Summary
It was discovered that lsyncd, a daemon to synchronize local directories using rsync, performed insufficient sanitising of filenames, which might result in the execution of arbitrary commands.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 2.0.7-3+deb7u1.
For the upcoming stable distribution (jessie), this problem has been fixed in version 2.1.5-2.
For the unstable distribution (sid), this problem has been fixed in version 2.1.5-2.
We recommend that you upgrade your lsyncd packages.
Insight
Lsyncd (Live syncing mirror daemon) uses rsync to synchronize local directories with a remote machine running rsyncd. Lsyncd watches multiple directory trees through inotify. The first step after adding the watches is to rsync all directories with the remote host; after that, single files are synced by collecting the inotify events. Lsyncd is therefore a light-weight live mirror solution that should be easy to install and use while blending well with your system.
Affected
lsyncd on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
CVSS Base Score: 7.5 (CVSS v2)
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2014-8990