DescriptionA flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs969530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rsync (PTS)buster3.1.3-6fixed
sid, trixie, bookworm3.2.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rsyncsourcestretch(not affected)
rsyncsourcebuster(not affected)


[buster] - rsync <not-affected> (Vulnerable code introduced later)
[stretch] - rsync <not-affected> (Vulnerable code introduced later)
Introduced by:;a=commitdiff;h=2a87d78f693f10fe5ad13af0bb9311bd3714077d (v3.2.0pre1)
Fixed by:;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859

Search for package or bug name: Reporting problems