PublicDate: 2007-12-01 06:46:00 UTC
Candidate: CVE-2007-6199
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6199
 http://rsync.samba.org/security.html#s3_0_0
 http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff
Description:
 rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
Ubuntu-Description:
Notes:
 jdstrand> lowering priority as it is only for rsyncd while not running in chroot. This is a not-recommended, non-standard configuration. Above patch adds a configuration option to make this configuration 'safer'.
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/174133
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_rsync:
 upstream: http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff
upstream_rsync: released (2.6.9-5.1)
dapper_rsync: ignored (reached end-of-life)
edgy_rsync: needed (reached end-of-life)
feisty_rsync: needed (reached end-of-life)
gutsy_rsync: needed (reached end-of-life)
hardy_rsync: not-affected (2.6.9-6ubuntu1)
intrepid_rsync: not-affected (2.6.9-6ubuntu1)
jaunty_rsync: not-affected (2.6.9-6ubuntu1)
karmic_rsync: not-affected (2.6.9-6ubuntu1)
lucid_rsync: not-affected (2.6.9-6ubuntu1)
maverick_rsync: not-affected (2.6.9-6ubuntu1)
natty_rsync: not-affected (2.6.9-6ubuntu1)
devel_rsync: not-affected (2.6.9-6ubuntu1)