受影响系统:
rsync rsync 2.6.9 - 3.0.1
不受影响系统:
rsync rsync 3.0.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 28726
CVE(CAN) ID: CVE-2008-1720
rsync是一个快速增量文件传输工具,用于在同一主机备份内部的备份。
rsync处理扩展属性数据时存在漏洞,如果rsync启用了扩展属性(xattr)支持的话,则负责处理该属性的代码中的整数溢出漏洞可能导致执行任意指令。
<*来源:Sebastian Krahmer (krahmer@suse.de)
链接:http://secunia.com/advisories/29668/
rsync-announce@lists.samba.org/msg00057.html" target="_blank">http://www.mail-archive.com/rsync-announce@lists.samba.org/msg00057.html
http://samba.anu.edu.au/rsync/security.html#s3_0_2
http://www.debian.org/security/2008/dsa-1545
*>
建议:
--------------------------------------------------------------------------------
网管网www.bitscn.com
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1545-1)以及相应补丁:
DSA-1545-1:New rsync packages fix arbitrary code execution
链接:http://www.debian.org/security/2008/dsa-1545
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.dsc
Size/MD5 checksum: 566 6504d35182ed2141c8d7d2f8152d5fb7
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9.orig.tar.gz
Size/MD5 checksum: 811841 996d8d8831dbca17910094e56dcb5942
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2.diff.gz
Size/MD5 checksum: 51039 2131acc598dbbe26f9b6f04c0a0d3f2b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_alpha.deb
Size/MD5 checksum: 294664 ea644ca8d37211ccbc1f8173e934d45a
amd64 architecture (AMD x86_64 (AMD64))
网管u家u.bitsCN.com
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_amd64.deb
Size/MD5 checksum: 272046 0d9e9576b24a245265f9a98d15ce3b0b
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_hppa.deb
Size/MD5 checksum: 282552 dd5e17e39eeaa712287d166e3346bd7d
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_i386.deb
Size/MD5 checksum: 261454 b68ddd05ba2a02f7a5f6bd9cc7807a2e
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_ia64.deb
Size/MD5 checksum: 356986 df80d4332478c019d540b07ac16c235f
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mips.deb
Size/MD5 checksum: 286532 21aeda2221c4b31c2f19296b58654222
mipsel architecture (MIPS (Little Endian))
中国网管论坛bbs.bitsCN.com
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_mipsel.deb
Size/MD5 checksum: 287282 0c750c3cf7089ad7e7ea3d9d273df9b9
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_powerpc.deb
Size/MD5 checksum: 275184 6d81a7a14422fd5bc7c89bd755320e80
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_s390.deb
Size/MD5 checksum: 278828 5300915466913e7832a3649ba701d49e
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/r/rsync/rsync_2.6.9-2etch2_sparc.deb
Size/MD5 checksum: 264144 885fc97a390e1db66290805c06e35947
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
网管论坛bbs_bitsCN_com # dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
rsync
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://samba.anu.edu.au/rsync/download.html
http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff
评论加载中…
