RHEL 2.1 / 3 : rsync (RHSA-2003:399)
High Nessus Plugin ID 12440
SynopsisThe remote Red Hat host is missing a security update.
DescriptionUpdated rsync packages are now available that fix a heap overflow in the Rsync server.
rsync is a program for sychronizing files over the network.
A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0962 to this issue.
All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue.
NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command :
/sbin/chkconfig --list rsync
If the rsync server has been enabled but is not required, it can be disabled by running the following command as root :
/sbin/chkconfig rsync off
Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue.
SolutionUpdate the affected rsync package.