Hi there,

Just a mention of the latest batch of rsync vulnerabilities and how they affect (or, in this case, don't affect) rsync-bpc.
There's a NEWS.md file on the rsync Github repository here:

https://github.com/RsyncProject/rsync/blob/master/NEWS.md

The first part of that file is reproduced below:

8<----------------------------------------------------------------------
# NEWS for rsync 3.4.3 (20 May 2026)

## Changes in this version:

### SECURITY FIXES:

Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configuration to reach: the first and third need `use chroot = no` for a module, the second needs `daemon chroot = ...` set in rsyncd.conf. Two (CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a normal authenticated daemon connection. The sixth (CVE-2026-45232) is reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM) returns a pathological response.

[...snip...]
8<----------------------------------------------------------------------

Putting that into English, all these issues affect rsync when it is used in ways in which BackupPC, by means of rsync-bpc, does not use it. OTOH when, in the normal course of making backups, rsync-bpc talks to remote hosts, it will be talking to a perfectly ordinary rsync. The BackupPC host itself may of course have a vulnerable version of rsync installed. You may wish to upgrade your perfectly ordinary rsync; if you have any untrusted hosts on your network which can run or connect to such an rsync then you certainly should upgrade.

There are no changes to the rsync 'protocol' (if that's not putting it in too grandiose a way) so rsync-bpc SHOULD happily talk to the latest version of rsync (which is version 3.4.3). I plan to test that today.

Over the coming days I'll also be looking at importing the changes from 3.4.3 to my local version of rsync-bpc-3.4.1.0rc1. Until these latest disclosures I was considering it more or less ready for general release via Github.
As I said back in March[*], it's available from me direct if anyone wants to give it a spin. I've been using it here in production for some weeks with no issues. For now, before producing rsync-bpc-3.4.3.0rc1, my next step will be to check for regressions by installing version 3.4.3 of rsync on all my clients.

As always, I strongly recommend that rsync connections should never be allowed directly from the Internet, and never from untrusted hosts. If you need to use rsync over the Internet, the connections should, for example, be routed via VPN so that rsync ports are never exposed. Even locking down rsync access by, for example, xinetd is prone to accidental loss of protection, and if the only thing between my rsync daemons and untrusted connections was an iptables rule, then I think that I'd live in a perpetual state of anxiety.

[*] https://sourceforge.net/p/backuppc/mailman/message/59310560/

--
73, Ged.

_______________________________________________
BackupPC-users mailing list
[email protected]
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
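As an added example, not from Ged's message and not code from the rsync or rsync-bpc projects: a bash audit that applies the reachability conditions quoted from the 3.4.3 NEWS text to an rsyncd.conf and an installed rsync version string. It reports which of the six CVE groups a given daemon configuration actually exposes (modules with `use chroot = no`, a global `daemon chroot`, `RSYNC_PROXY` in the environment, and the two that need nothing special), and whether the version is in the affected range. The sample rsyncd.conf it writes is constructed for the example; treating an unset `use chroot` as "yes" follows the rsyncd.conf manpage default, and the boolean spellings it accepts (no/false/0) are an assumption about rsync's parameter parser.

```bash
#!/usr/bin/env bash
# Added example (not from the post, nor from rsync or rsync-bpc): apply the
# reachability conditions quoted from the rsync 3.4.3 NEWS to an rsyncd.conf
# and an installed rsync version string.
set -u

# Print the name of every module whose effective "use chroot" is off.
# A "use chroot" line before the first [module] header sets the default for
# all modules; a line inside a module overrides it. Assumption: an unset
# value means "yes", as the rsyncd.conf manpage gives for the default.
modules_without_chroot() {   # $1 = path to rsyncd.conf
  awk '
    function isno(v) { return v == "no" || v == "false" || v == "0" }   # assumed boolean spellings
    BEGIN { gval = "yes"; mod = "" }
    { line = tolower($0) }
    line ~ /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    line ~ /^[ \t]*\[/ {                              # [module] header
      if (mod != "" && isno(val)) print mod
      mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
      val = gval
      next
    }
    line ~ /^[ \t]*use[ \t]+chroot[ \t]*=/ {
      v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      if (mod == "") gval = v; else val = v
    }
    END { if (mod != "" && isno(val)) print mod }
  ' "$1"
}

# Succeed if the global section sets "daemon chroot = <path>".
daemon_chroot_set() {   # $1 = path to rsyncd.conf
  awk '
    /^[ \t]*\[/ { exit }                              # global section ends at the first module
    tolower($0) ~ /^[ \t]*daemon[ \t]+chroot[ \t]*=[ \t]*[^ \t]/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Succeed if the version is 3.4.2 or earlier (the affected range named in NEWS).
rsync_version_affected() {   # $1 = version string such as "3.2.7" or "3.4.3pre1"
  local maj min pat
  IFS=. read -r maj min pat <<<"$1"
  pat=${pat%%[^0-9]*}                                 # drop suffixes like "pre1"
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  [ "$maj" -lt 3 ] && return 0
  [ "$maj" -gt 3 ] && return 1
  [ "$min" -lt 4 ] && return 0
  [ "$min" -gt 4 ] && return 1
  [ "$pat" -le 2 ]
}

# Succeed if RSYNC_PROXY is set in this environment (the precondition for the sixth CVE).
proxy_path_reachable() {
  [ -n "${RSYNC_PROXY:-}" ]
}

# Human-readable report combining the checks above.
audit_report() {   # $1 = path to rsyncd.conf, $2 = installed rsync version
  local conf=$1 ver=$2
  if ! rsync_version_affected "$ver"; then
    echo "rsync $ver is newer than 3.4.2: the six CVEs fixed in 3.4.3 do not apply"
    return 0
  fi
  echo "rsync $ver is 3.4.2 or earlier: upgrade; the conditions below decide what is reachable now"
  echo "CVE-2026-43618, CVE-2026-43620: reachable from a normal pull or authenticated daemon connection"
  modules_without_chroot "$conf" | while IFS= read -r m; do
    echo "CVE-2026-29518, CVE-2026-43619: module [$m] has use chroot = no"
  done
  if daemon_chroot_set "$conf"; then
    echo "CVE-2026-43617: daemon chroot is set in $conf"
  fi
  if proxy_path_reachable; then
    echo "CVE-2026-45232: RSYNC_PROXY is set in this environment"
  fi
}

# Constructed sample rsyncd.conf for trying the functions out (not a real host's config).
write_sample_conf() {   # $1 = destination path
  cat >"$1" <<'EOF'
# constructed example: global default keeps chroot on, one module turns it off
uid = nobody
gid = nogroup
use chroot = yes
daemon chroot = /srv/rsync-jail
[backups]
    path = /srv/backups
    read only = yes
[scratch]
    path = /srv/scratch
    use chroot = no
[misc]
    path = /srv/misc
EOF
}

# Usage: ./rsync-audit.sh /etc/rsyncd.conf 3.2.7
if [ "$#" -ge 2 ]; then
  audit_report "$1" "$2"
fi
```

On a real host the version argument can be taken from the first line of `rsync --version` (its third field), e.g. `./rsync-audit.sh /etc/rsyncd.conf "$(rsync --version | awk 'NR==1{print $3}')"`. The report only tells you which of the listed conditions a configuration meets; it says nothing about who can reach the daemon, which is the exposure Ged's advice about VPNs and untrusted hosts is aimed at, and it is no substitute for upgrading.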
