File _patchinfo of Package patchinfo.36939
<patchinfo incident="36939">
  <issue tracker="bnc" id="1234101">VUL-0: CVE-2024-12085: rsync: Info Leak via uninitialized Stack contents defeats ASLR</issue>
  <issue tracker="bnc" id="1234102">VUL-0: CVE-2024-12086: rsync: server leaks arbitrary client files</issue>
  <issue tracker="bnc" id="1234103">VUL-0: CVE-2024-12087: rsync: server can make client write files outside of destination directory using symbolic links</issue>
  <issue tracker="bnc" id="1234104">VUL-0: CVE-2024-12088: rsync: --safe-links bypass</issue>
  <issue tracker="cve" id="2024-12086"/>
  <issue tracker="cve" id="2024-12085"/>
  <issue tracker="cve" id="2024-12088"/>
  <issue tracker="cve" id="2024-12087"/>
  <packager>ayankov</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rsync</summary>
  <description>This update for rsync fixes the following issues:

NOTE: This update was retracted due to a buggy security fix. A followup update will be provided.

- CVE-2024-12085: leak of uninitialized stack data on the server leading to possible ASLR bypass. (bsc#1234101)
- CVE-2024-12086: leak of a client machine's file contents through the processing of checksum data. (bsc#1234102)
- CVE-2024-12087: arbitrary file overwrite possible on clients when symlink syncing is enabled. (bsc#1234103)
- CVE-2024-12088: bypass of the --safe-links flag may allow the placement of unsafe symlinks in a client. (bsc#1234104)
</description>
  <retracted/>
</patchinfo>