[rsync-announce] rsync 2.6.6pre1 released (ALERT: info on zlib security flaw)

rsync-announce at lists.samba.org
Thu Jul 7 23:06:25 GMT 2005


There has been some talk about a zlib security problem that could let
someone overflow the buffers in the zlib decompression code, potentially
allowing someone to craft an exploit to execute arbitrary code.  Since
this is a decompression bug, this can only affect an rsync daemon if
it allows uploads with the --compress option enabled.

If you run a daemon that allows uploads, you may wish to add this line
to your rsyncd.conf file:

    refuse options = compress

(If you already refuse other options, add "compress" after a space to
that line instead of adding a new line.)
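The following audit script is an added example and not part of the original announcement or of the rsync project; it checks an rsyncd.conf for the exposure described above, i.e. modules that accept uploads but do not refuse the compress option. It assumes the rsyncd.conf layout documented for 2.6.x: a global section followed by [module] sections, "key = value" lines, '#' or ';' comments, per-module settings overriding global ones, and "read only" defaulting to true so that a module only accepts uploads when it sets read only = false/no/0. Only a literal "compress" word in the space-separated refuse options list counts; nothing else on that line is interpreted. The sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not rsync project code). Audit an rsyncd.conf for modules that
# accept uploads ("read only = false") but do not list "compress" in the
# effective "refuse options" line.
#
# Usage: audit_rsyncd_conf /etc/rsyncd.conf
# Prints one exposed module per line; exit status 1 if any module is exposed, else 0.
audit_rsyncd_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Evaluate the module collected so far: per-module settings override globals.
    function check_module(    ro, ref) {
        if (mod == "") return
        ro  = ("read only" in m) ? m["read only"] : g["read only"]
        ref = ("refuse options" in m) ? m["refuse options"] : g["refuse options"]
        if (ro == "") ro = "true"           # rsyncd.conf default: modules are read only
        ro = tolower(ro)
        gsub(/[ \t]+/, " ", ref)            # normalise separators in the option list
        if ((ro == "false" || ro == "no" || ro == "0") && (" " ref " ") !~ / compress /) {
            print mod
            exposed = 1
        }
        split("", m)                        # empty the per-module table (portable awk)
    }
    { line = trim($0) }
    line == "" || line ~ /^[#;]/ { next }   # blank lines and comments
    line ~ /^\[.*\]$/ {                     # "[module]" starts a new section
        check_module()
        mod = trim(substr(line, 2, length(line) - 2))
        next
    }
    index(line, "=") > 0 {                  # "key = value"; keys are case-insensitive
        key = tolower(trim(substr(line, 1, index(line, "=") - 1)))
        val = trim(substr(line, index(line, "=") + 1))
        if (mod == "") g[key] = val; else m[key] = val
    }
    END { check_module(); exit (exposed ? 1 : 0) }
    ' "$1"
}

# Constructed sample rsyncd.conf (hypothetical paths, not a real deployment):
# one read-only mirror, one upload module with no fix, one upload module already
# refusing compress alongside an existing refused option.
sample_rsyncd_conf() {
    cat <<'EOF'
# constructed sample for the example
refuse options = delete

[pub]
    path = /srv/pub
    comment = read-only mirror (default "read only = true")

[uploads]
    path = /srv/uploads
    read only = false

[safe]
    path = /srv/safe
    read only = no
    refuse options = delete compress
EOF
}

# Same config with the announcement's fix applied globally: "compress" appended
# after a space to the existing "refuse options" line instead of adding a new one.
sample_rsyncd_conf_fixed() {
    sample_rsyncd_conf | sed 's/^refuse options = delete$/refuse options = delete compress/'
}

# Demo: audit both configs; exit status 1 means at least one module is exposed.
tmp=$(mktemp)
sample_rsyncd_conf > "$tmp"
echo "Before the fix, modules accepting uploads without refusing compress:"
audit_rsyncd_conf "$tmp" || echo "  -> add 'compress' to refuse options"
sample_rsyncd_conf_fixed > "$tmp"
echo "After the fix:"
audit_rsyncd_conf "$tmp" && echo "  (none)"
rm -f "$tmp"
```

Run it against the daemon's real configuration file to list the modules still exposed; a non-zero exit status makes it usable from a cron job or a configuration-management check.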

I have just finished updating the zlib code in CVS to version 1.2.2 plus
a security patch that fixes this latest exploit.  The other changes in
CVS are all worthwhile fixes, so I have decided to release the current
CVS version as 2.6.6pre1 -- the first pre-release of version 2.6.6.

You can read about all the changes between 2.6.5 and 2.6.6pre1 here:

    http://rsync.samba.org/ftp/rsync/preview/NEWS

You can grab the source tar and its signature here:

    http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz
    http://rsync.samba.org/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz.asc

If you exercise the compression code of this pre-release version of
rsync, please drop me a line and let me know.  Thanks!

..wayne..