rpm package
suse/rsync&distro=SUSE Linux Enterprise Server for SAP Applications 11 SP4
pkg:rpm/suse/rsync&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-5764 | High | 7.5 | | < 3.0.4-2.53.6.1 | 3.0.4-2.53.6.1 | Jan 17, 2018 | The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. |
| CVE-2017-17434 | Critical | 9.8 | | < 3.0.4-2.53.3.1 | 3.0.4-2.53.3.1 | Dec 6, 2017 | The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xna |
| CVE-2017-17433 | Low | 3.7 | | < 3.0.4-2.53.3.1 | 3.0.4-2.53.3.1 | Dec 6, 2017 | The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended acces |
| CVE-2017-16548 | Critical | 9.8 | | < 3.0.4-2.53.3.1 | 3.0.4-2.53.3.1 | Nov 6, 2017 | The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified o |
| CVE-2014-8242 | — | | | < 3.0.4-2.49.1 | 3.0.4-2.49.1 | Oct 26, 2015 | librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack. |
| CVE-2014-9512 | — | | | < 3.0.4-2.49.1 | 3.0.4-2.49.1 | Feb 12, 2015 | rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. |