{"id":"MGASA-2015-0146","summary":"Updated librsync packages fix security vulnerabilities","details":"Updated librsync packages fix security vulnerability:\n\nlibrsync before 1.0.0 used a truncated MD4 \"strong\" check sum to match\nblocks. However, MD4 is not cryptographically strong. It's possible that an\nattacker who can control the contents of one part of a file could use it to\ncontrol other regions of the file, if it's transferred using librsync/rdiff\n(CVE-2014-8242).\n\nThe change to fix this is not backward compatible with older versions of\nlibrsync. Backward compatibility can be obtained using the new `rdiff sig\n--hash=md4` option or through specifying the \"signature magic\" in the API,\nbut this should not be used when either the old or new file contain\nuntrusted data.\n\nAlso, any applications that use the librsync library will need to be\nrecompiled against the updated library.  The duplicity and rdiff-backup\npackages have been rebuilt for this reason.\n","modified":"2026-01-30T08:00:28.571343Z","published":"2015-04-15T09:01:28Z","related":["CVE-2014-8242"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0146.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15543"},{"type":"REPORT","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152366.html"}],"affected":[{"package":{"name":"librsync","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/librsync?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.0-2.2.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0146.json"}},{"package":{"name":"duplicity","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/duplicity?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.22-5.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0146.json"}},{"package":{"name":"rdiff-backup","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/rdiff-backup?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.3-8.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0146.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}