
New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"
  • Package Download (Score:3, Interesting)

    by Hal The Computer ( 674045 ) on Thursday December 04, 2003 @11:03PM (#7635623)
    Instructions on how to update Slackware to the latest and greatest rsync are at:
    http://slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.399741 [slackware.com]
    Of course if you're running a server you should theoretically be subscribing to the security mailing list. Right?
  • Re:Workaround (Score:5, Interesting)

    by pHDNgell ( 410691 ) on Thursday December 04, 2003 @11:04PM (#7635630)
    or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

    What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

    I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.
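The daemon-side controls pHDNgell lists (no system account per rsync user, module listing, per-area connection caps, restricting what files an area exposes) all map onto rsyncd.conf directives. This is an added example, not a file from the thread or from the rsync project; the paths, the address ranges and the user name are assumed for illustration.

```ini
# Global settings: drop privileges and confine the daemon to the module tree.
uid = nobody
gid = nogroup
use chroot = yes            # keep the default; "no" removes a layer of containment
max connections = 10        # global cap on simultaneous clients
timeout = 600               # drop idle sessions instead of holding them open
lock file = /var/run/rsyncd.lock
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

# Public mirror: anonymous, read-only, visible in "rsync host::" listings.
[mirror]
    comment = public mirror (assumed path)
    path = /srv/mirror
    read only = yes
    list = yes
    max connections = 5     # per-module cap, lower than the global one
    hosts allow = 192.0.2.0/24   # assumed network; use "*" only if truly public
    hosts deny = *
    refuse options = delete # clients may not ask for options the mirror should never honour

# Private area fed from cron: an rsync-only user, no shell account needed.
[backups]
    comment = nightly backups (assumed path)
    path = /srv/backups
    read only = no
    list = no               # hidden from module listings
    auth users = backup     # name exists only in the secrets file, not /etc/passwd
    secrets file = /etc/rsyncd.secrets   # one "user:password" line per user, mode 0600
    strict modes = yes      # refuse to start if the secrets file is world-readable
    hosts allow = 192.0.2.10
    hosts deny = *
```

The secrets-file password travels under rsync's challenge-response scheme rather than in the clear, which is what lets the cron job run unattended without an ssh key that would grant a full login on the recipient.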
  • Wow, that was fast (Score:0, Interesting)

    by Steve 'Rim' Jobs ( 728708 ) on Thursday December 04, 2003 @11:09PM (#7635659) Journal
    I'd really like to take this opportunity to congratulate both the Gentoo devs and the rsync devs on a job well done. This is one of the many reasons why I continue to use and recommend Open Source to my friends, my boss, and my colleagues. The community simply does a first rate job of identifying and patching problems in their software. Most commercial software vendors wish they had a track record as good as most of the important open source projects out there.

    Keep up the great work, guys! I'm definitely donating to the Gentoo project this Xmas ;) It has put the fun back in computing for me.
  • by Feztaa ( 633745 ) on Thursday December 04, 2003 @11:13PM (#7635679) Homepage
    One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

    While it can be somewhat distressing, these attacks can only make us stronger.

    It's kinda sad, really. I mean, we're just a big happy group of people who write code for the fun of it, and then share it with everybody else. We're a decent bunch. What did we do to deserve all this hostility?
  • Re:Gentoo (Score:1, Interesting)

    by Anonymous Coward on Thursday December 04, 2003 @11:20PM (#7635714)
    what would have been more impressive is if it wouldn't have happened in the first place. I could understand maybe if a port slipped by someone, but shoddy security, it's rather sad. Don't take this as a troll post; my coworker is a Gentoo devel, and we've spoken about this back and forth.

    What would be nice would be if some of the developers focused on security from the jump, sort of OpenBSD'ish, and no I'm not making a comparison, sort of throwing an idea for devels to use preemptive strikes, assessing a situation beforehand. Regardless of whether there was a buffer overflow of stack/heap/$INSERT_VULN_HERE, what about the core concept of security? User accounts, firewall rules, checksums, et al.

    If I were a CTO or someone who was checking into making a switch, sorry to say but right now it wouldn't be Gentoo. Sure it's a nice little distribution, but the security lapse just threw them into an `I won't be using that distro any time soon` category.

    Again, not putting down Gentoo, just adding my observations.
  • by Rescate ( 688702 ) on Thursday December 04, 2003 @11:53PM (#7635857)
    You might want to take a look at Easy Automated Snapshot-Style Backups with Linux and Rsync [mikerubel.org] posted by Mike Rubel. I think this is mentioned in the book Linux Server Hacks [oreilly.com] by O'Reilly (hack #42 [oreilly.com]), although I don't have the book so I'm not sure.

    Basically it uses rsync and cp to create a backup, but only changed files are actually copied; unchanged files are simply linked to. This saves a lot of disk space, and allows you to keep many backups on the system at one time, assuming most of your files don't change.
  • Some history.. (Score:5, Interesting)

    by cras ( 91254 ) on Thursday December 04, 2003 @11:55PM (#7635864) Homepage
    Two months ago I found the problem [mail-archive.com] and gave a patch [mail-archive.com] to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)
  • by Anonymous Coward on Friday December 05, 2003 @12:43AM (#7636100)
    Well, (a) Microsoft's entire internal network had russians roaming about it for MONTHS in the Win2k era. (b) As a european, I'm far more worried about what MS ITSELF might be putting into ITS OWN CODE to serve its neofascist american masters - remember NSA_KEY?