Advisories » MGASA-2022-0302

Updated rsync packages fix security vulnerability

Publication date: 25 Aug 2022
Modification date: 25 Aug 2022
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-29154

Description

An issue was discovered in rsync before 3.2.5 that allows malicious remote
servers to write arbitrary files inside the directories of connecting
peers. The server chooses which files/directories are sent to the client.
However, the rsync client performs insufficient validation of file names.
A malicious rsync server (or man-in-the-middle attacker) can overwrite
arbitrary files in the rsync client target directory and subdirectories
(for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
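
The missing check described above, sketched as an added example (not rsync's
code and not the upstream patch): the client compares each file name the server
sends against the paths it asked for and refuses anything outside them. The
function names and sample names are constructed; it assumes names are relative
to the transfer root and sources were requested without a trailing slash.

```python
import posixpath

def in_scope(name, roots):
    """True if a normalized name equals a requested root or lies beneath one."""
    norm = posixpath.normpath(name)
    return any(r == "." or norm == r or norm.startswith(r + "/") for r in roots)

def unexpected_names(requested, received):
    """Return server-sent names that a client asking for `requested` should refuse."""
    roots = [posixpath.normpath(r) for r in requested]
    flagged = []
    for name in received:
        # Absolute paths and ".." components are never acceptable in a file list.
        escapes = name.startswith("/") or ".." in name.split("/")
        if escapes or not name or not in_scope(name, roots):
            flagged.append(name)
    return flagged

# Constructed sample: the client asked only for "docs".
REQUESTED = ["docs"]
RECEIVED = [
    "docs",
    "docs/readme.txt",
    "docs/img/logo.png",
    ".ssh/authorized_keys",          # the overwrite named in the advisory
    "docs/../.ssh/authorized_keys",
    "/outside/file",
    "docsx/file",                    # shares a prefix but is a different directory
]

if __name__ == "__main__":
    for name in unexpected_names(REQUESTED, RECEIVED):
        print("refuse:", name)
```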
                

References

SRPMS

8/core