On 1/14/25 08:53, Nick Tait wrote:
Upstream has prepared patches for these CVEs. These fixes will be included
in rsync 3.4.0 which is to be released shortly.
This has happened now -
https://lists.samba.org/archive/rsync-announce/2025/000120.html says:
We have just released version 3.4.0 of rsync. This release fixes 6 security
vulnerabilities found by two groups of security researchers.
You can find the new release links here:
- https://rsync.samba.org/
- https://download.samba.org/pub/rsync/src/
For details on the vulnerabilities please see this CERT advisory:
https://kb.cert.org/vuls/id/952657
The various distros should be doing security releases today
Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google
Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for discovering
these vulnerabilities and working with the rsync project to develop and
test fixes.
Also many thanks to Wayne Davison for assisting with the release process as
this is the first release I've done since 2002 when Wayne took over as the
rsync maintainer.
Andrew Tridgell
rsync maintainer (again!)
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
