Date: Wed, 10 Aug 2022 09:19:11 GMT From: Rodrigo Osorio <rodrigo@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 6c5b063e240b - main - security/vuxml: Document rsync client-side arbitrary file write vulnerability Message-ID: <202208100919.27A9JB0J013599@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by rodrigo: URL: https://cgit.FreeBSD.org/ports/commit/?id=6c5b063e240ba123d9d8d888cf00866f50766afd commit 6c5b063e240ba123d9d8d888cf00866f50766afd Author: Rodrigo Osorio <rodrigo@FreeBSD.org> AuthorDate: 2022-08-10 09:01:54 +0000 Commit: Rodrigo Osorio <rodrigo@FreeBSD.org> CommitDate: 2022-08-10 09:04:11 +0000 security/vuxml: Document rsync client-side arbitrary file write vulnerability PR: 265633 --- security/vuxml/vuln-2022.xml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 73ba3098a9ea..97428fd8d4c8 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,36 @@ + <vuln vid="21f43976-1887-11ed-9911-40b034429ecf"> + <topic>rsync -- client-side arbitrary file write vulnerability</topic> + <affects> + <package> + <name>rsync</name> + <range><lt>3.2.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Openwall oss-security reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2022/08/02/1">; + <p>We have discovered a critical arbitrary file write vulnerability + in the rsync utility that allows malicious remote servers to write + arbitrary files inside the directories of connecting peers. + The server chooses which files/directories are sent to the client. + Due to the insufficient controls inside the do_server_recv function + a malicious rysnc server (or Man-in-The-Middle attacker) can + overwrite arbitrary files in the rsync client target directory and + subdirectories.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-29154</cvename> + <url>https://www.openwall.com/lists/oss-security/2022/08/02/1</url>; + </references> + <dates> + <discovery>2022-08-02</discovery> + <entry>2022-08-10</entry> + </dates> + </vuln> + <vuln vid="1cd0c17a-17c0-11ed-91a5-080027f5fec9"> <topic>gnutls -- double free vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202208100919.27A9JB0J013599>