[SECURITY] rdiff/librsync, rdiff-backup
Yaakov Selkowitz
yselkowitz@cygwin.com
Tue Jun 2 21:21:00 GMT 2015
David,
A checksum collision vulnerability has been found in librsync (rdiff):
https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
The solution is to update librsync to 1.0.0; you may wish to consider
the following patch as well:
http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
Please note that both Fedora and Debian call the main package librsync
based on upstream packaging, from which rdiff could be a subpackage.
The different naming of this package threw me off for a while. Any
chance we could shuffle the packaging around (I can help with the server
side)?
Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
namely rdiff-backup, which requires the following patch:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
You may wish to consider the following patches for rdiff-backup as well:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch
TIA,
Yaakov
More information about the Cygwin-apps
mailing list