Vulnerability in Rsync that allows files to be overwritten on the client side

A vulnerability (CVE-2022-29154) has been identified in rsync, a file synchronization and backup utility, that allows an attacker-controlled rsync server to write or overwrite arbitrary files in the target directory on the user's side. Potentially, the attack can also be carried out through interference (MITM) with transit traffic between the client and a legitimate server. The issue has been fixed in the Rsync 3.2.5pre1 test release.

The vulnerability is reminiscent of past problems in SCP. It arises because the server decides the location of the file being written, and the client does not properly check what the server returns against what was requested, which allows the server to write files that the client did not originally request. For example, if the user copies files into their home directory, the server may return files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and they will be saved in the user's home directory.
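The missing client-side check described above can be sketched as follows. This is an added example, not rsync's code or its actual fix; the function names and the sample lists are hypothetical, and it assumes the requested patterns are written relative to the transfer root, the same way names appear in the server's file list.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* 1 if name is relative and has no ".." component, else 0. */
static int path_is_contained(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return 0;
    for (const char *p = name; *p; p += strspn(p, "/")) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
    }
    return 1;
}

/* 1 if a server-sent name matches a requested pattern, or lies below a
 * directory that matches one (hypothetical helper, assumptions as above). */
int entry_was_requested(const char *name, const char *const *req, size_t nreq)
{
    const int flags = FNM_PATHNAME | FNM_PERIOD; /* '*' never matches '/' or a leading '.' */
    char prefix[4096];
    if (!path_is_contained(name))
        return 0;
    for (size_t i = 0; i < nreq; i++) {
        if (fnmatch(req[i], name, flags) == 0)
            return 1;
        for (const char *s = strchr(name, '/'); s; s = strchr(s + 1, '/')) {
            size_t len = (size_t)(s - name);
            if (len >= sizeof prefix) break;
            memcpy(prefix, name, len);
            prefix[len] = '\0';
            if (fnmatch(req[i], prefix, flags) == 0)
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    const char *req[] = { "*.txt", "photos" };  /* constructed request */
    const char *sent[] = { "notes.txt", "photos/a.jpg", ".bash_aliases", "../x.txt" };
    for (size_t i = 0; i < 4; i++)  /* sent[] is a constructed server file list */
        printf("%s: %d\n", sent[i], entry_was_requested(sent[i], req, 2));
    return 0;
}
```

Entries for which the check returns 0 are the ones a client should refuse to write, such as the .bash_aliases and .ssh/authorized_keys names from the scenario above.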

Source: opennet.ru
