Looks like this is http://people.canonical.com/~ubuntu-
security/cve/2014/CVE-2014-9512.html
** Information type changed from Private Security to Public Security
** Changed in: rsync (Ubuntu)
Status: New => Confirmed
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9512
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1531061
Title:
Rsync path spoofing attack vulnerability
Status in rsync package in Ubuntu:
Confirmed
Bug description:
A security fix in rsync 3.1.2 was released, adding extra check to the
file list to prevent a malicious sender to use unsafe destination path
for transferred file, such as just-sent symlink.
Details on the bug from rsync's page (hosted at samba), replication
information, patch information can be found here:
https://bugzilla.samba.org/show_bug.cgi?id=10977
Upstream patch:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b
Seems like this should be backported to currently supported LTS and
regular releases as a security update?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1531061/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
