Subject: rsync-2.6.3 "security fix"
To: None <firstname.lastname@example.org>
From: Todd Vierling <email@example.com>
Date: 10/26/2004 12:32:02
[cc: to packages@ just in case others are wondering]
On Mon, 25 Oct 2004, [elided] wrote:
> > SECURITY FIXES:
> > - A bug in the sanitize_path routine (which affects a non-chrooted
> > rsync daemon) could allow a user to craft a pathname that would get
> > transformed into an absolute path for certain options (but not for
> > file-transfer names). If you're running an rsync daemon with chroot
> > disabled, *please upgrade*, ESPECIALLY if the user privs you run
> > rsync under is anything above "nobody".
> pkg-vulnerabilities entry? Pullup request for pkgsrc-2004Q3?
"Don't panic." Sorry about that; I didn't think to include this in the
This was addressed by patches/patch-ac on 2004/08/14, rsync-2.6.2nb1, which
is on the branch, so pkgsrc-2004Q3 is already fixed. It is not necessary to
rush to upgrade to 2.6.3 if 2.6.2nb1 is already installed.
rsync<2.6.2nb1 remote-file-access http://samba.org/rsync/#security_aug04
(I updated to 2.6.3 specifically to get the --delete crash fix.)
-- Todd Vierling <firstname.lastname@example.org> <email@example.com>