rsync: CVE-2014-9512


Debian Bug report logs - #778333


Package: rsync; Maintainer for rsync is Paul Slootman <paul@debian.org>; Source for rsync is src:rsync.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 13 Feb 2015 16:57:08 UTC

Severity: important

Tags: patch, security, upstream

Found in version rsync/3.1.1-2

Fixed in version rsync/3.1.1-3

Done: Paul Slootman <paul@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>:
Bug#778333; Package rsync. (Fri, 13 Feb 2015 16:57:12 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>. (Fri, 13 Feb 2015 16:57:12 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-9512
Date: Fri, 13 Feb 2015 17:55:46 +0100
Package: rsync
Version: 3.1.1-2+b1
Severity: important
Tags: security

This was assigned CVE-2014-9512:
http://xteam.baidu.com/?p=169

Patch is here:
https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

It would be nice if we could still get this into jessie with a
targeted fix / unblock.

Cheers,
        Moritz



Changed Bug title to 'rsync: CVE-2014-9512' from 'CVE-2014-9512'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 18:57:12 GMT).


Added tag(s) upstream and patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 18:57:13 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#778333; Package rsync. (Thu, 05 Mar 2015 21:06:05 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Thu, 05 Mar 2015 21:06:05 GMT).


Message #14 received at 778333@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 778333@bugs.debian.org
Subject: Re: CVE-2014-9512
Date: Thu, 5 Mar 2015 22:02:57 +0100
On Fri, Feb 13, 2015 at 05:55:46PM +0100, Moritz Muehlenhoff wrote:
> Package: rsync
> Version: 3.1.1-2+b1
> Severity: important
> Tags: security
> 
> This was assigned CVE-2014-9512:
> http://xteam.baidu.com/?p=169
> 
> Patch is here:
> https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b
> 
> It would be nice if we could still get this into jessie with a
> targeted fix / unblock.

Could you upload a fixed package?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#778333; Package rsync. (Sat, 07 Mar 2015 15:45:08 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Sat, 07 Mar 2015 15:45:08 GMT).


Message #19 received at 778333@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Slootman <paul@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 778333@bugs.debian.org
Subject: Re: Bug#778333: CVE-2014-9512
Date: Sat, 7 Mar 2015 16:43:38 +0100
Hi Paul,

Thanks for the fix into unstable,
https://tracker.debian.org/news/674517 . Could you please as well ask
the release team for the unblock, so that the fix can go in in jessie
as well?

Regards,
Salvatore



Reply sent to Paul Slootman <paul@debian.org>:
You have taken responsibility. (Sat, 07 Mar 2015 15:45:33 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 07 Mar 2015 15:45:33 GMT).


Message #24 received at 778333-close@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: 778333-close@bugs.debian.org
Subject: Bug#778333: fixed in rsync 3.1.1-3
Date: Sat, 07 Mar 2015 15:37:03 +0000
Source: rsync
Source-Version: 3.1.1-3

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778333@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 07 Mar 2015 15:45:05 +0100
Source: rsync
Binary: rsync
Architecture: source amd64
Version: 3.1.1-3
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Closes: 778333
Changes:
 rsync (3.1.1-3) unstable; urgency=medium
 .
   * Added patch for CVE-2014-9512, Rsync path spoofing attack vulnerability.
     closes:#778333
Checksums-Sha1:
 0041879c614eb91a4b19af04db93d9e4d414b32e 1676 rsync_3.1.1-3.dsc
 d762d84817fa06ed43d6dc15b64be8a9235b54b5 21968 rsync_3.1.1-3.debian.tar.xz
 59860e09b6e0e843ed680769914d728d8110f98a 389702 rsync_3.1.1-3_amd64.deb
Checksums-Sha256:
 1ca6cc2c514d6e82dfde28c3984bea8651f8c197640cbc05aa544c46d2891a69 1676 rsync_3.1.1-3.dsc
 be77fe6d9932e82c4215f6fcd127f813c667d50662a1416be5f4cd854c19c960 21968 rsync_3.1.1-3.debian.tar.xz
 e9d160978c317b689f6031d51b729d79a342e545e4403615f2a8113d61a141dc 389702 rsync_3.1.1-3_amd64.deb
Files:
 0162fcf4775af91e9c8c96a95a146141 1676 net optional rsync_3.1.1-3.dsc
 2a65abafc829cc1e38f2b665701cab2b 21968 net optional rsync_3.1.1-3.debian.tar.xz
 47a2bc9d1b06af8e470906957b658be1 389702 net optional rsync_3.1.1-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
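The changelog above names the issue only as a "path spoofing attack", and the report points at the upstream commit for the actual fix. As an added illustration that is neither rsync's code nor that patch, the block below shows the kind of receiver-side check a file-copy tool needs whenever the sending side chooses the file names: refuse names that are absolute, unnormalised or contain '..' components, and resolve each path component against the real destination directory so that a symlink planted earlier in the same transfer cannot redirect a later file outside the destination tree. The destination directory, the planted symlink and the file list used by demo() are all constructed in the example; none of them come from the bug report.

```python
"""
Receiver-side validation of file names chosen by an untrusted sender.

Added example, not rsync code and not the upstream patch linked in the
report. A remote file-copy tool must not trust the paths the sending side
announces: the checks below reject names that are absolute, empty or
contain '.' / '..' components, and then resolve each path component
against the real destination directory so that a symlink the sender
planted earlier in the same transfer cannot redirect a later file outside
the destination tree. The destination, the symlink and the file list used
by demo() are constructed here purely for illustration.
"""
import os
import tempfile
from typing import List, Optional, Tuple


def is_safe_relative_name(name: str) -> bool:
    """Syntactic check: the name must be a normalised, relative POSIX path."""
    if not name or name.startswith("/") or "\0" in name:
        return False
    # Empty parts catch '//' and a trailing '/', '.' and '..' catch hops;
    # an unnormalised name is refused rather than guessed at.
    return all(part not in ("", ".", "..") for part in name.split("/"))


def resolve_under_dest(dest: str, name: str) -> Optional[str]:
    """Return the real path of dest/name if every component stays inside
    dest, else None.  Walking component by component means a symlink in an
    intermediate directory is caught when it is crossed, whether or not the
    final component exists yet."""
    root = os.path.realpath(dest)
    cur = root
    real = root
    for part in name.split("/"):
        cur = os.path.join(cur, part)
        real = os.path.realpath(cur)
        if real != root and not real.startswith(root + os.sep):
            return None
    return real


def filter_file_list(dest: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a sender-supplied file list into names safe to create under dest
    and names that must be refused (a real receiver should abort on any)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in names:
        if is_safe_relative_name(name) and resolve_under_dest(dest, name) is not None:
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Build a destination containing an attacker-planted symlink and filter
    a constructed file list against it."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.mkdir(dest)
        os.mkdir(outside)
        # Stands in for a symlink the sender got created earlier in the transfer.
        os.symlink(outside, os.path.join(dest, "escape"))
        # Constructed sender file list: two benign names, four hostile ones.
        file_list = [
            "docs/readme.txt",   # plain relative path, fine
            "ok",                # single component, fine
            "../etc/passwd",     # parent traversal
            "/etc/passwd",       # absolute path
            "a/./b",             # unnormalised, refused rather than guessed
            "escape/shadow",     # passes through the planted symlink
        ]
        return filter_file_list(dest, file_list)


if __name__ == "__main__":
    good, bad = demo()
    print("accepted:", good)
    print("rejected:", bad)
```

Resolving the path one component at a time is the part that matters for this bug class: a check that only looks at the final name, or that only normalises the string, does not notice that an intermediate directory has become a symlink pointing elsewhere.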




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Apr 2015 07:26:41 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:54:41 2019; Machine Name: buxtehude
