[CLSA-2026:1779869103] Fix CVE(s): CVE-2024-12086, CVE-2026-29518, CVE-2026-43618
Type:
security
Severity:
Important
Release date:
2026-05-27 08:05:13 UTC
Description:
* SECURITY UPDATE: receiver process memory disclosure via compressed-token integer overflow:
  - debian/patches/els/0004-CVE-2026-43618.patch: cap rx_token at MAX_TOKEN_INDEX; reject out-of-range token values.
  - CVE-2026-43618.
* SECURITY UPDATE: malicious server can enumerate arbitrary client files via crafted checksum responses:
  - debian/patches/els/0005-CVE-2024-12086.patch: add secure_relative_open() and route the receiver's basis-file open through it.
  - CVE-2024-12086.
* SECURITY UPDATE: daemon TOCTOU symlink race on parent path components when "use chroot = no":
  - debian/patches/els/0006-CVE-2026-29518.patch: gate sender/receiver opens and chmods through secure_relative_open() / do_chmod_at().
  - CVE-2026-29518.
Updated packages:
  • rsync_3.1.3-6+tuxcare.els2_amd64.deb
    sha:bdfe919ceda334a7a9bcabc02a6ba87ba2d8f58f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.