From 3.1.2 NEWS file:

SECURITY FIXES:

- Make sure that all transferred files use only path names from inside the transfer. This makes it impossible for a malicious sender to try to make the receiver use an unsafe destination path for a transferred file, such as a just-sent symlink.

Dunno if there's a CVE for this issue.
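As an added illustration of the receiver-side check the NEWS entry describes (not rsync's code and not part of this report): a simplified validator that rejects a file-list entry whose path would be written through a symlink sent in the same transfer. It goes slightly beyond the NEWS text by also rejecting absolute paths and "." or ".." components; the `struct entry` layout, the function names and the sample list are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One entry of an incoming file list (hypothetical structure). */
struct entry { const char *path; bool is_symlink; };

/* Constructed sample: entry 2 would be written through symlink entry 1. */
static const struct entry SAMPLE[] = {
    { "docs/readme.txt", false },
    { "link", true },
    { "link/payload.txt", false },
    { "../outside.txt", false },
    { "/abs/file.txt", false },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Relative path with no empty, "." or ".." components. */
static bool path_is_clean(const char *path) {
    if (path[0] == '/' || path[0] == '\0')
        return false;
    for (const char *p = path; *p; p += (*p == '/')) {
        size_t n = strcspn(p, "/");
        if (n == 0 || (n <= 2 && strspn(p, ".") >= n))
            return false;
        p += n;
    }
    return true;
}

/* Accept list[idx] only if its path is clean and no directory prefix of it
 * is a symlink sent in the same list. */
bool entry_is_safe(const struct entry *list, size_t count, size_t idx) {
    const char *path = list[idx].path;
    if (!path_is_clean(path))
        return false;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(list[i].path);
        if (list[i].is_symlink && strncmp(path, list[i].path, n) == 0 && path[n] == '/')
            return false;
    }
    return true;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%s: %s\n", SAMPLE[i].path, entry_is_safe(SAMPLE, SAMPLE_COUNT, i) ? "accept" : "reject");
    return 0;
}
```

The symlink entry itself is accepted; only entries that would be created beneath it are refused.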
Arches please test and mark stable =net-misc/rsync-3.1.2 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
AMD64 OK
amd64 stable
Stable for HPPA PPC64.
x86 done
arm stable
sparc stable
alpha stable
ia64 stable
all arches done now
commit de1507df9ad772d4cf78297924c6815b83a22f7a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Tue Jan 26 10:25:40 2016

    net-misc/rsync: Removed vulnerable versions.

    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest           |  1 -
 net-misc/rsync/rsync-3.1.1.ebuild | 75 ---------------------------------------
 2 files changed, 76 deletions(-)
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201605-04 at https://security.gentoo.org/glsa/201605-04 by GLSA coordinator Yury German (BlueKnight).