Amazon Linux 2022 Security Advisory: ALAS-2022-148
Advisory Release Date: 2022-10-03 21:26 Pacific
Advisory Updated Date: 2022-10-13 18:48 Pacific
Severity:
Important
Issue Overview:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation. (CVE-2022-29154)
A security vulnerability was found in zlib. The flaw triggered a heap-based buffer in inflate in the inflate.c function via a large gzip header extra field. This flaw is only applicable in the call inflateGetHeader. (CVE-2022-37434)
Affected Packages:
rsync
Issue Correction:
Run dnf update rsync --releasever=2022.0.20221012 to update your system.
New Packages:
aarch64:
rsync-debugsource-3.2.6-1.amzn2022.0.1.aarch64
rsync-debuginfo-3.2.6-1.amzn2022.0.1.aarch64
rsync-3.2.6-1.amzn2022.0.1.aarch64
noarch:
rsync-daemon-3.2.6-1.amzn2022.0.1.noarch
src:
rsync-3.2.6-1.amzn2022.0.1.src
x86_64:
rsync-debugsource-3.2.6-1.amzn2022.0.1.x86_64
rsync-debuginfo-3.2.6-1.amzn2022.0.1.x86_64
rsync-3.2.6-1.amzn2022.0.1.x86_64