Subject: Re: Serious rsync security issues
From: Ralf Mardorf
To: questions@freebsd.org
Date: Fri, 17 Jan 2025 16:18:53 +0100
In-Reply-To: <398c151770891c5b4d51e32a586dcd255303d47a.camel@riseup.net>
References: <398c151770891c5b4d51e32a586dcd255303d47a.camel@riseup.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Fri, 2025-01-17 at 16:13 +0100, Ralf Mardorf wrote:
> On Fri, 2025-01-17 at 09:54 -0500, Vincent Miller wrote:
> > Up to version 3.4.0?
>
> Regarding the Arch Linux Announce Mailing List < 3.4.0, but >= 3.4.0
> is not affected [1].
>
> [1]
> -------- Forwarded Message --------
> From: Arch Linux: Recent news updates: Robin Candau
> To: arch-announce@lists.archlinux.org
> Subject: [arch-announce] Critical rsync security release 3.4.0
> Date: 01/16/2025 04:33:43 PM
>
> [snip]
>
> We highly advise anyone who runs an rsync daemon or client prior to
> version `3.4.0-1` to upgrade and reboot their systems immediately.
>
> [snip]

Disclaimer: Maybe Arch Linux does patch the version of the Arch package
3.4.0-1. Seemingly there is no patch:

https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.0-1?ref_type=tags

But there were some regressions

https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.0-2?ref_type=tags

and there's a new release

https://gitlab.archlinux.org/archlinux/packaging/packages/rsync/-/tree/3.4.1-1?ref_type=tags
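Added here as an example, not code from the thread or from any of the projects named in it: a POSIX shell check that applies the threshold quoted above (below 3.4.0 affected, 3.4.0 or later fixed) to an rsync version string. It assumes the first line of `rsync --version` has the form `rsync  version X.Y.Z  protocol version N`; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): classify an rsync version
# string against the 3.4.0 threshold given in the announcement quoted above.
# Accepts the first line of `rsync --version`
# ("rsync  version 3.2.7  protocol version 31") or a bare package version
# such as "3.4.0-1" (a trailing "-N" package release suffix is ignored).
# Exit status: 0 = affected (below 3.4.0), 1 = not affected, 2 = unparseable.
rsync_version_affected() {
    _ver=$(printf '%s\n' "$1" \
        | sed 's/^rsync[[:space:]]*version[[:space:]]*//' \
        | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    [ -n "$_ver" ] || return 2
    # Split major.minor.patch; missing components default to 0.
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$_ver" | tr '.' ' ')
    _maj=${1:-0}; _min=${2:-0}; _pat=${3:-0}
    # Encode as one integer so the comparison is purely numeric.
    _num=$(( _maj * 1000000 + _min * 1000 + _pat ))
    _fixed=$(( 3 * 1000000 + 4 * 1000 + 0 ))   # 3.4.0
    [ "$_num" -lt "$_fixed" ]
}

# Convenience wrapper for the host it runs on: prints a verdict and
# returns the same status as rsync_version_affected.
check_installed_rsync() {
    _line=$(rsync --version 2>/dev/null | head -n 1) || true
    if [ -z "$_line" ]; then
        echo "rsync not found on PATH"
        return 2
    fi
    rsync_version_affected "$_line"
    _rc=$?
    case $_rc in
        0) echo "AFFECTED: $_line (below 3.4.0, upgrade)" ;;
        1) echo "OK: $_line (3.4.0 or later)" ;;
        *) echo "UNKNOWN: could not parse '$_line'" ;;
    esac
    return $_rc
}
```

A bare version number can miss a distribution that backports the fix under an older version string, so confirm the result against the advisory for the package actually installed.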