===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1173
       MDVSA-2015:204 Updated librsync packages fix security vulnerability
                               29 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librsync
Publisher:         Mandriva
Operating System:  Mandriva Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Delete Arbitrary Files -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8242

Original Bulletin:
   https://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:204/

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Mandriva. It is recommended that administrators
         running librsync check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

MDVSA-2015:204

Package name:       librsync
Date:               2015-04-27
Advisory ID:        MDVSA-2015:204
Affected versions:  MBS1 x86_64

Problem description

Updated librsync packages fix security vulnerability:

librsync before 1.0.0 used a truncated MD4 strong checksum to match blocks.
However, MD4 is not cryptographically strong. It's possible that an attacker
who can control the contents of one part of a file could use it to control
other regions of the file, if it's transferred using librsync/rdiff
(CVE-2014-8242).

The change to fix this is not backward compatible with older versions of
librsync. Backward compatibility can be obtained using the new rdiff sig
--hash=md4 option or through specifying the signature magic in the API, but
this should not be used when either the old or new file contains untrusted
data. Also, any applications that use the librsync library will need to be
recompiled against the updated library.
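An added defender-side check, not part of the Mandriva or AusCERT advisory and not librsync's own code: it parses the header of an rdiff signature file and reports whether the signature was produced with the legacy MD4 strong sums this advisory warns about (the format pre-1.0.0 librsync wrote, and what the new rdiff sig --hash=md4 option reproduces). The magic values and header layout (big-endian magic, block length and strong-sum length, then a 4-byte weak sum plus one strong sum per block) are assumed from librsync's public header; the sample signatures below are constructed for the demonstration, not real rdiff output.

```python
import struct

# Assumed from librsync's librsync.h: signature magics "rs\x01\x36" (MD4)
# and "rs\x01\x37" (BLAKE2, the default from 1.0.0 onwards).
RS_MD4_SIG_MAGIC = 0x72730136
RS_BLAKE2_SIG_MAGIC = 0x72730137
HEADER = struct.Struct(">III")  # magic, block_len, strong_sum_len


def inspect_signature(data: bytes) -> dict:
    """Parse an rdiff signature header and classify its strong-sum scheme."""
    if len(data) < HEADER.size:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = HEADER.unpack_from(data, 0)
    if magic == RS_MD4_SIG_MAGIC:
        algo = "md4"
    elif magic == RS_BLAKE2_SIG_MAGIC:
        algo = "blake2"
    else:
        raise ValueError(f"not an rdiff signature (magic 0x{magic:08x})")
    if block_len == 0 or strong_len == 0 or strong_len > 32:
        raise ValueError("implausible header fields")
    body = data[HEADER.size:]
    entry = 4 + strong_len  # 4-byte rolling (weak) sum + truncated strong sum
    if len(body) % entry:
        raise ValueError("signature body is not a whole number of blocks")
    return {
        "hash": algo,
        "block_len": block_len,
        "strong_sum_len": strong_len,
        "blocks": len(body) // entry,
        # Per the advisory, MD4 signatures must not be relied on when either
        # the old or the new file may contain untrusted data.
        "safe_for_untrusted_data": algo == "blake2",
    }


def make_sample(magic: int, block_len: int, strong_len: int, n_blocks: int) -> bytes:
    """Constructed signature with placeholder sums (demonstration only)."""
    body = b"".join(struct.pack(">I", 0x1000 + i) + bytes([i]) * strong_len
                    for i in range(n_blocks))
    return HEADER.pack(magic, block_len, strong_len) + body


LEGACY_SIG = make_sample(RS_MD4_SIG_MAGIC, 2048, 8, 2)    # old-style, 8-byte MD4
NEW_SIG = make_sample(RS_BLAKE2_SIG_MAGIC, 2048, 32, 1)   # 1.0.0-style BLAKE2

if __name__ == "__main__":
    for name, sig in (("legacy", LEGACY_SIG), ("1.0.0", NEW_SIG)):
        print(name, inspect_signature(sig))
```

Pointing inspect_signature at stored .sig files from a backup job shows which signatures still need regenerating after the upgrade.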
The rdiff-backup packages have been rebuilt for this reason.

Updated packages

MBS1 x86_64

 e9e5dbb84ff6effa94d8b37d805e4500  mbs1/x86_64/lib64rsync2-1.0.0-1.mbs1.x86_64.rpm
 db4b256939b54eb5919eceedf50f4192  mbs1/x86_64/lib64rsync-devel-1.0.0-1.mbs1.x86_64.rpm
 ffaaf1c1364528d0c18bdda8cf514c34  mbs1/x86_64/rdiff-1.0.0-1.mbs1.x86_64.rpm
 fd173f99aecfaa9d1d8d9af132b136b6  mbs1/x86_64/rdiff-backup-1.3.3-6.1.mbs1.x86_64.rpm
 707dc6da51d7451541ce83400ee33f3a  mbs1/SRPMS/librsync-1.0.0-1.mbs1.src.rpm
 eb91121a971f6079d3b666419e08e0db  mbs1/SRPMS/rdiff-backup-1.3.3-6.1.mbs1.src.rpm

References

http://advisories.mageia.org/MGASA-2015-0146.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================