> Sent: Thursday, January 16, 2025 at 9:36 PM
> From: "Andy Smith" <a...@strugglers.net>
> To: debian-user@lists.debian.org
> Subject: Re: A warning about rsync in stable: it became broken 3 days ago, is
> now fixed
>
> Hi,
>
> On Fri, Jan 17, 2025 at 03:27:26AM +0100, poc...@homemail.com wrote:
> > Actually the last patched Debian rsync version is still vulnerable
> > https://kb.cert.org/vuls/id/952657
> >
> > rsync 3.4.1 is the latest version that fixes the issues.
>
> That page was last updated 15 January whereas the fixes that went out in
> upstream rsync release 3.4.1 were backported to Debian stable in version
> 3.2.7-1+deb12u2 which was released 16 January.
>
> You can verify this at:
>
> https://security-tracker.debian.org/tracker/source-package/rsync
>
> Thanks,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
>
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-rsync-could-allow-for-remote-code-execution_2025-007

THREAT INTELLIGENCE:
The CERT Coordination Center (CERT/CC) issued a bulletin warning about the
Rsync flaws, marking Red Hat, Arch, Gentoo, Ubuntu, NixOS, AlmaLinux OS
Foundation, and the Triton Data Center as impacted.

SYSTEMS AFFECTED:
Rsync Server versions prior to 3.4.0

Why use 3-year-old rsync?