From 53f72320ba25b1dbb263dd14c26dc34c8ef3c89b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 18 Dec 2024 09:20:33 +1100 Subject: [PATCH 3/3] update NEWS for 3.4.0 Backported-By: Samuel Henrique * Update patch context since upstream had other staged entries and we are just cherry-picking the CVE fixes. --- NEWS.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) Index: rsync/NEWS.md =================================================================== --- rsync.orig/NEWS.md +++ rsync/NEWS.md @@ -1,3 +1,43 @@ +# NEWS for rsync 3.4.0 (9 January 2025) + +Version 3.4.0 is a security release fixing 6 important security bugs +found by two different security research teams. Many thanks to Simon +Scannell leading the google security team for 5 of the issues and +Aleksei Gorban (loqpa) for the 6th issue. + +All users are strongly enourages to update to 3.4.0 as soon as +possible. + +## Changes in this version: + +### BUG FIXES: + +- fixed 6 security issues, see CVE for full details + +- CVE-2024-12087 A server can make a client write files outside of the + destination directory using symbolic links + +- CVE-2024-12088 A --safe-links bypass vulnerability can result in a + client pointing outside of the destination directory + +- CVE-2024-12086 Server leaks arbitrary client files when a client is + connected to a malicious server. + +- CVE-2024-12085 Info leak via uninitialized stack contents defeats + address space layout randomization. + +- CVE-2024-12084 A vulnerability in the heap buffer overflow in + checksum parsing allows an attacker to write <= 48 bytes past the + sum2 buffer limit + +- CVE-2024-XXXX (not yet assigned) symlink race condition in sender + +- update to popt 1.19 + +- correct type size for orig_umask + +------------------------------------------------------------------------------ + # NEWS for rsync 3.3.0 (6 Apr 2024) ## Changes in this version:
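Review bot: The last security entry in the BUG FIXES list is committed as "CVE-2024-XXXX (not yet assigned)", so readers of the 3.4.0 NEWS have no identifier to match the sender symlink race fix against advisories or scanner output; replace the placeholder once the ID is assigned, or describe the fix without a CVE prefix until then. In the second paragraph of the new section, "strongly enourages" should read "strongly encouraged". The CVE-2024-12084 entry opens with "A vulnerability in the heap buffer overflow in checksum parsing", which reads as if the overflow itself contains a vulnerability; "A heap buffer overflow in checksum parsing allows an attacker to write <= 48 bytes past the sum2 buffer limit" says the same thing directly. The first bullet, "fixed 6 security issues, see CVE for full details", would be more useful if it said where those details are published.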