Hi,

I just had a look at the rsync code (master branch) and realized that there is a copy of zlib included. So I checked if the CVEs from 2016 are patched in this, and NOPE! They aren't!
This means rsync still has those vulnerabilities of zlib in the current release:

https://security-tracker.debian.org/tracker/CVE-2016-9840
https://security-tracker.debian.org/tracker/CVE-2016-9841
https://security-tracker.debian.org/tracker/CVE-2016-9842
https://security-tracker.debian.org/tracker/CVE-2016-9843

I already informed the Debian security team about this and they suggested that I inform you, so here it is :)

Best regards,
Christoph Gentsch