On 1/14/25 08:53, Nick Tait wrote:
> Hello OSS-security,
> Two independent groups of researchers have identified a total of 6
> vulnerabilities in rsync. In the most severe CVE, an attacker only requires
> anonymous read access to a rsync server, such as a public mirror, to
> execute arbitrary code on the
On 1/14/25 08:53, Nick Tait wrote:
> Upstream has prepared patches for these CVEs. These fixes will be included
> in rsync 3.4.0 which is to be released shortly.
This has happened now -
https://lists.samba.org/archive/rsync-announce/2025/000120.html says:
We have just released version 3.4.0 of rs
Nick Tait wrote:
> [1] Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
>
> CVE ID: CVE-2024-12084
>
> CVSS 3.1: 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
> Description: A heap-based buffer overflow flaw was found in the rsync
> daemon. This issue is due to improper han