[ubuntu/focal-security] rsync 3.1.3-8ubuntu0.8 (Accepted)
Sudhakar Verma
sudhakar.verma at canonical.com
Tue Jan 14 21:06:45 UTC 2025
rsync (3.1.3-8ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: safe links bypass vulnerability
    - d/p/CVE-2024-12088/0001-make-safe-links-stricter.patch: reject
      links where a "../" component is included in the destination
    - CVE-2024-12088
  * SECURITY UPDATE: arbitrary file write via symbolic links
    - d/p/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch: refuse
      malicious duplicate flist for dir
    - d/p/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch: refuse
      invalid dir_ndx
    - CVE-2024-12087
  * SECURITY UPDATE: arbitrary client file leak
    - d/p/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch:
      refuse fuzzy options when not selected
    - d/p/CVE-2024-12086/0002-added-secure_relative_open.patch: safe
      implementation to open a file relative to a base directory
    - d/p/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch:
      ensure secure file access for basis file
    - d/p/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch:
      disallow "../" in relative path
    - CVE-2024-12086
  * SECURITY UPDATE: information leak via uninitialized stack contents
    - d/p/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch:
      prevent information leak by zeroing
    - CVE-2024-12085
  * SECURITY UPDATE: symlink race condition
    - d/p/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch:
      do_open_checklinks to prevent symlink race
    - CVE-2024-12747

rsync (3.1.3-8ubuntu0.7) focal; urgency=medium

  * d/p/add-trust-sender-option-docs.patch: Add manpage and help documentation
    for the --trust-sender option (LP: #2028810)

rsync (3.1.3-8ubuntu0.6) focal; urgency=medium

  * d/p/add-trust-sender-option.patch: Add --trust-sender argument to decrease
    overhead when transferring files (LP: #2028810)
    In order to mitigate the performance decrease experienced by the security
    update blocking arbitrary file writes by remote servers, this update allows
    users the option to inherently trust the remote server instead. The
    --trust-sender argument tells the local server to trust the remote server's
    file list, leading to a speedup in transfer speed since the extra checks
    are no longer needed. The argument should only be used when transferring
    between two controlled servers though, to avoid arbitrary file access from
    a malicious server.

Date: 2025-01-14 16:19:10.761181+00:00
Changed-By: Sudhakar Verma <sudhakar.verma at canonical.com>
https://launchpad.net/ubuntu/+source/rsync/3.1.3-8ubuntu0.8