Hi,
I just had a look at the rsync code (master branch) and realized that
there is a copy of zlib included. So I checked if the CVEs from 2016
are patched in this, and NOPE! They aren't!
This means rsync still has those vulnerabilities of zlib in the current
release:
https://security-tracker.debian.org/tracker/CVE-2016-9840
https://security-tracker.debian.org/tracker/CVE-2016-9841
https://security-tracker.debian.org/tracker/CVE-2016-9842
https://security-tracker.debian.org/tracker/CVE-2016-9843
I already informed the Debian security team about this and they
suggested that I inform you, so here it is :)
Best regards,
Christoph Gentsch