Advisories » MGASA-2020-0108

Updated rsync packages fix security vulnerabilities

Publication date: 29 Feb 2020
Modification date: 29 Feb 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2016-9840 , CVE-2016-9841 , CVE-2016-9842 , CVE-2016-9843

Description

Updated rsync packages fix security vulnerabilities:

It was discovered that rsync incorrectly handled pointer arithmetic in
zlib. An attacker could use this issue to cause rsync to crash, resulting
in a denial of service, or possibly execute arbitrary code (CVE-2016-9840,
CVE-2016-9841)

It was discovered that rsync incorrectly handled vectors involving left
shifts of negative integers in zlib. An attacker could use this issue to
cause rsync to crash, resulting in a denial of service, or possibly
execute arbitrary code (CVE-2016-9842).

It was discovered that rsync incorrectly handled vectors involving big-
endian CRC calculation in zlib. An attacker could use this issue to cause
rsync to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2016-9843).

Please note, we now compile against system zlib. If rsync fails to sync
with older remote systems using compression (-z), you have either update
the remote host to a newer version or disable compression.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26254
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843

SRPMS

7/core

• rsync-3.1.3-4.mga7