It was found that rsync mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions.

Upstream patches:
https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3
https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55
https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b

Created rsync tracking bugs for this issue:
Affects: fedora-all [bug 1511414]

Created rsync-bpc tracking bugs for this issue:
Affects: epel-7 [bug 1511413]
Affects: fedora-all [bug 1511412]
None of the commits listed will apply to rsync-bpc. Most of the code around the changes just isn't there. What version of rsync are they supposed to work with?
(In reply to Richard Shaw from comment #2)
> None of the commits listed will apply to rsync-bpc. Most of the code around
> the changes just isn't there.
>
> What version of rsync are they supposed to work with?

It's entirely possible that rsync-bpc is not vulnerable to these issues; I did not investigate in depth.
I think it's only minimally altered to be able to pass some attributes BackupPC needs, so I would think it would be, but it's only used from the server side to a client, which I think makes this less of a concern.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.