Subject: rsync-2.6.3 "security fix"
To: None <>
From: Todd Vierling <>
List: tech-pkg
Date: 10/26/2004 12:32:02
[cc: to packages@ just in case others are wondering]

On Mon, 25 Oct 2004, [elided] wrote:

> >
> >     - A bug in the sanitize_path routine (which affects a non-chrooted
> >       rsync daemon) could allow a user to craft a pathname that would get
> >       transformed into an absolute path for certain options (but not for
> >       file-transfer names).  If you're running an rsync daemon with chroot
> >       disabled, *please upgrade*, ESPECIALLY if the user privs you run
> >       rsync under is anything above "nobody".
> pkg-vulnerabilities entry?  Pullup request for pkgsrc-2004Q3?

"Don't panic."  Sorry about that; I didn't think to include this in the
commit log:

This was addressed by patches/patch-ac on 2004/08/14, rsync-2.6.2nb1, which
is on the branch, so pkgsrc-2004Q3 is already fixed.  It is not necessary to
rush to upgrade to 2.6.3 if 2.6.2nb1 is already installed.

rsync<2.6.2nb1          remote-file-access

(I updated to 2.6.3 specifically to get the --delete crash fix.)

-- Todd Vierling <> <>