git: e39886d24184 - main - security/vuxml: add net/rsync vulnerabilities

From: Sergey A. Osokin <osa_at_FreeBSD.org>
Date: Tue, 14 Jan 2025 21:28:15 UTC 
The branch main has been updated by osa:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e39886d24184b32d45055c46ad89bcced7f46c1a

commit e39886d24184b32d45055c46ad89bcced7f46c1a
Author:     Sergey A. Osokin <osa@FreeBSD.org>
AuthorDate: 2025-01-14 21:27:45 +0000
Commit:     Sergey A. Osokin <osa@FreeBSD.org>
CommitDate: 2025-01-14 21:27:45 +0000

    security/vuxml: add net/rsync vulnerabilities
---
 security/vuxml/vuln/2025.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 8fda2190e48a..27d050d0e54f 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,41 @@
+  <vuln vid="163edccf-d2ba-11ef-b10e-589cfc10a551">
+    <topic>rsync -- Multiple security fixes</topic>
+    <affects>
+      <package>
+	<name>rsync</name>
+	<range><lt>3.4.0</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>rsync reports:</p>
+	<blockquote cite="https://kb.cert.org/vuls/id/952657">
+	  <p>This update includes multiple security fixes:</p>
+	  <ul>
+	    <li>CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing</li>
+	    <li>CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR</li>
+	    <li>CVE-2024-12086: Server leaks arbitrary client files</li>
+	    <li>CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links</li>
+	    <li>CVE-2024-12088: --safe-links Bypass</li>
+	    <li>CVE-2024-12747: symlink race condition</li>
+	  </ul>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVS-2024-12084</cvename>
+      <cvename>CVS-2024-12085</cvename>
+      <cvename>CVS-2024-12086</cvename>
+      <cvename>CVS-2024-12087</cvename>
+      <cvename>CVS-2024-12088</cvename>
+      <cvename>CVS-2024-12747</cvename>
+    </references>
+    <dates>
+      <discovery>2025-01-14</discovery>
+      <entry>2025-01-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="3445e4b6-d2b8-11ef-9ff3-43c2b5d6c4c8">
     <topic>git -- multiple vulnerabilities</topic>
     <affects>