5.1 - MDVSA-2011:066

Executive Summary

Informations
Name	MDVSA-2011:066	First vendor Publication	2011-04-05
Vendor	Mandriva	Last vendor Modification	2011-04-05
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Cvss Base Score	5.1	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	High
Cvss Expoit Score	4.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability wase discovered and corrected in rsync:

rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data (CVE-2011-1097).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:066

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14049

Oval ID:	oval:org.mitre.oval:def:14049
Title:	USN-1124-1 -- rsync vulnerability
Description:	rsync: fast remote file copy program rsync could be made to crash or run programs as your login if it connected to a malicious server.
Family:	unix	Class:	patch
Reference(s):	USN-1124-1 CVE-2011-1097	Version:	5
Platform(s):	Ubuntu 10.10 Ubuntu 9.10 Ubuntu 10.04	Product(s):	rsync
Definition Synopsis:
Release section Ubuntu 10.10 is installed AND Installed architecture is all AND rsync DPKG is earlier than 3.0.7-2ubuntu1.1 OR Release section Ubuntu 9.10 is installed AND Installed architecture is all AND rsync DPKG is earlier than 3.0.6-1ubuntu1.1 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND rsync DPKG is earlier than 3.0.7-1ubuntu1.1

Definition Id: oval:org.mitre.oval:def:21910

Oval ID:	oval:org.mitre.oval:def:21910
Title:	RHSA-2011:0390: rsync security update (Moderate)
Description:	rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.
Family:	unix	Class:	patch
Reference(s):	RHSA-2011:0390-01 CVE-2011-1097	Version:	4
Platform(s):	Red Hat Enterprise Linux 6	Product(s):	rsync
Definition Synopsis:
rsync is earlier than 0:3.0.6-5.el6_0.1 AND The operating system installed on the system is Red Hat Enterprise Linux 6

Definition Id: oval:org.mitre.oval:def:23356

Oval ID:	oval:org.mitre.oval:def:23356
Title:	ELSA-2011:0390: rsync security update (Moderate)
Description:	rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.
Family:	unix	Class:	patch
Reference(s):	ELSA-2011:0390-01 CVE-2011-1097	Version:	6
Platform(s):	Oracle Linux 6	Product(s):	rsync
Definition Synopsis:
rsync is earlier than 0:3.0.6-5.el6_0.1 AND Oracle Linux 6.x

Definition Id: oval:org.mitre.oval:def:27919

Oval ID:	oval:org.mitre.oval:def:27919
Title:	DEPRECATED: ELSA-2011-0390 -- rsync security update (moderate)
Description:	[3.0.6-5.1] - Add upstream patch to fix CVE-2011-1097 - Incremental file-list corruption due to temporary file_extra_cnt increments Resolves: #684932
Family:	unix	Class:	patch
Reference(s):	ELSA-2011-0390 CVE-2011-1097	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	rsync
Definition Synopsis:
Oracle Linux 6.x AND rsync is earlier than 0:3.0.6-5.el6_0.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Samba Rsync cpe:2.3:a:samba:rsync:3.0.7:-:::::: cpe:2.3:a:samba:rsync:3.0.6:-:::::: cpe:2.3:a:samba:rsync:3.0.5:-:::::: cpe:2.3:a:samba:rsync:3.0.4:-:::::: cpe:2.3:a:samba:rsync:3.0.3:-:::::: cpe:2.3:a:samba:rsync:3.0.2:::::::* cpe:2.3:a:samba:rsync:3.0.1:-:::::: cpe:2.3:a:samba:rsync:3.0.0:-::::::	8

OpenVAS Exploits

Date	Description
2012-06-06	Name : RedHat Update for rsync RHSA-2011:0390-01 File : nvt/gb_RHSA-2011_0390-01_rsync.nasl
2011-08-03	Name : FreeBSD Ports: rsync File : nvt/freebsd_rsync4.nasl
2011-05-10	Name : Ubuntu Update for rsync USN-1124-1 File : nvt/gb_ubuntu_USN_1124_1.nasl
2011-04-22	Name : Rsync Multiple Denial of Service Vulnerabilities (Windows) File : nvt/gb_rsync_mult_dos_vuln.nasl
2011-04-11	Name : Fedora Update for rsync FEDORA-2011-4413 File : nvt/gb_fedora_2011_4413_rsync_fc14.nasl
2011-04-11	Name : Fedora Update for rsync FEDORA-2011-4427 File : nvt/gb_fedora_2011_4427_rsync_fc13.nasl
2011-04-11	Name : Mandriva Update for rsync MDVSA-2011:066 (rsync) File : nvt/gb_mandriva_MDVSA_2011_066.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
74996	rsync Incremental Recursion Remote Memory Corruption DoS

Nessus® Vulnerability Scanner

Date	Description
2014-12-15	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-09.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_rsync-110404.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_rsync-110404.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2011-0390.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing a security update. File : sl_20110329_rsync_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-07-21	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_9a777c23b31011e0832d00215c6a37bb.nasl - Type : ACT_GATHER_INFO
2011-06-13	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1124-1.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote openSUSE host is missing a security update. File : suse_11_2_rsync-110404.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote SuSE 11 host is missing a security update. File : suse_11_rsync-110404.nasl - Type : ACT_GATHER_INFO
2011-04-08	Name : The remote Fedora host is missing a security update. File : fedora_2011-4413.nasl - Type : ACT_GATHER_INFO
2011-04-08	Name : The remote Fedora host is missing a security update. File : fedora_2011-4427.nasl - Type : ACT_GATHER_INFO
2011-04-06	Name : The remote Fedora host is missing a security update. File : fedora_2011-4389.nasl - Type : ACT_GATHER_INFO
2011-04-06	Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2011-066.nasl - Type : ACT_GATHER_INFO
2011-03-29	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0390.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:42:10	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	4
CPE ID(s)	8
osvdb(s)	1
Openvas Exploit(s)	7
Nessus® Exploit(s)	14

	Related
5.1	CVE-2011-1097
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

5.1 - MDVSA-2011:066

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU