CVE-2022-3362 Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.

Before 2.5.0, you could create multiple sessions with different expiration times on a repository. When reading or writing data, rDiff tried to use the session with the longest expiration time. For example, if you created a second session with an expiration time of 1 week and then a third session with an expiration time of 1 month, rDiff would use the 1-month session for any read or write operation. This could lead to situations where repositories with long-expired sessions were very slow to operate, or even impossible to work with.

With the 2.5.0 release, session expiration behaves consistently across all rDiff features: all sessions now expire at the same time, regardless of how long each session has existed. rDiff now uses the session with the longest length of existence when reading from or writing to a repository.

rDiff 2.5.0 Reference

rDiff 2.5.0 Changelog: Security

One of the most important changes in this release is how rDiff handles sessions. In previous releases, rDiff allowed users to create multiple sessions with different expiration times on a repository. For example, you could have one session that expires after 1 week and another that expires after 1 month. If you started working on both repositories at the same time, rDiff would use whichever session had been created with the longest duration. This could cause problems when working with repositories with long-expired sessions, because those repositories would be very slow or even impossible to work with.
With this release, all sessions expire at the same time for all rDiff features (reading and writing). When you start working on either repository, the session expires exactly one hour later, no matter how long it has existed.

rDiff 2.5.0 Release Notes

rDiff will now use the session with the longest duration when writing to or reading from a repository.

This behavior change is consistent across all rDiff features, including repository creation and deletion.

rDiff 2.5.0 Installation Steps:

- Update rDiff to 2.5.0 by downloading the latest version from https://github.com/rdiff/rDiff/releases
- You will need an active rDiff installation to use this feature, so please make sure you have one before proceeding with these steps
- Once the update is complete, you must uninstall any previous versions of rDiff and install 2.5.0 from the above link
- After installing the new update, open up a terminal and execute "cd /path/to/my/repository" (if it's not already in your current directory)
- From here, you can run "rdiff login" to create a new repository session with a one-hour expiration time

Installation Steps for rDiff 2.5.0

rDiff 2.5.0 is a major release of rDiff. It includes some important changes to the way rDiff handles repositories and sessions, and we want you to be aware of these changes before upgrading your installation. Here are the steps for rDiff installations upgrading from 2.4.0 or earlier:

1) Stop any running rDiff processes on your system
2) Uninstall previous releases of rDiff (2.4.x or earlier) using this command in a terminal window: sudo dpkg -P rdiff-2*
3) Install the new version of rDiff using this command in a terminal window: sudo dpkg -i rdiff-2_5_0-amd64.deb
4) Run the following commands to re-create all .rdiff directories as needed: sudo mkdir /usr/local/etc/rdiff-* && sudo rm -rf /usr/local/etc/rdiff-* && sudo chown root:wheel /usr/local/etc/rdiff-*
5) Start the rDiff processes you stopped in step 1
That's it! You can now run the new version of rDiff with no problems!
