Rapid7 Vulnerability & Exploit Database

RHSA-2011:0999: rsync security, bug fix, and enhancement update

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/01/2007
Created: 07/25/2018
Added: 07/29/2011
Modified: 07/04/2017

Description

rsync is a program for synchronizing files over a network.

A flaw was found in the way the rsync daemon handled the "filter", "exclude", and "exclude from" options, used for hiding files and preventing access to them from rsync clients. A remote attacker could use this flaw to bypass those restrictions by using certain command line options and symbolic links, allowing the attacker to overwrite those files if they knew their file names and had write access to them. (CVE-2007-6200)

Note: This issue only affected users running rsync as a writable daemon: "read only" set to "false" in the rsync configuration file (for example, "/etc/rsyncd.conf"). By default, this option is set to "true".

This update also fixes the following bugs:

All users of rsync are advised to upgrade to this updated package, which resolves these issues and adds enhancements.
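Since the advisory states that only daemons with "read only" set to "false" were affected, the practical check is to find which rsync modules are actually writable. The following audit script is an added example, not code from the advisory or from the rsync project. It assumes the documented rsyncd.conf layout: parameters before the first "[module]" header act as global defaults, each module may override them, boolean values accept true/false/yes/no/1/0, and "read only" defaults to true when unset. The sample configuration is constructed for the example.

```python
"""Audit an rsyncd.conf for modules that resolve to "read only = false".

Added example, not from the Red Hat advisory or the rsync project. It assumes
the documented rsyncd.conf layout: global parameters before the first
[module] header provide defaults, each [module] may override them, and
boolean values accept true/false/yes/no/1/0. "read only" defaults to true.
"""
from __future__ import annotations

TRUE_WORDS = {"true", "yes", "1"}
FALSE_WORDS = {"false", "no", "0"}

# Constructed sample configuration (not taken from the advisory page).
SAMPLE_CONF = """\
# global defaults
uid = nobody
read only = true

[docs]
    path = /srv/docs
    comment = documentation, inherits the global read-only default

[upload]
    path = /srv/upload
    read only = false
    exclude = secrets.txt

[legacy]
    path = /srv/legacy
    read only = no
"""


def parse_rsyncd_conf(text: str) -> tuple[dict[str, str], dict[str, dict[str, str]]]:
    """Return (global_params, modules) parsed from rsyncd.conf text.

    Keys are lowercased and whitespace-normalised so that "read only" and
    "Read  Only" compare equal. Comment lines start with '#' or ';'.
    """
    globals_: dict[str, str] = {}
    modules: dict[str, dict[str, str]] = {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue  # tolerate stray lines rather than abort the audit
        key, _, value = line.partition("=")
        current[" ".join(key.lower().split())] = value.strip()
    return globals_, modules


def as_bool(value: str | None, default: bool) -> bool:
    """Interpret an rsyncd boolean; unknown or missing values take the default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return default


def writable_modules(text: str) -> list[str]:
    """Names of modules whose effective "read only" setting is false.

    A module inherits the global value when it sets nothing itself; with no
    global setting either, rsync's default (true, i.e. read-only) applies.
    """
    globals_, modules = parse_rsyncd_conf(text)
    global_ro = as_bool(globals_.get("read only"), default=True)
    return [
        name
        for name, params in modules.items()
        if not as_bool(params.get("read only"), default=global_ro)
    ]


if __name__ == "__main__":
    for module in writable_modules(SAMPLE_CONF):
        print(f"writable module [{module}]: exposed to CVE-2007-6200 unless rsync is patched")
```

Run against the real file with `writable_modules(open("/etc/rsyncd.conf").read())`; an empty list means every module is read-only and the daemon is outside the affected configuration described above. Modules that appear in the list are the ones where the package upgrade matters most, and where "exclude"/"filter" rules should not be relied on as the only access control.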

Solution(s)

  • redhat-upgrade-rsync
