rsync is a program for sychronizing files over the network.
A heap overflow bug exists in rsync versions prior to 2.5.7. On machines
where the rsync server has been enabled, a remote attacker could use this
flaw to execute arbitrary code as an unprivileged user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0962 to this issue.
All users should upgrade to these erratum packages containing version
2.5.7 of rsync, which is not vulnerable to this issue.
NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise
Linux. To check if the rsync server has been enabled (on), run the
following command:
/sbin/chkconfig --list rsync
If the rsync server has been enabled but is not required, it can be
disabled by running the following command as root:
/sbin/chkconfig rsync off
Red Hat would like to thank the rsync team for their rapid response and
quick fix for this issue.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | any | x86_64 | rsync | < 2.5.7-1 | rsync-2.5.7-1.x86_64.rpm |
RedHat | any | ia64 | rsync | < 2.5.7-0.7 | rsync-2.5.7-0.7.ia64.rpm |
RedHat | any | s390x | rsync | < 2.5.7-1 | rsync-2.5.7-1.s390x.rpm |
RedHat | any | i386 | rsync | < 2.5.7-0.7 | rsync-2.5.7-0.7.i386.rpm |
RedHat | any | s390 | rsync | < 2.5.7-1 | rsync-2.5.7-1.s390.rpm |
RedHat | any | i386 | rsync | < 2.5.7-1 | rsync-2.5.7-1.i386.rpm |
RedHat | any | ia64 | rsync | < 2.5.7-1 | rsync-2.5.7-1.ia64.rpm |
RedHat | any | ppc | rsync | < 2.5.7-1 | rsync-2.5.7-1.ppc.rpm |