|
-
February 10th, 2002, 02:51 AM
#1
 Vulnerability:Caldera-Remote attack on rsync
Sebastian Krahmer of SuSE discovered a vulnerability in rsync that
allows an attacker to modify memory of the rsync server process. There
is no know exploit yet, but this vulernability could be used against
servers providing downloads via anonymous rsync. Note that the problem
can also be exploited by a rogue server, attacking a client who uses
rsync.
Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
rsync-2.5.0-2
OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder rsync-2.5.0-2
OpenLinux eDesktop 2.4 All packages previous to
rsync-2.5.0-2
OpenLinux Server 3.1 All packages previous to
rsync-2.5.0-2
OpenLinux Workstation 3.1 All packages previous to
rsync-2.5.0-2
OpenLinux 3.1 IA64 All packages previous to
rsync-2.5.0-2
OpenLinux Server 3.1.1 All packages previous to
rsync-2.5.0-2
OpenLinux Workstation All packages previous to
3.1.1 rsync-2.5.0-2
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
4.2 Verification
5f24a0ddccec6d227bda592e770770c5 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eS...3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eS.../current/SRPMS
5.2 Verification
f1679a658eee7afc5cc5e223a0f019b4 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eD...4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eD.../current/SRPMS
6.2 Verification
319f52b332937a9ec9b6b3a84a1a2818 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...r/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
7.2 Verification
6edac1d41d34f694ff64a9b363f76be0 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...n/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
8.2 Verification
6edac1d41d34f694ff64a9b363f76be0 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
9. OpenLinux 3.1 IA64
9.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
9.2 Verification
35254e165135c1e1d08816432a04f132 RPMS/rsync-2.5.0-2.ia64.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
9.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.ia64.rpm
10. OpenLinux 3.1.1 Server
10.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...r/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
10.2 Verification
bc2612d7b204fbeef936e24ec8afe0b6 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
10.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
11. OpenLinux 3.1.1 Workstation
11.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/Op...n/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/Op.../current/SRPMS
11.2 Verification
bc2612d7b204fbeef936e24ec8afe0b6 RPMS/rsync-2.5.0-2.i386.rpm
53d246410dd62b6db36c1ff682193331 SRPMS/rsync-2.5.0-2.src.rpm
11.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh rsync-2.5.0-2.i386.rpm
12. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 11350.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote