RHEL 2.1 / 3 : rsync (RHSA-2003:399)

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

Updated rsync packages are now available that fix a heap overflow in
the Rsync server.

rsync is a program for synchronizing files over the network.

A heap overflow bug exists in rsync versions prior to 2.5.7. On
machines where the rsync server has been enabled, a remote attacker
could use this flaw to execute arbitrary code as an unprivileged user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2003-0962 to this issue.

All users should upgrade to these erratum packages containing version
2.5.7 of rsync, which is not vulnerable to this issue.

NOTE: The rsync server is disabled (off) by default in Red Hat
Enterprise Linux. To check if the rsync server has been enabled (on),
run the following command :

/sbin/chkconfig --list rsync

If the rsync server has been enabled but is not required, it can be
disabled by running the following command as root :

/sbin/chkconfig rsync off
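The advisory gives two conditions that together make a host remotely exploitable: an rsync older than 2.5.7 is installed, and the rsync daemon is enabled. The following POSIX sh script is an added example (it is not part of RHSA-2003:399 or of Tenable's plugin) that puts both checks into one local assessment. It assumes that rpm's %{VERSION} tag holds the plain upstream version (true for these errata, which ship 2.5.7 rather than a backported fix), and that `chkconfig --list rsync` prints a single line whose last whitespace-separated field is "on" or "off"; the sample lines fed to it below are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from RHSA-2003:399 or the Nessus plugin: a local check
# combining the two exposure conditions the advisory gives for CVE-2003-0962
# on RHEL 2.1/3: rsync older than 2.5.7 installed AND the rsync daemon
# (an xinetd service on these releases) enabled.
# Assumptions (not stated by the advisory): rpm's %{VERSION} is the plain
# upstream version, and `chkconfig --list rsync` prints one line whose last
# whitespace-separated field is "on" or "off".

# version_lt A B: succeed when dotted version A is older than B.
# Compares numerically field by field; missing fields count as 0,
# so "2.5" is treated as "2.5.0" (and "2.5.10" is newer than "2.5.7").
version_lt() {
    _v1=$1 _v2=$2
    _ifs=$IFS
    IFS=.
    set -- $_v1; _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $_v2; _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    IFS=$_ifs
    if [ "$_a1" -ne "$_b1" ]; then [ "$_a1" -lt "$_b1" ]; return $?; fi
    if [ "$_a2" -ne "$_b2" ]; then [ "$_a2" -lt "$_b2" ]; return $?; fi
    [ "$_a3" -lt "$_b3" ]
}

# daemon_enabled LINE: succeed when a `chkconfig --list rsync` line ends
# in "on". Takes the last word so both "rsync   on" and "\trsync:\ton" work.
daemon_enabled() {
    _state=off
    for _w in $1; do _state=$_w; done
    [ "$_state" = "on" ]
}

# assess VERSION CHKCONFIG_LINE: print a one-word verdict:
#   patched    - rsync >= 2.5.7, CVE-2003-0962 does not apply
#   daemon-off - old rsync, but the daemon is not enabled (still update)
#   vulnerable - old rsync with the daemon enabled (remotely exploitable)
# Returns 1 only for the vulnerable combination.
assess() {
    if ! version_lt "$1" "2.5.7"; then
        echo "patched"
        return 0
    fi
    if daemon_enabled "$2"; then
        echo "vulnerable"
        return 1
    fi
    echo "daemon-off"
    return 0
}

# Live mode: query the host (run as `sh check_rsync.sh --live` as root).
# A missing xinetd entry makes chkconfig fail; treat that as "off".
if [ "${1:-}" = "--live" ]; then
    _ver=$(rpm -q --qf '%{VERSION}\n' rsync) || { echo "rsync not installed"; exit 0; }
    _line=$(/sbin/chkconfig --list rsync 2>/dev/null || echo "rsync off")
    assess "$_ver" "$_line"
fi
```

A plain version comparison is adequate here only because the erratum packages really carry upstream 2.5.7; for most Red Hat errata the fix is backported under the old version number, and the check would instead have to compare the full epoch:version-release against the erratum's package NEVR (which is what the Nessus plugin does). Also note that "daemon-off" is not "safe": the package is still vulnerable, and enabling the service later re-exposes the host, so update regardless.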

Red Hat would like to thank the rsync team for their rapid response
and quick fix for this issue.

See also :

https://www.redhat.com/security/data/cve/CVE-2003-0962.html
http://rsync.samba.org/
http://rhn.redhat.com/errata/RHSA-2003-399.html

Solution :

Update the affected rsync package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 12440

Bugtraq ID:

CVE ID: CVE-2003-0962