fredok
1
Am I missing something, or has rsync not been fixed on Ubuntu 24.10?
I have run sudo apt update && sudo apt upgrade to update.
Restarted rsync daemon by rebooting.
Running rsync --version … gives me: version 3.3.0 protocol version 31
From my research (hours googling), this version does not fix the CVE and there is apparently no documented fix for 24.10. I guess a fix hasn’t been published to the repos? But that can’t be true, right? I mean that’s crazy, right?
But the USNs and Ubuntu Blog post do not cite a fix for 24.10, see links below.
Ubuntu Version:
24.10
Desktop Environment (if applicable):
GNOME
Problem Description:
rsync version remains: v3.3.0 protocol version 31
Does this version fix the rsync CVEs on Oracular 24.10?
Relevant System Information:
x86_64, kernel v6.11.0-13-generic
What I’ve Tried:
- USN 7206-1 does not list 24.10 as being fixed:
- USN 7206-2 also does not list 24.10; note this was a fix for regressions introduced by the previous USN to fix the vulnerabilities.
- The Ubuntu Blog says, “Fix not available.”
Also, in the CVS information Oracular is still marked as “Vulnerable”.
1 Like
fredok
3
wut? 
Edit… perhaps I’m being a tad dramatic but I guess I don’t understand why rsync v3.4 has not been pushed to the 24.10 repository, but that’s too big brain for me (genuinely).
popey
4
Certainly looks that way, yes.
root@oracular:~# grype --quiet / --only-notfixed --distro ubuntu:24.10 | grep rsync
rsync 3.3.0-1 deb CVE-2024-12084 High
rsync 3.3.0-1 deb CVE-2024-12747 Medium
rsync 3.3.0-1 deb CVE-2024-12088 Medium
rsync 3.3.0-1 deb CVE-2024-12087 Medium
rsync 3.3.0-1 deb CVE-2024-12086 Medium
rsync 3.3.0-1 deb CVE-2024-12085 Medium
root@oracular:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.10
Release: 24.10
Codename: oracular
1 Like
Fixed today 
rsync (3.3.0-1ubuntu0.1) oracular-security; urgency=medium
* SECURITY UPDATE: safe links bypass vulnerability
- d/p/CVE-2024-12088/0001-make-safe-links-stricter.patch: reject
links where a "../" component is included in the destination
- CVE-2024-12088
* SECURITY UPDATE: arbitrary file write via symbolic links
- d/p/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch: refuse
malicious duplicate flist for dir
- d/p/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch: refuse
invalid dir_ndx
- d/p/fix_flag_got_dir_flist_collision.patch: fix flag collision
- CVE-2024-12087
* SECURITY UPDATE: arbitrary client file leak
- d/p/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch:
refuse fuzzy options when not selected
- d/p/CVE-2024-12086/0002-added-secure_relative_open.patch: safe
implementation to open a file relative to a base directory
- d/p/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch:
ensure secure file access for basis file
- d/p/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch:
disallow "../" in relative path
- CVE-2024-12086
* SECURITY UPDATE: information leak via uninitialized stack contents
- d/p/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch:
prevent information leak by zeroing
- CVE-2024-12085
* SECURITY UPDATE: heap buffer overflow in checksum parsing
- d/p/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch: fix
checksum buffer issues, better length check
- d/p/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch:
fix multiplying size by a better cast
- CVE-2024-12084
* SECURITY UPDATE: symlink race condition
- d/p/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch:
do_open_checklinks to prevent symlink race
- CVE-2024-12747
-- Sudhakar Verma <sudhakar.verma@canonical.com> Tue, 28 Jan 2025 14:02:37 +0530
Thanks to everyone involved!
1 Like
