In rsync > 3.2.0pre1, rsync-ssl does not verify the hostname in the server certificate in openssl mode, so a man-in-the-middle attacker with a valid certificate for another hostname could intercept connections. Upstream patch: https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414
Acknowledgments: Name: Matt McCutchen
Created rsync tracking bugs for this issue: Affects: fedora-32 [bug 1875550]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14387
Hi, the information that the issue is fixed in 3.2.3: is this correct? Upstream commit c3f7414c450f ("rsync-ssl: Verify the hostname in the certificate when using openssl.") seems not to have been included in the v3.2.3 release. Regards, Salvatore
In reply to comment #5:
> The information that the issue is fixed in 3.2.3: is this correct?
You're right, that's incorrect; it occurred due to a misinterpretation of a comment regarding a new *package* release of 3.2.3 with a patch, and not the patch being in 3.2.3 itself. I've adjusted the metadata accordingly. Thanks for reporting that, and apologies for the confusion around this.
Mitigation: This vulnerability can be mitigated by not using rsync-ssl in openssl mode.
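Before relying on the mitigation above, an administrator will usually want to know whether the rsync-ssl wrapper actually installed on a host carries the hostname check. The script below is an added example written for this report; it is not rsync-ssl itself and not the upstream patch. It assumes that the wrapper's openssl mode launches `openssl s_client` on a single line, and it looks for the `-verify_hostname` option (OpenSSL 1.1.0 and later), which is what makes `s_client` reject a certificate whose names do not match the host being contacted; chain validation alone (`-verify`, `-verify_return_error`) does not. The three sample wrapper files are constructed for the demonstration and are not real rsync-ssl contents.

```shell
#!/bin/sh
# Added example for CVE-2020-14387 (not the rsync project's rsync-ssl script
# and not the upstream fix). Audits a wrapper script that launches
# "openssl s_client" and reports whether it passes -verify_hostname.

# audit_s_client_line FILE
# Prints one of: verified | unverified | no-s_client
# Assumption: the s_client invocation, if any, sits on one line.
audit_s_client_line() {
    script="$1"
    # First line that invokes s_client and is not a shell comment.
    line=$(grep 's_client' "$script" | grep -v '^[[:space:]]*#' | head -n 1)
    if [ -z "$line" ]; then
        echo "no-s_client"
        return 0
    fi
    case "$line" in
        *-verify_hostname*) echo "verified" ;;
        *)                  echo "unverified" ;;
    esac
}

# --- constructed sample wrappers (not real rsync-ssl contents) -----------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Weak form: the chain is verified (-verify 4, -verify_return_error) but the
# certificate's names are never compared against $hostname.
printf '%s\n' \
  '#!/bin/sh' \
  'hostname=$1; port=$2' \
  'exec openssl s_client -quiet -verify_quiet -verify_return_error -verify 4 -connect "$hostname:$port"' \
  > "$workdir/weak.sh"

# Hardened form: same call plus SNI (-servername) and -verify_hostname.
printf '%s\n' \
  '#!/bin/sh' \
  'hostname=$1; port=$2' \
  'exec openssl s_client -quiet -verify_quiet -verify_return_error -verify 4 -servername "$hostname" -verify_hostname "$hostname" -connect "$hostname:$port"' \
  > "$workdir/hardened.sh"

# Only a commented-out s_client line: nothing to audit.
printf '%s\n' '#!/bin/sh' '# openssl s_client -connect host:873' 'exit 0' \
  > "$workdir/none.sh"

WEAK_RESULT=$(audit_s_client_line "$workdir/weak.sh")
HARDENED_RESULT=$(audit_s_client_line "$workdir/hardened.sh")
NONE_RESULT=$(audit_s_client_line "$workdir/none.sh")

echo "weak.sh:     $WEAK_RESULT"      # unverified
echo "hardened.sh: $HARDENED_RESULT"  # verified
echo "none.sh:     $NONE_RESULT"      # no-s_client
```

Run it against the real wrapper with `audit_s_client_line /path/to/rsync-ssl` (after sourcing the function); a result of `unverified` means the openssl mode should not be used until the wrapper is updated, which is exactly the mitigation stated above. The check only covers the openssl backend; a wrapper using a different TLS helper needs its own audit.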
To be fixed in the 3.2.4 release [1].
[1] https://download.samba.org/pub/rsync/NEWS#3.2.4