Security Advisories
IAC-2025-001, 2025-01-16: Multiple vulnerabilities in rsync
But the rsync client is also affected if it connects to unknown servers that may be controlled by an attacker.
Which versions are affected?
All versions up to v21 are affected because they use rsync. The impact is rated only as MEDIUM because an IACBOX connects only to Asteas-controlled update servers, so there is no real attack surface apart from possible local exploitation.
The rsync package is updated anyway to eliminate any remaining risk.
This issue is fixed in the current version 21.0-p21595.
Version 24 no longer uses rsync, but because the binary is installed, it is also updated to the latest rsync version, 3.4.1.
The new rsync version is shipped with version 24.0.2, released on 22 Jan 2025.
For all details please visit: https://kb.cert.org/vuls/id/952657