I recently heard about the rsync exploit via https://archlinux.org/news/critical-rsy … lease-340/
The post mentions the mirrors need updating.
Is there a way of knowing which mirrors have been updated to counter the exploit, thus making them safe?
Thanks
Last edited by OneAndOnlyRoot (2025-01-28 13:20:30)
According to the ASA-202501-1 report, this has already been fixed in rsync 3.4.0-1 and above. I have checked my system, which is pretty up to date and I run 3.4.1. So it should be fine. If you run a different version, you can run:
# pacman -Syu "rsync>=3.4.0-1"
The link you posted also states that all the Arch infrastructure and mirrors have been updated already... As for the other mirror administrators, I don't think there is actually a way to find out if they are...
Last edited by BenjB83 (2025-01-28 21:53:52)
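As an added example, not part of this thread or of pacman's own code: a Python port of the version ordering pacman applies when it resolves a constraint such as "rsync>=3.4.0-1", so that a line of `pacman -Q rsync` output can be checked against the fixed version named in ASA-202501-1. It follows pacman's rpmvercmp rules as I understand them (epoch, then pkgver, then pkgrel; numeric segments beat alpha ones; a leftover "rc1" tail sorts below a release), and the sample `pacman -Q` line is constructed.

```python
import re
FIXED_RSYNC = "3.4.0-1"  # fixed version named in ASA-202501-1 (from the thread above)
_NUM, _ALPHA = re.compile(r"[0-9]+"), re.compile(r"[A-Za-z]+")
def _rpmvercmp(a, b):
    """Segment-wise comparison in the style of pacman's rpmvercmp; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        si, sj = i, j  # skip separator runs, remembering how long each run was
        while i < len(a) and not a[i].isalnum(): i += 1
        while j < len(b) and not b[j].isalnum(): j += 1
        if i >= len(a) or j >= len(b): break
        if (i - si) != (j - sj):
            return -1 if (i - si) < (j - sj) else 1
        isnum, pat = a[i].isdigit(), _NUM if a[i].isdigit() else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:  # a numeric segment always beats an alpha one
            return 1 if isnum else -1
        x, y = ma.group(), mb.group()
        if isnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # more digits wins
                return 1 if len(x) > len(y) else -1
        if x != y:
            return -1 if x < y else 1
        i, j = ma.end(), mb.end()
    ra, rb = a[i:], b[j:]
    if not ra and not rb: return 0
    # a leftover alpha tail such as "rc1" never beats an empty tail
    return -1 if (not ra and not rb[0].isalpha()) or (ra and ra[0].isalpha()) else 1

def _split(version):
    """Split '[epoch:]pkgver[-pkgrel]' into its parts; epoch defaults to '0'."""
    epoch, sep, rest = version.partition(":")
    if not sep: epoch, rest = "0", version
    pkgver, sep, pkgrel = rest.rpartition("-")
    return (epoch, pkgver, pkgrel) if sep else (epoch, rest, None)

def vercmp(a, b):
    """Compare two Arch package versions like vercmp(8); returns -1, 0 or 1."""
    (ea, va, ra), (eb, vb, rb) = _split(a), _split(b)
    ret = _rpmvercmp(ea, eb) or _rpmvercmp(va, vb)
    if ret == 0 and ra is not None and rb is not None:
        ret = _rpmvercmp(ra, rb)
    return ret

def rsync_is_patched(pacman_q_line, fixed=FIXED_RSYNC):
    """Report whether one line of `pacman -Q rsync` output ('rsync 3.4.1-1') is at or above the fix."""
    name, version = pacman_q_line.split()  # constructed sample input in the tests
    return name == "rsync" and vercmp(version, fixed) >= 0
```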
BenjB83 wrote:According to the ASA-202501-1 report, this has already been fixed in rsync 3.4.0-1 and above. I have checked my system, which is pretty up to date and I run 3.4.1. So it should be fine. If you run a different version, you can run:
# pacman -Syu "rsync>=3.4.0-1"
The link you posted also states that all the Arch infrastructure and mirrors have been updated already... As for the other mirror administrators, I don't think there is actually a way to find out if they are...
Thanks for the reply,
I know that the new version of rsync fixes it thankfully. I was focusing on the line "we highly advise any mirror administrator to act immediately" which implies the mirrors are still vulnerable. But I guess the packages being cryptographically signed helps mitigate the risk.
I didn't think there would be a way to know if each mirror has successfully mitigated the risk. I have just been referring to https://archlinux.org/mirrors/status/ and using ones with 100% completion to try to make sure I use a somewhat up-to-date mirror.
Last edited by OneAndOnlyRoot (2025-01-28 23:00:44)
I'd not really be worried about which mirrors are vulnerable and might have been attacked, as by the same principle a mirror could intentionally turn malicious and serve you bad packages anyway. You don't really know what someone else's server is doing, so that's why there are signatures to verify the package with; a mismatched package will fail the check.
I interpreted "we highly advise any mirror administrator to act immediately" as: you don't want to leave a known vulnerable service running because your private keys might get stolen, since the vulnerability involves RCE. It's more of a warning to the server owners than to you.
arh wrote:I'd not really be worried about which mirrors are vulnerable and might have been attacked, as by the same principle a mirror could intentionally turn malicious and serve you bad packages anyway. You don't really know what someone else's server is doing, so that's why there are signatures to verify the package with; a mismatched package will fail the check.
I interpreted "we highly advise any mirror administrator to act immediately" as: you don't want to leave a known vulnerable service running because your private keys might get stolen, since the vulnerability involves RCE. It's more of a warning to the server owners than to you.
Yeah, I think you're right, certainly makes sense. The cryptographic aspect, I now realise, is meant to defend against this very situation.
Thanks for your reply.
OneAndOnlyRoot wrote:
arh wrote:I'd not really be worried about which mirrors are vulnerable and might have been attacked, as by the same principle a mirror could intentionally turn malicious and serve you bad packages anyway. You don't really know what someone else's server is doing, so that's why there are signatures to verify the package with; a mismatched package will fail the check.
I interpreted "we highly advise any mirror administrator to act immediately" as: you don't want to leave a known vulnerable service running because your private keys might get stolen, since the vulnerability involves RCE. It's more of a warning to the server owners than to you.
Yeah, I think you're right, certainly makes sense. The cryptographic aspect, I now realise, is meant to defend against this very situation.
Thanks for your reply.
I hope you have had these blue individuals let go because they're quite frightening :-(