[SECURITY] [DLA 1725-1] rsync security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1725-1] rsync security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 24 Mar 2019 22:48:25 +0100 (CET)
Message-id: <[🔎] alpine.DEB.2.20.1903242244050.25518@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Trail of Bits used the automated vulnerability discovery tools developedfor the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast,versatile, remote (and local) file-copying tool, uses an embedded copy ofzlib, those issues are also present in rsync.



CVE-2016-9840
     In order to avoid undefined behavior, remove offset pointer
     optimization, as this is not compliant with the C standard.

CVE-2016-9841
     Only use post-increment to be compliant with the C standard.

CVE-2016-9842
     In order to avoid undefined behavior, do not shift negative values,
     as this is not compliant with the C standard.

CVE-2016-9843
     In order to avoid undefined behavior, do not pre-decrement a pointer
     in big-endian CRC calculation, as this is not compliant with the
     C standard.

CVE-2018-5764
     Prevent remote attackers from being able to bypass the
     argument-sanitization protection mechanism by ignoring --protect-args
     when already sent by client.


For Debian 8 "Jessie", these problems have been fixed in version
3.1.1-3+deb8u2.

We recommend that you upgrade your rsync packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAlyX+ylfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEd2pQ//TtCnHozTv2geDIs3msDvt/S0Rn0gPuXrlXWdpmXkXIrE8olPexHxSx16
BSC4UQI3b7BytIGy7KSANGRHjBpQIwbVbW/jSqKAiM2MAzjEqJi7hjljs8G/oOVa
rEA7T2FflszlSsdbUE2zLbjJ81YCOXDYZ3nduoHJYXOPTbq7lLk0klENxXovHJ+4
3vy8wf9iF8o8Gfy78a/nvCehfqzCCCbgiCRKClEBDHNuZ23IEXkYBW8T+caDtorI
/CgqCdjNwV6J3x/F6g38rol5NYQ/ZlvS8Dc1hf6gwsr9JvVu8NuzECC9GoXa5Xmv
XSbkUJegDB3HjFn3TzIUfU+ZMhJ2zRgg0NJHHMyIfZlMWtlVla+KmicUQ0ZIjEyM
axRJZuG2NNjUH7knzP3mrCWBpPYXvcx23YI5byf9gyqR/bioU6+rz8zg/cP7fXWb
YBWbAuDzujilrUOqkQvjCt4jXgmydiaDtdLvWOvNejRx2Jhrzd5qrS2vPlRAWhD1
6wsCdZvXbBFw0wO/rH5dMLxiCfhZwk2VDEi+T0BH+eamRZhWpYM3QkJua+Sb9y9M
GYdyf5iMDKLENVhJyd+nBFTSewAnL2r/ADmuHYpV2wkNGzUVJuQtLSxqQ4wmm6Pi
DNZKEImAxMHasdluy6hHZCNOe75XxQk4boyuPcHdPOa8S9vc9jU=
=Df1t
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1724-1] ntfs-3g security update
Next by Date: [SECURITY] [DLA 1726-1] bash security update
Previous by thread: [SECURITY] [DLA 1724-1] ntfs-3g security update
Next by thread: [SECURITY] [DLA 1726-1] bash security update
Index(es):
- Date
- Thread