Looks like this is http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9512.html
** Information type changed from Private Security to Public Security

** Changed in: rsync (Ubuntu)
       Status: New => Confirmed

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9512

https://bugs.launchpad.net/bugs/1531061

Title:
  Rsync path spoofing attack vulnerability

Status in rsync package in Ubuntu:
  Confirmed

Bug description:
  A security fix in rsync 3.1.2 was released, adding an extra check to the file list to prevent a malicious sender from using an unsafe destination path for a transferred file, such as a just-sent symlink.

  Details on the bug from rsync's page (hosted at samba), replication information, and patch information can be found here:
  https://bugzilla.samba.org/show_bug.cgi?id=10977

  Upstream patch:
  https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

  Seems like this should be backported to currently supported LTS and regular releases as a security update?
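
The bug description above refers to a file-list check against unsafe destination paths such as a just-sent symlink. The following is an added illustration of that class of receiver-side check; it is not rsync's code or the upstream patch, and the entry format, the function name `unsafe_entries` and the sample list are assumptions constructed for the example.

```python
import posixpath

# Constructed sample: (path, type) entries as a receiver might see them.
SAMPLE_FILE_LIST = [
    ("docs", "dir"),
    ("docs/readme.txt", "file"),
    ("cache", "symlink"),
    ("cache/settings.conf", "file"),
    ("../outside.txt", "file"),
    ("/etc/motd", "file"),
    ("docs/./notes.txt", "file"),
]


def unsafe_entries(file_list):
    """Return (path, reason) for every entry with an unsafe destination path."""
    # Pass 1: remember every symlink announced in this same transfer.
    sent_symlinks = {
        posixpath.normpath(path) for path, kind in file_list if kind == "symlink"
    }
    findings = []
    for raw, _kind in file_list:
        if raw.startswith("/"):
            findings.append((raw, "absolute path"))
            continue
        if ".." in raw.split("/"):
            findings.append((raw, "parent-directory component"))
            continue
        # Pass 2: no proper prefix of the path may be one of those symlinks,
        # otherwise the write would follow a link the sender just supplied.
        parts = posixpath.normpath(raw).split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in sent_symlinks:
                findings.append((raw, f"passes through symlink '{prefix}' from the same list"))
                break
    return findings


if __name__ == "__main__":
    for path, reason in unsafe_entries(SAMPLE_FILE_LIST):
        print(f"REJECT {path}: {reason}")
```

The check is deliberately order-independent: an entry is rejected if any symlink in the same list sits on its path, whether that symlink was listed before or after it.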