Slashdot Mirror

← Back to Stories (view on slashdot.org)

New rsync Released to Fix Vulnerability

Posted by CowboyNeal on from the better-safe-than-sorry dept.

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

10 of 226 comments (clear)

  1. Gentoo by lisany · · Score: 5, Informative

    This is what got the cracker in (plus the brk kernel thing) into the Gentoo Rsync server. All fixed now tho!

    1. Re:Gentoo by TheIzzy · · Score: 5, Insightful
      Hello?

      Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security counter measures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testiment to the security at gentoo.

      If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

  2. rsync by Anonymous Coward · · Score: 5, Funny

    News Flash:

    rsync releases a patch and changes its name to r'sync. The change is noted to increase its name recognition in the teenybopper script kiddie market. At this point, no pimply-faced l337 d00dz will dare deface r'sync for fear that they will be further alienated by the female species.

    Unfortunately, timberlake and FatOne continue to be backdoored.

    1. Re:rsync by prog-guru · · Score: 5, Funny

      Rsync is also the preferred transfer method of pirates, software and treasure hunting ('arrr sync').

      --

      chris@xanadu:~$ whatis /.
      /.: nothing appropriate.

  3. Re:Eh? by uncleFester · · Score: 5, Informative

    Nobody runs rsync as a publicly accessible service anymore.

    oh really?

    i rsync my local copy of slacware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.

    me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.

    --
    -'fester
  4. FSF Savannah Server Compromised by molo · · Score: 5, Informative

    The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familar with it, Savannah is the FSF version of Sourceforge, hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement for details. One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

    --
    Using your sig line to advertise for friends is lame.
  5. Re:So... by Anonymous Coward · · Score: 5, Insightful
    It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

    It seems obvious where the real talent in the Linux community lies today.

    In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

  6. Re:Rsync Protocol Was a Bad Idea by Qzukk · · Score: 5, Informative

    What's the point of another network protocol

    Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).

    Does anyone know of a program similar to rsync

    Nah, there wasn't a point to it.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. I would just like to say... by LnxAddct · · Score: 5, Informative

    For all you naysayers who always talk trash about Fedora, I run fedora and debian and fedora alerted me this morning about the problem and patched it in seconds. I updated debian too, but I usually dont update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about a 3 days if i hadn't read slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying dont bang on Fedora, its a damn good product.

  8. Some history.. by cras · · Score: 5, Interesting

    Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)