Amazon Linux 2 Security Advisory: ALAS-2022-1873
Advisory Release Date: 2022-10-31 19:40 Pacific
Advisory Updated Date: 2022-11-08 22:20 Pacific
Severity:
Important
Issue Overview:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation. (CVE-2022-29154)
Affected Packages:
rsync
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update rsync to update your system.
New Packages:
aarch64:
rsync-3.1.2-11.amzn2.0.1.aarch64
rsync-debuginfo-3.1.2-11.amzn2.0.1.aarch64
i686:
rsync-3.1.2-11.amzn2.0.1.i686
rsync-debuginfo-3.1.2-11.amzn2.0.1.i686
src:
rsync-3.1.2-11.amzn2.0.1.src
x86_64:
rsync-3.1.2-11.amzn2.0.1.x86_64
rsync-debuginfo-3.1.2-11.amzn2.0.1.x86_64