New rsync Released to Fix Vulnerability
cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"
chroot (Score:4, Insightful)
Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?
Re:Workaround (Score:2, Insightful)
"don't run rsync as a server"
is not a workaround -- it's throwing the baby and the server out with the bathwater!
Re:Workaround (Score:3, Insightful)
That's how I use it, but I'm not running a site like Gentoo's.
If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.
Re:So... (Score:5, Insightful)
"It seems obvious where the real talent in the Linux community lies today."
In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.
PGP-sign everything (Score:5, Insightful)
I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.
Authors/maintainers need to generate PGP keypairs and start signing their archives. An MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.
Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.
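The point the comment above makes, as an added worked example that is not part of the original thread: a checksum published next to the archive can be regenerated by whoever controls the mirror, while a detached signature cannot, because the signing key never leaves the maintainer. The example stands in Ed25519 from Go's standard library for PGP; the `Release`, `Publish`, `TamperOnMirror` and `Scenario` names and the archive bytes are constructed for illustration and are not rsync's or any distribution's tooling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the archive plus the verification data
// published beside it. Constructed for this example; not a real format.
type Release struct {
	Archive []byte
	MD5     string // checksum file sitting next to the archive on the mirror
	Sig     []byte // detached signature over the archive, made by the maintainer
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's step: sign with a private key that stays on the
// maintainer's machine, and publish the MD5 alongside for convenience.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{
		Archive: archive,
		MD5:     md5Hex(archive),
		Sig:     ed25519.Sign(priv, archive),
	}
}

// TamperOnMirror models a compromised mirror: it can swap the archive and
// regenerate the checksum next to it, but it has no private key, so the best
// it can do is leave the old signature in place.
func TamperOnMirror(r Release, modified []byte) Release {
	return Release{Archive: modified, MD5: md5Hex(modified), Sig: r.Sig}
}

// ChecksumMatches is the check a user makes when only an MD5 file is offered.
func ChecksumMatches(r Release) bool {
	return md5Hex(r.Archive) == r.MD5
}

// SignatureValid is the check a user makes with the maintainer's public key,
// obtained out of band rather than from the same mirror.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Archive, r.Sig)
}

// Outcome records what each check says about the original and tampered copies.
type Outcome struct {
	OriginalChecksumOK, OriginalSigOK bool
	TamperedChecksumOK, TamperedSigOK bool
}

// Scenario runs the whole flow with a freshly generated keypair.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample archive contents; the bytes themselves do not matter.
	original := []byte("rsync-x.y.z.tar.gz (constructed sample contents)")
	rel := Publish(priv, original)
	bad := TamperOnMirror(rel, []byte("rsync-x.y.z.tar.gz (constructed, modified on mirror)"))
	return Outcome{
		OriginalChecksumOK: ChecksumMatches(rel),
		OriginalSigOK:      SignatureValid(pub, rel),
		TamperedChecksumOK: ChecksumMatches(bad), // true: the mirror regenerated it
		TamperedSigOK:      SignatureValid(pub, bad), // false: no key to re-sign
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original:  checksum=%v signature=%v\n", o.OriginalChecksumOK, o.OriginalSigOK)
	fmt.Printf("tampered:  checksum=%v signature=%v\n", o.TamperedChecksumOK, o.TamperedSigOK)
}
```

The design choice worth noting is where the public key comes from: the signature check only helps if the key is fetched from somewhere the mirror operator does not control (a keyserver, the project's own site, a previous trusted release), which is the same trust question the comment raises about checksums hosted beside the package.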
Re:Gentoo (Score:5, Insightful)
Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security countermeasures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as Gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testament to the security at Gentoo.
If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.
Re:Rsync Protocol Was a Bad Idea (Score:2, Insightful)
Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.
Re:Some history.. (Score:3, Insightful)
Don't be ridiculous. There was no 2.5.7 release before the Gentoo compromise. I know because I was one of the team that responded to the intrusion and produced the patch. The machine was crashed on Tuesday and the patch came out on Thursday, about 36 hours later.
I suppose you're running kernel 2.7 as well?