Bug 507698 - <net-misc/rsync-3.1.0-r1: Denial of Service (CVE-2014-2855)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-15 09:52 UTC by Agostino Sarubbo
Modified: 2015-01-03 22:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-15 09:52:40 UTC
From ${URL} :

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when
attempting to authenticate using a nonexistent username. A remote attacker could
use this flaw to cause a denial of service via CPU consumption.

Bug reports:
https://bugzilla.samba.org/show_bug.cgi?id=10551
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1307230

Fix:
https://git.samba.org/?p=rsync.git;a=commitdiff;h=0dedfbce2c1b851684ba658861fe9d620636c56a



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-15 11:48:57 UTC
+*rsync-3.1.0-r1 (15 Apr 2014)
+
+  15 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -rsync-3.1.0.ebuild,
+  +rsync-3.1.0-r1.ebuild,
+  +files/rsync-3.1.1_pre1-avoid_infinite_wait_reading_secrets_file.patch:
+  Security bump (bug #507698. Removed vulnerable version.
+
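Review bot: the last entry line, `Security bump (bug #507698. Removed vulnerable version.`, opens a parenthesis that is never closed. Write `Security bump (bug #507698).` so the bug reference is cleanly delimited from the sentence that follows.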

No stabilization needed as the affected version still is ~arch everywhere.
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-15 15:21:21 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> No stabilization needed as the affected version still is ~arch everywhere.

Are you sure that 3.0.9 is not affected?
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-15 15:36:05 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Lars Wendler (Polynomial-C) from comment #1)
> > No stabilization needed as the affected version still is ~arch everywhere.
> 
> Are you sure that 3.0.9 is not affected?

No. To be honest I trusted the bug report from launchpad which only mentions rsync-3.1.0.
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-15 17:39:56 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> No. To be honest I trusted the bug report from launchpad which only mentions
> rsync-3.1.0.

In doubt... if it is not causing regressions, we can stabilize it to stay safe...
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-16 13:09:25 UTC
(In reply to Agostino Sarubbo from comment #4)
> (In reply to Lars Wendler (Polynomial-C) from comment #3)
> > No. To be honest I trusted the bug report from launchpad which only mentions
> > rsync-3.1.0.
> 
> In doubt... if it is not causing regressions, we can stabilize it to stay
> safe...

I did tests with =net-misc/rsync-3.0.9-r3 and unpatched rsync-3.1.0.

rsync-3.0.9-r3 is not affected by this bug, only rsync-3.1.0 and rsync-3.1.1_pre1 (not in portage) are.

So no need to rush into stabilization here.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-04-17 03:48:03 UTC
Since we have verification that version rsync-3.0.9-r3 is not vulnerable, and since version 3.1.0 was never stable and has been removed, and with rsync-3.1.0-r1 being a non-vulnerable version that can be stabilized separately when ready, I am closing the bug with NOGLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 22:34:03 UTC
CVE-2014-2855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2855):
  The check_secret function in authenticate.c in rsync 3.1.0 and earlier
  allows remote attackers to cause a denial of service (infinite loop and CPU
  consumption) via a user name which does not exist in the secrets file.
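
The failure class named in the CVE text above, a secrets-file lookup that never terminates when the user name is absent, as an added example that is not rsync's code and not part of the original bug thread. `lookup()`, `src_read1()`, the sample data and the `budget` cap are assumptions made for the demonstration; the actual loop in authenticate.c is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data in "user:password" form; not taken from the page. */
static const char SAMPLE_SECRETS[] = "alice:wonderland\nbob:builder\n";

enum { FOUND = 0, NOT_FOUND = -1, SPIN = -2 };
struct src { const char *buf; size_t len, pos; };

/* Behaves like a one-byte read(2): 1 on success, 0 at EOF and on every call after it. */
static int src_read1(struct src *s, char *ch) {
    if (s->pos >= s->len) return 0;
    *ch = s->buf[s->pos++];
    return 1;
}

/*
 * Hypothetical lookup(): find `user` and copy its password into `pass`.
 * eof_ends_search == 0 models the defect class: a zero-byte read is handled
 * like an ordinary end of line, so an exhausted file yields empty lines forever.
 * `budget` caps the lines parsed so the demo returns SPIN instead of hanging.
 */
static int lookup(const char *data, const char *user, char *pass, size_t passlen,
                  int eof_ends_search, long budget) {
    struct src s = { data, strlen(data), 0 };
    size_t ulen = strlen(user);
    char line[256];
    for (;;) {
        size_t n = 0;
        char ch = 0;
        int got;
        if (budget-- <= 0) return SPIN;
        while ((got = src_read1(&s, &ch)) == 1 && ch != '\n')
            if (n + 1 < sizeof line) line[n++] = ch;
        line[n] = '\0';
        /* Match before the EOF test so a final line without '\n' still counts. */
        if (n > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            snprintf(pass, passlen, "%s", line + ulen + 1);
            return FOUND;
        }
        if (got == 0 && eof_ends_search) return NOT_FOUND; /* the terminating check */
    }
}

int main(void) {
    char pw[64];
    printf("unknown, EOF ignored: %d\n", lookup(SAMPLE_SECRETS, "mallory", pw, sizeof pw, 0, 1000));
    printf("unknown, EOF checked: %d\n", lookup(SAMPLE_SECRETS, "mallory", pw, sizeof pw, 1, 1000));
    return 0;
}
```

A known user returns `FOUND` in both modes, which is why only a user name missing from the file exposes the non-terminating path.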