
rsync group privilege vulnerability
20th Mar 2002 [SBWID-5191]
COMMAND

	rsync group privilege vulnerability

SYSTEMS AFFECTED

	2.5.3 and previous

PROBLEM

	Ethan Benson found that rsyncd fails to drop root's groups (as
	explained in Mandrake advisory MDKSA-2002:024):
	

	The supplementary groups that the rsync daemon runs as (such as root)
	would not be removed from the server process after changing to the
	specified unprivileged uid and gid. This seems only serious if rsync is
	called using "rsync --daemon" from the command line where it will
	inherit the group of the user starting the server (usually root).

SOLUTION

	Upgrade to the latest version, 2.5.4, which also corrects the zlib
	double free bug.
