Source: rsync Version: 3.2.4-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for rsync. CVE-2022-29154[0]: | An issue was discovered in rsync before 3.2.5 that allows malicious | remote servers to write arbitrary files inside the directories of | connecting peers. The server chooses which files/directories are sent | to the client. However, the rsync client performs insufficient | validation of file names. A malicious rsync server (or Man-in-The- | Middle attacker) can overwrite arbitrary files in the rsync client | target directory and subdirectories (for example, overwrite the | .ssh/authorized_keys file). IMHO the issue does not warrant a DSA, but can be fixed at a point release time. Note that apart the initial commit mentioned in the oss-security post there were additional commits done upstream around that. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-29154 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154 [1] https://www.openwall.com/lists/oss-security/2022/08/02/1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore