From: David C. <cl...@au...> - 2004-03-02 01:01:58
AIX is not vulnerable to this bug; it can only be exploited in conjunction with a vulnerability in the Linux brk() prior to 2.4.23. This was reviewed earlier with someone from the AIX security team. If you use rsync on Linux, however, you'll want to make the appropriate updates.

Distributing an updated version of rsync for AIX from the Toolbox site is likely months away (as usual; this can vary quite a bit depending on the reviews and schedules of our open source lawyers). Meanwhile, I'll request a short-term review/approval to distribute a rebuild of our existing 2.5.4 level with the specific isolated patch backported alone, with no other changes -- while it would not make a difference from a security perspective, it might just provide more confidence in using a pre-2.5.7 version until we are clear to distribute the current version. Such an isolated fix is often the sort of thing that can be approved more quickly for distribution.

You might meanwhile also consider the other usual alternatives, such as building a newer version locally or using the already-built UCLA 4.6.0 rsync image from aixpdslib.seas.ucla.edu. (4.6.0 is the very latest rsync version.)

BUT: I really don't mean to be sending mixed signals here -- you really can keep using the current Toolbox rsync.

On Mon, Mar 01, 2004 at 05:03:14PM +0100, j.l...@be... wrote:
> Rsync-question
>
> I am using rsync on an AIX 5L 5.2 ML1 server. The server is connected to
> the internet. The rsync-version is 2.5.4-1 (provided as rpm-file by IBM on
> their website). This is the most recent version provided by IBM.
> On http://rsync.samba.org the samba-developers wrote about a bug in rsync
> prior to 2.5.7. This bug causes a heap overflow vulnerability in combination
> with the Linux kernel prior to 2.4.23.
> I would like to know:
> - when does IBM provide a new rsync-rpm based on rsync >= 2.5.7?
> - is AIX 5.2 ML1 also vulnerable?
> Can anyone answer these questions?
>
> thanks in advance,
>
> Jacco Logtenberg
> Tax Office in the Netherlands
>
> email: j.l...@be...
>
> ------------------------------------------------------------------------------
> The Tax Office does not use e-mail for official communications.
> ==============================================================================
>
> _______________________________________________
> aixtoolbox-list mailing list
> aix...@ww...
> http://www-124.ibm.com/developerworks/oss/mailman/listinfo/aixtoolbox-list

-- 
David Clissold
cl...@au...
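The reply above reduces to a version test: rsync older than 2.5.7 on a Linux kernel older than 2.4.23 is the combination the advisory describes, and anything else is outside it. Below is an added example (not code from the thread, from IBM, or from the rsync project) that encodes exactly that test as a POSIX shell script. The function names vercmp and rsync_exposed and the sample host lines are assumptions made up for the example; on a real host the three arguments would come from the first line of `rsync --version`, `uname -s` and `uname -r`. The version comparison is numeric and dotted, so it ranks 2.5.4 below 2.5.7 and 2.4.9 below 2.4.23 (a plain string compare would get both wrong), and it discards package-release and kernel-flavour suffixes such as -1 or -smp before comparing.

```shell
#!/bin/sh
# Added example, not from the aixtoolbox-list thread: flag hosts running the
# rsync/kernel combination the thread describes (rsync < 2.5.7 together with
# a Linux kernel < 2.4.23). Function and variable names are invented here.

# vercmp A B: prints "-1", "0" or "1" for A<B, A=B, A>B.
# Compares dotted versions numerically, field by field; a release suffix
# ("2.5.4-1") or kernel flavour ("2.4.23-smp") is stripped first, and missing
# trailing fields count as 0, so "5" sorts below "5.2".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-_].*/, "", a); sub(/[-_].*/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1";  exit }
        }
        print "0"
    }'
}

# rsync_exposed RSYNC_VERSION OS_NAME KERNEL_VERSION
# Exit status 0 (true) only for rsync < 2.5.7 on Linux with kernel < 2.4.23;
# 1 otherwise. Prints a one-line verdict either way.
rsync_exposed() {
    rv=$1; os=$2; kv=$3
    if [ "$(vercmp "$rv" 2.5.7)" -ge 0 ]; then
        echo "rsync $rv on $os $kv: 2.5.7 or later, heap overflow fixed"
        return 1
    fi
    if [ "$os" != Linux ]; then
        echo "rsync $rv on $os $kv: pre-2.5.7, but not the Linux brk() combination; update when a build is available"
        return 1
    fi
    if [ "$(vercmp "$kv" 2.4.23)" -ge 0 ]; then
        echo "rsync $rv on Linux $kv: pre-2.5.7 but kernel is 2.4.23 or later; still update rsync"
        return 1
    fi
    echo "rsync $rv on Linux $kv: EXPOSED, update rsync (or the kernel) now"
    return 0
}

# Constructed sample inventory (not real hosts): "rsync-version os kernel".
printf '%s\n' \
    '2.5.4-1 AIX 5.2' \
    '2.5.4-1 Linux 2.4.20' \
    '2.5.6 Linux 2.4.9-smp' \
    '2.5.6 Linux 2.4.23' \
    '2.5.7 Linux 2.4.20' |
while read -r rv os kv; do
    rsync_exposed "$rv" "$os" "$kv" || true
done
```

The non-Linux branch deliberately still says "update when a build is available": the thread's point is that AIX is outside the exploitable combination, not that a pre-2.5.7 rsync is something to keep forever.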