Bug 1269782
Summary: | lsyncd: Direct mode allows injecting unauthorized filesystem operations [epel-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | Adam Mariš <amaris> |
Component: | lsyncd | Assignee: | Jason Taylor <jtfas90> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | el6 | CC: | filip, jtfas90, lkundrak, martin, pwouters, scenek, troxor0 |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Release Note | |
Last Closed: | 2017-03-05 00:29:51 UTC | Type: | --- |
Bug Blocks: | 1269780 |
Description
Adam Mariš
2015-10-08 08:11:02 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

```
=====

# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1269780,1269782

# Description of your update
notes=Security fix for

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======
```

Additionally, you may opt to use the bodhi update submission link instead:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1269780,1269782

We should be able to close this ticket since default-direct.lua doesn't get installed in epel versions of lsyncd:

```
[jason@cent7 ~]$ rpm -qi lsyncd
Name        : lsyncd
Version     : 2.1.5
Release     : 6.el7
Architecture: x86_64
Install Date: Sat 14 Jan 2017 01:23:48 PM EST
Group       : Applications/Internet
Size        : 210392
License     : GPLv2+
Signature   : RSA/SHA256, Wed 19 Nov 2014 12:02:22 AM EST, Key ID 6a2faea2352c64e5
Source RPM  : lsyncd-2.1.5-6.el7.src.rpm
Build Date  : Tue 18 Nov 2014 10:44:51 AM EST
Build Host  : buildhw-08.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://code.google.com/p/lsyncd/
Summary     : File change monitoring and synchronization daemon
Description :
Lsyncd watches a local directory trees event monitor interface (inotify).
It aggregates and combines events for a few seconds and then spawns one (or
more) process(es) to synchronize the changes. By default this is rsync.

Lsyncd is thus a light-weight live mirror solution that is comparatively easy
to install not requiring new file systems or block devices and does not hamper
local file system performance.
[jason@cent7 ~]$ rpm -ql lsyncd
/etc/logrotate.d/lsyncd
/etc/lsyncd.conf
/etc/sysconfig/lsyncd
/usr/bin/lsyncd
/usr/lib/systemd/system/lsyncd.service
/usr/share/doc/lsyncd-2.1.5
/usr/share/doc/lsyncd-2.1.5/COPYING
/usr/share/doc/lsyncd-2.1.5/ChangeLog
/usr/share/doc/lsyncd-2.1.5/examples
/usr/share/doc/lsyncd-2.1.5/examples/lbash.lua
/usr/share/doc/lsyncd-2.1.5/examples/lecho.lua
/usr/share/doc/lsyncd-2.1.5/examples/lgforce.lua
/usr/share/doc/lsyncd-2.1.5/examples/limagemagic.lua
/usr/share/doc/lsyncd-2.1.5/examples/lpostcmd.lua
/usr/share/doc/lsyncd-2.1.5/examples/lrsync.lua
/usr/share/doc/lsyncd-2.1.5/examples/lrsyncssh.lua
/usr/share/man/man1/lsyncd.1.gz

[jason@localhost ~]$ rpm -qi lsyncd
Name        : lsyncd                       Relocations: (not relocatable)
Version     : 2.1.5                             Vendor: Fedora Project
Release     : 0.el6                         Build Date: Fri 12 Jun 2015 01:15:21 PM EDT
Install Date: Sat 14 Jan 2017 12:33:19 PM EST   Build Host: buildvm-21.phx2.fedoraproject.org
Group       : Applications/Internet         Source RPM: lsyncd-2.1.5-0.el6.src.rpm
Size        : 209441                           License: GPLv2+
Signature   : RSA/8, Sat 13 Jun 2015 01:03:44 PM EDT, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://code.google.com/p/lsyncd/
Summary     : File change monitoring and synchronization daemon
Description :
Lsyncd watches a local directory trees event monitor interface (inotify).
It aggregates and combines events for a few seconds and then spawns one (or
more) process(es) to synchronize the changes. By default this is rsync.

Lsyncd is thus a light-weight live mirror solution that is comparatively easy
to install not requiring new file systems or block devices and does not hamper
local file system performance.
[jason@localhost ~]$ rpm -ql lsyncd
/etc/logrotate.d/lsyncd
/etc/lsyncd.conf
/etc/rc.d/init.d/lsyncd
/etc/sysconfig/lsyncd
/usr/bin/lsyncd
/usr/share/doc/lsyncd-2.1.5
/usr/share/doc/lsyncd-2.1.5/COPYING
/usr/share/doc/lsyncd-2.1.5/ChangeLog
/usr/share/doc/lsyncd-2.1.5/examples
/usr/share/doc/lsyncd-2.1.5/examples/lbash.lua
/usr/share/doc/lsyncd-2.1.5/examples/lecho.lua
/usr/share/doc/lsyncd-2.1.5/examples/lgforce.lua
/usr/share/doc/lsyncd-2.1.5/examples/limagemagic.lua
/usr/share/doc/lsyncd-2.1.5/examples/lpostcmd.lua
/usr/share/doc/lsyncd-2.1.5/examples/lrsync.lua
/usr/share/doc/lsyncd-2.1.5/examples/lrsyncssh.lua
/usr/share/man/man1/lsyncd.1.gz
/var/log/lsyncd
/var/run/lsyncd
[jason@localhost ~]$

[jason@localhost ~]$ rpm -qi lsyncd
Name        : lsyncd                       Relocations: (not relocatable)
Version     : 2.1.4                             Vendor: Fedora Project
Release     : 4.el5.1.1                     Build Date: Tue 18 Nov 2014 11:11:43 AM EST
Install Date: Sat 14 Jan 2017 01:20:59 PM EST   Build Host: buildhw-11.phx2.fedoraproject.org
Group       : Applications/Internet         Source RPM: lsyncd-2.1.4-4.el5.1.1.src.rpm
Size        : 208694                           License: GPLv2+
Signature   : DSA/SHA1, Wed 19 Nov 2014 12:05:33 AM EST, Key ID 119cc036217521f6
Packager    : Fedora Project
URL         : http://code.google.com/p/lsyncd/
Summary     : File change monitoring and synchronization daemon
Description :
Lsyncd watches a local directory trees event monitor interface (inotify).
It aggregates and combines events for a few seconds and then spawns one (or
more) process(es) to synchronize the changes. By default this is rsync.

Lsyncd is thus a light-weight live mirror solution that is comparatively easy
to install not requiring new file systems or block devices and does not hamper
local file system performance.
[jason@localhost ~]$ rpm -ql lsyncd
/etc/logrotate.d/lsyncd
/etc/lsyncd.conf
/etc/rc.d/init.d/lsyncd
/etc/sysconfig/lsyncd
/usr/bin/lsyncd
/usr/share/doc/lsyncd-2.1.4
/usr/share/doc/lsyncd-2.1.4/COPYING
/usr/share/doc/lsyncd-2.1.4/ChangeLog
/usr/share/doc/lsyncd-2.1.4/examples
/usr/share/doc/lsyncd-2.1.4/examples/lbash.lua
/usr/share/doc/lsyncd-2.1.4/examples/lecho.lua
/usr/share/doc/lsyncd-2.1.4/examples/lgforce.lua
/usr/share/doc/lsyncd-2.1.4/examples/limagemagic.lua
/usr/share/doc/lsyncd-2.1.4/examples/lpostcmd.lua
/usr/share/doc/lsyncd-2.1.4/examples/lrsync.lua
/usr/share/doc/lsyncd-2.1.4/examples/lrsyncssh.lua
/usr/share/man/man1/lsyncd.1.gz
/var/log/lsyncd
/var/run/lsyncd
```