Re: Serious rsync security issues
- In reply to: Martin : "Serious rsync security issues"
Date: Fri, 17 Jan 2025 00:36:08 UTC
On 1/16/25 16:02, Martin wrote:
> I am going to point this to the message on the Arch Linux site,
> but it's all over the net.
>
> https://archlinux.org/news/critical-rsync-security-release-340/
>
> I am wondering why the FreeBSD rsync package hasn't been updated yet?

https://www.vuxml.org/freebsd/163edccf-d2ba-11ef-b10e-589cfc10a551.html sounds like the entry that brings those CVEs up. There was a bug when it was initially added, but it has since been fixed, though I think it would still fail `pkg audit` even with the first entry (the -F flag will update the database). It is saying >=3.4.0 is fine, which seems to match what https://download.samba.org/pub/rsync/NEWS#3.4.0 says.

Both the quarterly and latest ports branches have it, so packages should arrive on the next successful build from the build servers if it is not there now. As stated previously, you can always build from ports if you need it built sooner than the servers do it.