At 02:25 Beijing time on January 15, 2025, security researcher Nick Tait reported six security vulnerabilities in rsync on the oss-security mailing list. The most severe of them allows an attacker to execute arbitrary code on the server with nothing more than anonymous read access to the rsync daemon (such as a public mirror).

Vulnerability Details:

CVE-2024-12084 (CVSS: 9.8): A heap buffer overflow in rsync caused by improper handling of checksum lengths. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. Affected versions: 3.2.7 to 3.4.0.

CVE-2024-12085 (CVSS: 7.5): In ...
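The overflow class described for CVE-2024-12084 is a fixed-size checksum buffer filled with a length chosen by the peer. The following is an added, constructed illustration of that pattern and of the bounds check that closes it; it is not rsync's source code. The names `file_sums`, `store_sum_unchecked`, `store_sum_checked` and `check_cases` are hypothetical, and the value 64 for `MAX_DIGEST_LEN` is an assumption standing in for any digest longer than the 16-byte `SUM_LENGTH` the advisory mentions.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not rsync source.
 * SUM_LENGTH (16) is the fixed checksum buffer size named in the advisory;
 * MAX_DIGEST_LEN (64) is an assumed upper bound for a negotiated digest. */
#define SUM_LENGTH     16
#define MAX_DIGEST_LEN 64

struct file_sums {
    unsigned char sum2[SUM_LENGTH]; /* fixed-size heap/stack buffer */
    int len;                        /* bytes actually stored */
};

/* Vulnerable pattern: the peer-supplied digest length is trusted, so any
 * digest_len > SUM_LENGTH writes past the end of sum2. Shown for contrast;
 * it is never called below. */
void store_sum_unchecked(struct file_sums *fs, const unsigned char *digest, int digest_len)
{
    memcpy(fs->sum2, digest, (size_t)digest_len);
    fs->len = digest_len;
}

/* Hardened pattern: validate the length against the destination size
 * before copying. Returns 0 on success, -1 when the length is rejected. */
int store_sum_checked(struct file_sums *fs, const unsigned char *digest, int digest_len)
{
    if (digest == NULL || digest_len < 0 || digest_len > SUM_LENGTH)
        return -1;
    memcpy(fs->sum2, digest, (size_t)digest_len);
    fs->len = digest_len;
    return 0;
}

/* Exercises the check with constructed inputs: a 16-byte digest fits,
 * a 17-byte or 64-byte digest is rejected. Returns 1 if all cases behave. */
int check_cases(void)
{
    struct file_sums fs;
    unsigned char digest[MAX_DIGEST_LEN];
    memset(digest, 0xAB, sizeof digest); /* constructed sample digest bytes */
    memset(&fs, 0, sizeof fs);

    if (store_sum_checked(&fs, digest, SUM_LENGTH) != 0 || fs.len != SUM_LENGTH)
        return 0;
    if (store_sum_checked(&fs, digest, SUM_LENGTH + 1) != -1)
        return 0;
    if (store_sum_checked(&fs, digest, MAX_DIGEST_LEN) != -1)
        return 0;
    if (store_sum_checked(&fs, digest, -1) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("bounds check %s\n", check_cases() ? "ok" : "FAILED");
    return check_cases() ? 0 : 1;
}
```

The point of the hardened variant is that the destination size, not the negotiated digest size, bounds the copy; if a larger digest must be supported, the buffer has to grow to MAX_DIGEST_LEN rather than the check being relaxed.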