Date: Thu, 16 Jan 2025 17:36:08 -0700
From: "Edward Sanford Sutton, III" <mirror176@hotmail.com>
To: questions@freebsd.org
Subject: Re: Serious rsync security issues
Message-ID: <CO1PR11MB47709364EA39BAF0BAD27D10E61B2@CO1PR11MB4770.namprd11.prod.outlook.com>
In-Reply-To: <wZLuLkwazDCoRo0ZPIV8GRbRz_nELAq5DJlWTSWe3bXHAwG1tNABShCEL8zfFkAh9viyhGnNf1QvPnJcpWRuTbqMUE8tRD5XURUWrUaoTVs=@protonmail.com>
References: <wZLuLkwazDCoRo0ZPIV8GRbRz_nELAq5DJlWTSWe3bXHAwG1tNABShCEL8zfFkAh9viyhGnNf1QvPnJcpWRuTbqMUE8tRD5XURUWrUaoTVs=@protonmail.com>

On 1/16/25 16:02, Martin wrote:
> I am going to point this to the message on the Arch Linux site,
> but it's all over the net.
>
> https://archlinux.org/news/critical-rsync-security-release-340/
>
> I am wondering why the FreeBSD rsync package been updated yet?
>
>

https://www.vuxml.org/freebsd/163edccf-d2ba-11ef-b10e-589cfc10a551.html
sounds like the entry that brings those CVEs up. There was a bug when it
was initially added, but it has since been fixed, though I think it would
still fail `pkg audit` even with the first entry (the -F flag will update
the database). It is saying >=3.4.0 is fine, which seems to match what
https://download.samba.org/pub/rsync/NEWS#3.4.0 says.

Both the quarterly and latest ports branches have it, so packages should
arrive on the next successful build from the build servers if it is not
there now. As stated previously, you can always build from ports if you
need it built sooner than the servers do it.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CO1PR11MB47709364EA39BAF0BAD27D10E61B2>