| Description: | rsync is a program for sychronizing files over the network.
A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.
All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue.
NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command:
/sbin/chkconfig --list rsync
If the rsync server has been enabled but is not required, it can be disabled by running the following command as root:
/sbin/chkconfig rsync off
Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue.
|