[rsync-announce] Rsync 2.6.8 released (incl. xattrs.diff security note)

rsync-announce at lists.samba.org rsync-announce at lists.samba.org
Sat Apr 22 16:38:59 GMT 2006

I have released rsync version 2.6.8.

A SECURITY NOTE for users of the unofficial xattrs.diff patch:  See
below for a discussion of a security fix contained in the latest patch.

You can read all about the latest improvements and bug-fixes that went
into this release on this page:


The tar file of the source and its signature are here:


See the web site for other download possibilities (including unified
diffs based on the previous version).

The latest man pages are online in their usual spots:


** A SECURITY NOTE for anyone using the xattrs.diff patch:

A bug in the extended-attributes receiving code could allow someone to
send data to a writable rsync daemon that could overflow a read buffer.
If you are running a "read only = NO" rsync daemon that has this patch
applied, either: (1) disable the reception of xattrs by your daemon (use
the "refuse options = -X" parameter in rsyncd.conf), (2) upgrade to
2.6.8 with the supplied xattrs.diff patch, or (3) manually apply the
same simple fix to your code that went into the latest patch -- consult
the rsync CVS for the last change that went into patches/xattrs.diff and
look at the two new lines added in the last hunk of that change:


Also of note for packagers:  as first seen in the 2.6.7 release, the
diffs in the patches dir of the release tar now contain patches for
generated files, so you won't need to use autoconf and yodl unless
you're creating a custom combination of patches that don't apply
cleanly together.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/rsync-announce/attachments/20060422/781a6efe/attachment.bin

More information about the rsync-announce mailing list