OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 04-Dec-2003 17:03:25
Branch: HEAD Handle: 2003120416032500
Modified files:
openpkg-web/security OpenPKG-SA-2003.051-rsync.txt
Log:
final polishing and signing
Summary:
Revision Changes Path
1.2 +13 -8 openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.051-rsync.txt
--- openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt 4 Dec 2003 15:21:13
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2003.051-rsync.txt 4 Dec 2003 16:03:25
-0000 1.2
@@ -1,5 +1,5 @@
-
-
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
________________________________________________________________________
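Review bot: The clearsign header added at the top of the file declares `Hash: SHA1`, so the integrity of the advisory rests on a SHA-1 digest. SHA-1 is no longer collision resistant; where the signing key type allows it, a SHA-2 digest would be the better choice for new signatures.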
@@ -18,18 +18,16 @@
OpenPKG 1.3 <= rsync-2.5.6-1.3.0 >= rsync-2.5.6-1.3.1
OpenPKG 1.2 <= rsync-2.5.5-1.2.0 >= rsync-2.5.5-1.2.1
-Dependent Packages: none FIXME check meta-core and rdiff-backup
+Dependent Packages: none
Description:
According to a rsync security advisory [0], a heap overflow
vulnerability exists in rsync [1] version 2.5.6 and earlier when used
as a rsync server which typically listens on TCP port 873. An exploit
- is known to be in the wild and the security of a public rsync was
- compromised. A successful attack does not directly lead to root access
- but can be combined with other local exploits. The do_brk vulnerbility
- in Linux kernels prior 2.4.23 is worthwhile to mention these days. The
+ is already known. A successful attack can lead to arbitrary code
+ execution in the run-time environment of the rsync server process. The
attack is known to be considerably easier when the "use chroot = no"
- option is set in rsync.conf which is not the default in OpenPKG. The
+ option is set in rsync.conf, which is not the default in OpenPKG. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0962 [2] to the problem.
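Review bot: The `Dependent Packages` line drops the `FIXME check meta-core and rdiff-backup` marker and keeps `none`, but neither the diff nor the log message ("final polishing and signing") records that those two packages were actually checked; please confirm that before the signed text is published. In the Description, the rewrite from "known to be in the wild" to "is already known" also removes the statements that a public rsync server was compromised and that a successful attack does not directly lead to root access, so readers lose both the exploitation status and the privilege context. Consider keeping one sentence on each.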
@@ -78,3 +76,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE/z1qTgHWT4GPEy58RAlxXAKCch/r7WEGUK7Mhb1097usmXCAgfgCg6+MS
+LxFw05CYw9iXSegnHARtuuc=
+=YPfZ
+-----END PGP SIGNATURE-----
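Review bot: The signature block appended at the end covers the whole clearsigned body, including the Description text changed in the second hunk of this same commit, so it has to have been generated after those edits. Any later change to this file in CVS, even a whitespace fix, will make verification fail until the advisory is re-signed; it would help to say so in the commit log or in the advisory workflow so that follow-up corrections do not ship a text that no longer verifies.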
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]