From owner-freebsd-security Fri Feb 1 9:53:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31])
    by hub.freebsd.org (Postfix) with ESMTP id A222437B402
    for ; Fri, 1 Feb 2002 09:53:24 -0800 (PST)
Received: from corona.cs.wm.edu (corona [128.239.2.50])
    by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g11HqfG06283
    for ; Fri, 1 Feb 2002 12:52:42 -0500 (EST)
Received: (from zvezdan@localhost)
    by corona.cs.wm.edu (8.11.6/8.9.1) id g11HrMP19520
    for security@FreeBSD.ORG; Fri, 1 Feb 2002 12:53:22 -0500
Date: Fri, 1 Feb 2002 12:53:22 -0500
From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Subject: Re: rsync core dumping?
Message-ID: <20020201125322.A19287@corona.cs.wm.edu>
Mail-Followup-To: security@FreeBSD.ORG
References: <20020201080635.H14011-100000@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020201080635.H14011-100000@localhost>; from brian@collab.net on Fri, Feb 01, 2002 at 08:13:24AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Feb 01, 2002 at 08:13:24AM -0800, Brian Behlendorf wrote:
>
> So there've been numerous bulletins to bugtraq, etc. about remote
> vulnerabilities in rsync prior to 2.4.6 or so. I saw no FreeBSD-specific
> announcements, however the hole appeared to be pretty generic, so I
> upgraded anyways to the current version in /usr/ports, 2.5.2. Since the
> vulnerability announcements, and both before *and* after my upgrade, I've
> been seeing core dumps from the two public rsync servers I run for
> apache.org.
>
> Feb 1 07:34:09 daedalus /kernel: pid 81088 (rsync), uid 65534: exited on signal 11
>
> Since it runs as an untrusted user and I see no evidence of a compromise I
> assume it's script kiddies trying whatever linux exploit
> shove-3-K-of-^@'s-in-a-header kind of attack they might have, but the fact
> that it still causes a seg fault despite upgrading to a supposedly "fixed"
> version is somewhat concerning. Is anyone else seeing this? I can't
> recreate what causes the core dump, I suppose doing a tcpdump to see what
> people are feeding my server is the next step.
>
> Brian
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

I don't know about FreeBSD package since I do not use rsync on my BSD
machine, but on the network I maintain Red Hat issued two rsync updates
in five days. The first one was the security issue. The second one was
a fix because rsync segfaulted and even corrupted file system.

FWIW.

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/