Bug 862876 (CVE-2022-29154) - <net-misc/rsync-3.2.5_pre1: Insufficient file list verification
Summary: <net-misc/rsync-3.2.5_pre1: Insufficient file list verification
Status: IN_PROGRESS
Alias: CVE-2022-29154
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 904929
Blocks:
Reported: 2022-08-02 02:53 UTC by Sam James
Modified: 2024-03-24 10:38 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-02 02:53:11 UTC
Mentioned in yet-unreleased 3.2.5 release notes (https://rsync.samba.org/ftp/rsync/NEWS#3.2.5):
```
Changes in this version:
SECURITY FIXES:

    Added some file-list safety checking that helps to ensure that a rogue sending rsync can't add unrequested top-level names and/or include recursive names that should have been excluded by the sender. These extra safety checks only require the receiver rsync to be updated. When dealing with an untrusted sending host, it is safest to copy into a dedicated destination directory for the remote content (i.e. don't copy into a destination directory that contains files that aren't from the remote host unless you trust the remote host). Fixes CVE-2022-29154.
```
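A receiver-side model of the safety check the release notes describe, added here as an illustration (not rsync's own code): it rejects entries whose top-level name the receiver never requested, entries that climb out of the destination directory, and entries matching the receiver's exclude rules. The simplified exclude matching, the "." convention for "everything under the source" and the sample file list are assumptions.

```python
import posixpath
from fnmatch import fnmatchcase

def normalize_entry(entry):
    """Collapse '.'/'..' components; None means absolute or climbs above dest."""
    if not entry or entry.startswith("/"):
        return None
    clean = posixpath.normpath(entry)
    return None if clean == ".." or clean.startswith("../") else clean

def is_excluded(path, excludes):
    """Simplified --exclude semantics (an assumption, not rsync's full matcher):
    a pattern with '/' matches the whole relative path, else any component."""
    parts = path.split("/")
    for pat in excludes:
        pat = pat.rstrip("/")  # trailing '/' (dir-only) is ignored here
        hit = fnmatchcase(path, pat) if "/" in pat else any(fnmatchcase(p, pat) for p in parts)
        if hit:
            return True
    return False

def verify_file_list(requested, excludes, received):
    """Split the sender's list into accepted paths and (entry, reason) rejects.
    'requested' = top-level names asked for; "." means the whole source dir (assumed)."""
    accepted, rejected = [], []
    for entry in received:
        clean = normalize_entry(entry)
        if clean is None:
            rejected.append((entry, "escapes destination directory"))
            continue
        top = clean.split("/", 1)[0]
        if "." not in requested and top not in requested:
            rejected.append((entry, "unrequested top-level name"))
            continue
        if is_excluded(clean, excludes):
            rejected.append((entry, "matches an exclude pattern"))
            continue
        accepted.append(clean)
    return accepted, rejected

# Constructed sample, as if the receiver ran:
#   rsync -r --exclude='*.key' --exclude='.git/' host:docs host:src dest/
REQUESTED = {"docs", "src"}
EXCLUDES = ["*.key", ".git/"]
RECEIVED = [                       # constructed file list claimed by the sender
    "docs/README", "src/main.c", "src/../src/util.c",
    "notes/TODO",                  # top-level name that was never requested
    "src/../../outside.txt",       # climbs out of dest/
    "src/server.key", "docs/.git/config",  # should have been excluded
]
```

Calling `verify_file_list(REQUESTED, EXCLUDES, RECEIVED)` keeps only the three paths under `docs` and `src` and reports a reason for each of the four rejects, which is the kind of "false alert" upstream asked testers to report when it fires on a legitimate option combination.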
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-02 02:54:29 UTC
Also, the release notes for 3.2.5_pre1 (https://lists.samba.org/archive/rsync-announce/2022/000112.html) say:
"""
I have released rsync version 3.2.5pre1 for release testing. This includes
a checksum fix that affects some architectures (such as ARM), improves the
security of the received file list, enhances the manpage, etc.

I'd really appreciate it if people would give this release some extensive
testing and see if the improved security results in any false alerts. I did
a bunch of testing and found a few options that caused a problem (and were
then fixed), but there may be more.  You can use a side-effect of the
--old-args
option <https://download.samba.org/pub/rsync/rsync.1#opt--old-args> to work
around an invalid complaint, but please also report it.  Thanks!
"""

I'm going to add it unkeyworded (ofc).
Comment 2 Larry the Git Cow gentoo-dev 2022-08-02 02:57:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85155265903a3db773bb84edabf4a427836eb34a

commit 85155265903a3db773bb84edabf4a427836eb34a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-02 02:56:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-02 02:56:34 +0000

    net-misc/rsync: add 3.2.5_pre1 (unkeyworded)
    
    Note that upstream are particularly interested in feedback
    on the new security hardening and whether it breaks
    any options, so please report any issues upstream
    if you hit them.
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest                |   2 +
 net-misc/rsync/rsync-3.2.5_pre1.ebuild | 164 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-08-12 15:46:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9af26cceb3409642d295a569c3b090f2fb9f9c92

commit 9af26cceb3409642d295a569c3b090f2fb9f9c92
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:36:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:37:54 +0000

    net-misc/rsync: add 3.2.5_pre2 (unkeyworded)
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest                |   2 +
 net-misc/rsync/rsync-3.2.5_pre2.ebuild | 164 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-14 19:49:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bf24582363286b4330b5bb0fcacb1dd6f4dce93

commit 8bf24582363286b4330b5bb0fcacb1dd6f4dce93
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-14 19:47:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 19:49:15 +0000

    net-misc/rsync: drop 3.2.5_pre1, 3.2.5_pre2
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest                |   4 -
 net-misc/rsync/rsync-3.2.5_pre1.ebuild | 164 ---------------------------------
 net-misc/rsync/rsync-3.2.5_pre2.ebuild | 164 ---------------------------------
 3 files changed, 332 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e5ed953755580feb167672fb76923f1980d3a9e

commit 4e5ed953755580feb167672fb76923f1980d3a9e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-14 19:44:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 19:49:09 +0000

    net-misc/rsync: add 3.2.5
    
    Drops USE=ipv6 given it's not a well-tested option anyway
    (see e.g. https://bugzilla.samba.org/show_bug.cgi?id=10715).
    
    IPv6 support is now always enabled.
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest           |   2 +
 net-misc/rsync/rsync-3.2.5.ebuild | 160 ++++++++++++++++++++++++++++++++++++++
 net-misc/rsync/rsync-9999.ebuild  |  12 +--
 3 files changed, 166 insertions(+), 8 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 00:28:33 UTC
Looks like some possible regressions:
- https://github.com/WayneD/rsync/issues/360
- https://github.com/WayneD/rsync/issues/356
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 03:15:28 UTC
(In reply to Sam James from comment #5)
> Looks like some possible regressions:
> - https://github.com/WayneD/rsync/issues/360
> - https://github.com/WayneD/rsync/issues/356

3.2.6 is planned in a few days: https://github.com/WayneD/rsync/issues/356#issuecomment-1225096541
Comment 7 Larry the Git Cow gentoo-dev 2022-09-10 04:46:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1a245c7eebb053d90d080782222ec96e009af51

commit b1a245c7eebb053d90d080782222ec96e009af51
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-10 04:44:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-10 04:44:55 +0000

    net-misc/rsync: add 3.2.6
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest           |   2 +
 net-misc/rsync/rsync-3.2.6.ebuild | 167 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 169 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-10-25 05:53:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=247739d5f91629ea69875115dd20f18a8ebfd77c

commit 247739d5f91629ea69875115dd20f18a8ebfd77c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-25 05:30:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-25 05:31:01 +0000

    net-misc/rsync: add 3.2.7, drop 3.2.7_pre1
    
    Bug: https://bugs.gentoo.org/862876
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/rsync/Manifest                                        | 4 ++--
 net-misc/rsync/{rsync-3.2.7_pre1.ebuild => rsync-3.2.7.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-06 18:06:40 UTC
Ready?
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-23 19:45:25 UTC
(In reply to John Helmert III from comment #9)
> Ready?

I think sort of, but let's not rush to clean up.
Comment 11 Hans de Graaff gentoo-dev Security 2023-10-08 10:55:11 UTC
Ping. Can we remove rsync-3.2.4-r3 at this point?