CVE-2014-8990

NameCVE-2014-8990
Descriptiondefault-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3130-1
NVD severityhigh (attack range: remote)
Debian Bugs767227

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lsyncd (PTS)wheezy, wheezy (security)2.0.7-3+deb7u1fixed
jessie2.1.5-2fixed
stretch, buster, sid2.1.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lsyncdsource(unstable)2.1.5-2low767227
lsyncdsourcewheezy2.0.7-3+deb7u1highDSA-3130-1

Notes

[squeeze] - lsyncd <no-dsa> (Minor issue)
https://github.com/axkibe/lsyncd/issues/220
Upstream commit: https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
also required: https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b
the initial commit would be an incomplete fix and needs additional changes

Search for package or bug name: Reporting problems