Date: Fri, 1 Feb 2002 08:13:24 -0800 (PST)
From: Brian Behlendorf
To: security@freebsd.org
Subject: rsync core dumping?
Message-ID: <20020201080635.H14011-100000@localhost>

So there've been numerous bulletins to bugtraq, etc. about remote vulnerabilities in rsync prior to 2.4.6 or so. I saw no FreeBSD-specific announcements, however the hole appeared to be pretty generic, so I upgraded anyways to the current version in /usr/ports, 2.5.2.

Since the vulnerability announcements, and both before *and* after my upgrade, I've been seeing core dumps from the two public rsync servers I run for apache.org.

Feb 1 07:34:09 daedalus /kernel: pid 81088 (rsync), uid 65534: exited on signal 11

Since it runs as an untrusted user and I see no evidence of a compromise I assume it's script kiddies trying whatever Linux exploit shove-3-K-of-^@'s-in-a-header kind of attack they might have, but the fact that it still causes a seg fault despite upgrading to a supposedly "fixed" version is somewhat concerning.

Is anyone else seeing this? I can't recreate what causes the core dump; I suppose doing a tcpdump to see what people are feeding my server is the next step.

Brian