Advisories » MGASA-2017-0459

Updated rsync package fixes security vulnerability

Publication date: 21 Dec 2017
Modification date: 21 Dec 2017
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-16548

Description

The receive_xattr function in xattrs.c in rsync 3.1.2 and
3.1.3-development does not check for a trailing '\0' character in an
xattr name, which allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) or possibly have
unspecified other impact by sending crafted data to the daemon.
(CVE-2017-16548)
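
The missing check described above, shown as an added example; this is not rsync's code and not part of the advisory. The function names and the length-prefixed record layout are hypothetical, and the embedded-NUL rejection is an extra strictness that goes beyond what the advisory states.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record shape (hypothetical): the sender supplies name_len and then
 * name_len bytes that are supposed to end in '\0'. */

/* Unchecked form: trusts the sender to have terminated the name. If the last
 * byte is not '\0', strlen() reads past the end of the heap allocation. */
size_t name_length_unchecked(const char *name, size_t name_len)
{
    (void)name_len;                 /* the declared length is never consulted */
    return strlen(name);
}

/* Checked form: reject the record before any string function touches it.
 * Returns 0 for a well-formed name, -1 otherwise. */
int validate_xattr_name(const char *name, size_t name_len)
{
    if (name == NULL || name_len < 1)
        return -1;                  /* no room for a terminator */
    if (name[name_len - 1] != '\0')
        return -1;                  /* the check the advisory says is missing */
    if (memchr(name, '\0', name_len - 1) != NULL)
        return -1;                  /* embedded NUL (added strictness) */
    return 0;
}

/* Copies a received name into an exactly sized heap buffer, as a receiver
 * would, and validates it before use. Returns the validation result. */
int receive_name(const unsigned char *wire, size_t name_len)
{
    char *name;
    int rc;

    if (name_len == 0 || (name = malloc(name_len)) == NULL)
        return -1;
    memcpy(name, wire, name_len);
    rc = validate_xattr_name(name, name_len);
    free(name);
    return rc;
}

int main(void)
{
    /* Constructed sample: 9 name bytes plus the terminator. */
    static const unsigned char sample[] = "user.test";
    return receive_name(sample, sizeof sample) == 0 ? 0 : 1;
}
```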

References

SRPMS

6/core

5/core