[rsync-web.git] / index.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>rsync</TITLE>
</HEAD>
<!--#include virtual="header.html" -->

<H2 align="center">Welcome to the rsync web pages</H2>

rsync is an <A HREF="http://www.opensource.org/">open source</A>
utility that provides fast incremental file transfer. rsync is freely
available under the <A HREF="GPL.html">GNU General Public
License version 2</A>

<p><b style="color:red">**</b>
<b>For all versions of rsync prior to 2.6.3pre1, see the
<a href="#security_aug04" style="color:red">August 2004 security advisory</a>!</b>
<b style="color:red">**</b>
<b>If you're using a version prior to 2.6.1, see the
<a href="#security_apr04" style="color:red">April 2004 security advisory</a>!</b>
<b style="color:red">**</b>
<b>If you're using a version prior to 2.5.7, see the
<a href="#security_dec03" style="color:red">December 2003 security advisory</a>!</b>
<b style="color:red">**</b>

<h3>Rsync 2.6.3pre2 released</h3>

<p><i style="color:#777777">September 21th, 2004</i>

<p>Rsync version 2.6.3pre2 has been released.  It contains a few bug fixes and
one minor new feature compared with 2.6.3pre1.  This release should be the last
one prior to 2.6.3, so please give it a good workout.

<p>See the <a href="/ftp/rsync/preview/rsync-2.6.3pre2-NEWS">release NEWS</a> for the
details of what changed since 2.6.2.

<p>The changes since 2.6.3pre1 are:

<ul>

<li> Fixed the combination of --inplace and --backup to work properly.
Also optimized this combination to use the backup file as the basis
file for a more optimal transfer.

<li> Improved the combination of --keep-dirlinks and --delete so that only
symlinks-to-directories on the receiver that match a real directory
on the sender are treated as if they were a real directory.  This
eliminates some weird delete behavior for symlinks that point inside
the transferred hierarchy.

<li> Also added support for the RSYNC_PARTIAL_DIR environment variable
that, when found, transforms a regular --partial option (such as
the convenient -P option) into one that also specifies a directory.

<li> Added the ability to parse a literal IPv6 address in an "rsync:" URL
(e.g. rsync://[2001:638:500:101::21]:873/module/dir).

<li> The "backed up ..." message that is output when at least 2 --verbose
options are specified is now the same both with and without the
--backup-dir option.

<li> The file-list that is output when at least 4 verbose options are
specified reports the uid value on the sender even when rsync is
not running as root (since we might be sending to a root receiver).

<li> Fixed a typo in the RERR_VANISHED error message.

<li> We once again allow --include/--exclude options to be specified on
the server's command-line, even though rsync doesn't use this
combination itself (since other software does).  The parsing of these
options also ensures that a daemon transfer can't be told to use a
file that was excluded in the module's config section.

<li> We now reject the combination of --inplace with either --compare-dest
or --link-dest (since the rsync protocol will need to be extended to
tell the server when the generator is using an adjunct file as the
basis-file and when it is using the destination file directly).

<li> Fixed a bug that could cause a slow-to-connect rsync daemon to die
with an error instead of waiting for the connection to finish.

<li> Fixed a problem with --delete-after not happening if 2.6.3 was
talking to an rsync older than 2.5.6 as the receiver.

</ul>

<p>See the <a href="download.html">download page</a> for all the ways
to grab the new version (previews are in the "preview" subdir), or snag one of these:
<b><a href="/ftp/rsync/preview/rsync-2.6.3pre2.tar.gz">rsync-2.6.3pre2.tar.gz</a>
(<a href="/ftp/rsync/preview/rsync-2.6.3pre2.tar.gz.asc">signature</a>),
<a href="/ftp/rsync/preview/rsync-2.6.3pre1-2.6.3pre2.diffs.gz">rsync-2.6.3pre1-2.6.3pre2.diffs.gz</a>
(<a href="/ftp/rsync/preview/rsync-2.6.3pre1-2.6.3pre2.diffs.gz.asc">signature</a>)</b>.

<h3>Rsync 2.6.3pre1 released</h3>

<p><i style="color:#777777">August 12th, 2004</i>

<p>Rsync version 2.6.3pre1 has been released.  It contains a few new features and
quite a few bug fixes.
Please help out with the testing so that we give the latest code a good workout.

<p>See the <a href="/ftp/rsync/preview/old-versions/rsync-2.6.3pre1-NEWS">release NEWS</a> for the
details of what changed since 2.6.2.

<a name="security_aug04"></a>
<h3 style="color:red">August 2004 Security Advisory</h3>

<p><i style="color:#777777">August 12th, 2004</i>

<h4>Background</h4>

<p>There is a path-sanitizing bug that affects daemon mode in all recent
rsync versions (including 2.6.2) but only if chroot is disabled.  It
does NOT affect the normal send/receive filenames that specify what
files should be transferred (this is because these names happen to get
sanitized twice, and thus the second call removes any lingering leading
slash(es) that the first call left behind).  It does affect certain
option paths that cause auxilliary files to be read or written.

<h4>The Fix</h4>

<p>The best fix is to apply this one-word patch to the sanitize_path()
function in util.c:

<pre>
--- orig/util.c 2004-04-27 12:59:37 -0700
+++ util.c      2004-08-11 23:37:27 -0700
@@ -743,7 +743,7 @@
                                allowdotdot = 1;
                        } else {
                                p += 2;
-                               if (*p == '/')
+                               while (*p == '/')
                                        p++;
                                if (sanp != start) {
                                        /* back up sanp one level */
</pre>

<p>This bug is fixed in the CVS version of rsync, and will be released in
version 2.6.3 (it is currently in release-testing).

<p>One potential fix that doesn't require recompiling rsync is to set
"use chroot = true" for all the modules in the rsyncd.conf file.


<h3>Rsync 2.6.2 released</h3>

<p><i style="color:#777777">April 30th, 2004</i>

<p>Rsync version 2.6.2 has been released.  It is a bugfix release that mainly
fixes <b>a bug with the --relative option (-R) in 2.6.1</b>
that could cause files to be transferred incorrectly.  This only affected a
source right at the root of the filesystem, such as "/" or "/*" (using "."
as the source after a chdir to "/" was not affected, however).

<p>See the <a href="/ftp/rsync/rsync-2.6.2-NEWS">release NEWS</a> for the
details of what else was fixed.

<p>See the <a href="download.html">download page</a> for all the ways
to grab the new version, or snag one of these: <b>
<a href="/ftp/rsync/rsync-2.6.2.tar.gz">rsync-2.6.2.tar.gz</a>
(<a href="/ftp/rsync/rsync-2.6.2.tar.gz.asc">signature</a>),
<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz">rsync-2.6.1-2.6.2.diffs.gz</a>
(<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz.asc">signature</a>)</b>.

<h3>Rsync 2.6.1 released</h3>

<p><i style="color:#777777">April 26th, 2004</i>

<p>Rsync version 2.6.1 has been released.  It is primarily a performance
release that requires less memory to run, makes fewer write calls to the socket
(lowering the system CPU time), does less string copying (lowering the user CPU
time), and also reduces the amount of data that is transmitted over the wire.
There have also been quite a few bug fixes.  See the
<a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
details.

<a name="security_apr04"></a>
<h3 style="color:red">April 2004 Security Advisory</h3>

<p><i style="color:#777777">April 26th, 2004</i>

<p>There is a security problem in all versions prior to 2.6.1 that affects only
people running a read/write daemon WITHOUT using chroot.  If the user privs
that such an rsync daemon is using is anything above "nobody", you are at risk
of someone crafting an attack that could write a file outside of the module's
"path" setting (where all its files should be stored).  Please either enable
chroot or upgrade to 2.6.1.  People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected.

<p>See the <a href="download.html">download page</a> for all the ways
to grab the new version.

<h3>One Cygwin hang-problem resolved</h3>

<p>The problem with rsync hanging at the end of the transfer on
<a href="http://www.cygwin.com/">Cygwin</a> had been previously traced to a
signal-handling bug in their compatibility DLL.  This bug appears to now be
fixed in DLL version 1.5.7-1, and Cygwin users are reporting that upgrading the
DLL removes the hang-at-end-of-transfer problem for their existing rsync executable.
(Note that this doesn't solve a hang that some folks see in the middle of a
transfer -- using daemon mode instead of ssh can work around that one.)

<a name="two_six"></a>
<h3>Rsync 2.6.0 released</h3>

<p><i style="color:#777777">January 1st, 2004</i>

<P> Two important things to note in the new release:

<ol>

<li>The default remote shell is now "ssh" unless you tell configure you want to
make something else the default.

<li>Some bug fixes in the include/exclude code, while making things work
properly, have resulted in some user-visible changes for certain wildcard
strings.  Read the BUG FIXES below to see if any of these changes apply to you.
(Most people should be unaffected.)

</ol>

<p>One other item of note is that the oft-requested option "--files-from" is now
available.  This option lets you specify a list of files to transfer, and can
be much more efficient than a recursive descent using include/exclude
statements (if you know in advance what files you want to transfer).  The list
of files can come from either side of the connection, so it is possible for a
server to provide the file-list that lets someone grab a server-specified set of
files, for example.  See the <a href="/ftp/rsync/rsync.html">rsync man page</a>
for more details.

<p>For a full list of changes in version 2.6.0, see the
<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">release NEWS</a>.

<a name="security_dec03"></a>
<h3 style="color:red">December 2003 Security Advisory</h3>

<p><i style="color:#777777">December 4th, 2003</i>

<h4>Background</h4>

<p>The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to
compromise the security of a public rsync server. While the forensic
evidence we have is incomplete, we have pieced together the most
likely way that this attack was conducted and we are releasing this
advisory as a result of our investigations to date.

<p>
Our conclusions are that:

<ul>

<li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
   be used to remotely run arbitrary code.

<li>While this heap overflow vulnerability could not be used by itself
   to obtain root access on a rsync server, it could be used in
   combination with the recently announced brk vulnerability in the
   Linux kernel to produce a full remote compromise.

<li>The server that was compromised was using a non-default rsyncd.conf
   option <tt>"use chroot = no"</tt>. The use of this option made the attack on
   the compromised server considerably easier. A successful attack is
   almost certainly still possible without this option, but it would
   be much more difficult.
</ul>

<p>
Please note that this vulnerability only affects the use of rsync as a
"rsync server". To see if you are running a rsync server you should
use the netstat command to see if you are listening on TCP port
873. If you are not listening on TCP port 873 then you are not running
a rsync server.

<h4>New rsync release</h4>

<p>
In response we have released a new version of rsync, version
2.5.7. This is based on the current stable 2.5.6 release with only the
changes necessary to prevent this heap overflow vulnerability. There
are no new features in this release.
<p>
We recommend that anyone running a rsync server take the following
steps:
<ol>
<li>
 Update to (at least) rsync version 2.5.7 immediately.
<li>
 If you are running a Linux kernel prior to version 2.4.23 then
      you should upgrade your kernel immediately. Note that some
      distribution vendors may have patched versions of the 2.4.x
      series kernel that fix the brk vulnerability in versions before
      2.4.23. Check with your vendor security site to ensure that you
      are not vulnerable to the <tt>brk</tt> problem.
<li>
 Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
      using the option <tt>"use chroot = no"</tt> then remove that line or
      change it to <tt>"use chroot = yes"</tt>.  If you find that you need that
      option for your rsync service then you should disable your rsync
      service until you have discussed a workaround with the rsync
      maintainers on the rsync mailing list.  The disabling of the
      chroot option should not be needed for any normal rsync server.
</ol>

<p>The patches and full source for rsync version 2.5.7 are available from
<a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
produce updated packages for their distributions shortly.

<h4>Credits</h4>

<p>
The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:
<ul>

<li>Timo Sirainen &lt;tss.iki.fi&gt;
<li>Mike Warfield &lt;mhw.wittsend.com&gt;
<li>Paul Russell &lt;rusty.samba.org&gt;
<li>Andrea Barisani &lt;lcars.gentoo.org&gt;
</ul>

<p>        
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name 
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a> 
to this issue.

<p>
Regards,
<p>
The rsync team

<!--#include virtual="footer.html" -->