[Software] Are old versions of Debian affected by rsync's vulnerability?

bertulli
Posts: 2
Joined: 2025-01-22 10:10

[Software] Are old versions of Debian affected by rsync's vulnerability?

#1 Post by bertulli »

Hi everyone, thank you for your work. For my job, I am using a series of devices running Debian 9 stretch. I heard about the rsync vulnerability; our devices use rsync. I read in the announcement that Bullseye (11) is not affected. However, in the announcement on the same topic for Ubuntu, it is said that the affected upstream versions of rsync are from 3.1.0 to at least 3.2.7, i.e. from 2014 to now, so I would expect the upstream Debian versions to be affected as well. For instance, I can see my devices use rsync 3.1.2. So my question is: can I be sure that pre-Bullseye versions of Debian are unaffected (due to, I guess, different patches applied with respect to Ubuntu?), or should I compile the new version of rsync from source, to be sure? Thank you and have a good day!

wizard10000
Global Moderator
Posts: 1346
Joined: 2019-04-16 23:15
Location: southeastern us

Re: [Software] Are old versions of Debian affected by rsync's vulnerability?

#2 Post by wizard10000 »

Bullseye and earlier have not been patched; check it out - https://security-tracker.debian.org/tra ... kage/rsync

I'm afraid Debian normally only provides security updates for three years.
we see things not as they are, but as we are.
-- anais nin

ann_droid
Posts: 33
Joined: 2025-01-17 14:47

Re: [Software] Are old versions of Debian affected by rsync's vulnerability?

#3 Post by ann_droid »

Hi

Hope this helps....

https://www.theregister.com/2025/01/17/ ... abilities/

Brief snippet.........

""
Good news: these vulnerabilities were identified in December of last year, and rsync 3.4.0, released the day after the Openwall announcement, fixes all of them. That version did introduce a few regressions, though, and the following day (January 15) saw a minor bug-fix version, version 3.4.1. As this is a high-priority problem – BleepingComputer says it identified 600,000 affected machines – Linux distributors are on the case.

For instance, Canonical put out an update going back to Ubuntu 14.10 on the day of the announcement. As you'd expect, except for the latest "Oracular Oriole" release, it only covers LTS versions. If you're still running CentOS Linux, we hope you're paying someone for fixes.
""

So apt dist-upgrade etc etc.

Check you have version 3.4.1 installed.
Kind Regards


Ann_Droid

bertulli
Posts: 2
Joined: 2025-01-22 10:10

Re: [Software] Are old versions of Debian affected by rsync's vulnerability?

#4 Post by bertulli »

wizard10000 wrote: 2025-01-22 11:10
> Bullseye and earlier have not been patched; check it out - https://security-tracker.debian.org/tra ... kage/rsync
>
> I'm afraid Debian normally only provides security updates for three years.

I'm sorry, I'm not sure I understood. From the bug tracker, I see that for Bullseye, many of the disclosed vulnerabilities I'm talking about have been patched; the only one missing is another one. I can't find any info about previous versions: for instance, in the stretch package the vulnerability might not have been introduced yet. I highly doubt it, as I was saying before that the upstream version is affected, but I wanted to check. Anyway, it seems that even for stretch it has been patched by the extended LTS from Freexian (https://www.freexian.com/lts/extended/u ... 0-1-rsync/), so I guess that answers the question.

arzgi
Posts: 1832
Joined: 2008-02-21 17:03
Location: Finland

Re: [Software] Are old versions of Debian affected by rsync's vulnerability?

#5 Post by arzgi »

Debian 9 can also be vulnerable to more security flaws, as it has not been updated for years.

I run for my own purposes Debian 9, but I have removed all the networking capabilities.
