]

yeah. that's a best case scenario. i've been dicking with linux since 96. it HAS made huge strides. but hasnt reached popularity that you zealots would like it achieve yet simply because it's not as user friendly as windows (don't get me wrong. windows like everything, has it's flaws). BUT linux's growing popularity will be it's undoing. in the effort to be more like windows, holes are going to open wider than an inmate's rectum.

Re:HOWTO

[GNDN]

WHAT is this you say? Linux becomeing unsecure?! you are a WINDOZE(see I am 133t I used the word WINDOZE instead of windows...I 133t yo!) zealot!!!How dare you bash my precious linux....my sweet sweet precious...your kernel is safe with me. ;)

Re:HOWTO

[deek]

• i play with linux, but use windows extensively and don't complain. why?? because, unlike linux, it just WORKS. and it works when i need it to, so i can be productive with my two jobs and school and social life.

Good for you. Glad you found something that works for you.

For me though, Linux for exactly the same reasons you gave for windows. It just WORKS. Plus, and this is the real clincher, it keeps on working. The thing with Windows is, if you have a problem, then you're, more often than not, completely stuffed. It's one of the most frustrating systems to fix. The Event Viewer usually has bugger all in it, or the error message is so damned cryptic that I (or Google) can't make heads or tails of it.

In contrast, most problem in Linux have been easy to figure out, easy to fix, and/or easy to work around. And there's the other clincher ... the Linux system is so nicely designed in a compartmental way, that solving problems in the system becomes a straight-forward task.

So you take your system that WORKS. I'll take a system that WORKS THE WAY I WANT.

OK, now that I've got that out of my system (excuse the pun :), I'll say that I do actually like Windows as a desktop. It's very well integrated together. Throw in gvim and Mozilla, and you've got a very handy desktop system (I really dislike I.E and notepad). I do shudder at using Windows for the server though.

Re:HOWTO

[GNDN]

You know I don't have anything personaly against linux. Its the tripe the zealots post all over the internet. If a linux user wants someone to take him seriously then DO NOT throw in the "WINDOZE" or "M$" or other anti-microsoft statements. Or like how this all started here by listing complete assinine steps it takes for windows to install an app. There have been several posters on slashdot that have started posting about how good linux is and what it can do and ect. They had my full attention but then they had to go and ruin it by INCLUDING: "Windoze can never do that! Billy cant make a secure OS" or some other tripe. That just makes their complete post turn into BS. Its that kinda addittude that keeps my interest in linux at a bare minimum. As for your reply, deek. All zealots should take from your lead. Post the facts and leave the tripe and name calling out of it.

Re:HOWTO

Oh please, you cannot be so thick to not see that that post was merely making fun of the parent which listed completely assinine steps on the Linux install. Modify the code and submit patches to sourceforge? Come one. I've been using Linux since '97 and I've never had to do that. I've done it when I wanted to. Big difference, and I could; bigger difference. I actually use, and am proficient, with a number of operating systems and platforms. I use whatever is best for the job.

Re:HOWTO

[AKnightCowboy]

tar xzvf

This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)

Doesn't work on Solaris unless you've installed GNU tar. On Solaris you're stuck with:

gunzip -c packet.tar.gz | tar -xvf -

Or just install GNU tar and replace Sun's version.

Re:HOWTO

[Tyten]

it's not they he's so thick. it's that we run into those "zealots" every day at work, both Mac and Linux. and then we get on here, and fine the same posts. it just gets old.

Whoever modded this Informative...

Didn't see

The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that CmdrTaco will have anal sex with a twelve-year-old boy shortly.

and is therefore an idiot.

Re:Whoever modded this Informative...

You didn't know that CmdrTaco is a gay pedophile?

Re:Whoever modded this Informative...

and is therefore an idiot.

I wouldn't go that far, buddy. Maybe uncareful and not deserving of moderator status, but not an idiot.

So...

It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

It seems obvious where the real talent in the Linux community lies today.

Re:So...

It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

It seems obvious where the real talent in the Linux community lies today.

In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

Advice for everybody:

For the LOVE OF EVERYTHING SACRED, please everyone patch every box on which you are root.

Re:Advice for everybody:

Also, patch every box which you root thanks to linux and rsync security problems.

Re:Advice for everybody:

While that's very funny, it's actually good advice. Sucks when you spend all day rooting a box only to have some other hax0r come along and root it because you left the system vulnerable to the attack you just used. Analogy: after storming the keep and setting up an occupation force, make sure to raise the drawbridge.

Please note: I do not approve of unauthorized systems access for malicious purposes, personal gain, or fraud.

who sync?

Am I the only one who read that as "NSync released to fix vulnerability"?

I know the one dude is interested in space, but trusted computing?

Re:who sync?

[ObviousGuy]

Baby I got the Trojans
And baby I got the disease
You've got me wide open, baby
You're bringin' me to my knees.

You've found my weak spot, child
I'm running the love facility
You've wormed your way into my heart baby
You've found my vulnerability

whoa oh ohhh baby baby

Why do we have unsecure webservers?

Webserving is an excruciatingly easy task: the server gets a request like "http://slashdot.org/about.shtml", the server sends that file. That's all. How someone can fail this is beyond me.

Yet another Linux failure.

Crow is starting to taste pretty good, eh Slashdot?

this is why i dont use any package management

[n0k14]

i do it the slack way.

Re:this is why i dont use any package management

You must not be very skilled with Slack since Slack does have package management.

Slack has REALLY REALLY SHITTY package management, yes of course, but it does have package management.

People who go around trying to act leet becuase they "use slack which doesn't use package management" just show what a big noob wanna be leet ass clown they are.

Re:this is why i dont use any package management

[quadelirus]

This is why I use package management. Hours before I read about this vulnerability on slashdot (read it just now) my redhat monitor had gone red and I had updated the rsync vulnerability without even a thought to when it was discovered. Its interesting that Redhat had the update so quickly though... good to know.

Re:this is why i dont use any package management

[subk]

The "slack way" is an oxymoron..

Any slacker worth his salt knows that use of rpm leads to much more time available to read slashdot!

Re:this is why i dont use any package management

real slackers use freebsd with an entry to crontab to do automated system updating via cvsup and the standard build system plus portupgrade. in the highly unlikely event of a kernel vunerability, I let the server cvsup, patch and rebuild the kernel, and then it is gently rebooted after a backup system is contacted and takes over the services.

Re:this is why i dont use any package management

[Pope+Raymond+Lama]

Please, do not think I intend to start any distro war, or whatever.

But since you mentioned RedHat already had a patch, I'd like to say that the updated Mandrake package is also avalilable. And yes, it works for everybody, not just for mandrake club subscribers.

The main reason I am posting this is for people to see that there are options among the "big distros" to remain with a secure system without having to worry about having an expensive subscription contract signed.

Re:this is why i dont use any package management

[quadelirus]

gotcha, and i wasn't out to start a distro war, i could care less what distro you or anyone else runs (plus the redhat service is free for one computer anyway) i just wouldn't have updated this myself probably for a few days had redhat not told me i needed too.

A distro is just a collection of programs, and I add so many programs that aren't on any distro I don't think it would make any difference to me what I was running.

Re:this is why i dont use any package management

No packages? So what was that .tgz thing I d/l'd from ftp.slackware.org?

Dammit. Pat rooted my box again!

arg.

[mikeee]

Of course, to patch this, you should go to your local mirror, which will be down until they patch the rsync vulnerablity...

Doh!

Re:arg.

No kidding! Fortunately, the problem only exists for running rsync as a daemon/server not as a command line utility.

Re:arg.

Of course, to patch this, you should go to your local mirror, which will be down until they patch the rsync vulnerablity...

Ever hear of FTP and HTTP? How many people really use rsync to download patches?

Package Download

[Hal+The+Computer]

Instructions on how to update Slackware to the latest and greatest rsync are at:
http://slackware.com/security/viewer.php?l=slackwa re-security&y=2003&m=slackware-security.399741
Of course if you're running a server you should theoretically be subscribing to the security mailing list. Right?

Re:Package Download

You mean slackware users don't just get a prompt in their taskbar that says "An update is available"?

Re:Package Download

No, some of us get a mail that says "rsync-2.5.7-i486-1.tgz: package is older than a patched version". That's because people who use Slackware have typically built tools to keep track of these things.

Besides, you'd have to have a taskbar in order to have a prompt in it.

Rsync Protocol Was a Bad Idea

[evilviper]

I don't know why they even invented an rsync protocol. Things like CVS are very commonly run over SSH, and are rather effecient that way. What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

Re:Rsync Protocol Was a Bad Idea

[prog-guru]

rsync is very good for incremental updates of large files, like backups, and big dns zone files (I learned about it when setting up a slave for a dns blacklist).

BitTorrent might be worth a try too, I don't think it does incremental but should be faster than scp or ftp.

Re:Rsync Protocol Was a Bad Idea

[timeOday]

What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.

Re:Rsync Protocol Was a Bad Idea

[Qzukk]

What's the point of another network protocol

Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).

Does anyone know of a program similar to rsync

Nah, there wasn't a point to it.

Re:Rsync Protocol Was a Bad Idea

[CheshireCat]

CVS and rsync are different applications with different uses.

CVS maintains a history of all revisions made to the files in the repository. It doesn't even have a means to synchronize clients without a versioned repository on the server, it relies on the server knowing all past revisions to determine which changes to send to the client.

Rsync works with plain files on the server, not RCS. if you *need* revision control, it's useless, but if you only want to be able to synchronize client files to match the files on the server, it's much better than CVS. The server saves space and complexity by not having to do revision control, and the client still gets the benfits of the server only needing to transmit the changed portions of files.

Re:Rsync Protocol Was a Bad Idea

[ari_j]

You might want to try Unison. It's basically a bidirectional rsync. It's GPL, but it does a great job. Much more reliable (when run over ssh, at least) than rsync and less of a hassle to train users how to get their files synchronized. I even have it working successfully in an all-Windows environment, including setting file ownership right (rsync did not do that for me when run as a daemon; SYSTEM owned all the files).

Re:Rsync Protocol Was a Bad Idea

[Zork+the+Almighty]

I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm suprised you don't appreciate it.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.

No, your reding comprhension skills need work.

I like rsync very much, although I'm a bit limited by it's lincense.

What I DO NOT LIKE, is the rsync protocol...

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Unlike ssh, rsync daemon doesn't require a user on the host system.

I fail to see how that is a disadvantage at all... FTP also requires "a user on the host system", but I don't see any complaints about that.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

CVS and rsync are different applications with different uses.

Yes they are. I never said otherwise... Merely that rsync should stick to using SSH for it's network connections, instead of inventing a new, redundant, protocol (and I just pointed to CVS as an example--rsync already does work over ssh).

Re:Rsync Protocol Was a Bad Idea

[evilviper]

To efficiently synchronize a large amount of data over a slow connection.

All of that is done by the APPLICATIONS on the client and server... The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.

Re:Rsync Protocol Was a Bad Idea

Your spelling needs work.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

I realized that after I posted it. If you look at my other comments, you'll see my typing is reasonable accurate... But once in a while, something like this happens, and I have no explanation for why.

Anyhow, typographical errors are completely irrelevant to the point of my post, so I'm not greatly concerned.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

rsync is very good for incremental updates of large files, like backups, and big dns zone files

That is entirely because of what the rsync application does on the client and server ends, and has nothing to do with it's network protocol at all. By all means, you could do the same thing (using the rsync application) over rsh/ssh.

Re:Rsync Protocol Was a Bad Idea

[boots@work]

"I'm glad I don't put much basis on yammerings on slashdot"... "In fact, I'm real glad." --Theo de Raadt

Re:rsync Protocol Was a Bad Idea

[boots@work]

The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.

RTFM, idiot.

There are several things that a new network protocol can do to make a transfer faster. For example, rsync is heavily pipelined in both directions, and removes common information from headers of consecutive files. Neither of those optimizations would be possible in FTP or HTTP.

rsync was for years the only major application that aggressively utilized full duplex TCP sockets, and found several bugs in Linux, BSD, and Solaris kernels by doing so. Again this is a protocol design decision that gets more mileage out of the connection than is possible in other ways.

Have you ever even looked at an HTTP dump? The hundreds of bytes it takes to send the headers can accomodate several whole rsync-compressed files.
A recursive update of a changed tree is typically several times quicker with rsync than with either CVS or FTP. Nothing against those protocols; they were just designed with different purposes in mind.

Now you can reasonably question whether the space saving really justifies having a new protocol. If you're not convinced, don't run it. Many people do find it worthwhile. If you are super security-conscious then you probably shouldn't be offering anonymous or unencrypted service at all.

Re:Rsync Protocol Was a Bad Idea

[CheshireCat]

I would say there are still uses for rsync server protocol. Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.

Re:Rsync Protocol Was a Bad Idea

[timeOday]

It wasn't me who complained about your spelling (honest).

Re:Rsync Protocol Was a Bad Idea

[BaldingByMicrosoft]

Well now... let me be the first, then! Having a real user account for FTP access is, in certain environments, a security risk.

Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.

Then you simply must not know SSH very well.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Having a real user account for FTP access is, in certain environments, a security risk.

Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.

NO, no, no. I was not talking about full-access accounts. I was, in fact, talking about anonymous access.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

I never thought it was.

Re:Rsync Protocol Was a Bad Idea

[CheshireCat]

Maybe this is easier than I expect it to be, but you still have all the problems you have with rsync server, and possibly more.

Suppose a previously unknown vulnerability is discovered in either sshd or rsync (the command line utility, not the rsync server) which allows the remote user to execute code. The only difference here is that it's a different piece of software that we're trusting to be secure.

Fortunately...

It doesn't look like ersync is open to this particular vulnerability. Although to my knowledge that doesn't run without chroot.

FSF Savannah Server Compromised

[molo]

The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familar with it, Savannah is the FSF version of Sourceforge, hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement for details. One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

Re:FSF Savannah Server Compromised

[Feztaa]

One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

While it can be somewhat distressing, these attacks can only make us stronger.

It's kinda sad, really. I mean, we're just a big happy group of people who write code for the fun of it, and then share it with everybody else. We're a decent bunch. What did we do to deserve all this hostility?

Re:FSF Savannah Server Compromised

now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

Excuse me but how is the 'Open Source Community' being attacked? This seems to me (judging by your post) to possibly be the same person. A few instances does not make WWIII on the OS community. Sure it sucks but it's not the end of the world. Now I know I'm going to get mod'ed down so no one sees this from the zealots, but fact is, if they'd assessed security beforehand this definitely would not have happened.

Shockingly to hear FSF getting hit twice diminishes any argument one would be willing to lob at MS at least MS' sites themselves have not been '0wned'. Sadly this makes me wonder if Linux is really ready for prime time on the corporate level.

Wait before you call me a Windows whore, think again. Sad really is but this could have been avoided with the proper firewall, group, users, IDS info/lists in place.

Re:FSF Savannah Server Compromised

[the_mad_poster]

What makes you think the people that do this sort of thing care about what we 'deserve'?

They could do it for many motivations. On one extreme, there's the profit motivation of an attacker from a competing project (profit in money or recognition - whatever). On the other extreme there's the idiots who do this sort of thing for the hell of it.

There's any number of reasons people do this sort of thing, and some of them don't even involve a motivation!

Re:FSF Savannah Server Compromised

Welcome to Life 101. Now you're starting to realize there are some really f-upped people out there, who just want to tear you down. Just make sure you're not one of the ones doing the same sh*t to someone else.

Re:FSF Savannah Server Compromised

Well, (a) Microsoft's entire internal network had russians roaming about it for MONTHS in the Win2k era. (b) As a european, I'm far more worried about what MS ITSELF might be putting into ITS OWN CODE to serve its neofascist american masters - remember NSA_KEY?

Re:FSF Savannah Server Compromised

[Malcontent]

I hope whoever did this was stupid enough to leave some tracks on at least one of the servers. It would be interesting to know who was behind all this.

OSS has pissed off a lot of very rich and powerful people and those people could pay top dollar for a good cracker so they may never get caught.

Re:FSF Savannah Server Compromised

Why do people like you automatically assume that this attack is different from any other attack just because their happening to the servers of Linux distros and advocates? Is it too much for you to imagine that someone wants to put backdoors into Linux? Or hack the big sites for amusement? The irony of it is, people like you are the first to scream FUD whenever someone says something about Linux, and here you are sewing the same seeds against "them" (Microsoft, SCO, whoever else you hate at the moment).

Re:FSF Savannah Server Compromised

[Malcontent]

" Why do people like you automatically assume that this attack is different from any other attack just because their happening to the servers of Linux distros and advocates"

Why? Because they all used the same vulnaribility which was not known to anybody. They all attacked linux projects (no freebsd ones). They concentrated their attacks on repositories.

"Is it too much for you to imagine that someone wants to put backdoors into Linux?"

Again who would want to do such a thing? I would think that list would include lots of rich and powerful companies currently yelling and screaming about how Linux is un-american don't you?

"The irony of it is, people like you are the first to scream FUD whenever someone says something about Linux, and here you are sewing the same seeds against "them" (Microsoft, SCO, whoever else you hate at the moment)."

SCO and MS have a history of acting illegally and unethically. It's natural to look to them first. If a child was molested in your neigborhood would you first check to see if a known child molester did it? I would.

Re:FSF Savannah Server Compromised

Why? Because they all used the same vulnaribility which was not known to anybody.

What IS IT with you people!? You talk about open source like it's the savior of the freaking world and then you're surprised when someone finds an exploit? Even though they have full access to the source code?! Sheesh. Newsflash buddy: their are plenty of smart blackhatters around who are plenty smart enough to pull off something like this. The fact that the exploits weren't well known doesn't make this conspiracy material. And go and read the Debian.org report and give me your new definition of "not known"...

They all attacked linux projects (no freebsd ones).

Another weak as piss argument. Someone kill me now. MAYBE, just maybe, this is because Linux is more popular than bsd? Maybe the attacker has more experience with Linux? Maybe the Linux has more security holes than BSD? These are pretty obvious questions that you should have asked yourself before hitting submit.

They concentrated their attacks on repositories.

I am in awe of how completely ignorant you seem to be. Think about it junior: if you can put a backdoor into a popular OS that basically runs a huge slice of all the webservers in the world what could you do? Imagine you are a spammer? Or paid by spammers? Or you like to commit credit card fraud? Or you just wanna pull off a hack that affects the entire internet? If you could pull off that hack, wouldn't you?

Oh, and by the way, if you could provide me with evidence that they did in fact concentrate their attacks on repositories rather than only got sprung when they tried to attack repositories because the repository boxes have better security and auditing than most other boxes, I'd really be appreciative. Can't? Didn't think so.

Again who would want to do such a thing? I would think that list would include lots of rich and powerful companies currently yelling and screaming about how Linux is un-american don't you?

Only if you consider the phrase "lots of rich and powerful companies" to be semantically equivalent to "one, relatively small, litigious company called SCO". Microsoft toned down the rhetoric against Linux quite some time ago and inspite of what you and your tinfoil hat buddies say there's no evidence that Microsoft is the puppetmaster with his hand up Darl's rear end. All that aside, have you ever heard of Occam's Razor? Probably not given your clear conspiracist leanings. The simplist answer to a question is often the best. And their a plenty of simple solutions around just itching to hack any box they can.

SCO and MS have a history of acting illegally and unethically. It's natural to look to them first. If a child was molested in your neigborhood would you first check to see if a known child molester did it? I would.

You started badly, got worse, and then finished with this absolute turd of an argument. Yes. I just wrote the word "turd". Microsoft have been found guilty of anti-trust breaches. Commercial strongarming, illegally using their monopoly position, call it what you will. They have NOT been found guilty of commercial espionage. And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupidity. To use your analogy, if a child was molested in your neighborhood, would you go chasing down the billionare convicted of white collar fraud, or point the finger at the whiny little kid from down the road who tattles on everyone? I wouldn't. And neither should you.

Re:FSF Savannah Server Compromised

[Malcontent]

"Microsoft have been found guilty of anti-trust breaches. Commercial strongarming, illegally using their monopoly position, call it what you will. They have NOT been found guilty of commercial espionage."

OK. But they have been found guilty. They have been sued many many times for stealing technology and backstabbing. Most were settled eventually by MS coughing up hundreds of millions of dollars.

"And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupidity"

Then you are blind, or purposfully ignorant.

" To use your analogy, if a child was molested in your neighborhood, would you go chasing down the billionare convicted of white collar fraud, or point the finger at the whiny little kid from down the road who tattles on everyone? I wouldn't. And neither should you."

Neither. I would look in my neigborhood to see who was a convicted child molester, who had previous records of criminal behavior, who was hanging out by the park staring at children. In other words my first suspects would be the people most likely to commit such a crime.

In this case occams razor and common sense dictates the same thing. Sleazy unethical people do sleazy unethical things. People tend to attack their enemies. MS and SCO are sleazy unethical people. MS has said many times the linux and open source are their enemy.

Re:FSF Savannah Server Compromised

Then you are blind, or purposfully ignorant.

Blind or purposefully ignorant of what? What part of "And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupidity" is factually incorrect? Has SCO been found guilty of breaking anti-trust laws? Has SCO been found guilty of commercial espionage? Because if they have, its news to me. Maybe you'd like to change your statement from "Then you are blind, or purposfully [sic] ignorant" to "Then you are 100% factually correct"?

Neither. I would look in my neigborhood to see who was a convicted child molester, who had previous records of criminal behavior, who was hanging out by the park staring at children. In other words my first suspects would be the people most likely to commit such a crime.

Except that:

1) Neither Microsoft nor SCO have been convicted of a the crime we are discussing here.
2) A record of criminal behavior is far too broad a criterion - a white collar criminal does not automatically become a pedophilia suspect.
3) There are plenty of blackhat hackers who do fit criteria but you don't even acknoweldge their existence.

In this case occams razor and common sense dictates the same thing.

No they don't. In a world where spam and online fraud are becoming increasingly more lucrative, and where spammers and online fraudsters are becoming increasingly more sophisticated, you would have us believe that Microsoft and SCO are too blame for a series of security breaches that could have netted a smart hacker buckets of money. We are supposed to believe that Microsoft and SCO - both of whom could be totally destroyed if it ever got out they were behind these attacks - are the "simplest" candidates? Pitiful.

Sleazy unethical people do sleazy unethical things. People tend to attack their enemies. MS and SCO are sleazy unethical people. MS has said many times the linux and open source are their enemy.

What you so conveniently ignore is that Microsoft has a monopoly position and huge cash reserves, while SCO has a cadre of money hungry lawyers. If they are going to "attack" Linux, it'll be on the business field and in the courts respectively, because that is where their strengths lie. Meanwhile, there are plenty of "sleazy, unethical" hackers out there looking to make a buck of anyone they can and whose strengths lie in - you guessed it - hacking. But you don't seem to think that matters. Your logic is tenuous, your evidence is shoddy, but I get the feeling that nothing will make you even consider the alternatives. And that's kind of sad.

Re:FSF Savannah Server Compromised

[Malcontent]

"but I get the feeling that nothing will make you even consider the alternatives. And that's kind of sad."

There is nothing sadder and a corporate apologist. When I was in High school many many years ago there were people who used to wear Nike shirts and shoes and thought they were superior to people wearing any other brand of shoes. There were guys who would pledge allegience to Ford or Chevy and put little bumber stickers on their cars denigrating the other manufacturer.

I always thought these people were suckers. Dupes who provided free advertising to big corporations for free. I never understood their motives nor did I ever ask. So let me ask you? why are you here astro turfing for MS? What do you get out of it? Does MS really need your help in defending themselves against little old me? Don't they already have a PR dept which spends millions of dollars a year on advertising?

BTW if your canned answer is that you fight FUD please provide a link to a post you made on gotdotnet.com or microsoft.com forums where you attacked MS fanboys for spreading FUD against linux.

Re:FSF Savannah Server Compromised

[boots@work]

They have NOT been found guilty of commercial espionage.

Actually, it has been established in court that Microsoft bugged their victim/competitor's hotel room to gather commercial intelligence. This was some time ago, perhaps in the early 90s. I don't know if they were found guilty or even if this was a crime in the relevant jurisdiction. It certainly indicates a willingness to descend to unethical tricks.

And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupidity.

Well, they haven't even literally "been found guilt of stupidity", and it's not a crime. But they probably will be found guilty of market manipulation and commercial libel.

I'm sorry

[NoNine]

I tried very hard to find something funny to comment on in this announcement, but could not.

Feel free to mod me wayyy down! I have that syncing feeling.

ummm no

The Samba team thanks ONE, COUNT IT, ONE person from Gentoo.

The rest ARE NOT RELATED TO GENTOO.

Sheesh...way to be a zealot...

Re:ummm no

Wow? One person from Gentoo did all the work? That's even more spectacular.

Yes, Gentoo is impressive..

The Slashdot Song
by propstoalldeadhomiez

Rap with me, bitch

Boom, boom, boom!
Nigger WHAAAAA?

Fuck that shit!
Fuck Slashdot!
All you liberals try to censor me
But really you fucking suck Malda's dick
Fucking hypocrites
Back that shit up!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Fuck the moderators!
Fuck that shit!
Trackin' my username like a fucking dog tag!
Fuck privacy, fuck my rights
Go fucking hypocrisy!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Fuck that bullshit
Lie and say we want fucking privacy
But track every fucking troll
Banning them 'cause they don't spout liberal bullshit
Well fuck that shit!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Can't silence this you niggers!
Can't ban the truth!
The place is here!
The time is now!
FUCK SLASHDOT!

BOOM!
NIGGER!

Wow, that was fast

[Steve+'Rim'+Jobs]

I'd really like to take this opportunity to congratulate both the Gentoo devs and the rsync devs on a job well done. This is one of the many reasons why I continue to use and recommend Open Source to my friends, my boss, and my colleagues. The community simply does a first rate job of identifying and patching problems in their software. Most commercial software vendors wish they had a track record as good as most of the important open source projects out there.

Keep up the great work, guys! I'm definitely donating to the Gentoo project this Xmas ;) It has put the fun back in computing for me.

Re:Wow, that was fast

As things stand, we're apparently looking ahead to doubling or maybe even tripling the number of security flaws detected and fixed over the next year. Clearly, the system is working.

Re:Wow, that was fast

[Steve+'Rim'+Jobs]

Even so, their track record is still better than most proprietary software vendors. With OSS, at least no one is attempting a coverup - you know exactly how good or bad the software is. With proprietary software, you have to take their word for it. Not only that, but they often take months to patch known vulnerabilities; sometimes they've even threatned people who attempted to disclose these flaws to customers with fines or even jail.

Re:Wow, that was fast

Ooh ooh, me too, me too, not only do I recommend this open source stuff to friends, family, work colleagues, but also to each and every person I pass on the street, dudes who are walking on the street across the road, the good samaritans call centre people, people I speak to on the IRC channels, some dog who keeps peeing on my garden, and that Santa Claus dude in his grotto. I mean the linux community just rocks man, just rocks. I love the way they can patch each and every problem after some good guy has found a problem, I mean lets face it the many eyes approach just works man. I mean lets face it the fact that some bad, bad person managed to figure out a way to compromise the otherwise titanium security by looking at the freely available code months before it was generally known about is just a one off. A ONE OFF PEOPLE.

Keep up the great work Steve 'Rim' Jobs you really are a evangelist to be proud of. And remember everybody a group of disparate hobbyists are always more likely to be able to fix problems than highly paid corporate espionage types.

Re:Wow, that was fast

When you donate money to Free Software projects, not only does baby jesus cry, but you ruin the spirit of Open Source.

Nero to the rescue!

you might find some of these reports interesting

Los Binds Laborotories

Smegma University of Canada

Goa Tse Governmental Computing Center of Xia, China

Wow!

Wow, you mean Debian people know how to read source code? I thought they were all spoiled by using binaries all the time.

Re:Wow!

Well it's not like gentoo people read the source to their apps either they just had a lot more free time while they where waiting for X, KDE, and Mozilla to compile...

Seriously I don't know why people think they are special for compiling software. Wow, you figured out how to do "./configure, make, make install", wow, quick! Someone give this guy a CS masters!

PGP-sign everything

[Meat+Blaster]

I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.

Re:PGP-sign everything

[giminy]

Hear, Hear. Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set! This is about as useless as MD5 checksums, imho. It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

Re:PGP-sign everything

[slamb]

Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set!

I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they have key signing parties at conventions and such, but I'm a college student, which means I have no money or time to attend such things.

A solely self-signed GPG key isn't worthless, though. Someone can download the public key from your website once. Assume it's good then. They can then tell if the website or the mirrors are compromised. That's better than MD5s posted on the website, which can only tell if the mirrors are compromised.

Re:PGP-sign everything

[JohnFluxx]

I just took them from linux kernel mailing lists..

sure they could be wrong, but you'd think the real author would notice someone posting technical messages in his name....

Re:PGP-sign everything

[AKnightCowboy]

It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

So wouldn't it make more sense to go to a PKI system and use user certificates issued by a trusted name like Verisign? (giggle).

Re:PGP-sign everything

[giminy]

I'd suggesting hitting up Big Lumber. You can search for local keysigning parties or start your own. I live in the middle of nowhere (Syracuse, NY) and there are even a few people registered around here. Pretty much any college town is going to have some biglumber people in or near it.

Whenever you travel to a big city, it can be useful to check the site, too. There's nothing like getting a cup of coffee with a crypto nerd to keep you from meeting women in a new city.

again NO you ZEALOT

ONE person from gentoo REPORTED it.

FOUR people NOT FROM GENTOO are the ones who actually FIXED IT.

You are the most pathetic zealot ever.

Re:again NO you ZEALOT

Actually... if you read the statement at gentoo there were a number of people involved.

SSR#4

This calls for Standard Slashdot Response #4:
Yay! This was so fast. Even when we suck we don't suck!

My money's on the shifty-eyed dog with the...

[pr0ntab]

SCO nametag.

I would just like to say...

[LnxAddct]

For all you naysayers who always talk trash about Fedora, I run fedora and debian and fedora alerted me this morning about the problem and patched it in seconds. I updated debian too, but I usually dont update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about a 3 days if i hadn't read slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying dont bang on Fedora, its a damn good product.

Re:I would just like to say...

[TrombaMarina]

I booted up this evening, got the up2date Red Hat Network notice, installed the Rsync patch in about 30 seconds, then surfed around. An hour later, I was reading /.. When I returned to the home page, I saw this article had just been posted. I'm glad to hear Fedora is on top of these things since I'll have to switch to it in a few months.

Re:I would just like to say...

[sportal]

Maybe you should subscribe to the debian security mailing list.

They posted an alert this morning.

http://lists.debian.org/debian-security-announce/d ebian-security-announce-2003/msg00213.html

Since the update servers were offline due to the recent security hacks, they gave you a direct link to update.

Re:I would just like to say...

[Mr.Ned]

> I would have had no clue about this for about a 3
> days if i hadn't read slashdot and didn't have
> Fedora to alert me.

Why don't you subscribe to the Debian security announcement list? It is a very low-traffice list and you will get an e-mail as soon as an updated package is available.

By the way, for your interest, here are the times on the rsync e-mails to bugtraq today (in my time zone):

Slackware: 2:50AM
Debian: 11:09AM
SuSE: 12:14PM
Gentoo: 3:13PM
Connectiva: 3:46PM
Red Hat: 4:14PM

Re:I would just like to say...

Huh? Relying on email is a shitty and unreliable way to get security alerts.. I'll take some type of up2date daemon anyday over security announcements in email. Of course, using both is good idea.

Re:I would just like to say...

[CentrX]

Of course, it is easy to use apt-get to discover security updates.

You're the zealot, zealot!

Ooooo ... look at the namby pamby Samba zealot. Tridge would be proud of you, sir.

Debian Security Advisory

[DSA 404-1] New rsync packages fix unauthorised remote code execution

Woot! Gentoo rule!

The Gentoo team found the fix a LOT faster than Debian would have, because they compiled everything from SOURCE, giving MASSIVE speed improvements!

THATS GENTOO PROPOGANDA, ZEALOT

Ya they were involved in figure out how some little script kiddie managed to own their server.

Then they reported it to samba who actually fixed it.

Wow, it took 5 leet gentoo doods to figure out how some little scrip kiddie owned their server.

Re:THATS GENTOO PROPOGANDA, ZEALOT

Last I checked, "little scrip kiddie" 's didn't exploit unknown vulnerabilities.

I think they did great. Thanks for playing though.

Re:THATS GENTOO PROPOGANDA, ZEALOT

Of course YOU think they did great, YOU're A GENTOO ZEALOT.

DUH.

APPLE TOOK 3 MONTHS TO FIX A SPLOIT ONCE AND THE MAC PEOPLE THOUGHT THEY DID A GREAT JOB TOO!

Gentoo's server still got owned. Haw haw.

Re:THATS GENTOO PROPOGANDA, ZEALOT

Nice caps. Panzy.

Re:THATS GENTOO PROPOGANDA, ZEALOT

[bleakcabal]

Actually you should get your story straight it wasn't gentoo's server that got owned. It was a third-party server that among many things provides a mirror for gentoo rsync servers. This server is administred and run by a third party which is not linked to Gentoo.

WOW "ATTACK VECTOR" WELL DONT U SOUND LEET

Wow, you sound like a cybersecurity super important guy!!!1

UR K00L!!!!

You forgot step 0...

[Trejkaz]

0. Smoke crack.

Probably Microsoft Mercenaries...

While Microsoft's right hand offers millions to hunt down Windows hackers, the left could easily pay Eastern European hackers to open holes in OSS. We would never know.

Re:Probably Microsoft Mercenaries...

Screw Microsoft. Everyone knows the NSA has already shown NP=P and therefore, technically speaking, can 0wnz0rs all of our boxen anytime they want.

The only thing you can do against those mofos is KEEP WEaRING YOUR TINFOIL UNDERGARMENTS! DON"T LET THEM PUT NANOBOTS IN YOUR SPERMATAZOA!!!!11

And in other news...

people running BSD continue on with their lives
not bothering to patch rsync because they don't need to.

Re:And in other news...

[boots@work]

I realize you're trolling, but BSD is equally vulnerable.

Snapshot-Style Backups with rsync

[Rescate]

You might want to take a look at Easy Automated Snapshot-Style Backups with Linux and Rsync posted by Mike Rubel. I think this is mentioned in the book Linux Server Hacks by O'Reilly (hack #42), although I don't have the book so I'm not sure.

Basically it uses rsync and cp to create a backup, but only changed files are actually copied; unchanged files are simply linked to. This saves a lot of disk space, and allows you to keep many backups on the system at one time, assuming most of your files don't change.

Some history..

[cras]

Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)

Re:Some history..

That's correct.
I run Gentoo and I stay on top of the patches on a daily basis. But I have been running rsync v.2.5.7 since BEFORE the gentoo rsync server was compromised.

I also run the 2.6.0-test11 kernel, and I wonder when the Gentoo community is going to go to 2.4.23 because the latest "stable" one that's in the tree is still based on 2.4.20.

But the bottom line is that Gentoo should have never been thought of as 'responsible' for this compromise.

Re:Some history..

[boots@work]

But I have been running rsync v.2.5.7 since BEFORE the gentoo rsync server was compromised.

Don't be ridiculous. There was no 2.5.7 release before the Gentoo compromise. I know because I was one of the team that responded to the intrusion and produced the patch. The machine was crashed on Tuesday and the patch came out on Thursday, about 36 hours later.

I suppose you're running kernel 2.7 as well?

Re:Some history..

I'm sorry, my bad.

It's just that I did an 'emerge -s rsync' as soon as I saw the gentoo-security e-mail on the topic, which I read at about 2:25pm CST, and discovered that I was already running 2.5.7. I just assumed that I had been running it for a while since I don't remember that particular package compiling that morning... but I'm probably wrong.

dumbass

This was a net loss for the cracker, he just lost a remote exploit, because he hacked a well-watched box.

im fucking amazed it was only hacked for about an hour

Thanks,

I'll try to incorporate your words into one of my future posts.
-- Steve

Order advisories were posted to BugTraq

1. Slackware
2. Trustix
3. OpenPKG
4. Debian
5. SuSE
6. EnGarde
7. Connectiva
8. Red Hat

Re:Order advisories were posted to BugTraq

The Red Hat updates were available before the emails were sent.

u must be a 133t linux user...

[GNDN]

I am stuck with WINDOZE and my boreing install wizards, clicking next, next, next, and finish. .............. have you even used windows? or are you wearing your rose colored sun glasses?

Re:u must be a 133t linux user...

[Trejkaz]

Actually, four clicks per program is still slower than a single command for the program you want, plus every single dependency.

Re:u must be a 133t linux user...

[Tyten]

only it's NOT the program i want. it's a LAME half-assed imitation of the program i want. the program i WANT runs in windows. when i want to run the GIMP i run linux. when i want PHOTOSHOP (which is more than i want GIMP) i run windows. but kudos for the guys who write the programs for linux, trying to get intercompatibility. it's just not there yet. it's closer than it was when i started running debian in 96, but not to the point of windows.

Re:u must be a 133t linux user...

[GNDN]

true,..... the extra five seconds I spend clicking just kills me....

Re:u must be a 133t linux user...

[Trejkaz]

It's a bit more than five seconds. From experience setting up my Windows machine from scratch numerous times (yes, I run both), the base install itself takes around 30 minutes, and getting all the applications installed takes around an hour while I have to be at the computer the entire time. (This is where a sane Windows administrator will use something like Ghost to take a complete copy of what is there, bringing the ease of deployment of Windows in line with the ease of deployment of Linux.)

On the other hand, if I were running debian, base install takes... well... not much less time admittedly, but getting all the applications I need installed is a single command, and whatever time it takes (which usually isn't much unless it goes off to download missing packages), is time I can be elsewhere. (Again, at this point you could use a similar technique as Ghost at this point, only since 'dd' is such a widespread command it won't require purchasing a glorified Norton copy utility.)

And of course the constant bitching about Linux and hardware support can be avoided by thinking before you buy.

Re:u must be a 133t linux user...

[Tyten]

why pick and choose my hardware when i can just buy what i WANT, install windows, use the driver cd...and ta-DA!!! 9/10 no hassle. i don't have to sit around and wait for a russian to write third party drivers (no offense to you russians, you're pretty cool guys...most of you) why can't you just admit linux has flaws...come on. say it. it hurts the first time i know. i swear you zealots are just like jehovah's witnesses. keep in mind i USE linux. hell, i kinda like it! but i'm not walking around spewing anti-microsoft propoganda because i KNOW that linux isnt perfect at all.

Re:u must be a 133t linux user...

[JCholewa]

> the extra five seconds I spend clicking just kills me....

Right. Five seconds. Hah.

The Mandrake way:
$ su
# urpmi --auto --no-verify-rpm mozilla evolution kmail OpenOffice.Org pan knode celestia kopete

And bam, you've just installed a web browser, an office suite, three mail programs, three newsgroup clients, one universal messaging client and a really cool 3D space navigating program. If you wanted to, you could put a hundred application names on that single command line, and everything gets automagically downloaded and installed. Other operating systems with similar capabilities include Debian, FreeBSD and probably Gentoo.

The Windows Way:
Browse to http://www.mozilla.org using some other web browser. Go to the download page. Click on the Mozilla for Windows download link. Click the button or checkbox that enables the installer to run after downloading. Click "Next" a few times, then "Finish". Browse to OpenOffice.org, go to the download page, tell the page's drop-down bars your language, OS and preferred download site, then click the download button (or, alternatively, drive to the store and buy some random office suite and put the install disk into your CD-ROM drive), then click through the component selection screen and click "Nex" a few times then "Finish".

Congratulations. You've just downloaded one web browser, one office suite, one email program, one newsgroup client, zero universal messaging programs and zero astronomy programs. You spent a *lot* more time installing this stuff, and you may have spent as much as four hundred dollars (and to programmers/sysadmins/webmasters like me, that's more than a whole week of work, pre-tax) during the process. And you ended up with fewer programs , because the amount of work that you have to expend is proportional -- O(n), I guess -- to the number of programs you want. Using tools like Mandrake's urpmi, the amount of work increase per application added to that one single command is trivial -- O(1), which is a rather nice thing to see in your daily algorithmic routine.

--
-JC
Novice Game Boy Advance Coder
http://www.jc-news.com/coding/gbadev/

Re:u must be a 133t linux user...

[Trejkaz]

Nobody said it was perfect. The only people I've ever heard call their OS perfect were BeOS, MacOSX, and Windows.

You forgot...

[benjamindees]

Unlike CVS, rsync works fine with binary files.

Re:You forgot...

[prog-guru]

Yes it does, run it with -kb. There is also a way to tell the server that all files that match a pattern are binary, it's in the docs. I use it to track revisions of excel files (rather than reinvent our procedures to use LaTeX).

Re:You forgot...

[boots@work]

CVS does not do *deltas* of binary files. It stores and transmits the whole thing every time. Therefore you lose the main advantage of rsync, which is that the network transfer is roughly proportional to the edit distance between the old and new files.

On Ethernet it makes little difference. On ADSL or modem or between continents rsync is enormously faster than CVS.

When I'm fetching a big CVS tree, it can be faster to do the initial checkout on a well-connected machine in the US and then move it by rsync back to my machine in Australia. In this case there is no delta of course but the pipelined and compressed network protocol is a big win by itself.

Only affects Rsync servers

[Blue+Booger]

(which is every open source mirror server out there, and many mirrors themselves)

No. This does not affect all the open source mirrors. It only affects rsync SERVERS. If you are not running rsync as a server, you are OK. If you are not accepting connections on 873 you are not running an rsync server. (Well, you could be, but you are probably running it over SSH, in which case you are still OK.)

Re:Only affects Rsync servers

If the servers are compromised, then everything that they serve should be considered to be compromised. Sure, you might not be vulnerable to direct attack with this exploit, but that doesn't matter when the server gives you a trojan.

Re:Only affects Rsync servers

[Blue+Booger]

We run several mirrors and are not in a habit of running the mirrored software on the machine that is doing the mirroring. It is just there as a service. When the main servers are cleared of infected code, the mirror will update and be clean as well.

RedHat RPMs for fix

[DDumitru]

RedHat has also released 2.5.7 RPMs for the fix.

When updating an older server (7.1, I think), the RH RPM failed with a GLIBC dependency. The updates for RH are identical for 7.1 - 9, so you might have a problem here.

My easiest workaround was to rebuild the rpm from source with:

Get the rsync-2.5.7-0.9.src.rpm from RedHat ftp server updates.redhat.com

Install the source rpm with:

rpm -ivh /tmp/rsync-2.5.7-0.9.src.rpm

Build a new complete, clean set of RPMs with:

cd /usr/src/redhat/SPECS
rpm -bb rsync.spec

The new installable binary for your current lib versions is in /usr/src/redhat/RPMS/i386, so you can install it with:

rpm -Fvh /usr/src/redhat/RPMS/i386/rsync-2.5.7-0.9.i386.rpm

---

For those that don't use rsync, this is easily one of the most useful utilities on the box. I particularily like "modules" mode over ssh. Setup an ssh key and have the key auto-run rynnc --daemon. You get modules and ssh. Really cool.

Re:RedHat RPMs for fix

Install the source rpm with:

rpm -ivh /tmp/rsync-2.5.7-0.9.src.rpm

Build a new complete, clean set of RPMs with:

cd /usr/src/redhat/SPECS rpm -bb rsync.spec

Or just:

rpm --rebuild rsync-2.5.7-0.9.src.rpm

Re:RedHat RPMs for fix

Don't be silly.

rpm --rebuild /tmp/rsync-2.5.7-0.9.src.rpm
rpm -Fvh /usr/src/redhat/RPMS/i386/rsync-2.5.7-0.9.i386.rpm

GET YOUR OWN STORY STRAIGHT ZEALOT

"This server is administred and run by a third party which is not linked to Gentoo."

Oh so it WASNT Gentoo people who caught this expoit then eh?

Gentoo's server still got owned, Haw Haw.

The "slack way" refers to developer effort

The developers of Slackware are the slackers.

If you are a sysadmin who uses slackware you definatly aren't a slacker since it's a real bitch to administrate such a shoddy distro...

Re:Rsync Protocol Was a Bad Idea (check cvsup src)

Rsync was such a bad idea that the cvsup source (suplib and client) has such crazy files as:
RsyncUpdater.m3, RsyncBlockArraySort.m3, RsyncBlock.m3 and RsyncFile.m3

<Warning> Compiling cvsup from source involves the download or compiling of ezm3 first <\Warning> ;-)

If you want a good read about the algorithim behind rsync go here:
http://olstrans.sourceforge.net/release/OLS 2000-rs ync/OLS2000-rsync.html

Mac OS X?

Have Apple released a patch for Mac OS X yet?

Apple's product security and security update pages don't mention it.

Whoa! I read that as Nsync!

[simetra]

Heh.

New version of rsync

Good I never really liked Justin Timberlake anyway.

Kharma Whore Troll -Read His Journal

Here

And using MS is your choice any time soon?

Remember last summer? With the worms and all?

Anything, ANYTHING, is better than anything from Microsoft. Be it Gentoo, RedHat, Debian, or whatever. Pick one that fits you, you can't lose.

Remote backups using rsync.

[Nurf]

Have a look at rdiff-backup. It uses ssh to login and to run the server on the other side, and runs through the SSH tunnel. Nice from a security perspective. I use it for all of my backup needs. Along with careful use of ssh and private/public key pairs, you can automate it and still keep it fairly secure.

Kharma Whore Troll -Read His Journal

Here

Slackware Security Advisory

rsync security update (SSA:2003-337-01)

Advisory from the rsync team

[gfilion]

here the security advisory of rsync.samba.org:

rsync 2.5.6 security advisory
December 4th 2003

Background
The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to compromise
the security of a public rsync server. While the forensic evidence we have is
incomplete, we have pieced together the most likely way that this attack was
conducted and we are releasing this advisory as a result of our
investigations to date.

Our conclusions are that:

rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
can be used to remotely run arbitrary code.
While this heap overflow vulnerability could not be used by itself to obtain
root access on a rsync server, it could be used in combination with the
recently announced brk vulnerability in the Linux kernel to produce a full
remote compromise.
The server that was compromised was using a non-default rsyncd.conf option
"use chroot = no". The use of this option made the attack on the compromised
server considerably easier. A successful attack is almost certainly still
possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a "rsync
server". To see if you are running a rsync server you should use the netstat
command to see if you are listening on TCP port 873. If you are not listening
on TCP port 873 then you are not running a rsync server.

New rsync release
In response we have released a new version of rsync, version 2.5.7. This is
based on the current stable 2.5.6 release with only the changes necessary to
prevent this heap overflow vulnerability. There are no new features in this
release.

We recommend that anyone running a rsync server take the following steps:

Update to rsync version 2.5.7 immediately.
If you are running a Linux kernel prior to version 2.4.23 then you should
upgrade your kernel immediately. Note that some distribution vendors may have
patched versions of the 2.4.x series kernel that fix the brk vulnerability in
versions before 2.4.23. Check with your vendor security site to ensure that
you are not vulnerable to the brk problem.
Review your /etc/rsyncd.conf configuration file. If you are using the option
"use chroot = no" then remove that line or change it to "use chroot = yes".
If you find that you need that option for your rsync service then you should
disable your rsync service until you have discussed a workaround with the
rsync maintainers on the rsync mailing list. The disabling of the chroot
option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://
rsync.samba.org/ and mirror sites. We expect that vendors will produce
updated packages for their distributions shortly.

Credits
The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this response:

Timo Sirainen
Mike Warfield
Paul Russell
Andrea Barisani
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0962 to this issue.

Regards,

The rsync team

MOD PARENT DOWN! Repost troll!

This is a repost troll who reposts other people's comments. MOD HIM DOWN - JUST READ HIS JOURNAL!

I dont see "Security breaches happen" posts when..

MS has a security fix released. At least, they dont get modded up to +5 that is for sure.

"Security breaches happen"... yeah, good attitude Lunix community! Keep that up !!

That WAS Informative. He deserved the mod up.

I thought eight years old was Malda's limit. His post INFORMED me otherwise.

Thus, he deserved the "Informative" mod.

ya

Well it just goes to show how academia is totally divorced from the real world.

Nice algorithm or not if the security fucking blows ass then it sucks.

Organize a local key-signing party!

[Deven]

I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they have key signing parties at conventions and such, but I'm a college student, which means I have no money or time to attend such things.

People take advantage of conventions to organize key-signing parties because diverse groups of people from many geographic locales end up at conventions, and having people sign each other's keys strengthens the PGP "web of trust". However, you don't need geographic diversity for this to be useful.

Organize a local key-signing party. Surely there are many other computer geeks at your college interested in using PGP/GPG. Start getting the geeks together and sign each other's keys. If you can, try to get someone to join the party who is already connected to the worldwide web of trust that most well-known PGP keys are part of. If you can't get anyone well-connected to your key-signing party, don't worry! Creating a local web of trust at your college is a good start, and all it takes is one person who signed your key to get a signature from a well-connected key to get you well-connected yourself. And that can happen after the fact.

The PGP web of trust is a beautiful thing. You start out by creating little webs of trust amongst people you know. Over time, the little webs get linked together into larger webs, eventually getting linked into a global web of trust. Even if you don't know anyone in the global web of trust now, remember the "six degrees of separation" thing. If your friend signs your key, and his friend signs his key, and so on, sooner or later a signature is bound to create a path from the global web of trust to you, and bang! Now you're part of the global web of trust too, and can help link other people into it. Actually, it's better than that, because nobody needs to be your friend to sign your key -- just anyone who can verify your identity, whether friend, enemy or complete stranger.

When you create your local web of trust from scratch, take it seriously and do it right. Remember, you sign someone's key to indicate that you've verified their identity and that it's truly their key -- it's not an endorsement of the person in any way. If you despise the person and everything they stand for, but you're certain they are who they say they are and that the key you're asked to sign is their key and not another, then go ahead and sign the key. If you admire and respect a person who asks you to sign a key, but you can't be 100% certain of the person's identity and the true ownership of the key, don't sign it.

Key signatures aren't a popularity contest, it's all about verifying identity, nothing more. Don't sign a key just because someone you know appeared to email it to you; that email could be forged. Verify the key with that person through real-world mechanisms first, to make sure you aren't duped into signing the wrong key. This is where key-signing parties are helpful -- people can gather in a room, look at ID cards (e.g. driver's licenses), get a verified key fingerprint from the person, and sign the key, fairly confident that the identity they're signing is correct -- even if the key belongs to a complete stranger.

By the way, next time you complain that you can't get anyone to sign your key, you might specify your geographical location. Someone in the global web of trust with a well-connected key might offer to sign your key (especially if you'll organize a local key-signing party to "share the wealth"), but such a person is likely not to know you personally, so they'd have to meet you in person to verify your identity. And without knowing where you are located, nobody is likely to offer...

Re:Organize a local key-signing party!

[slamb]

Organize a local key-signing party. Surely there are many other computer geeks at your college interested in using PGP/GPG. Start getting the geeks together and sign each other's keys. If you can, try to get someone to join the party who is already connected to the worldwide web of trust that most well-known PGP keys are part of. If you can't get anyone well-connected to your key-signing party, don't worry! Creating a local web of trust at your college is a good start, and all it takes isone person who signed your key to get a signature from a well-connected key to get you well-connected yourself. And that can happen after the fact.

Maybe I'll mention that to our ACM president. I don't have a lot of time for organization, either, but they're already a group that meets regularly (so it should be easy), and as likely as anyone to be interested in key-signing. With luck, maybe a couple of them will go to a convention and get keys signed there.

By the way, next time you complain that you can't get anyone to sign your key, you might specify your geographical location.

Iowa City, Iowa

Thanks for the response. I'll give that a shot.

YOU FAIL IT

[Zork+the+Almighty]

What a pathetic troll. You have to START with a relevant remark, and WORK TOWARDS your offtopic, inflammitory position. You got it completely backwards.