
Rsync package in Ubuntu distros updated to fix remote code execution bugs, download now


If you are running an Ubuntu-based operating system such as Ubuntu, Kubuntu, Lubuntu, and even Linux Mint, you really need to apply available updates to patch the rsync package. Fixes have just been issued to address numerous vulnerabilities that allow remote code execution and affect servers and client machines.

Highlighting the issues, Canonical says:

Security researchers at Google (Pedro Gallegos, Simon Scannell, and Jasiel Spelman) discovered vulnerabilities in the rsync server and rsync client. The rsync server vulnerabilities (CVE-2024-12084 and CVE-2024-12085) ultimately allow remote code execution (RCE). The rsync client vulnerabilities allow a malicious server to read arbitrary files (CVE-2024-12086), create unsafe symlinks (CVE-2024-12087) and overwrite arbitrary files in certain circumstances (CVE-2024-12088).

During the coordinated vulnerability response of the above issues, a sixth vulnerability (CVE-2024-12747) which affects how the rsync server handles symlinks was reported by Aleksei Gorban.

Canonical’s security team has released updates of the rsync packages for all supported Ubuntu releases. The updates remediate CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747. Information on the affected versions can be found in the CVE pages linked above.

If you are on Ubuntu 16.04 LTS or above, the unattended-upgrades feature is enabled by default, which means these security updates will be applied within 24 hours of them being available. If you've switched that off or are using another distribution, then you might have to get the update yourself via your update manager or the terminal.

To update via the terminal, enter the following command and input your password when requested:

sudo apt update && sudo apt upgrade

If you can't upgrade all packages and want to just update rsync then you can use the following command:

sudo apt update && sudo apt install --only-upgrade rsync

If you're wondering whether you really need to update the rsync package now, the answer is yes, you should do it as soon as possible. The vulnerabilities affect both servers and end-user computers, and they can be exploited remotely.

The fixed packages for each Ubuntu release are as follows:

| Release | Package Name | Fixed Version |
| --- | --- | --- |
| Trusty (14.04 LTS) | rsync | 3.1.0-2ubuntu0.4+esm1 |
| Xenial (16.04 LTS) | rsync | 3.1.1-3ubuntu1.3+esm3 |
| Bionic (18.04 LTS) | rsync | 3.1.2-2.1ubuntu1.6+esm1 |
| Focal (20.04 LTS) | rsync | 3.1.3-8ubuntu0.8 |
| Jammy (22.04 LTS) | rsync | 3.2.7-0ubuntu0.22.04.3 |
| Noble (24.04 LTS) | rsync | 3.2.7-1ubuntu1.1 |
| Oracular (24.10) | rsync | fix not available |

You can open the terminal and run dpkg -l rsync to check if you have the updated package. If you have a lower version, open up the update manager and look to see if the update is available. This package comes pre-installed on most Ubuntu-based systems so it's important for everyone to check that they're updated.
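
The version check described above can be scripted. The following is an added example, not code from the article or from Canonical: it compares the installed rsync version with the fixed versions in the table using `dpkg --compare-versions`, which applies Debian version ordering. The function names and the script name are this example's own, and it assumes the release codename can be read from /etc/os-release or lsb_release.

```sh
#!/bin/sh
# Added example: check the installed rsync package against the fixed
# versions in the article's table. Function names are this example's own.

# Map an Ubuntu codename to the fixed rsync version from the table.
fixed_version_for() {
    case "$1" in
        trusty) echo "3.1.0-2ubuntu0.4+esm1" ;;
        xenial) echo "3.1.1-3ubuntu1.3+esm3" ;;
        bionic) echo "3.1.2-2.1ubuntu1.6+esm1" ;;
        focal)  echo "3.1.3-8ubuntu0.8" ;;
        jammy)  echo "3.2.7-0ubuntu0.22.04.3" ;;
        noble)  echo "3.2.7-1ubuntu1.1" ;;
        *)      return 1 ;;  # e.g. oracular: no fixed version listed
    esac
}

# Succeed if installed version $1 is at or above fixed version $2,
# using Debian version ordering rather than a string comparison.
is_patched() {
    dpkg --compare-versions "$1" ge "$2"
}

check_rsync() {
    # Assumption: UBUNTU_CODENAME names the Ubuntu base on derivatives
    # such as Linux Mint; older releases fall back to lsb_release.
    codename=$( [ -r /etc/os-release ] && . /etc/os-release
                echo "${UBUNTU_CODENAME:-${VERSION_CODENAME:-}}" )
    [ -n "$codename" ] || codename=$(lsb_release -cs 2>/dev/null)
    installed=$(dpkg-query -W -f='${Version}' rsync 2>/dev/null)
    if [ -z "$installed" ]; then
        echo "rsync is not installed"; return 0
    fi
    if ! fixed=$(fixed_version_for "$codename"); then
        echo "no fixed version listed for '$codename' (installed: $installed)"
        return 2
    fi
    if is_patched "$installed" "$fixed"; then
        echo "OK: rsync $installed is at or above $fixed"
    else
        echo "UPDATE NEEDED: rsync $installed is below $fixed"
        return 1
    fi
}

# Run the check only when called as: sh rsync_check.sh check
if [ "${1:-}" = "check" ]; then check_rsync; fi
```

The exit status is 0 when rsync is patched or absent, 1 when an update is needed, and 2 when the table lists no fixed version for the release.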
