This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
[SECURITY] rdiff/librsync, rdiff-backup
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: "cygwin-apps at cygwin dot com" <cygwin-apps at cygwin dot com>
- Date: Tue, 02 Jun 2015 16:21:36 -0500
- Subject: [SECURITY] rdiff/librsync, rdiff-backup
- Authentication-results: sourceware.org; auth=none
David,
A checksum collision vulnerability has been found in librsync (rdiff):
https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
The solution is to update librsync to 1.0.0; you may wish to consider
the following patch as well:
http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
Please note that both Fedora and Debian call the main package librsync
based on upstream packaging, from which rdiff could be a subpackage.
The different naming of this package threw me off for a while. Any
chance we could shuffle the packaging around (I can help with the server
side)?
Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
namely rdiff-backup, which requires the following patch:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
You may wish to consider the following patches for rdiff-backup as well:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch
TIA,
Yaakov