3175x175(CURRENT).thumb.jpg.b05acc060982b36f5891ba728e6d953c.jpg)
If you are running an Ubuntu-based operating system such as Ubuntu, Kubuntu, Lubuntu, and even Linux Mint, you really need to apply available updates to patch the rsync package. Fixes have just been issued to address numerous vulnerabilities that allow remote code execution and affect servers and client machines.
Highlighting the issues, Canonical says:
Security researchers at Google (Pedro Gallegos, Simon Scannell, and Jasiel Spelman) discovered vulnerabilities in the rsync server and rsync client. The rsync server vulnerabilities (CVE-2024-12084 and CVE-2024-12085) ultimately allow remote code execution (RCE). The rsync client vulnerabilities allow a malicious server to read arbitrary files (CVE-2024-12086), create unsafe symlinks (CVE-2024-12087) and overwrite arbitrary files in certain circumstances (CVE-2024-12088).
During the coordinated vulnerability response of the above issues, a sixth vulnerability (CVE-2024-12747) which affects how the rsync server handles symlinks was reported by Aleksei Gorban.
Canonical’s security team has released updates of the rsync packages for all supported Ubuntu releases. The updates remediate CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747. Information on the affected versions can be found in the CVE pages linked above.
If you are on Ubuntu 16.04 LTS or above, the unattended-upgrades feature is enabled by default, which means these security updates will be applied within 24 hours of them being available. If you've switched that off or are using another distribution, then you might have to get the update yourself via your update manager or the terminal.
To update via the terminal, enter the following command and input your password when requested:
sudo apt update && sudo apt upgrade
If you can't upgrade all packages and want to just update rsync then you can use the following command:
sudo apt update && sudo apt install --only-upgrade rsync
If you're wondering whether you really need to update the rsync package now, the answer is yes, you should do it as soon as possible. It can impact both servers and end user computers, and it can all be done remotely.
The fixed packages for each Ubuntu release are as follows:
| Release | Package Name | Fixed Version |
|---|---|---|
|
Trusty (14.04 LTS) |
rsync |
3.1.0-2ubuntu0.4+esm1 |
|
Xenial (16.04 LTS) |
rsync |
3.1.1-3ubuntu1.3+esm3 |
|
Bionic (18.04 LTS) |
rsync |
3.1.2-2.1ubuntu1.6+esm1 |
|
Focal (20.04 LTS) |
rsync |
3.1.3-8ubuntu0.8 |
|
Jammy (22.04 LTS) |
rsync |
3.2.7-0ubuntu0.22.04.3 |
|
Noble (24.04 LTS) |
rsync |
3.2.7-1ubuntu1.1 |
|
Oracular (24.10) |
rsync |
fix not available |
You can open the terminal and run dpkg -l rsync to check if you have the updated package. If you have a lower version, open up the update manager and look to see if the update is available. This package comes pre-installed on most Ubuntu-based systems so it's important for everyone to check that they're updated.
Hope you enjoyed this news post.
Thank you for appreciating my time and effort posting news every day for many years.
News posts... 2023: 5,800+ | 2024: 5,700+
RIP Matrix | Farewell my friend 
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.