Critical rsync security release 3.4.0 please update your system

there is a serious vulnerability with rsync. be aware to update rsync to 3.4.0-1.

https://archlinux.org/news/critical-rsync-security-release-340/

a short description from arch:

An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.

We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.

All infrastructure servers and mirrors maintained by Arch Linux have already been updated.

1 Like

You are little late with this announcement, update was several days ago and current version on stable branch is even newer than 3.4.0-1 :stuck_out_tongue:

$ rsync --version
rsync  version 3.4.1  protocol version 32
2 Likes

:point_up: Indeed.

@Olli Please check Announcements topics first. :wink:

2 Likes