Ubuntu Patches rsync Regression After Security Fix Introduces Functionality Issues

Ubuntu released USN-8349-3 to address multiple regressions introduced by a previous rsync security update. The patch restores functionality while maintaining fixes for three critical vulnerabilities affecting file transfer integrity and daemon security.

TL;DR

  • USN-8349-3 resolves regressions caused by USN-8349-1's security patches to rsync
  • Original update fixed heap-based out-of-bounds read (CVE-2025-10158) and race condition in non-chroot daemons (CVE-2026-29518)
  • Additional fixes addressed extended attribute validation flaw (CVE-2026-41035) and reverse-DNS lookup bypass in chrooted configurations
  • Regression patch restores rsync functionality without compromising security improvements

Ubuntu released USN-8349-3 as a follow-up patch to address unintended regressions introduced by the previous rsync security update (USN-8349-1). While the initial security patch successfully mitigated three distinct vulnerabilities in rsync, it inadvertently broke core functionality in the file synchronization tool.

The regression fix maintains all security improvements from the original advisory while restoring normal rsync operations. This addresses a common challenge in security patching: balancing vulnerability remediation with application stability.

Original Vulnerabilities Addressed

  • Heap-based out-of-bounds read during file transfers allowing remote denial of service (CVE-2025-10158)
  • Race condition in rsync daemons without chroot protection enabling local privilege escalation and file overwrite attacks (CVE-2026-29518)
  • Improper length validation in extended attribute sorting leading to denial of service (CVE-2026-41035)
  • Reverse-DNS lookup bypass in certain chrooted daemon configurations

Patch Strategy and Deployment Considerations

  • Regression patches require careful testing to ensure security fixes remain intact while restoring functionality
  • Organizations running rsync servers should prioritize deployment of USN-8349-3 to avoid operational disruptions
  • File transfer integrity and daemon security posture are maintained in the updated version
  • Administrators should verify rsync functionality post-update, particularly for non-chroot daemon configurations
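As a starting point for that post-update check, the following added example (not part of USN-8349-3 or the rsync project) lists the modules in an rsyncd.conf whose effective "use chroot" setting is explicitly disabled, which are the configurations to exercise first. It assumes the standard rsyncd.conf layout of global parameters followed by [module] sections, reports only explicit disables (an unset value is left to rsync's default), and uses a constructed sample configuration.

```shell
#!/bin/sh
# Added example: report rsyncd.conf modules that run without chroot.
# Usage: nonchroot_modules /etc/rsyncd.conf   (or "-" to read stdin)
nonchroot_modules() {
    awk '
    function isfalse(v) { v = tolower(v); return (v == "no" || v == "false" || v == "0") }
    function report() {
        # A per-module value overrides the global one.
        if (module != "" && isfalse(mod_set ? mod_val : glob_val)) print module
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                     # [module] header: close the previous one
        report()
        module = $0
        sub(/^[ \t]*\[[ \t]*/, "", module); sub(/[ \t]*\][ \t]*$/, "", module)
        mod_set = 0; mod_val = ""
        next
    }
    {
        eq = index($0, "=")                      # only the first "=" is significant
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        if (key != "usechroot") next             # name compared without case or spaces
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (module == "") glob_val = val
        else { mod_set = 1; mod_val = val }
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration (module names and paths are hypothetical).
sample_conf() { cat <<'EOF'
# global section
use chroot = yes
[backup]
    path = /srv/backup
[staging]
    path = /srv/staging
    use chroot = no
[legacy]
    path = /srv/legacy
    Use Chroot = false
EOF
}

sample_conf | nonchroot_modules -
```

Each module name it prints is a candidate for a test transfer after the update is installed.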
