1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
6 <!--#include virtual="header.html" -->
8 <H2 align="center">Welcome to the rsync web pages</H2>
10 rsync is an <A HREF="http://www.opensource.org/">open source</A>
11 utility that provides fast incremental file transfer. rsync is freely
12 available under the <A HREF="GPL.html">GNU General Public
15 <p><b style="color:red">** If you're using a version prior to 2.6.1, see the
16 <a href="#security_apr04">April 2004 security advisory</a>! If you're using
17 a version prior to 2.5.7, also see the <a href="#security_dec03">December
18 2003 security advisory</a>! **</b>
20 <h3>Rsync 2.6.2 released</h3>
24 <p>Rsync version 2.6.2 has been released. It is a bugfix release that mainly
25 fixes <b>a bug with the --relative option (-R) in 2.6.1</b>
26 that could cause files to be transferred incorrectly. This only affected a
27 source right at the root of the filesystem, such as "/" or "/*" (using "."
28 as the source after a chdir to "/" was not affected, however).
30 <p>See the <a href="/ftp/rsync/rsync-2.6.2-NEWS">release NEWS</a> for the
31 details of what else was fixed.
33 <p>See the <a href="download.html">download page</a> for all the ways
34 to grab the new version, or snag one of these: <b>
35 <a href="/ftp/rsync/rsync-2.6.2.tar.gz">rsync-2.6.2.tar.gz</a>
36 (<a href="/ftp/rsync/rsync-2.6.2.tar.gz.asc">signature</a>),
37 <a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz">rsync-2.6.1-2.6.2.diffs.gz</a>
38 (<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz.asc">signature</a>)</b>.
40 <h3>Rsync 2.6.1 released</h3>
44 <p>Rsync version 2.6.1 has been released. It is primarily a performance
45 release that requires less memory to run, makes fewer write calls to the socket
46 (lowering the system CPU time), does less string copying (lowering the user CPU
47 time), and also reduces the amount of data that is transmitted over the wire.
48 There have also been quite a few bug fixes. See the
49 <a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
52 <a name="security_apr04"></a>
53 <h4>April 2004 Security Advisory</h4>
55 <p>There is a security problem in all versions prior to 2.6.1 that affects only
56 people running a read/write daemon WITHOUT using chroot. If the user privs
57 that such an rsync daemon is using is anything above "nobody", you are at risk
58 of someone crafting an attack that could write a file outside of the module's
59 "path" setting (where all its files should be stored). Please either enable
60 chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
61 daemon, or running a chrooted daemon are totally unaffected.
63 <p>See the <a href="download.html">download page</a> for all the ways
64 to grab the new version.
66 <h3>One Cygwin hang-problem resolved</h3>
68 <p>The problem with rsync hanging at the end of the transfer on
69 <a href="http://www.cygwin.com/">Cygwin</a> had been previously traced to a
70 signal-handling bug in their compatibility DLL. This bug appears to now be
71 fixed in DLL version 1.5.7-1, and Cygwin users are reporting that upgrading the
72 DLL removes the hang-at-end-of-transfer problem for their existing rsync executable.
73 (Note that this doesn't solve a hang that some folks see in the middle of a
74 transfer -- using daemon mode instead of ssh can work around that one.)
76 <a name="two_six"></a>
77 <h3>Rsync 2.6.0 released</h3>
81 <P> Two important things to note in the new release:
85 <li>The default remote shell is now "ssh" unless you tell configure you want to
86 make something else the default.
88 <li>Some bug fixes in the include/exclude code, while making things work
89 properly, have resulted in some user-visible changes for certain wildcard
90 strings. Read the BUG FIXES below to see if any of these changes apply to you.
91 (Most people should be unaffected.)
95 <p>One other item of note is that the oft-requested option "--files-from" is now
96 available. This option lets you specify a list of files to transfer, and can
97 be much more efficient than a recursive descent using include/exclude
98 statements (if you know in advance what files you want to transfer). The list
99 of files can come from either side of the connection, so it is possible for a
100 server to provide the file-list that lets someone grab a server-specified set of
101 files, for example. See the <a href="/ftp/rsync/rsync.html">rsync man page</a>
104 <p>For a full list of changes in version 2.6.0, see the
105 <a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">release NEWS</a>.
107 <a name="security_dec03"></a>
108 <h3>December 2003 Security Advisory</h3>
110 <p>December 4th, 2003
114 <p>The rsync team has received evidence that a vulnerability in rsync was
115 recently used in combination with a Linux kernel vulnerability to
116 compromise the security of a public rsync server. While the forensic
117 evidence we have is incomplete, we have pieced together the most
118 likely way that this attack was conducted and we are releasing this
119 advisory as a result of our investigations to date.
122 Our conclusions are that:
126 <li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
127 be used to remotely run arbitrary code.
129 <li>While this heap overflow vulnerability could not be used by itself
130 to obtain root access on a rsync server, it could be used in
131 combination with the recently announced brk vulnerability in the
132 Linux kernel to produce a full remote compromise.
134 <li>The server that was compromised was using a non-default rsyncd.conf
135 option <tt>"use chroot = no"</tt>. The use of this option made the attack on
136 the compromised server considerably easier. A successful attack is
137 almost certainly still possible without this option, but it would
138 be much more difficult.
142 Please note that this vulnerability only affects the use of rsync as a
143 "rsync server". To see if you are running a rsync server you should
144 use the netstat command to see if you are listening on TCP port
145 873. If you are not listening on TCP port 873 then you are not running
148 <h4>New rsync release</h4>
151 In response we have released a new version of rsync, version
152 2.5.7. This is based on the current stable 2.5.6 release with only the
153 changes necessary to prevent this heap overflow vulnerability. There
154 are no new features in this release.
156 We recommend that anyone running a rsync server take the following
160 Update to (at least) rsync version 2.5.7 immediately.
162 If you are running a Linux kernel prior to version 2.4.23 then
163 you should upgrade your kernel immediately. Note that some
164 distribution vendors may have patched versions of the 2.4.x
165 series kernel that fix the brk vulnerability in versions before
166 2.4.23. Check with your vendor security site to ensure that you
167 are not vulnerable to the <tt>brk</tt> problem.
169 Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
170 using the option <tt>"use chroot = no"</tt> then remove that line or
171 change it to <tt>"use chroot = yes"</tt>. If you find that you need that
172 option for your rsync service then you should disable your rsync
173 service until you have discussed a workaround with the rsync
174 maintainers on the rsync mailing list. The disabling of the
175 chroot option should not be needed for any normal rsync server.
178 <p>The patches and full source for rsync version 2.5.7 are available from
179 <a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
180 produce updated packages for their distributions shortly.
185 The rsync team would like to thank the following individuals for their
186 assistance in investigating this vulnerability and producing this
190 <li>Timo Sirainen <tss.iki.fi>
191 <li>Mike Warfield <mhw.wittsend.com>
192 <li>Paul Russell <rusty.samba.org>
193 <li>Andrea Barisani <lcars.gentoo.org>
197 The Common Vulnerabilities and Exposures project (cve.mitre.org) has
199 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a>
207 <!--#include virtual="footer.html" -->