Release date:
2026-05-29 11:39:28 UTC
Description:
* SECURITY UPDATE: use-after-free in receive_xattr()
- debian/patches/CVE-2026-41035.patch: replace stale local 'count'
with temp_xattr.count in the qsort call inside receive_xattr(),
so the sort uses the live size of the rebuilt xattr items list;
victim must run rsync with -X / --xattrs
- CVE-2026-41035
Updated packages:
-
rsync_3.1.2-2.1ubuntu1.6+tuxcare.els8_amd64.deb
sha:f287b4e07c26c1ffc239da6d8250156e489a49a4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
