Release date:
2026-05-29 13:42:01 UTC
Description:
* SECURITY UPDATE: use-after-free in receive_xattr()
- debian/patches/CVE-2026-41035.patch: replace stale local 'count'
with temp_xattr.count in the qsort call inside receive_xattr(),
so the sort uses the live size of the rebuilt xattr items list;
victim must run rsync with -X / --xattrs
- CVE-2026-41035
Updated packages:
-
rsync_3.1.1-3ubuntu1.3+tuxcare.els10_amd64.deb
sha:c7e14e1653eb73fa546b5b21bc19600bf381a8e7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
