rsync-announce@lists.samba.org
2005-Jul-07 23:06 UTC
[rsync-announce] rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)
There has been some talk about a zlib security problem that could let someone overflow the buffers in the zlib decompression code, potentially allowing someone to craft an exploit to execute arbitrary code. Since this is a decompression bug, this can only affect an rsync daemon if it allows uploads with the --compress option enabled. If you run a daemon that allows uploads, you may wish to add this line to your rsyncd.conf file: refuse options = compress (If you already refuse other options, add "compress" after a space to that line instead of adding a new line.) I have just finished updating the zlib code in CVS to version 1.2.2 plus a security patch that fixes this latest exploit. The other changes in CVS are all worthwhile fixes, so I have decided to release the current CVS version as 2.6.6pre1 -- the first pre-release of version 2.6.6. You can read about all the changes between 2.6.5 and 2.6.6pre1 here: http://rsync.samba.org/ftp/rsync/preview/NEWS You can grab the source tar and its signature here: http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz.asc If you exercise the compression code of this pre-release version of rsync, please drop me a line and let me know. Thanks! ..wayne.. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.samba.org/archive/rsync-announce/attachments/20050707/060566a2/attachment.bin
Wayne Davison
2005-Jul-08 21:10 UTC
rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)
[I neglected to cross-post this from the rsync-announce list to the regular rsync mailing list when I sent this out yesterday.] There has been some talk about a zlib security problem that could let someone overflow the buffers in the zlib decompression code, potentially allowing someone to craft an exploit to execute arbitrary code. Since this is a decompression bug, this can only affect an rsync daemon if it allows uploads with the --compress option enabled. If you run a daemon that allows uploads, you may wish to add this line to your rsyncd.conf file: refuse options = compress (If you already refuse other options, add "compress" after a space to that line instead of adding a new line.) I have just finished updating the zlib code in CVS to version 1.2.2 plus a security patch that fixes this latest exploit. The other changes in CVS are all worthwhile fixes, so I have decided to release the current CVS version as 2.6.6pre1 -- the first pre-release of version 2.6.6. You can read about all the changes between 2.6.5 and 2.6.6pre1 here: http://rsync.samba.org/ftp/rsync/preview/NEWS You can grab the source tar and its signature here: http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz.asc If you exercise the compression code of this pre-release version of rsync, please drop me a line and let me know. Thanks! ..wayne..
Maybe Matching Threads
- rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)
- [LLVMdev] RFC: Using zlib to decompress debug info sections.
- [LLVMdev] RFC: Using zlib to decompress debug info sections.
- [LLVMdev] RFC: Using zlib to decompress debug info sections.
- [LLVMdev] RFC: Using zlib to decompress debug info sections.