Lucene search
Arch LinuxASA-201503-10HistoryMar 16, 2015 - 12:00 a.m.
librsync: checksum collision
2015-03-1600:00:00
Arch Linux
lists.archlinux.org
29
EPSS
0.007
Percentile
79.9%
librsync previously used a truncated MD4 "strong" check sum to match
blocks. However, MD4 is not cryptographically strong. It’s possible that
an attacker who can control the contents of one part of a file could use
it to control other regions of the file, if it’s transferred using
librsync/rdiff. For example this might occur in a database, mailbox, or
VM image containing some attacker-controlled data.
To mitigate this issue, signatures will by default be computed with a
256-bit BLAKE2 hash. Old versions of librsync will complain about a bad
magic number when given these signature files.
Related
fedora
fedora
[SECURITY] Fedora 21 Update: librsync-1.0.0-1.fc21
2015-03-19 18:44:40
[SECURITY] Fedora 22 Update: duplicity-0.6.25-3.fc22
2015-03-09 08:18:48
[SECURITY] Fedora 21 Update: rdiff-backup-1.2.8-14.fc21
2015-03-19 18:44:40
ubuntucve
ubuntucve
CVE-2014-8242
2015-10-26 00:00:00
nessus
nessus
openvas
openvas
Fedora Update for duplicity FEDORA-2015-2923
2015-07-07 00:00:00
Fedora Update for duplicity FEDORA-2015-3366
2015-03-20 00:00:00
Fedora Update for duplicity FEDORA-2015-3497
2015-03-20 00:00:00
debiancve
debiancve
CVE-2014-8242
2015-10-26 17:59:00
freebsd
freebsd
librsync -- collision vulnerability
2014-07-28 00:00:00
prion
prion
Code injection
2015-10-26 17:59:00
mageia
mageia
Updated librsync packages fix security vulnerabilities
2015-04-15 12:01:28
securityvulns
securityvulns
librsync weak permission
2015-05-05 00:00:00
[ MDVSA-2015:204 ] librsync
2015-05-05 00:00:00
cve
cve
CVE-2014-8242
2015-10-26 17:59:00
nvd
nvd
CVE-2014-8242
2015-10-26 17:59:00
osv
osv
librsync-devel-1.0.0-2.8 on GA media
2024-06-15 00:00:00
rsync-3.1.2-1.5 on GA media
2024-06-15 00:00:00
cvelist
cvelist
CVE-2014-8242
2015-10-26 17:00:00
gentoo
gentoo
rsync: Multiple vulnerabilities
2016-05-30 00:00:00