{ "schema_version": "1.7.0", "id": "MGASA-2020-0108", "published": "2020-02-29T13:42:35Z", "modified": "2020-02-29T13:20:44Z", "summary": "Updated rsync packages fix security vulnerabilities", "details": "Updated rsync packages fix security vulnerabilities:\n\nIt was discovered that rsync incorrectly handled pointer arithmetic in\nzlib. An attacker could use this issue to cause rsync to crash, resulting\nin a denial of service, or possibly execute arbitrary code (CVE-2016-9840,\nCVE-2016-9841)\n\nIt was discovered that rsync incorrectly handled vectors involving left\nshifts of negative integers in zlib. An attacker could use this issue to\ncause rsync to crash, resulting in a denial of service, or possibly\nexecute arbitrary code (CVE-2016-9842).\n\nIt was discovered that rsync incorrectly handled vectors involving big-\nendian CRC calculation in zlib. An attacker could use this issue to cause\nrsync to crash, resulting in a denial of service, or possibly execute\narbitrary code (CVE-2016-9843).\n\nPlease note, we now compile against system zlib. If rsync fails to sync\nwith older remote systems using compression (-z), you have either update\nthe remote host to a newer version or disable compression.\n", "upstream": [ "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2020-0108.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=26254" } ], "affected": [ { "package": { "ecosystem": "Mageia:7", "name": "rsync", "purl": "pkg:rpm/mageia/rsync?arch=source&distro=mageia-7" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.1.3-4.mga7" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }