(If you're using a version of rsync older than 2.6.3, see below for some security advisories.)
July 28th, 2005
Rsync version 2.6.6 has been released. This release is a bug-fix release to handle a null-pointer bug that turned up in rsync's version of zlib 1.1.4 (this is not the recent zlib 1.2.2 security fix, which did not affect rsync) and to squash a few other minor bugs. To deal with the zlib issue, rsync has been upgraded to include zlib 1.2.3.
If you'd like to read about all the fixes that are in 2.6.6, read the NEWS file. See the OLDNEWS file for details of what changed in prior versions. You can also read the man pages for rsync and rsyncd.conf.
See the download page for all the ways to grab the new version, or snag one of these: rsync-2.6.6.tar.gz (signature), rsync-2.6.5-2.6.6.diffs.gz (signature). Note that the diffs do not contain updates for the "patches" dir -- grab the tar file if you want the full release.
June 1st, 2005
Rsync version 2.6.5 has been released. This release is primarily a bug-fix release to squash some annoying problems that made it into the (feature-filled) release of 2.6.4, plus a few minor enhancements.
See the release NEWS for the details of what changed since 2.6.4.
March 30th, 2005
Rsync version 2.6.4 has been released. This release combines quite a few new features, some improved delete efficiency, and the usual array of bug fixes.
See the release NEWS for the details of what changed since 2.6.3.
September 30th, 2004
Rsync version 2.6.3 has been released. It contains several new features and quite a few bug fixes.
See the release NEWS for the details of what changed since 2.6.2.
August 12th, 2004
There is a path-sanitizing bug that affects daemon-mode in rsync versions through version 2.6.2, but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxilliary files to be read or written.
This bug was fixed in version 2.6.3 of rsync.
One potential fix that doesn't require recompiling rsync is to set "use chroot = true" for all the modules in the rsyncd.conf file.
April 30th, 2004
Rsync version 2.6.2 has been released. It is a bugfix release that mainly fixes a bug with the --relative option (-R) in 2.6.1 that could cause files to be transferred incorrectly. This only affected a source right at the root of the filesystem, such as "/" or "/*" (if you first "cd /" and then copy from ".", it would not tickle the bug).
See the release NEWS for the details of what else was fixed.
April 26th, 2004
Rsync version 2.6.1 has been released. It is primarily a performance release that requires less memory to run, makes fewer write calls to the socket (lowering the system CPU time), does less string copying (lowering the user CPU time), and also reduces the amount of data that is transmitted over the wire. There have also been quite a few bug fixes. See the release NEWS for the full details.
April 26th, 2004
There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected.
The problem with rsync hanging at the end of the transfer on Cygwin had been previously traced to a signal-handling bug in their compatibility DLL. This bug appears to now be fixed in DLL version 1.5.7-1, and Cygwin users are reporting that upgrading the DLL removes the hang-at-end-of-transfer problem for their existing rsync executable. (Note that this doesn't solve a hang that some folks see in the middle of a transfer -- using daemon mode instead of ssh can work around that one.)
January 1st, 2004
Two important things to note in the new release:
One other item of note is that the oft-requested option "--files-from" is now available. This option lets you specify a list of files to transfer, and can be much more efficient than a recursive descent using include/exclude statements (if you know in advance what files you want to transfer). The list of files can come from either side of the connection, so it is possible for a server to provide the file-list that lets someone grab a server-specified set of files, for example. See the rsync man page for more details.
For a full list of changes in version 2.6.0, see the release NEWS.
December 4th, 2003
Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that could be used to remotely run arbitrary code, but this only affects the use of rsync as an "rsync daemon" (where rsync handles incoming socket connections, typically on port 873).
This bug was fixed in rsync 2.5.7.