rsync (3.2.7-0ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY REGRESSION: flag collision (LP: #2095004)
    - d/p/fix_flag_got_dir_flist_collision.patch: change the flag bit to 13

 -- Sudhakar Verma <sudhakar.verma@canonical.com>  Thu, 16 Jan 2025 15:25:20 +0530

rsync (3.2.7-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: safe links bypass vulnerability
    - d/p/CVE-2024-12088/0001-make-safe-links-stricter.patch: reject links
      where a "../" component is included in the destination
    - CVE-2024-12088
  * SECURITY UPDATE: arbitrary file write via symbolic links
    - d/p/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch: refuse
      malicious duplicate flist for dir
    - d/p/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch: refuse
      invalid dir_ndx
    - CVE-2024-12087
  * SECURITY UPDATE: arbitrary client file leak
    - d/p/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch:
      refuse fuzzy options when not selected
    - d/p/CVE-2024-12086/0002-added-secure_relative_open.patch: safe
      implementation to open a file relative to a base directory
    - d/p/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch:
      ensure secure file access for basis file
    - d/p/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch:
      disallow "../" in relative path
    - CVE-2024-12086
  * SECURITY UPDATE: information leak via uninitialized stack contents
    - d/p/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch:
      prevent information leak by zeroing
    - CVE-2024-12085
  * SECURITY UPDATE: heap buffer overflow in checksum parsing
    - d/p/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch: fix
      checksum buffer issues, better length check
    - d/p/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch:
      fix multiplying size by a better cast
    - CVE-2024-12084
  * SECURITY UPDATE: symlink race condition
    - d/p/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch:
      do_open_checklinks to prevent symlink race
    - CVE-2024-12747

 -- Sudhakar Verma <sudhakar.verma@canonical.com>  Mon, 13 Jan 2025 16:36:53 +0530

rsync (3.2.7-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via malicious remote servers
    - Updated to 3.2.7 to fix security issue and multiple regressions
      caused by the original security fixes.
    - debian/patches: Added two additional upstream patches:
      + trust_the_sender_on_a_local_transfer.patch
      + avoid_quoting_of_tilde_when_its_a_destination_arg.patch
    - Removed patches no longer needed with 3.2.7:
      + CVE-2020-14387.patch, fix_ftcbfs_configure.patch,
        fix_delay_updates.patch, copy-devices.diff,
        workaround_glibc_lchmod_regression.patch,
        manpage_upstream_fixes.patch, fix_mkpath.patch,
        fix_sparse_inplace.patch, update_rrsync_options.patch,
        fix_rsync-ssl_RSYNC_SSL_CERT_feature.patch,
        avoid_spurious_is_newer_messages_with_update.patch.
    - debian/control, debian/rules, debian/rsync.install,
      debian/rsync.links: ship new python-based rrsync.
    - debian/rsync.install: cull_options has been renamed to cull-options.
    - CVE-2022-29154

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 27 Feb 2023 14:36:14 -0500

rsync (3.2.3-8ubuntu3.1) jammy; urgency=medium

  * d/p/avoid_spurious_is_newer_messages_with_update.patch: New patch from
    upstream (LP: #1965076)

 -- Simon Deziel <simon@sdeziel.info>  Tue, 11 Oct 2022 22:37:36 +0000

rsync (3.2.3-8ubuntu3) jammy; urgency=high

  * No change rebuild for ppc64el baseline bump.

 -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 25 Mar 2022 10:51:06 +0100

rsync (3.2.3-8ubuntu2) jammy; urgency=medium

  * No-change rebuild against openssl3

 -- Simon Chopin <simon.chopin@canonical.com>  Wed, 24 Nov 2021 14:01:07 +0000

rsync (3.2.3-8ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/rules: add --disable-asm configure flag. The only asm
      implementation is available for md5 on x86_64, however it is no-op,
      because we built with OpenSSL which has optimized md5
      implementation. Furthermore, linking noop md5 asm on x86_64 results
      in rsync binary not getting marked as CET compatible, because the
      noop md5 asm is not marked as CET compatible. Thus building without
      noop md5 asm, results in rsync gaining CET.

 -- Bryce Harrington <bryce@canonical.com>  Mon, 01 Nov 2021 16:05:43 -0700

rsync (3.2.3-8) unstable; urgency=medium

  * debian/patches:
    - manpage_upstream_fixes.patch: Import multiple upstream patches to
      fix manpage.
    - copy-devices.diff: Add missing manpage changes to patch
    - CVE-2020-14387.patch: Add Forwarded DEP3 field to point to upstream
      patch
    - fix_delay_updates.patch: Refresh patch
    - fix_mkpath.patch: New upstream patch to fix an edge case on --mkpath
    - fix_rsync-ssl_RSYNC_SSL_CERT_feature.patch: New upstream patch
    - fix_sparse_inplace.patch: New upstream patch to fix --sparse +
      --inplace options
    - update_rrsync_options.patch: New upstream patch to update rrsync
      options

 -- Samuel Henrique <samueloph@debian.org>  Sat, 25 Sep 2021 17:38:16 +0100

rsync (3.2.3-7) unstable; urgency=medium

  * Bump Standards-Version to 4.6.0
  * d/p/workaround_glibc_lchmod_regression.patch: New patch from upstream
    (closes: #994543)
  * debian/rsync.NEWS: Fix typo in last entry

 -- Samuel Henrique <samueloph@debian.org>  Sat, 18 Sep 2021 00:25:13 +0100

rsync (3.2.3-6) unstable; urgency=medium

  * d/t/upstream-tests: Suppress stderr warnings from the build process

 -- Samuel Henrique <samueloph@debian.org>  Sun, 12 Sep 2021 18:22:57 +0100

# For older changelog entries, run 'apt-get changelog rsync'
Generated by dwww version 1.14 on Wed Jan 22 04:44:03 CET 2025.