the alloca comes from the new popt release. What system are you having an issue with? On Wed, 15 Jan 2025 at 07:16, <rsbecker at nexbridge.com> wrote:> A new dependency was added since 3.3, alloca(), which is not portable. Is > there a way around this? > > Thanks, > > Randall > > > > *From:* rsync <rsync-bounces at lists.samba.org> *On Behalf Of *rsync.project > via rsync > *Sent:* January 14, 2025 2:49 PM > *To:* rsync-announce at lists.samba.org > *Cc:* rsync at lists.samba.org > *Subject:* new release 3.4.0 - critical security release > > > > We have just released version 3.4.0 of rsync. This release fixes 6 > security vulnerabilities found by two groups of security researchers. > > > > You can find the new release links here: > > > > - https://rsync.samba.org/ > > - https://download.samba.org/pub/rsync/src/ > > > > For details on the vulnerabilities please see this CERT advisory: > > > > https://kb.cert.org/vuls/id/952657 > > > > The various distros should be doing security releases today > > Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at > Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for > discovering these vulnerabilities and working with the rsync project to > develop and test fixes. > > > > Also many thanks to Wayne Davison for assisting with the release process > as this is the first release I've done since 2002 when Wayne took over as > the rsync maintainer. > > > > Andrew Tridgell > > rsync maintainer (again!) > > > > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.samba.org/pipermail/rsync/attachments/20250115/004c900e/attachment.htm>
The patches within the rsync-patches-3.4.0.tar.gz archive seem to contain new
unnecessary hunks that change the prefix from /usr to /usr/local. This was not
the case in 3.3.0.
I use the fileflags.diff patch in the MacPorts build of rsync, and with the
3.4.0 version of this patch, it does not build:
t_stub.c:34:14: error: redefinition of 'module_dirlen' with a different
type: 'unsigned int' vs 'int'
unsigned int module_dirlen = 0;
^
t_stub.c:31:5: note: previous definition is here
int module_dirlen = 0;
^
1 error generated.
rsbecker at nexbridge.com
2025-Jan-14 23:09 UTC
new release 3.4.0 - critical security release
This happens on NonStop x86 and ia64. I have been building/packaging Rsync for years ? almost a decade in fact. I think this happened once before this year, in fact. It is equivalent to the more portable malloc/free, which I would prefer to have in this series even if it has to be wrapped in a #if defined (__TANDEM) block. This call is considered not portable and allocates on the stack instead of the heap. This can cause performance issues as memory management on the heap is generally given more attention by runtimes. The reason it is not supported on NonStop is that the c99 compiler does not generate code for allocating on the stack on this machine. Please forgive me here, but adding a new dependency for a critical security fix is rather painful. --Randall From: rsync.project <rsync.project at gmail.com> Sent: January 14, 2025 4:31 PM To: rsbecker at nexbridge.com Cc: rsync at lists.samba.org Subject: Re: new release 3.4.0 - critical security release the alloca comes from the new popt release. What system are you having an issue with? On Wed, 15 Jan 2025 at 07:16, <rsbecker at nexbridge.com <mailto:rsbecker at nexbridge.com> > wrote: A new dependency was added since 3.3, alloca(), which is not portable. Is there a way around this? Thanks, Randall From: rsync <rsync-bounces at lists.samba.org <mailto:rsync-bounces at lists.samba.org> > On Behalf Of rsync.project via rsync Sent: January 14, 2025 2:49 PM To: rsync-announce at lists.samba.org <mailto:rsync-announce at lists.samba.org> Cc: rsync at lists.samba.org <mailto:rsync at lists.samba.org> Subject: new release 3.4.0 - critical security release We have just released version 3.4.0 of rsync. This release fixes 6 security vulnerabilities found by two groups of security researchers. You can find the new release links here: - https://rsync.samba.org/ - https://download.samba.org/pub/rsync/src/ For details on the vulnerabilities please see this CERT advisory: https://kb.cert.org/vuls/id/952657 The various distros should be doing security releases today Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for discovering these vulnerabilities and working with the rsync project to develop and test fixes. Also many thanks to Wayne Davison for assisting with the release process as this is the first release I've done since 2002 when Wayne took over as the rsync maintainer. Andrew Tridgell rsync maintainer (again!) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.samba.org/pipermail/rsync/attachments/20250114/319d08b7/attachment.htm>