
New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary (which is every open source mirror server out there, and many mirrors themselves)."

  • Re:Gentoo (Score:5, Insightful)

    by keesh ( 202812 ) on Thursday December 04, 2003 @10:34PM (#7635488) Homepage
    That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...
  • chroot (Score:4, Insightful)

    by larry bagina ( 561269 ) on Thursday December 04, 2003 @10:36PM (#7635494) Journal
    The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

    Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?
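The announcement quoted above singles out the non-default "use chroot = no" setting. As an added example (not code from the thread or from the rsync project), the following checks an rsyncd.conf for modules whose effective chroot setting is off, honouring the global default that modules inherit; the sample config, its module names and paths are constructed for illustration.

```python
"""Flag rsyncd modules that run without chroot (added example, not from the thread)."""
import configparser

# Constructed sample rsyncd.conf. The [backup] module overrides the global
# default with the non-default "use chroot = no" the announcement describes.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
max connections = 50

[gentoo-portage]
path = /space/mirror/gentoo-portage
comment = Gentoo Portage tree
read only = yes

[backup]
path = /
comment = full root backup
use chroot = no
"""

def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into (global_settings, {module: settings}).

    rsyncd.conf is ini-like: settings before the first [module] header are
    global defaults that every module inherits unless it overrides them.
    A synthetic [global] header is prepended so configparser accepts them.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    global_settings = dict(cp["global"])
    modules = {name: dict(cp[name]) for name in cp.sections() if name != "global"}
    return global_settings, modules

def modules_without_chroot(text):
    """Return the names of modules whose effective 'use chroot' value is off."""
    global_settings, modules = parse_rsyncd_conf(text)
    default = global_settings.get("use chroot", "yes")  # rsync's built-in default is yes
    return sorted(
        name for name, settings in modules.items()
        if settings.get("use chroot", default).strip().lower() in ("no", "false", "0")
    )

if __name__ == "__main__":
    print("modules running without chroot:", modules_without_chroot(SAMPLE_RSYNCD_CONF))
```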

  • Re:chroot (Score:4, Insightful)

    by syntax ( 2932 ) on Thursday December 04, 2003 @10:37PM (#7635499) Homepage
    How about complete remote backups of the root file system?
  • Re:Workaround (Score:2, Insightful)

    by morelife ( 213920 ) on Thursday December 04, 2003 @10:43PM (#7635525)

    "don't run rsync as a server"

    is not a workaround -- it's throwing the baby and the server out with the bathwater!

  • Re:Workaround (Score:3, Insightful)

    by brassman ( 112558 ) on Thursday December 04, 2003 @10:54PM (#7635572) Homepage
    ...connect with the "-e ssh" flag

    That's how I use it, but I'm not running a site like Gentoo's.

    If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.

  • by timeOday ( 582209 ) on Thursday December 04, 2003 @11:13PM (#7635685)
    What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

    Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

    So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.
  • Re:So... (Score:5, Insightful)

    by Anonymous Coward on Thursday December 04, 2003 @11:15PM (#7635691)
    It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

    It seems obvious where the real talent in the Linux community lies today.

    In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

  • by Meat Blaster ( 578650 ) on Thursday December 04, 2003 @11:22PM (#7635724)
    I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

    I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

    Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

    Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.

  • Re:Gentoo (Score:5, Insightful)

    by TheIzzy ( 615852 ) on Thursday December 04, 2003 @11:44PM (#7635813)
    Hello?

    Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security countermeasures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testament to the security at gentoo.

    If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

  • Re:Gentoo (Score:3, Insightful)

    by keesh ( 202812 ) on Thursday December 04, 2003 @11:46PM (#7635822) Homepage
    It was [gentoo.org].
  • by Zork the Almighty ( 599344 ) on Thursday December 04, 2003 @11:55PM (#7635865) Journal
    I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm surprised you don't appreciate it.
  • by quadelirus ( 694946 ) on Friday December 05, 2003 @12:05AM (#7635918)
    This is why I use package management. Hours before I read about this vulnerability on slashdot (read it just now) my redhat monitor had gone red and I had updated the rsync vulnerability without even a thought to when it was discovered. It's interesting that Redhat had the update so quickly though... good to know.
  • by CheshireCat ( 73975 ) on Friday December 05, 2003 @01:00AM (#7636172)
    I would say there are still uses for rsync server protocol. Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.
  • by BaldingByMicrosoft ( 585534 ) on Friday December 05, 2003 @01:53AM (#7636468)
    Well now... let me be the first, then! Having a real user account for FTP access is, in certain environments, a security risk.

    Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.
  • by giminy ( 94188 ) on Friday December 05, 2003 @02:32AM (#7636649) Homepage Journal
    Hear, Hear. Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set! This is about as useless as MD5 checksums, imho. It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...
  • Re:Some history.. (Score:3, Insightful)

    by boots@work ( 17305 ) on Friday December 05, 2003 @03:18AM (#7636835)
    But I have been running rsync v.2.5.7 since BEFORE the gentoo rsync server was compromised.

    Don't be ridiculous. There was no 2.5.7 release before the Gentoo compromise. I know because I was one of the team that responded to the intrusion and produced the patch. The machine was crashed on Tuesday and the patch came out on Thursday, about 36 hours later.

    I suppose you're running kernel 2.7 as well?
