[CLSA-2025:1763136711] Fix CVE(s): CVE-2022-29154, CVE-2024-12087, CVE-2024-12088
Type: security
Severity: Important
Release date: 2025-11-14 16:11:55 UTC
Description:
* SECURITY UPDATE: malicious remote servers can write arbitrary files inside the directories of connecting peers:
  - debian/patches/els/0001-CVE-2022-29154.patch: fix insufficient validation of file names.
  - CVE-2022-29154.
* SECURITY UPDATE: path traversal vulnerability.
  - debian/patches/els/0002-CVE-2024-12087.patch: refuse a duplicate dirlist and range check dir_ndx before use.
  - CVE-2024-12087.
* SECURITY UPDATE: rsync client fails to properly verify whether a symbolic link destination sent from the server contains another symbolic link within it:
  - debian/patches/els/0003-CVE-2024-12088.patch: make --safe-links stricter.
  - CVE-2024-12088.
Updated packages:
  • rsync_3.1.3-6+tuxcare.els1_amd64.deb
    sha:ee57d5f92e35c90e1ea8c1bca846f2b20be67419
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.