Wayne Davison
2008-Apr-08 16:53 UTC
Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 onward)
I have released rsync 3.0.2. This is a security release to fix a potential buffer overflow in the extended attribute support. For more details, see the rsync security advisory page:

http://rsync.samba.org/security.html

There is a patch there that can be applied to 2.6.9 (if you were using the xattrs.patch), 3.0.0, or 3.0.1.

Those running a writable rsync daemon can opt to refuse the "xattrs" option in their daemon config to avoid the problem without an upgrade.

I would like to thank Sebastian Krahmer for bringing this bug to my attention.

To see the brief summary of the changes since 3.0.1, visit this link:

http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2-NEWS

You can download the source tar file and its signature from here:

http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz
http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz.asc

..wayne..
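A check for the daemon-side workaround described in the message above, added here as an example (not part of the original post and not rsync's own code): it reads rsyncd.conf text and lists the writable modules whose effective "refuse options" setting does not cover "xattrs". The sample config and module names are constructed, and only long option names and wildcard patterns in "refuse options" are handled.

```python
import fnmatch

TRUE = {"yes", "true", "1"}
# Constructed sample config; module names and paths are made up.
SAMPLE = """\
refuse options = delete
[backup]
    path = /srv/backup
    read only = no
[mirror]
    path = /srv/mirror
[upload]
    read only = false
    refuse options = xattrs delete
[drop]
    Read Only = No
    refuse options = x*
"""

def parse(text):
    """Split rsyncd.conf text into (global_params, {module: params})."""
    glob, modules = {}, {}
    cur, pending = glob, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # parameter names ignore case and embedded whitespace
            cur["".join(key.split()).lower()] = value.strip()
    return glob, modules

def exposed_modules(text):
    """Names of writable modules that do not refuse the xattrs option."""
    glob, modules = parse(text)
    exposed = []
    for name, params in modules.items():
        eff = {**glob, **params}         # a module setting overrides the global one
        writable = eff.get("readonly", "yes").lower() not in TRUE
        refused = eff.get("refuseoptions", "").split()
        if writable and not any(fnmatch.fnmatchcase("xattrs", p) for p in refused):
            exposed.append(name)
    return exposed
```

Calling `exposed_modules` on the sample returns only `backup`, the one writable module that inherits a global "refuse options" list without "xattrs".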
Robert DuToit
2008-Apr-08 17:05 UTC
Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 onward)
On Apr 8, 2008, at 12:53 PM, Wayne Davison wrote:

> I have released rsync 3.0.2. This is a security release to fix a
> potential buffer overflow in the extended attribute support. For
> more details, see the rsync security advisory page:
>
> http://rsync.samba.org/security.html
>
> There is a patch there that can be applied to 2.6.9 (if you were using
> the xattrs.patch), 3.0.0, or 3.0.1.

Thanks Wayne,

I only use the fileflags and crtimes patches. Can I just use them from the patch files directory released with 3.0.1, on 3.0.2?

Rob

> Those running a writable rsync daemon can opt to refuse the "xattrs"
> option in their daemon config to avoid the problem without an upgrade.
>
> I would like to thank Sebastian Krahmer for bringing this bug to my
> attention.
>
> To see the brief summary of the changes since 3.0.1, visit this link:
>
> http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2-NEWS
>
> You can download the source tar file and its signature from here:
>
> http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz
> http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz.asc
>
> ..wayne..