EulerOS 2.0 SP5 : rsync (EulerOS-SA-2019-1989)
High Nessus Plugin ID 129183
SynopsisThe remote EulerOS host is missing multiple security updates.
DescriptionAccording to the versions of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE:
the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.(CVE-2017-15994)
- The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.(CVE-2017-17433)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected rsync packages.