Bug 2469060 (CVE-2026-43617) - CVE-2026-43617 rsync: rsync: Hostname-based ACL bypass in daemon chroot configuration
Summary: CVE-2026-43617 rsync: rsync: Hostname-based ACL bypass in daemon chroot confi...
Keywords:
Status: NEW
Alias: CVE-2026-43617
Deadline: 2026-05-20
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-11 14:46 UTC by OSIDB Bzimport
Modified: 2026-05-22 13:01 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-11 14:46:24 UTC
Title: Hostname/ACL bypass on an rsync daemon with "daemon chroot = /X" set
when /X lacks DNS resolution support.
Description: On an rsync daemon configured with the global "daemon chroot =
/X" rsyncd.conf setting, the reverse-DNS lookup of the connecting client
was performed *after* the daemon had chrooted into /X. If /X did not
contain the files glibc needs for resolution (/etc/resolv.conf,
/etc/nsswitch.conf, /etc/hosts, NSS service modules), the lookup failed and
the connecting hostname was set to "UNKNOWN". Hostname-based deny rules
("hosts deny = *.evil.example") therefore could not match, and an attacker
controlling their PTR record could connect from a hostname the
administrator had intended to deny. IP-based ACLs are unaffected. The
per-module "use chroot" setting is unrelated to this issue.
Reach: rsync daemon configured with "daemon chroot = /X" AND hostname-based
ACLs AND /X does not include the libc resolver fixtures.
CWE: CWE-289 (Authentication Bypass by Alternate Name).
Reporter: MegaManSec.
GHSA:


Note You need to log in before you can comment on or make changes to this bug.