rsync 2.5.7 fixes a remotely exploitable heap overflow that, together with the do_brk bug in the kernel, could result in a remote root exploit. I suggest an updated ebuild and a message to rsync-mirror admins ASAP.
Already been done.
We caught this as it came out from the rsync folks :) Thanks for being vigilant as well though :)
Actually I'll reopen -- we may as well track the GLSA request with this bug.
Is anybody going to check if the mirrors actually all updated rsyncd (and their kernel)?
Gentoo uses 105 mirrors worldwide. Many of these mirrors are not even using Gentoo or Linux, so getting them to update their kernels is going to be quite a task; however, a mail has been sent to the gentoo-mirrors@ mailing list regarding http://marc.theaimsgroup.com/?l=rsync-announce&m=107051741303720&w=2

A complete list of rsync mirrors is being compiled now, and a remote version testing script is in the works. What we are looking at doing here is removing all servers from the main rotation and having them report in when they have updated to version 2.5.7, if they are not already running 2.5.7. Everyone else should rsync with a mirror you trust, then emerge =net-misc/rsync-2.5.7
Closing since we've publicised this via GLSA and GWN.