From security@tinysofa.org Tue Aug 17 03:32:08 2004
From: tinysofa Security Team
To: bugtraq@securityfocus.com
Date: Tue, 17 Aug 2004 01:31:47 +1000
Subject: TSSA-2004-020-ES - rsync

===========================================================================
                                            Security Advisory #2004-020

Package Name:       rsync
Summary:            Exposure of System Information
Advisory ID:        TSSA-2004-020-ES
Date:               2004-08-16
Affected Products:  tinysofa enterprise server 2.0
===========================================================================

Description
-----------

rsync [0] is a program for synchronizing files over a network.

A vulnerability [1] has been reported in rsync, which potentially can be
exploited by malicious users to read or write arbitrary files on a
vulnerable system.

The vulnerability is caused due to an input validation error within the
"sanitize_path()" function of the "util.c" file.

Successful exploitation requires that the rsync daemon isn't running
chrooted.

The vulnerability affects version 2.6.2 and prior.

Resolution
----------

The rsync package has been updated to address this vulnerability.

References
----------

[0] http://samba.org/rsync/
[1] http://samba.org/rsync/#security_aug04

Recommended Action
==================

We recommend that all systems with these packages installed be upgraded.

Location
========

All tinysofa updates are available from

Automatic Updates
=================

Users of the APT tool can enjoy having updates automatically installed
using 'apt-get upgrade'.

Questions?
==========

Check out our mailing lists:

Verification
============

This advisory is signed with the tinysofa security sign key.
This key is available from:

All tinysofa packages are signed with the tinysofa stable sign key.
This key is available from:

The advisory is available from the tinysofa errata database at
or directly at

Updated Packages
================

SRPMS
-----

606db14378c661b0b5ce1bbb3cd87d52  rsync-2.6.2-2ts.src.rpm

i386
----

7d8ea97c366ae496d266b168c9c172ca  rsync-2.6.2-2ts.i386.rpm

--
tinysofa Security Team
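
Added example (not part of the tinysofa advisory): because exploitation requires that the daemon is not running chrooted, the check below reads an rsyncd.conf and lists the modules whose effective "use chroot" setting is off. The function name, the sample configuration and the assumption that an unset "use chroot" means on are this example's own; it does not compare version numbers, since the fixed package rsync-2.6.2-2ts still carries the upstream version 2.6.2.

```python
import re

FALSE_VALUES = {"no", "false", "0"}   # rsyncd.conf spellings for "off"

def unchrooted_modules(conf_text, default_chroot=True):
    """Return the modules whose effective 'use chroot' setting is off."""
    # Assumption: an unset 'use chroot' means on; pass False if yours differs.
    global_chroot = default_chroot
    modules = {}      # module name -> explicit setting, or None if unset
    current = None    # None while still in the global section
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            modules.setdefault(current, None)
            continue
        key, sep, value = line.partition("=")   # only the first '=' counts
        # Parameter names ignore case and whitespace: "Use Chroot" == "usechroot".
        if not sep or re.sub(r"\s+", "", key).lower() != "usechroot":
            continue
        enabled = value.strip().lower() not in FALSE_VALUES
        if current is None:
            global_chroot = enabled
        else:
            modules[current] = enabled
    return sorted(name for name, setting in modules.items()
                  if not (global_chroot if setting is None else setting))

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# global default for every module below
use chroot = no
[pub]
    path = /srv/pub
[mirror]
    path = /srv/mirror
    use chroot = yes
[upload]
    path = /srv/upload
    Use Chroot = false
"""

if __name__ == "__main__":
    for name in unchrooted_modules(SAMPLE_CONF):
        print("module not chrooted:", name)
```

Any module it reports should be upgraded first or switched to "use chroot = yes" until the updated package is installed.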