CVE-2020-14387

NameCVE-2020-14387
DescriptionA flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs969530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rsync (PTS)buster3.1.3-6fixed
bullseye3.2.3-4+deb11u1fixed
bookworm, sid3.2.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rsyncsourcestretch(not affected)
rsyncsourcebuster(not affected)
rsyncsource(unstable)3.2.3-3969530

Notes

[buster] - rsync <not-affected> (Vulnerable code introduced later)
[stretch] - rsync <not-affected> (Vulnerable code introduced later)
Introduced by: https://git.samba.org/?p=rsync.git;a=commitdiff;h=2a87d78f693f10fe5ad13af0bb9311bd3714077d (v3.2.0pre1)
Fixed by: https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859
https://bugzilla.redhat.com/show_bug.cgi?id=1875549
Search for package or bug name: Reporting problems