In rsync > 3.2.0pre1, rsync-ssl does not verify the hostname in the server certificate in openssl mode, so a man-in-the-middle attacker with a valid certificate for another hostname could intercept connections.
Upstream patch: https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414
Name: Matt McCutchen
Created rsync tracking bugs for this issue:
Affects: fedora-32 [bug 1875550]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
The information that the issue is fixed in 3.2.3: is this correct? Upstream commit c3f7414c450f ("rsync-ssl: Verify the hostname in the certificate when using openssl.") seems not to have been included in the v3.2.3 release.
In reply to comment #5:
> The information that the issue is fixed in 3.2.3: is this correct?
You're right, that's incorrect and occurred due to a misinterpretation of a comment regarding a new *package* release of 3.2.3 with a patch, not the patch being in 3.2.3 itself. I've adjusted the metadata accordingly. Thanks for reporting that, and apologies for the confusion around this.
This vulnerability can be mitigated by not using rsync-ssl in openssl mode.
To be fixed in the 3.2.4 release.
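As an added example (not part of this bug report or of the rsync project), the check below audits an rsync-ssl script for the defect described above: whether its openssl-mode `openssl s_client` command line carries `-verify_hostname`. It assumes the upstream fix adds that flag to the s_client invocation; the two sample scripts are constructed stand-ins, not the real rsync-ssl.

```shell
#!/bin/sh
# Added example: audit an rsync-ssl script for certificate hostname verification
# in openssl mode. Assumption: the fixed script passes "-verify_hostname" to
# "openssl s_client"; the sample scripts below are constructed for this demo.

# Exit 0 if every "s_client" line in FILE carries -verify_hostname,
# 1 if any such line lacks it (vulnerable), 2 if no s_client invocation exists.
rsync_ssl_verifies_hostname() {
    file=$1
    count=$(grep -c 's_client' "$file" || true)
    [ "$count" -gt 0 ] || return 2
    if grep 's_client' "$file" | grep -vq -- '-verify_hostname'; then
        return 1
    fi
    return 0
}

# Human-readable verdict for one script path.
audit_rsync_ssl() {
    rsync_ssl_verifies_hostname "$1"
    case $? in
        0) echo "$1: OK, hostname is verified in openssl mode" ;;
        1) echo "$1: VULNERABLE, s_client invoked without -verify_hostname" ;;
        *) echo "$1: no openssl s_client invocation found" ;;
    esac
}

# Constructed sample of the vulnerable invocation (peer hostname not checked).
VULN_SCRIPT=$(mktemp)
cat > "$VULN_SCRIPT" <<'EOF'
exec openssl s_client -quiet -verify_quiet -servername "$hostname" -verify 1 -connect "$hostname:$port"
EOF

# Constructed sample of the fixed invocation (hostname bound to the certificate).
FIXED_SCRIPT=$(mktemp)
cat > "$FIXED_SCRIPT" <<'EOF'
exec openssl s_client -quiet -verify_quiet -servername "$hostname" -verify 1 -verify_hostname "$hostname" -connect "$hostname:$port"
EOF

audit_rsync_ssl "$VULN_SCRIPT"
audit_rsync_ssl "$FIXED_SCRIPT"
```

On a real system, point `audit_rsync_ssl` at the installed `rsync-ssl` (for example `$(command -v rsync-ssl)`) to see which invocation it ships.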