security bugs (?)
As a Cygwin rsync package maintainer, the following security fixes have been brought to my attention:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-stats-fix.patch
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-fname-obo.patch

And while they seem trusted enough to me (present in many packages such as Gentoo, FreeBSD and others; in bug lists such as Secunia...), I am no rsync deep code knower, and I still wonder why there's no mention in this mailing list or the homepage?

Do the actual authors of rsync think that those bugs have never been exploitable?
If that's so, please confirm it, thanks =)

Lapo

--
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Re: security bugs (?)
Lapo Luchini wrote:
> As a Cygwin rsync package maintainer, the following security fixes have been brought to my attention:
>
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-stats-fix.patch
> http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-fname-obo.patch

On a closer inspection, the first one doesn't really seem to regard security... what about the other, aka CVE-2007-4091[1] and SA26493[2]?

1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
2. http://secunia.com/advisories/26493/

Lapo

Re: security bugs (?)
Sat, 29 Sep 2007 10:55:32 +0200, lapo wrote:
> Lapo Luchini wrote:
>> As a Cygwin rsync package maintainer, the following security fixes have been brought to my attention:
>>
>> http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-stats-fix.patch
>> http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/rsync/files/rsync-2.6.9-fname-obo.patch
>
> On a closer inspection, the first one doesn't really seem to regard security... what about the other, aka CVE-2007-4091[1] and SA26493[2]?

There is a thread under the subject CVE-2007-4091 :-) in the archives of this list:

http://lists.samba.org/archive/rsync/2007-August/thread.html

Sven