This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[SECURITY] rdiff/librsync, rdiff-backup

From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
To: "cygwin-apps at cygwin dot com" <cygwin-apps at cygwin dot com>
Date: Tue, 02 Jun 2015 16:21:36 -0500
Subject: [SECURITY] rdiff/librsync, rdiff-backup
Authentication-results: sourceware.org; auth=none

David,

A checksum collision vulnerability has been found in librsync (rdiff):

https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17

The solution is to update librsync to 1.0.0; you may wish to consider
the following patch as well:

http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch

Please note that both Fedora and Debian call the main package librsync
based on upstream packaging, from which rdiff could be a subpackage.
The different naming of this package threw me off for a while.  Any
chance we could shuffle the packaging around (I can help with the server
side)?

Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
namely rdiff-backup, which requires the following patch:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch

You may wish to consider the following patches for rdiff-backup as well:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch

TIA,

Yaakov

Follow-Ups:
- Re: [SECURITY] rdiff/librsync, rdiff-backup
  - From: David Rothenberger
- Re: [SECURITY] rdiff/librsync, rdiff-backup
  - From: David Rothenberger

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]