Re: Serious rsync security issues

From: Ralf Mardorf <ralf-mardorf_at_riseup.net>
Date: Fri, 17 Jan 2025 15:18:53 UTC

On Fri, 2025-01-17 at 16:13 +0100, Ralf Mardorf wrote:
> On Fri, 2025-01-17 at 09:54 -0500, Vincent Miller wrote:
> > Up to version 3.4.0?
> 
> According to the Arch Linux Announce Mailing List, < 3.4.0, but >= 3.4.0
> is not affected [1].
> 
> [1]
> -------- Forwarded Message --------
> From: Arch Linux: Recent news updates: Robin Candau
> <arch-announce@lists.archlinux.org>
> To: arch-announce@lists.archlinux.org
> Subject: [arch-announce] Critical rsync security release 3.4.0
> Date: 01/16/2025 04:33:43 PM
> 
> [snip]
> 
> We highly advise anyone who runs an rsync daemon or client prior to
> version `3.4.0-1` to upgrade and reboot their systems immediately.
> 
> [snip]

Disclaimer: Maybe Arch Linux does patch the version of the Arch package
3.4.0-1.

Seemingly there is no patch:
https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.0-1?ref_type=tags
But there were some regressions
https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.0-2?ref_type=tags
and there's a new release
https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.1-1?ref_type=tags