Your message dated Sat, 3 Dec 2011 12:28:32 +0100
with message-id <[email protected]>
and subject line Re: Bug#621866: Bug fixed in unstable/testung/experimental
has caused the Debian Bug report #621866,
regarding rsync: CVE-2011-1097 DoS and possibly code execution on client side
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
621866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621866
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsync
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rsync.
CVE-2011-1097[0]:
| rsync 3.x before 3.0.8, when certain recursion, deletion, and
| ownership options are used, allows remote rsync servers to cause a
| denial of service (heap memory corruption and application crash) or
| possibly execute arbitrary code via malformed data.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
More info:
https://bugzilla.samba.org/show_bug.cgi?id=7936
http://gitweb.samba.org/?p=rsync.git;a=commitdiff;h=83b94efa6b60a3ff5eee4c5f7812c617a90a03f6;hp=c8255147b06b74dad940d32f9cef5fbe17595239
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
http://security-tracker.debian.org/tracker/CVE-2011-1097
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
pgpOtEimLwfko.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 3.0.8-1
Hi!
* Arne Wichmann <[email protected]> [111005 16:35]:
> As far as I can see, this bug is fixed in testing (and anything newer):
>
> /usr/share/doc/rsync/changelog.gz:
>
> [...]
> - Fixed a data-corruption issue when preserving hard-links without
> preserving file ownership, and doing deletions either before or during
> the transfer (CVE-2011-1097). This fixes some assert errors in the
> hard-linking code, and some potential failed checksums (via -c) that
> should have matched.
> [...]
Yes, I checked the source, that's fixed for testing and higher, so I
versioned close this bug. It's still open for stable, though.
Best Regards,
Alexander
--- End Message ---
