Sent: Thursday, January 16, 2025 at 6:40 PM
From: "David" <[email protected]>
To: "debian-user" <[email protected]>
Subject: A warning about rsync in stable: it became broken 3 days ago, is now fixed
Hi,
For anyone not subscribed to debian-security-announce mailing list:
1) You should subscribe to it :)
2) rsync received a security update 3 days ago [1] with multiple fixes.
3) But that update also introduced a regression in the rsync -H option
(preserves hard links).
4) That regression is now fixed in bookworm [2]
5) That's all I know. I just thought it might be helpful to share this
information here because it might affect people's backup systems.
[1] https://lists.debian.org/debian-security-announce/2025/msg00004.html
[2] https://lists.debian.org/debian-security-announce/2025/msg00006.html
Actually the last patched Debian rsync version is still vulnerable https://kb.cert.org/vuls/id/952657
rsync 3.4.1 is the latest version that fixes the issues.
Sent: Thursday, January 16, 2025 at 9:36 PM
From: "Andy Smith" <[email protected]>
To: [email protected]
Subject: Re: A warning about rsync in stable: it became broken 3 days ago, is now fixed
Hi,
On Fri, Jan 17, 2025 at 03:27:26AM +0100, [email protected] wrote:
Actually the last patched Debian rsync version is still vulnerable https://kb.cert.org/vuls/id/952657
rsync 3.4.1 is the latest version that fixes the issues.
That page was last updated 15 January whereas the fixes that went out in upstream rsync release 3.4.1 were backported to Debian stable in version 3.2.7-1+deb12u2 which was released 16 January.
You can verify this at:
https://security-tracker.debian.org/tracker/source-package/rsync
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Why use 3-year-old rsync?
Sent: Thursday, January 16, 2025 at 10:34 PM
From: "Stefan Monnier" <[email protected]>
To: [email protected]
Subject: Re: A warning about rsync in stable: it became broken 3 days ago, is now fixed
Why use 3-year-old rsync?
If you can't answer this question, then you will probably be better
served with Debian testing, Debian unstable, or even some other
distribution than Debian stable.
I know the answer, the question was to the person I replied to.
Can YOU answer that question?
It is why I use a rolling-release distribution for anything important.
From: "Andy Smith" <[email protected]>
You can verify this at:
https://security-tracker.debian.org/tracker/source-package/rsync
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-rsync-could-allow-for-remote-code-execution_2025-007
Sent: Friday, January 17, 2025 at 2:11 PM
From: "Andy Smith" <[email protected]>
To: [email protected]
Subject: Re: A warning about rsync in stable: it became broken 3 days ago, is now fixed
Hi,
On Fri, Jan 17, 2025 at 03:42:48AM +0100, [email protected] wrote:
From: "Andy Smith" <[email protected]>
You can verify this at:
https://security-tracker.debian.org/tracker/source-package/rsync
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-rsync-could-allow-for-remote-code-execution_2025-007
Okay, I'll try one more time.
The link you gave above talks about the following security issues:
CVE-2024-12085
CVE-2024-12086
CVE-2024-12087
CVE-2024-12088
CVE-2024-12747
The link that I gave you shows that all of the above already have fixes backported to Debian stable-security.
Since there is no new information here and I am just re-stating what has already been shown to you, I wonder if the problem here is that you
don't understand what backporting is?
The version of rsync that was first released in Debian 12 is what will
be in Debian 12 forever. Barring some exceptional circumstances there
will never be a newer release of rsync in Debian 12. There will never be version 3.4.1 of rsync in Debian 12. Any security issues found in the
version of rsync that is in Debian 12 will have fixes backported to it.
So it follows that just because the program's --version says 3.2.7, it
does not mean that it is still vulnerable to all issues found between
3.2.7 and 3.4.1 inclusive. You would have to look at the Debian package version and check which fixes have been backported.
Thanks,
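As an added example (not from this thread and not Debian's own tooling), the check Andy describes in code: a reimplementation of dpkg's version ordering, used to decide whether an installed rsync package version is at or past the 3.2.7-1+deb12u2 security upload named above, plus a helper that reports which of the advisory's CVE ids a package changelog mentions. The fixed version and CVE list are taken exactly as stated in this thread; everything else is assumed.

```python
import re
# Values taken from the thread: the bookworm security upload that carries the
# backported rsync 3.4.1 fixes, and the CVEs listed in the CIS advisory.
FIXED_IN = "3.2.7-1+deb12u2"
CVES = ("CVE-2024-12085", "CVE-2024-12086", "CVE-2024-12087",
        "CVE-2024-12088", "CVE-2024-12747")

def _weight(ch):
    """Non-digit ordering dpkg uses: '~' < end of run < letters < everything else."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (lexical) with digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _weight(na[i]) if i < len(na) else 0  # 0 marks end of the run
            wb = _weight(nb[i]) if i < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision optional)."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions, without needing dpkg present."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed):
    """True when the Debian package version is at or past the security upload."""
    return compare_versions(installed, FIXED_IN) >= 0

def backported_cves(changelog_text):
    """CVE ids from the advisory that the package changelog (changelog.Debian) mentions."""
    return tuple(cve for cve in CVES if cve in changelog_text)
```

On a bookworm host the two inputs come from `dpkg-query -W -f='${Version}' rsync` and `zcat /usr/share/doc/rsync/changelog.Debian.gz`; where dpkg is present, `dpkg --compare-versions` yields the same ordering and is the authoritative check.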
Has the following been fixed or backported to 3.2.7?
fixed handling of -H flag with conflict in internal flag values
fixed a use-after-free in logging of failed rename
fixed build on systems without openat()
removed dependency on alloca() in bundled popt
Fixed the included popt to avoid a memory error on modern gcc versions.
Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
Fixed IPv6 configure check
Updated included popt to version 1.19.
Fixed a bug with --sparse --inplace where a trailing gap in the source file would not clear out the trailing data in the destination file.
Fixed a buffer overflow in the checksum2 code if SHA1 is being used for the checksum2 algorithm.
Fixed an issue when rsync is compiled using _FORTIFY_SOURCE so that the extra tests don't complain about a strlcpy() limit value (which was too large, even though it wasn't possible for the larger value to cause an overflow).
Add a backtick to the list of characters that the filename quoting needs to escape using backslashes.
Fixed a string-comparison issue in the internal handling of --progress (a locale such as tr_TR.utf-8 needed the internal triggering of --info options to use upper-case flag names to ensure that they match).
Make sure that a local transfer marks the sender side as trusted.
Change the argv handling to work with a newer popt library -- one that likes to free more data than it used to.
Rsync now calls OpenSSL_add_all_algorithms() when compiled against an older openssl library.
Fixed a problem in the daemon auth for older protocols (29 and before) if the openssl library is being used to compute MD4 checksums.
Fixed an old stats bug that counted devices as symlinks
Enhanced rrsync with the -no-overwrite option that allows you to ensure that existing files on your restricted but writable directory can't be modified.
Changed the mapfrom & mapto perl scripts (in the support dir) into a single python script named idmap. Converted a couple more perl scripts into python.
Changed the mnt-excl perl script (in the support dir) into a python script.