From: Matt Crawford
Subject: CRITICAL VULNERABILITY: rsync server
Date: December 4, 2003 5:14:30 PM CST
To: cppm_reg_sysadmins@fnal.gov
Cc: linux-users@fnal.gov, computer_security@fnal.gov
Reply-To: Computer Security Team

There is an exploitable vulnerability in the rsync service. Any machine running that service must update to version 2.5.7.

For Fermi Linux 7.1, 7.3 and 9.0, RPMs are available in the "rolling" set and will be in the auto yum area tomorrow. See Connie's mail at http://listserv.fnal.gov/scripts/wa.exe?A2=ind0312&L=linux-users&F=&S=&P=6091

For other systems, get a fix from a vendor or build from source. See the announcement at http://www.secunia.com/advisories/10353/ for information.

If you have users who execute rsync through an rsh or ssh connection, your system is vulnerable only to those authenticated users. You ought to fix rsync, but it's not so urgent.

Below is a list of systems that have offered the rsync service in the past month. Any that aren't reported as patched by noon Wednesday, December 10, may be blocked from network access. We'll make an effort to look up system managers for them before then, but we may not find them all. Send reports of systems patched to nightwatch@fnal.gov.

[[ List of affected systems removed from this web page. ]]
[[ It is available for local viewing at ]]
[[ http://computing.fnal.gov/security/CriticalVuln/private/rsync.txt ]]
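As an added example (not part of the advisory or of Fermilab's tooling), the following POSIX shell check classifies a host the way the mail does: installed rsync older than 2.5.7 and serving an rsync daemon on TCP 873 is urgent, older but only reachable over rsh/ssh needs a patch but is less urgent, and 2.5.7 or newer is fine. It assumes `rsync --version` prints "rsync  version X.Y.Z ..." on its first line and that `ss` or `netstat` is available to list TCP listeners.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a host the way the mail does.
# Assumes: `rsync --version` prints "rsync  version X.Y.Z ..." on its first
# line, and `ss` or `netstat` is available to list TCP listeners.

FIXED_VERSION="2.5.7"   # fixed release named in the advisory

# Turn a dotted version into a sortable integer: 2.5.7 -> 2005007
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1+0, $2+0, $3+0 }'
}

# version_lt A B: succeeds when version A is lower than version B
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# Extract the version number from `rsync --version` output read on stdin
parse_rsync_version() {
    sed -n '1s/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# Read an `ss -ltn` / `netstat -ltn` listing on stdin; "daemon" when an
# rsync daemon is listening on TCP 873 (exposed to the network), else
# "shell" (rsync only reachable by authenticated rsh/ssh users).
exposure_from_listing() {
    if grep -q ':873[[:space:]]'; then echo daemon; else echo shell; fi
}

# rsync_status VERSION EXPOSURE -> urgent | patch | ok, per the advisory:
# vulnerable daemon = fix now; vulnerable but shell-only = fix, less urgent.
rsync_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        if [ "$2" = daemon ]; then echo urgent; else echo patch; fi
    else
        echo ok
    fi
}

# Run the checks against the local host and print one summary line
check_local_rsync() {
    v=$(rsync --version 2>/dev/null | parse_rsync_version)
    [ -n "$v" ] || { echo "rsync: not installed"; return 0; }
    exposure=$({ ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | exposure_from_listing)
    echo "rsync $v exposure=$exposure status=$(rsync_status "$v" "$exposure")"
}

if [ "${1:-}" = "--check" ]; then check_local_rsync; fi
```

Run it as `sh rsync-check.sh --check` on each host that appeared in the list; a host whose listing tools are missing is reported as "shell", so confirm port 873 by other means in that case.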