Updated rsync package fixes security vulnerabilities
Publication date: 18 Jul 2026Modification date: 18 Jul 2026
Type: security
Affected Mageia releases : 10 , 9
CVE: CVE-2026-29518 , CVE-2026-43617 , CVE-2026-43618 , CVE-2026-43619 , CVE-2026-43620 , CVE-2026-45232
Description
The updated package fixes security vulnerabilities:
Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File
Write. (CVE-2026-29518)
Rsync < 3.4.3 Authorization Bypass via Hostname Resolution.
(CVE-2026-43617)
Rsync < 3.4.3 Integer Overflow Information Disclosure. (CVE-2026-43618)
Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls.
(CVE-2026-43619)
Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files().
(CVE-2026-43620)
Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy. (CVE-2026-45232)
References
- https://bugs.mageia.org/show_bug.cgi?id=35562
- https://www.openwall.com/lists/oss-security/2026/05/20/6
- https://lists.debian.org/debian-security-announce/2026/msg00193.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/FBOANNVT2JXHE24DJ2WIYE2BNCWRGT24/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4RPOIF6TVE233FKZN5TAC6XTNQ5WVFYL/
- https://www.openwall.com/lists/oss-security/2026/06/08/1
- https://ubuntu.com/security/notices/USN-8349-1
- https://ubuntu.com/security/notices/USN-8349-2
- https://www.cve.org/CVERecord?id=CVE-2026-29518
- https://www.cve.org/CVERecord?id=CVE-2026-43617
- https://www.cve.org/CVERecord?id=CVE-2026-43618
- https://www.cve.org/CVERecord?id=CVE-2026-43619
- https://www.cve.org/CVERecord?id=CVE-2026-43620
- https://www.cve.org/CVERecord?id=CVE-2026-45232
SRPMS
10/core
- rsync-3.4.1-4.1.mga10
9/core
- rsync-3.2.7-1.5.mga9