Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : rsync vulnerabilities (USN-3506-1)
High Nessus Plugin ID 105099
SynopsisThe remote Ubuntu host is missing a security-related patch.
DescriptionIt was discovered that rsync proceeds with certain file metadata updates before checking for a filename. An attacker could use this to bypass access restrictions. (CVE-2017-17433)
It was discovered that rsync does not check for fnamecmp filenames and also does not apply the sanitize_paths protection mechanism to pathnames. An attacker could use this to bypass access restrictions.
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected rsync package.