Alert GCSA-25006 - Vulnerabilita' multiple in Rsync

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

******************************************************************

Alert ID: GCSA-25006
Data: 15 Gennaio 2025
Titolo: Vulnerabilita' multiple in Rsync

******************************************************************

:: Descrizione del problema

Sono state individuate 6 vulnerabilita' in Rsync,
con criticita' variabile, la piu' severa delle quali potrebbe consentire
l'esecuzione remota di codice arbitrario, ottenendo l'accesso anonimo in lettura
sul server rsync.

Maggiori informazioni sono disponibili alla sezione "Riferimenti".


:: Software interessato

Rsync versioni precedenti alla 3.4.0


:: Impatto

Remote Code Execution
Privilege Escalation
Information Disclosure


:: Soluzioni

Aggiornare il software all'ultima versione:

https://github.com/RsyncProject/rsync
https://download.samba.org/pub/rsync/src/


:: Riferimenti

OpenWall.com:
https://www.openwall.com/lists/oss-security/2025/01/14/3

Deeping.org
https://www.deepin.org/en/rsync-vulnerability-announcement/

CERT/CC
https://kb.cert.org/vuls/id/952657

CIRCL:
https://vulnerability.circl.lu/bundle/d938dc28-6877-40db-ad5f-25f3051288e6

Mitre CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12747




GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iGsEAREIACsWIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCZ4epXQ0cY2VydEBnYXJy
Lml0AAoJEMGcTJNlEmBCO0QAn248vegoXMKVOXOSLCQW27R2TURNAKDaboR3rdBa
p2VtvQE4f1xUrUFLmQ==
=AINa
-----END PGP SIGNATURE-----