Just as with the CUPS hysteria, a set of rsync vulnerabilities has been promptly patched for all supported LTS versions of Ubuntu, even 18.04 LTS and 16.04 LTS for users of Ubuntu Pro. The current non-LTS stable release, 24.10, has a lower priority regarding security updates.

OMG! Ubuntu: Ubuntu Patches Major Security Vulnerabilities in Rsync. Obviously, these vulnerabilities also affected RHEL and other distros, not just Ubuntu.

NIST: CVE-2024-12084, CVE-2024-12085, CVE-2024-12747

Ubuntu

CVE-2024-12084

  • Vulnerable: 24.10 oracular
  • Fixed: 24.04 LTS noble, 22.04 LTS jammy
  • Not affected: 20.04 LTS focal, 18.04 LTS bionic, 16.04 LTS xenial, 14.04 LTS trusty

CVE-2024-12085

  • Vulnerable: 24.10 oracular
  • Fixed: 24.04 LTS noble, 22.04 LTS jammy, 20.04 LTS focal, 18.04 LTS bionic (Ubuntu Pro), 16.04 LTS xenial (Ubuntu Pro)
  • Ignored (end of ESM support): 14.04 LTS trusty

CVE-2024-12747

  • Vulnerable: 24.10 oracular
  • Fixed: 24.04 LTS noble, 22.04 LTS jammy, 20.04 LTS focal, 18.04 LTS bionic (Ubuntu Pro), 16.04 LTS xenial (Ubuntu Pro)
  • Ignored (end of ESM support): 14.04 LTS trusty

Red Hat

CVE-2024-12084

  • No RHEL version affected.

CVE-2024-12085

  • Fixed: RHEL 8, RHEL 9
  • Affected: RHEL 6, RHEL 7

CVE-2024-12747

  • Affected: RHEL 8, RHEL 9
  • Out of support scope: RHEL 6, RHEL 7

A couple of remarks

  1. As I am writing this, launchpad.net/ubuntu/+source/rsync reveals that a patch for the development version 25.04 plucky was proposed, but not released. The current non-LTS stable release, 24.10 oracular, should benefit from it, once released (it’s the same version).
  2. RHEL 6 and 7 are out of the normal support scope, but for RHEL 7, the Extended Lifecycle Support (ELS) is available as an add-on until June 30, 2026, should anyone have paid for it. The way they presented the situation is completely inconsistent.
  3. There is an explanation for RHEL being “immune” to the first CVE: “This vulnerability only affects a limited range of Rsync versions, rsync-3.2.7 and rsync-3.3.0. Red Hat Enterprise Linux does not ship these versions of Rsync and is not affected.” Because RHEL releases its major versions (6, 7, 8, 9, 10) less frequently than Ubuntu releases its LTS versions, and dot-releases (x.y) upgrade only a limited number of packages, it just so happened that these rsync versions were never shipped. The major disadvantage of RHEL vs. Ubuntu LTS is that RHEL’s kernels are too old. Ubuntu LTS also releases optional hardware enablement (HWE) and specialized (e.g. OEM) kernels, often without additional subscription requirements (Ubuntu Pro is free for up to 5 PCs). RHEL’s extra kernels (e.g. RT) are usually offered for niche use cases or require subscriptions.
  4. Most desktop users would probably not be impacted by such vulnerabilities, but the general rule applies: Ubuntu LTS receives security updates with the highest priority, and Ubuntu Pro extends the support to 10 years. Non-LTS releases are less secure, although, realistically speaking, home users typically don’t use such server-grade packages. This being said, how much can you trust a niche distro or any non-enterprise distro for promptness in fixing security vulnerabilities?
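As an added example (not part of the original post), here is a small POSIX shell check that applies the version range quoted in remark 3 (only rsync 3.2.7 and 3.3.0 are affected by CVE-2024-12084) while accounting for the fact that Ubuntu backports fixes without bumping the upstream version number, which is why a release listed above as "Fixed" can still carry an affected upstream version. The package version strings and the changelog text are constructed samples; the dpkg-query/apt-get commands in the trailing comment are what one would run on a live Ubuntu host.

```shell
#!/bin/sh
# Added example: classify an rsync package with respect to CVE-2024-12084
# using (a) the upstream version and (b) the distro changelog, because a
# bare version check gives false positives on backported security fixes.

# upstream_version "3.2.7-1ubuntu1.1" -> "3.2.7"
# Strips a Debian epoch ("1:"), the Debian revision ("-...") and any
# upstream suffix such as "+ds1".
upstream_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-.*$//; s/+.*$//'
}

# Returns 0 when the upstream version is one the advisory names as affected.
upstream_affected_12084() {
    case "$(upstream_version "$1")" in
        3.2.7|3.3.0) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 when a Debian-style changelog text mentions the given CVE id.
changelog_mentions() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# Verdict: not-affected (upstream never vulnerable), fixed (affected
# upstream, but the distro changelog records the CVE fix), or vulnerable.
assess_12084() {
    if ! upstream_affected_12084 "$1"; then
        echo not-affected
    elif changelog_mentions CVE-2024-12084 "$2"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample changelog entry (not real Ubuntu changelog text).
SAMPLE_CHANGELOG='rsync (3.2.7-1ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: fix for CVE-2024-12084

 -- Example Maintainer <maint@example.com>  Tue, 14 Jan 2025 12:00:00 +0000'

# On a live Ubuntu host, feed the real package data instead:
#   VER=$(dpkg-query -W -f '${Version}' rsync)
#   CL=$(apt-get changelog rsync 2>/dev/null)
#   assess_12084 "$VER" "$CL"
```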