Doing anything right now? Oh, you’re reading this – appreciated – but once you’re done go and install[1] the pending update to Rsync, pushed out to all supported versions of Ubuntu desktop and server this week.
Rsync is a command-line tool preinstalled in all versions and flavours of Ubuntu. It’s used for data-efficient copying and synchronising of files between locations, be it local or remote.
You might not (knowingly) use it (it’s not a GUI app) but it’s there, on your system.
And the fact it’s there is important.
This week, security researchers at Google disclosed major vulnerabilities in the Ubuntu rsync package that affect both its server and client components – vulnerabilities which can be exploited in bad ways if left unpatched.
A pair of vulnerabilities in the rsync daemon (CVE-2024-12084 & CVE-2024-12085) allow for remote code execution, while three flaws in the client may allow a malicious server to read files, create unsafe symlinks and possibly overwrite files – not good.
Highlighting the issues, Canonical says a sixth vulnerability (CVE-2024-12747) was uncovered during the “coordinated vulnerability response” to the other vulnerabilities, with the latter one affecting how the rsync server handles symlinks.
Ubuntu Server users should make an extra effort to check the relevant update has been applied, since servers can be mission-critical infrastructure handling important or sensitive data.
Rsync security vulnerability update
Canonical’s security team pushed out patched versions of rsync to all supported Ubuntu releases this week. If you don’t have unattended-upgrades enabled on your system you should check to see if the update has been installed, and if not install it.
No new features are included; this is not a back-port of a newer version of Rsync to older releases, simply patches applied to the version that shipped in each respective Ubuntu release.
You can manually check which version of rsync is installed in Ubuntu by running:
dpkg -l rsync
From the output shown, check the version number against the patched versions listed on Launchpad or, for convenience’s sake, via this table:
| Ubuntu release | Patched rsync version |
| --- | --- |
| Ubuntu 14.04 LTS (Trusty) | 3.1.0-2ubuntu0.4+esm1 |
| Ubuntu 16.04 LTS (Xenial) | 3.1.1-3ubuntu1.3+esm3 |
| Ubuntu 18.04 LTS (Bionic) | 3.1.2-2.1ubuntu1.6+esm1 |
| Ubuntu 20.04 LTS (Focal) | 3.1.3-8ubuntu0.8 |
| Ubuntu 22.04 LTS (Jammy) | 3.2.7-0ubuntu0.22.04.3 |
| Ubuntu 24.04 LTS (Noble) | 3.2.7-1ubuntu1.2 |
If an older version is installed you’re at risk until it’s updated.
Run sudo apt update to check for the latest available updates, then run sudo apt upgrade to download and apply them.
On Ubuntu Server it’s not always desirable to install ALL updates. Run sudo apt install --only-upgrade rsync to upgrade Rsync only.
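The version check described above can be scripted with dpkg's own version ordering, which matters because plain string comparison gets suffixes such as `+esm1` and multi-digit components wrong. This is an added example, not code from the article or from Canonical; the function names and the "host codename version" inventory format are assumptions of the example.

```bash
#!/bin/sh
# Added example: compare an rsync package version with the patched versions
# listed in the article's table, using dpkg's version ordering.

# Patched version for an Ubuntu codename (values copied from the table).
patched_version() {
    case "$1" in
        trusty) echo "3.1.0-2ubuntu0.4+esm1" ;;
        xenial) echo "3.1.1-3ubuntu1.3+esm3" ;;
        bionic) echo "3.1.2-2.1ubuntu1.6+esm1" ;;
        focal)  echo "3.1.3-8ubuntu0.8" ;;
        jammy)  echo "3.2.7-0ubuntu0.22.04.3" ;;
        noble)  echo "3.2.7-1ubuntu1.2" ;;
        *)      return 1 ;;
    esac
}

# rsync_status CODENAME VERSION
# prints: patched | vulnerable | not-installed | unknown-release
rsync_status() {
    [ -n "$2" ] || { echo "not-installed"; return 0; }
    fixed=$(patched_version "$1") || { echo "unknown-release"; return 0; }
    # Debian version rules, not string order: 22.04.10 sorts after 22.04.3,
    # and "1.6+esm1" sorts after "1.6".
    if dpkg --compare-versions "$2" ge "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# audit_inventory: read "host codename version" lines on stdin and
# print only the hosts that are not confirmed patched.
audit_inventory() {
    while read -r host rel ver; do
        [ -n "$host" ] || continue
        result=$(rsync_status "$rel" "$ver")
        [ "$result" = "patched" ] || echo "$host $result"
    done
}

# This machine: codename from /etc/os-release, version from the dpkg database.
codename=$( [ -r /etc/os-release ] && . /etc/os-release && echo "$VERSION_CODENAME" ) || codename=""
installed=$(dpkg-query -W -f='${Version}' rsync 2>/dev/null) || installed=""
echo "local rsync ${installed:-none} on ${codename:-unknown}: $(rsync_status "$codename" "$installed")"
```

Releases not in the table are reported as `unknown-release` rather than assumed safe, so they need checking against Launchpad by hand.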
Whatever you do, don’t put off this update as it isn’t one of those “…only a flaw if someone has local access to your machine when you leave it unlocked” type flaws – be proactive!
[1] If you don’t have unattended-upgrades enabled, that is. If you don’t, consider enabling it, as it means security fixes like this one are downloaded and applied automatically.

