Description
Security update for rsync
This update for rsync fixes the following issues:
- CVE-2022-29154: Fixed an arbitrary file write issue that could be triggered by a malicious remote server (bsc#1201840).
Package list
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
rsync-3.1.0-13.19.1
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server 12 SP2-BCL
rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server 12 SP3-BCL
rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server 12 SP4-LTSS
rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
rsync-3.1.0-13.19.1
SUSE OpenStack Cloud 9
rsync-3.1.0-13.19.1
SUSE OpenStack Cloud Crowbar 9
rsync-3.1.0-13.19.1
References
- Link for SUSE-SU-2022:2859-1
- E-Mail link for SUSE-SU-2022:2859-1
- SUSE Security Ratings
- SUSE Bug 1201840
- SUSE CVE CVE-2022-29154 page
Description
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
Affected products
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:rsync-3.1.0-13.19.1
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server 12 SP2-BCL:rsync-3.1.0-13.19.1
SUSE Linux Enterprise Server 12 SP3-BCL:rsync-3.1.0-13.19.1
References
- CVE-2022-29154
- SUSE Bug 1201840
- SUSE Bug 1202970
- SUSE Bug 1202998
- SUSE Bug 1203401
- SUSE Bug 1203727
- SUSE Bug 1203789
- SUSE Bug 1204119
- SUSE Bug 1205072