rsync has some really serious CVEs[1], but the 3.4.0 release with the fixes has regressions[2] that will break things for people. What to do?
[1]: https://www.openwall.com/lists/oss-security/2025/01/14/3
[2]: https://github.com/RsyncProject/rsync/issues/702
@ncopa can you just patch the CVEs?
@fossdd 6 of them. sure. but it's gonna take time.
@ncopa ah damn. why didn't they just create more patch releases for older releases
@fossdd @ncopa debian seems to have backported the fixes on bookworm for 3.2.7:
https://security-tracker.debian.org/tracker/DSA-5843-1
@craftyguy @fossdd Then they have backported the regression and have a broken `rsync -aH`.
Regression introduced with the fix for
https://security-tracker.debian.org/tracker/CVE-2024-12087
@craftyguy @fossdd
What really annoys me is that I don't seem to be able to get this thing built due to changes in how man pages are generated/bundled.
@craftyguy @fossdd correct. agree