Rsync Vulnerabilities (fix now available) #946
IgorTodorovskiIBM
started this conversation in
Security
Replies: 2 comments
youtube fed me https://youtu.be/eKtpdMmLMHY?si=mXg37p5LLdDVr9Yg too.
rsync has been updated to 3.4.1, addressing the 6 critical vulnerabilities. To upgrade, run zopen upgrade rsync -y. Additionally, we’ve implemented functional fixes that previously prevented rsync from syncing files between z/OS and non-z/OS systems. To learn more about what's supported, read here.
The zopen community port of Rsync, currently at version 3.3.0, is affected by recently disclosed security vulnerabilities. These include critical issues like CVE-2024-12084 (CVSS 9.8), which can allow attackers to execute arbitrary code on connected clients. Other vulnerabilities, such as path traversal and information leaks, are also present in versions prior to 3.4.0.
For more details on these vulnerabilities, you can read the full report here: Google Cloud Researchers Uncover Flaws in Rsync.
We are actively working to update the zopen rsync port to version 3.4.1 to address these issues. In the meantime, we recommend reviewing the mitigations provided in the article for enhanced security.
Update
FYI, rsync has been updated to 3.4.1, addressing the 6 critical vulnerabilities. To upgrade, run zopen upgrade rsync -y. Additionally, we’ve implemented functional fixes that previously prevented rsync from syncing files between z/OS and non-z/OS systems. To learn more about what's supported, read here.
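An added example, not part of the thread or the zopen project: a shell check that reads the first line of `rsync --version` and reports whether the build falls in the range the post calls affected (versions prior to 3.4.0). The function names and the sample banners are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an rsync build by its version banner.
AFFECTED_BELOW="3.4.0"   # from the thread: flaws are present in versions prior to 3.4.0

# Pull "X.Y.Z" out of the first line of `rsync --version` output.
rsync_banner_version() {
    printf '%s\n' "$1" | sed -n '1s/^rsync  *version  *\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2. Fields are compared numerically,
# so 3.10.x sorts above 3.4.x; missing fields count as 0.
version_ge() {
    IFS=. read -r a1 a2 a3 rest <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}
        y=${pair##*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print "affected <ver>", "patched <ver>" or "unknown" for a banner string.
classify_banner() {
    ver=$(rsync_banner_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$AFFECTED_BELOW"; then
        echo "patched $ver"
    else
        echo "affected $ver"
    fi
}

# Constructed sample banners, not captured output.
for banner in "rsync  version 3.3.0  protocol version 31" \
              "rsync  version 3.4.1  protocol version 32"; do
    classify_banner "$banner"
done

# Check the locally installed rsync, if there is one.
if command -v rsync >/dev/null 2>&1; then
    echo "local: $(classify_banner "$(rsync --version 2>/dev/null)")"
fi
```

The check only reflects the version string a build reports, so a build carrying backported patches under an older number will still show as affected.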