Subject: rsync-2.6.3 "security fix"
To: None <tech-pkg@netbsd.org>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 10/26/2004 12:32:02
[cc: to packages@ just in case others are wondering]
On Mon, 25 Oct 2004, [elided] wrote:
> > SECURITY FIXES:
> >
> > - A bug in the sanitize_path routine (which affects a non-chrooted
> > rsync daemon) could allow a user to craft a pathname that would get
> > transformed into an absolute path for certain options (but not for
> > file-transfer names). If you're running an rsync daemon with chroot
> > disabled, *please upgrade*, ESPECIALLY if the user privs you run
> > rsync under are anything above "nobody".
>
> pkg-vulnerabilities entry? Pullup request for pkgsrc-2004Q3?
"Don't panic." Sorry about that; I didn't think to include this in the
commit log:
=====
This was addressed by patches/patch-ac on 2004/08/14, rsync-2.6.2nb1, which
is on the branch, so pkgsrc-2004Q3 is already fixed. It is not necessary to
rush to upgrade to 2.6.3 if 2.6.2nb1 is already installed.
rsync<2.6.2nb1 remote-file-access http://samba.org/rsync/#security_aug04
=====
(I updated to 2.6.3 specifically to get the --delete crash fix.)
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
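How a pkg-vulnerabilities line like the one above gets matched against an installed package, as an added example (not pkgsrc's own audit-packages code): the version order is a simplified assumption covering dotted numbers plus the `nbN` pkgsrc revision suffix, which is exactly what puts `rsync-2.6.2nb1` outside the `rsync<2.6.2nb1` pattern while `rsync-2.6.2` stays inside it.

```python
import re

# Constructed database: the single entry quoted in the mail.
PKG_VULNERABILITIES = """\
rsync<2.6.2nb1 remote-file-access http://samba.org/rsync/#security_aug04
"""

def version_key(version):
    """Simplified pkgsrc version order (assumption): dotted integers, then an
    optional nbN revision. 'nb' sorts after the bare upstream version."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    base = [int(p) for p in m.group(1).split(".")]
    base += [0] * (8 - len(base))          # 2.6 == 2.6.0, so zero-pad
    return tuple(base), int(m.group(2) or 0)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def matches_pattern(installed, pattern):
    """Does an installed package such as 'rsync-2.6.2' match a pattern like
    'rsync<2.6.2nb1' or a range such as 'rsync>=2.6<2.6.2nb1'?"""
    pkg, ver = installed.rsplit("-", 1)
    m = re.fullmatch(r"([A-Za-z0-9_+.-]+?)((?:[<>]=?[^<>]+)+)", pattern)
    if not m or m.group(1) != pkg:
        return False
    # Every relational constraint in the pattern must hold.
    for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)):
        if not OPS[op](version_key(ver), version_key(bound)):
            return False
    return True

def vulnerable_entries(installed, database=PKG_VULNERABILITIES):
    """Return (vulnerability type, reference URL) for each matching entry."""
    hits = []
    for line in database.splitlines():
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split()
        if matches_pattern(installed, pattern):
            hits.append((kind, url))
    return hits
```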