
Natanael Copa

rsync has some really serious CVEs[1], but the 3.4.0 release with the fixes has regressions[2] that will break things for people. What to do?

[1]: openwall.com/lists/oss-securit
[2]: github.com/RsyncProject/rsync/

www.openwall.com: oss-security - RSYNC: 6 vulnerabilities

The obvious answer is:

- add the regression to the testsuite
- fix the regression
- submit a pull request
- move on

Too bad I have meetings...

@ncopa "Mitigation: Disable SHA* support by compiling with
CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST."

@dalias what will break if I do that?

@ncopa Probably nothing but I'm not 100% sure how negotiation works.

@ncopa Thanks, really kind of you

@ncopa can you just patch the CVEs?

@fossdd 6 of them. Sure. But it's gonna take time.

@ncopa ah damn. why didn't they just create more patch releases for older releases?

@craftyguy @fossdd Then they have backported the regression and have a broken `rsync -aH`.

Regression introduced with the fix for
security-tracker.debian.org/tr

security-tracker.debian.org: CVE-2024-12087

@craftyguy @fossdd
What really annoys me is that I don't seem to be able to get this thing built due to changes in how man pages are generated/bundled.

@ncopa @fossdd wowzers. I assume that's just something new in 3.4 and not from the CVE fixes?

So maybe releasing critical security fixes along with a bunch of unrelated changes is... a bad idea? 🙃