News

Friday, April 11, 2008

ubuntu-security-announce Digest, Vol 43, Issue 4

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-600-1] rsync vulnerability (Kees Cook)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Apr 2008 23:52:11 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-600-1] rsync vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20080411065211.GT18929@outflux.net>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-600-1 April 11, 2008
rsync vulnerability
CVE-2008-1720
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
rsync 2.6.9-3ubuntu1.2

Ubuntu 7.10:
rsync 2.6.9-5ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sebastian Krahmer discovered that rsync could overflow when handling ACLs.
An attacker could construct a malicious set of files that when processed
by rsync could lead to arbitrary code execution or a crash.


Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2.diff.gz

Size/MD5: 39403 9633c4376d4aa5d8e4c3da99405ca0d6

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2.dsc

Size/MD5: 658 08549083557957c66e73e42aa683f1b5

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9.orig.tar.gz

Size/MD5: 811841 996d8d8831dbca17910094e56dcb5942

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_amd64.deb

Size/MD5: 275936 633f49faf8c061d199fa1fa109e4d46a

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_i386.deb

Size/MD5: 262086 381d1741edd2151b09fdfcd11829246f

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_powerpc.deb

Size/MD5: 282406 e8704361305a8308274b253863876766

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_sparc.deb

Size/MD5: 270148 d6af336d9d029920c4c9b308e50f1e45

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1.diff.gz

Size/MD5: 40051 f86fdffdfeb406e1164dd8573c527174

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1.dsc

Size/MD5: 658 6ce35afac1779ce799dd10e42535bcb7

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9.orig.tar.gz

Size/MD5: 811841 996d8d8831dbca17910094e56dcb5942

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_amd64.deb

Size/MD5: 277264 2652f8655e5f33073a90e0d25559aada

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_i386.deb

Size/MD5: 263124 90761cc1de553a35fb6c719e5632b84d

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_powerpc.deb

Size/MD5: 283556 cc28973832efb6c5e2fe82893ce774d4

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_sparc.deb

Size/MD5: 271206 4909fa7ccc14431f6419f51da2487400

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20080410/2f239f35/attachment-0001.pgp


------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 43, Issue 4
*******************************************************

No comments:

Blog Archive