Critical Updates for rsync Package on Ubuntu-Based Systems
Users running Ubuntu-based operating systems—including Ubuntu, Kubuntu, Lubuntu, and Linux Mint—are being urged to promptly apply updates to the rsync package. Recent patches have been released to rectify multiple vulnerabilities that could lead to remote code execution (RCE) on both server and client platforms.
Overview of Vulnerabilities
In a detailed disclosure by Canonical, security researchers from Google (Pedro Gallegos, Simon Scannell, and Jasiel Spelman) identified significant vulnerabilities within the rsync server and client. The specific vulnerabilities include:
The rsync server issues (CVE-2024-12084 and CVE-2024-12085) present the risk of remote code execution. Meanwhile, the client vulnerabilities enable a compromised server to access arbitrary files (CVE-2024-12086), create insecure symlinks (CVE-2024-12087), and potentially overwrite files in certain scenarios (CVE-2024-12088).
Additionally, a sixth vulnerability (CVE-2024-12747) was reported by Aleksei Gorban, highlighting problems with how the rsync server manages symlinks.
Canonical’s security team has rolled out updates for all supported Ubuntu releases, effectively addressing these critical vulnerabilities.
Updating Your System
If you are using Ubuntu 16.04 LTS or later, the unattended-upgrades feature is likely enabled by default, ensuring that security updates are applied automatically within a 24-hour window. However, if you have disabled this feature or are operating a different distribution, you will need to manually update your system via the update manager or the terminal.
Terminal Update Instructions
To perform a full update using the terminal, enter the following command:
sudo apt update && sudo apt upgrade
For users who wish to specifically update only the rsync package, use this command:
sudo apt update && sudo apt install --only-upgrade rsync
Importance of Immediate Updates
Updating the rsync package should be considered a priority. These vulnerabilities not only threaten data integrity on servers but also pose risks to end-user machines. Attackers can exploit these flaws remotely, which further emphasizes the urgency of applying these updates without delay.
Detailed Patch Information
The following table lists the fixed versions of the rsync package for various Ubuntu releases:
| Release | Package Name | Fixed Version |
|---|---|---|
| Trusty (14.04 LTS) | rsync | 3.1.0-2ubuntu0.4+esm1 |
| Xenial (16.04 LTS) | rsync | 3.1.1-3ubuntu1.3+esm3 |
| Bionic (18.04 LTS) | rsync | 3.1.2-2.1ubuntu1.6+esm1 |
| Focal (20.04 LTS) | rsync | 3.1.3-8ubuntu0.8 |
| Jammy (22.04 LTS) | rsync | 3.2.7-0ubuntu0.22.04.3 |
| Noble (24.04 LTS) | rsync | 3.2.7-1free1.1 |
| Oracular (24.10) | rsync | fix not available |
Verification of Update
To confirm whether your package has been updated, run the following command in the terminal:
dpkg -l rsync
If your version is outdated, open your update manager to check for available updates. The rsync package is typically pre-installed on many Ubuntu-based systems, making it essential for all users to ensure they have the latest version for security reasons.
For further details, visit this source.
Leave a Reply