
rsync has some really serious CVEs[1], but the 3.4.0 release with the fixes has regressions[2] that will break things for people. What to do?

[1]: openwall.com/lists/oss-securit
[2]: github.com/RsyncProject/rsync/

www.openwall.com: oss-security - RSYNC: 6 vulnerabilities

@ncopa can you just patch the CVEs?

@fossdd 6 of them. Sure, but it's gonna take time.

@ncopa ah damn. Why didn't they just create more patch releases for older releases?

Natanael Copa

@craftyguy @fossdd Then they have backported the regression and have a broken `rsync -aH`.

Regression introduced with the fix for
security-tracker.debian.org/tr

security-tracker.debian.org: CVE-2024-12087

@craftyguy @fossdd
What really annoys me is that I don't seem to be able to get this thing built due to changes in how man pages are generated/bundled.

@ncopa @fossdd wowzers. I assume that's just something new in 3.4 and not from the CVE fixes?

So maybe releasing critical security fixes along with a bunch of unrelated changes is... a bad idea? 🙃