Goverp Advocate
Joined: 07 Mar 2007 Posts: 2201
Posted: Sat Jan 25, 2025 9:50 am Post subject: rsync vulnerabilities
There's been a flurry of interest in a batch of vulnerabilities in rsyncd. Release 3.4.0 is supposed to contain the fixes, so after my "emerge --update --..." today I thought I'd check, and found it was still at net-misc/rsync-3.3.0-r2, so I got all worked up. However, a dig on bugs.gentoo.org turns up bug 948106, which shows the fixes are in that "-r2", so all is well.
The bug report is interesting reading. Kudos to the Gentoo devs for taking it carefully, rather than just pumping 3.4.0 out (as at least one other distro has already done).
_________________
Greybeard
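As an added example (not code from this thread, from Gentoo, or from rsync upstream), here is the check Goverp describes written as a small POSIX shell script: compare an installed net-misc/rsync version against the lowest version that bug 948106 says carries the backported fixes, 3.3.0-r2, so that a revision bump is recognised as fixed instead of waiting for a 3.4.0 version string to appear. The installed version is a constructed string here; on a live Gentoo box it would come from portage tooling such as `qlist -Iv net-misc/rsync` (assumed, not exercised by the script). Only dotted numeric versions plus an optional `-rN` revision are handled; `_p`/`_rc` style suffixes are out of scope.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Gentoo's own tooling.
# Decides whether an installed net-misc/rsync version is at or past the
# revision that bug 948106 says carries the backported fixes (3.3.0-r2).
# Handles only dotted numeric versions plus an optional "-rN" ebuild revision;
# suffixes such as _p1 or _rc1 are deliberately out of scope here.

# pv_cmp A B: prints -1, 0 or 1 for A <, =, > B.
# The revision ("-rN", 0 when absent) is compared only after the dotted part,
# so 3.3.0-r2 > 3.3.0 and 3.4.0 > 3.3.0-r2.
pv_cmp() {
    a_ver=${1%%-r*}; a_rev=${1##*-r}; [ "$a_rev" = "$1" ] && a_rev=0
    b_ver=${2%%-r*}; b_rev=${2##*-r}; [ "$b_rev" = "$2" ] && b_rev=0
    while [ -n "$a_ver" ] || [ -n "$b_ver" ]; do
        ac=${a_ver%%.*}; bc=${b_ver%%.*}   # leading component, "" when exhausted
        if [ "${ac:-0}" -lt "${bc:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ac:-0}" -gt "${bc:-0}" ]; then printf '%s\n' 1; return; fi
        case $a_ver in *.*) a_ver=${a_ver#*.} ;; *) a_ver= ;; esac
        case $b_ver in *.*) b_ver=${b_ver#*.} ;; *) b_ver= ;; esac
    done
    if [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1; return; fi
    if [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1; return; fi
    printf '%s\n' 0
}

# Lowest unaffected version, phrased the way a GLSA would: ">= 3.3.0-r2".
RSYNC_FIXED=3.3.0-r2

# rsync_status VERSION: prints "fixed" or "vulnerable" for an installed version.
# VERSION would come from `qlist -Iv net-misc/rsync` on a Gentoo system
# (assumed, not exercised here); the demo below uses constructed strings.
rsync_status() {
    if [ "$(pv_cmp "$1" "$RSYNC_FIXED")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Constructed sample inputs: the pre-fix revision, the backport, and 3.4.0.
for v in 3.3.0-r1 3.3.0-r2 3.4.0; do
    printf 'net-misc/rsync-%s: %s\n' "$v" "$(rsync_status "$v")"
done
```

The point of the `-rN` handling is the one Goverp ran into: the fixed package can ship as a revision of the existing version rather than as the upstream release number quoted in press coverage. On a Gentoo system the authoritative answer is `glsa-check -t all`, which lists installed packages that fall inside a published GLSA's affected range.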
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5947
Posted: Mon Jan 27, 2025 11:26 am Post subject:
I wish that they would have put out a "news" article on the exploit(s), given that almost every Gentoo install needs to sync its tree over rsync (that is, unless you switch to git pulls, which I believe is still frowned upon).
The fact that it's still in progress after two weeks doesn't instill much confidence either.
_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017
Hu Administrator
Joined: 06 Mar 2007 Posts: 23059
Posted: Mon Jan 27, 2025 12:27 pm Post subject:
It looks like sam_ published a backport of the fixes fairly quickly, and that backport has been keyworded stable in Gentoo for more than a week. Yes, there seem to be reports of ongoing regressions, but given that the reporter of one such was a Debian user, it seems at least plausible that the problem is in the backport patches generally, not with anything Gentoo did specifically. Moreover, I read bug #948106, comment #10 to be that even the v3.4.0 release of rsync is experiencing regressions due to these fixes. As such, I find it quite reasonable that Gentoo is not publishing v3.4.0 yet, since it looks like 3.4.0 has even more regressions than just 3.3.0-r2. It would be nice if upstream could get this fixed more quickly, but if the CVE fixes are effective at their stated purpose, at least users can choose between having an rsync with regressions or an rsync with vulnerabilities.
sam_ Developer
Joined: 14 Aug 2020 Posts: 2111
Posted: Mon Jan 27, 2025 2:26 pm Post subject:
We already published a GLSA too, so I'm not sure what bunder is requesting.
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5947
Posted: Mon Jan 27, 2025 9:33 pm Post subject:
I didn't see the GLSA because I had already known about the issue from online reports outside of Gentoo, and had already run package updates... but if I were living under a rock, the only way I would have known it was an issue was if I manually ran glsa-check... I still think something in eselect news would have been nice, since it would have been visible any time I ran emerge.
_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017
sam_ Developer
Joined: 14 Aug 2020 Posts: 2111
Posted: Mon Jan 27, 2025 10:11 pm Post subject:
We publish GLSAs on the website, glsa-check, the mailing list, and others (e.g. LWN) repost security messages from all distros including us. We don't generally do news items for security issues because it's not the right mechanism (and it'd be duplicating it).
I think having some way of making GLSAs more visible would be nice, I'm just not yet sure what that would be.
Sometimes, for such severe vulnerabilities, we p.mask as well, but the regressions here have made that sort of painful to do (which is the same reason the bug is still IN_PROGRESS -- because cleanup remains to be done, and I haven't cleaned up yet for the same reason: in case people need to downgrade if they're affected by the regressions).