CLSA-2026-1779869103

Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779869103.json
JSON Data
https://api.osv.dev/v1/vulns/CLSA-2026-1779869103
Upstream
  • CVE-2026-29518
  • CVE-2026-43618
Published
2026-05-27T08:05:13Z
Modified
2026-06-04T09:45:29.638669800Z
Summary
Fix CVE(s): CVE-2024-12086, CVE-2026-29518, CVE-2026-43618
Details
  • SECURITY UPDATE: receiver process memory disclosure via compressed-token integer overflow:
    • debian/patches/els/0004-CVE-2026-43618.patch: cap rxtoken at MAXTOKEN_INDEX; reject out-of-range token values.
    • CVE-2026-43618.
  • SECURITY UPDATE: malicious server can enumerate arbitrary client files via crafted checksum responses:
    • debian/patches/els/0005-CVE-2024-12086.patch: add secure_relative_open() and route the receiver's basis-file open through it.
    • CVE-2024-12086.
  • SECURITY UPDATE: daemon TOCTOU symlink race on parent path components when "use chroot = no":
    • debian/patches/els/0006-CVE-2026-29518.patch: gate sender/receiver opens and chmods through secure_relative_open() / dochmodat().
    • CVE-2026-29518.
References

Affected packages

TuxCare:Debian:10 / rsync

Package

Name
rsync
Purl
pkg:deb/tuxcare/rsync?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.3-6+tuxcare.els2

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779869103.json"