| Description: | Description:
The remote host is missing updates announced in
advisory RHSA-2003:399.
rsync is a program for sychronizing files over the network.
A heap overflow bug exists in rsync versions prior to 2.5.7. On machines
where the rsync server has been enabled, a remote attacker could use this
flaw to execute arbitrary code as an unprivileged user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CVE-2003-0962 to this issue.
All users should upgrade to these erratum packages containing version
2.5.7 of rsync, which is not vulnerable to this issue.
NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise
Linux. To check if the rsync server has been enabled (on), run the
following command:
/sbin/chkconfig --list rsync
If the rsync server has been enabled but is not required, it can be
disabled by running the following command as root:
/sbin/chkconfig rsync off
Red Hat would like to thank the rsync team for their rapid response and
quick fix for this issue.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2003-399.html
http://rsync.samba.org/
Risk factor : High
CVSS Score:
7.5
|
