AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system


rsync security vulnerability fix on AIX toolbox

  • 1.  rsync security vulnerability fix on AIX toolbox

    Posted Wed April 11, 2018 11:00 AM

    Originally posted by: sanket


     

     

    rsync-3.1.3-1.aix6.1.ppc.rpm is now available on AIX toolbox.

     

    This version of rsync has fixes for the following security vulnerabilities:

    CVE-2017-17434
    CVE-2017-17433
    CVE-2017-16548
    CVE-2018-5764

     

    You can also use YUM to update to these versions of rsync from the AIX toolbox repository.

    Thanks

     



  • 2.  Re: rsync security vulnerability fix on AIX toolbox

    Posted Tue April 17, 2018 06:03 AM

    Originally posted by: ejk


    Previous version started in daemon mode

    # oslevel -s
    7200-02-02-1810

    # rpm -q rsync
    rsync-3.1.2-2.ppc

     

    Entry from the log file

    2018/04/17 12:50:15 [7012724] rsyncd version 3.1.2 starting, listening on port 873

     

    The 3.1.3 version does not start in daemon mode

    # rpm -q rsync
    rsync-3.1.3-1.ppc

    # /usr/bin/rsync --daemon

     

    Each startup adds the same four lines (excluding timestamp and PID) to the log file:



    2018/04/17 12:52:33 [6685068] rsyncd version 3.1.3 starting, listening on port 873
    2018/04/17 12:52:33 [6685068] bind() failed: Invalid argument (address-family 2)
    2018/04/17 12:52:33 [6685068] unable to bind any inbound sockets on port 873
    2018/04/17 12:52:33 [6685068] rsync error: error in socket IO (code 10) at socket.c(555) [Receiver=3.1.3]

     

    I've tried various combinations of "-4", "--ipv4", "-6", "--ipv6", "--verbose" and "--no-detach" arguments; none have resulted in rsync running in daemon mode.

    I've attached output from "truss -a -d -D -e -f -l -mall -m!fltpage -s all -t all -X rsync --daemon" to this post.

     

     

     

    Attachment(s): truss.2018-04-17.log (14 KB)


  • 3.  Re: rsync security vulnerability fix on AIX toolbox

    Posted Fri April 20, 2018 07:30 AM

    Originally posted by: sanket


    We will look into this issue.



  • 4.  Re: rsync security vulnerability fix on AIX toolbox

    Posted Wed July 11, 2018 03:18 PM

    Originally posted by: Montani.SL


    Anyone ever solve this? Just hit me after an update.

    UPDATE: Downgrading to previous version worked.



  • 5.  Re: rsync security vulnerability fix on AIX toolbox

    Posted Fri July 13, 2018 05:46 AM

    Originally posted by: sanket


     

    Yes, the issue is resolved.

    We missed uploading the fixed version; we will do that in a day or two.

    Thanks for reporting and reminding us about the issue.



  • 6.  Re: rsync security vulnerability fix on AIX toolbox

    Posted Wed July 18, 2018 02:39 PM

    Originally posted by: sanket


     

    We have uploaded the fixed version of rsync at the following location.

    Please use yum to update or download and install.

    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/rsync/rsync-3.1.3-2.aix6.1.ppc.rpm

     

    Thanks
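
A post-update check for the daemon failure reported in this thread, as an added example that is not part of any post: it reads an rsyncd log and reports whether the most recent startup bound its listening socket. The function names are assumptions, and the embedded sample log is constructed from the log lines quoted in post 2.

```shell
#!/bin/sh
# Added example, not from the thread: detect the "bind() failed" startup
# failure in an rsyncd log after a package update.

# Constructed sample input, assembled from the log lines quoted in post 2.
sample_log() {
cat <<'EOF'
2018/04/17 12:50:15 [7012724] rsyncd version 3.1.2 starting, listening on port 873
2018/04/17 12:52:33 [6685068] rsyncd version 3.1.3 starting, listening on port 873
2018/04/17 12:52:33 [6685068] bind() failed: Invalid argument (address-family 2)
2018/04/17 12:52:33 [6685068] unable to bind any inbound sockets on port 873
2018/04/17 12:52:33 [6685068] rsync error: error in socket IO (code 10) at socket.c(555) [Receiver=3.1.3]
EOF
}

# Reads an rsyncd log on stdin. Prints "<version> ok" or
# "<version> bind-failed" for the LAST startup line found, or "none" when the
# log contains no startup line. Log fields: date, time, [pid], message...
last_start_status() {
    awk '
        # A new startup resets the state: only the latest one is reported.
        $4 == "rsyncd" && $5 == "version" && $7 == "starting," {
            pid = $3; ver = $6; failed = 0; seen = 1; next
        }
        # Failure lines count only when logged by the same PID.
        seen && $3 == pid &&
        (index($0, "bind() failed") ||
         index($0, "unable to bind any inbound sockets")) {
            failed = 1
        }
        END {
            if (!seen) { print "none"; exit }
            print ver, (failed ? "bind-failed" : "ok")
        }
    '
}

# Stand-alone run on the sample; for a real check, redirect the daemon log
# into the function instead, e.g. last_start_status < /path/to/rsyncd.log
sample_log | last_start_status
```

The real log location is whatever the `log file` parameter in rsyncd.conf points to; the path in the final comment is a placeholder.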