-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1173
    MDVSA-2015:204 Updated librsync packages fix security vulnerability
                               29 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librsync
Publisher:         Mandriva
Operating System:  Mandriva Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Delete Arbitrary Files -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8242  

Original Bulletin: 
   https://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:204/

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Mandriva. It is recommended that administrators
         running librsync check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

MDVSA-2015:204
Package name:       librsync
Date:               2015-04-27
Advisory ID:        MDVSA-2015:204
Affected versions:  MBS1 x86_64
Problem description

Updated librsync packages fix security vulnerability:

librsync before 1.0.0 used a truncated MD4 strong checksum to confirm
block matches. MD4 is not cryptographically strong, and truncating it
makes the sum shorter still, so an attacker can produce two different
blocks that carry the same weak rolling checksum and the same strong
checksum. Since a block match is decided by those two sums alone, an
attacker who can control the contents of one part of a file could use a
colliding block to control other regions of the file when it is
transferred using librsync/rdiff (CVE-2014-8242). librsync 1.0.0 changes
the default strong checksum to BLAKE2.
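The matching weakness described above, as an added example that is not librsync's own code: a toy rdiff-style signature/delta/patch in Python with a rolling weak sum and a truncated strong sum. The block size, modulus, sample file contents and function names are assumptions made for the demonstration, the strong sum is BLAKE2b truncated to a chosen length rather than MD4, and the forgery is a generic brute force standing in for the published MD4 collision attacks. With a 2-byte strong sum the attacker's block replaces the admin's block on the receiver; with the full 32-byte sum the same search gives up and the receiver rebuilds the correct file.

```python
import hashlib

# Toy parameters (assumed for the demo): real rdiff uses 2048-byte blocks and
# 16-bit weak-sum components; shrinking them keeps the forgery cheap to run.
BLOCK = 16
MOD = 256


def weak_sum(block):
    """rsync-style rolling checksum: a = sum of bytes, b = position-weighted sum."""
    a = b = 0
    n = len(block)
    for i, x in enumerate(block):
        a = (a + x) % MOD
        b = (b + (n - i) * x) % MOD
    return (b << 8) | a


def strong_sum(block, strong_len):
    """Strong checksum truncated to strong_len bytes, standing in for the
    truncated MD4 of librsync < 1.0.0 (8 bytes) and the full 32-byte sum of 1.0.0."""
    return hashlib.blake2b(block, digest_size=32).digest()[:strong_len]


def signature(old, strong_len):
    """What the receiver publishes: (weak, strong) -> index of a block of its old file."""
    sig = {}
    for off in range(0, len(old), BLOCK):
        blk = old[off:off + BLOCK]
        sig.setdefault((weak_sum(blk), strong_sum(blk, strong_len)), off // BLOCK)
    return sig


def delta(sig, new, strong_len):
    """Sender: a block whose sums are in the signature becomes ('copy', index),
    anything else is sent as ('literal', bytes)."""
    ops = []
    for off in range(0, len(new), BLOCK):
        blk = new[off:off + BLOCK]
        key = (weak_sum(blk), strong_sum(blk, strong_len))
        ops.append(('copy', sig[key]) if key in sig else ('literal', blk))
    return ops


def patch(old, ops):
    """Receiver: rebuild the new file from its own old file plus the delta."""
    out = bytearray()
    for kind, arg in ops:
        out += old[arg * BLOCK:(arg + 1) * BLOCK] if kind == 'copy' else arg
    return bytes(out)


def forge_block(target, payload, strong_len, budget):
    """Attacker: find z != target with the same weak and strong sums, where z
    starts with payload.  Layout: payload | 4-byte counter | 2 fix-up bytes.
    The weak sum is linear, so the two fix-up bytes hit it exactly; only the
    truncated strong sum costs trials (about 256**strong_len of them)."""
    n = BLOCK
    assert len(payload) == n - 6
    want_weak, want_strong = weak_sum(target), strong_sum(target, strong_len)
    a_t, b_t = want_weak & 0xFF, want_weak >> 8
    for counter in range(budget):
        prefix = payload + counter.to_bytes(4, 'big')
        a0 = b0 = 0
        for i, x in enumerate(prefix):
            a0 = (a0 + x) % MOD
            b0 = (b0 + (n - i) * x) % MOD
        u = ((b_t - a_t) - (b0 - a0)) % MOD  # byte at n-2 carries weight 2 in b
        v = (a_t - a0 - u) % MOD             # byte at n-1 carries weight 1 in b
        z = prefix + bytes((u, v))
        if z != target and strong_sum(z, strong_len) == want_strong:
            return z
    return None


def run_demo(strong_len, budget):
    """Constructed scenario: block 0 is a setting only the admin may change, block 1
    is a region the attacker may write.  The attacker anticipates the admin's next
    value and plants a colliding block in the old file.  Returns
    (forgery_found, receiver_reconstructed_the_right_file)."""
    admin_old = b"deny_root = no \n"
    admin_new = b"deny_root = yes\n"
    payload = b"allow_root"
    forged = forge_block(admin_new, payload, strong_len, budget)
    attacker_block = forged if forged is not None else payload + b"\x00" * 6
    old = admin_old + attacker_block
    new = admin_new + attacker_block
    got = patch(old, delta(signature(old, strong_len), new, strong_len))
    return forged is not None, got == new


if __name__ == "__main__":
    print("2-byte strong sum:", run_demo(2, 1 << 20))    # (True, False): admin block replaced
    print("32-byte strong sum:", run_demo(32, 1 << 12))  # (False, True)
```

The rolling sum is collided analytically because it exists for speed, not security; everything rests on the strong sum, which is why truncating it (or using a broken hash for it) is the whole bug.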

The fix is not backward compatible with signatures and deltas produced
by older versions of librsync. Backward compatibility can be obtained
using the new rdiff sig --hash=md4 option or by specifying the MD4
signature magic through the API, but MD4 should not be used when either
the old or the new file contains untrusted data.
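A triage check for the compatibility point above, added here and not part of the advisory or of librsync: parse the header of a stored rdiff signature and report whether it still carries MD4 sums. The magic values and the 12-byte header layout (magic, block length, strong-sum length, all big-endian 32-bit) are taken from librsync's public header and signature format and are assumptions to verify against the version installed; the sample headers are constructed, and the 8-byte strong sum in the old-style sample is the assumed pre-1.0.0 default.

```python
import struct

# Signature-stream magic numbers as declared in librsync.h (assumed; check
# against the header shipped with your librsync build).
RS_MD4_SIG_MAGIC = 0x72730136     # "rs\x016": MD4 strong sums (pre-1.0.0, or --hash=md4)
RS_BLAKE2_SIG_MAGIC = 0x72730137  # "rs\x017": BLAKE2 strong sums (1.0.0 default)

HEADER_LEN = 12  # three big-endian u32: magic, block_len, strong_len


def inspect_signature(sig):
    """Parse the signature header and count the per-block entries that follow it.
    Each entry is a 4-byte weak sum followed by strong_len bytes of strong sum."""
    if len(sig) < HEADER_LEN:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = struct.unpack(">III", sig[:HEADER_LEN])
    if magic == RS_MD4_SIG_MAGIC:
        algo = "md4"
    elif magic == RS_BLAKE2_SIG_MAGIC:
        algo = "blake2"
    else:
        raise ValueError("not an rdiff signature (magic 0x%08x)" % magic)
    body = len(sig) - HEADER_LEN
    entry = 4 + strong_len
    if body % entry:
        raise ValueError("signature body is not a whole number of entries")
    return {"hash": algo, "block_len": block_len,
            "strong_len": strong_len, "blocks": body // entry}


def safe_for_untrusted_data(info):
    """Policy from MDVSA-2015:204: MD4 sums must not be used when either file
    may contain untrusted data.  A BLAKE2 sum shorter than the full 32 bytes
    has been truncated and is flagged as well."""
    return info["hash"] == "blake2" and info["strong_len"] >= 32


# Constructed samples: an old-style header with two 8-byte MD4 entries, and a
# 1.0.0-style header with one full-length BLAKE2 entry.
OLD_STYLE = (struct.pack(">III", RS_MD4_SIG_MAGIC, 2048, 8)
             + b"\x00" * (4 + 8) * 2)
NEW_STYLE = (struct.pack(">III", RS_BLAKE2_SIG_MAGIC, 2048, 32)
             + b"\x00" * (4 + 32))


if __name__ == "__main__":
    for name, blob in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        info = inspect_signature(blob)
        print(name, info, "safe" if safe_for_untrusted_data(info) else "UNSAFE")
```

A real signature to feed into this comes from `rdiff signature old.file old.sig`; a signature produced with the `--hash=md4` option named in the advisory will show up as `md4` and be rejected by the policy check.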

Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.

Updated packages

MBS1 x86_64

 e9e5dbb84ff6effa94d8b37d805e4500  mbs1/x86_64/lib64rsync2-1.0.0-1.mbs1.x86_64.rpm
 db4b256939b54eb5919eceedf50f4192  mbs1/x86_64/lib64rsync-devel-1.0.0-1.mbs1.x86_64.rpm
 ffaaf1c1364528d0c18bdda8cf514c34  mbs1/x86_64/rdiff-1.0.0-1.mbs1.x86_64.rpm
 fd173f99aecfaa9d1d8d9af132b136b6  mbs1/x86_64/rdiff-backup-1.3.3-6.1.mbs1.x86_64.rpm 
 707dc6da51d7451541ce83400ee33f3a  mbs1/SRPMS/librsync-1.0.0-1.mbs1.src.rpm
 eb91121a971f6079d3b666419e08e0db  mbs1/SRPMS/rdiff-backup-1.3.3-6.1.mbs1.src.rpm

References

http://advisories.mageia.org/MGASA-2015-0146.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----