<HTML>
<HEAD>
<TITLE>rsync</TITLE>
+<style>
+.security { color: red; }
+h3 { margin-bottom: 0px; }
+.date { color: #D25A0B; }
+</style>
</HEAD>
<!--#include virtual="header.html" -->
rsync is an <A HREF="http://www.opensource.org/">open source</A>
utility that provides fast incremental file transfer. rsync is freely
available under the <A HREF="GPL.html">GNU General Public
-License version 2</A>
-
-<p><b>**
-For all versions of rsync prior to 2.6.3, see the
-<a href="#security_aug04">August 2004 security advisory</a>!
-**
-If you're using a version prior to 2.6.1, see the
-<a href="#security_apr04">April 2004 security advisory</a>!
-**
-If you're using a version prior to 2.5.7, see the
-<a href="#security_dec03">December 2003 security advisory</a>!
-**</b>
-
-
-<h3>Rsync 2.6.4pre3 released</h3>
-
-<p><i style="color:#777777">March 15th, 2005</i>
-
-<p>Rsync version 2.6.4pre3 has been released. This release combines several
-new features with some improved delete efficiency and the usual array of
-bug fixes. Please try it out and send feedback to the mailing list!
-
-<p><b>Important:</b> protocol 29 was revised in pre3 to be incompatible with
-pre1 and pre2, so be sure to update all your pre-release test versions at the
-same time. Rsync has code in it to detect that it is talking to an older
-pre-release, so you should see an appropriate error if you mix incompatible
-versions. If upgrading is not an option, use the --protocol=28 option to make
-the programs fall-back to a protocol they have in common (this is suggested in
-the error message that is output).
-
-<p>See the <a href="/ftp/rsync/preview/rsync-2.6.4pre3-NEWS">release NEWS</a> for the
-details of what changed since 2.6.3.
-
-<p>The changes since 2.6.4pre2 are as follows:
-
-<ul>
-
-<li> Some protocol changes were made: (1) simplified the data flow for the
-generator's reporting of its basis-file choice to the receiver (because
-simplified data flow makes deadlock prevention easier); (2) made hard-linking
-be reported via the itemized log output; and (3) added an extra "phase" at the
-end of the transfer for the --delay-updates processing so that it can itemize
-any delayed hard-links. (These changes make protocol 29 incompatible with
-earlier pre-releases, as mentioned in the "Important" note above.)
-
-<li> Another change for hard-links: a cluster of hard-linked files is now
-dealt with as soon as possible, either when we complete the update of one file
-in the cluster, or we find an unchanged file in the cluster (the old code used
-to do all hard-linking at the end of the transfer).
-
-<li> When --max-delete=N is specified and we attempted to overflow this value,
-we now warn at the end of the transfer and exit with error code 25. If you
-want to know about too-many deletions prior to doing any deletes, do a check
-run with --dry-run first.
-
-<li> Fixed a potential protocol-corrupting bug in the data sent from the
-generator to the receiver (this doesn't seem to have been easy to trigger,
-though).
-
-<li> Fixed a slowdown in the name-sorting code.
-
-<li> When '%i' outputs a deletion, it uses the string "*deleting" (with the
-leading '*' being new). Also a few other minor changes to the itemized output,
-including adding an extra character for future code to be able to report when
-an ACL/extended-attribute changes. (See the man page for full details.)
-
-<li> Fixed a glitch in the --progress output when transferring zero-length
-files.
-
-<li> Fixed the over-reporting of changes to a write-protected dir.
-
-<li> The --copy-dest option has made a comback into CVS now that its algorithm
-has been improved to work just like a --link-dest with copies instead of hard
-links (an earlier version of the code did a less efficient transfer of
-unchanged files from the --copy-dest hierarchy).
-
-</ul>
-
-<p>To build it from source, snag one of these:
-<b><a href="/ftp/rsync/preview/rsync-2.6.4pre3.tar.gz">rsync-2.6.4pre3.tar.gz</a>
-(<a href="/ftp/rsync/preview/rsync-2.6.4pre3.tar.gz.asc">signature</a>),
-<a href="/ftp/rsync/preview/rsync-2.6.4pre2-2.6.4pre3.diffs.gz">rsync-2.6.4pre2-2.6.4pre3.diffs.gz</a>
-(<a href="/ftp/rsync/preview/rsync-2.6.4pre2-2.6.4pre3.diffs.gz.asc">signature</a>)</b>.
-<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre1-2.6.4pre2.diffs.gz">rsync-2.6.4pre1-2.6.4pre2.diffs.gz</a>
-(<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre1-2.6.4pre2.diffs.gz.asc">signature</a>)</b>.
-<a href="/ftp/rsync/preview/old-patches/rsync-2.6.3-2.6.4pre1.diffs.gz">rsync-2.6.3-2.6.4pre1.diffs.gz</a>
-(<a href="/ftp/rsync/preview/old-patches/rsync-2.6.3-2.6.4pre1.diffs.gz.asc">signature</a>)</b>.
-Note that the diffs do not contain updates for the "patches" dir -- grab the tar
-file if you want the full release.
-
+License</A> and is currently being maintained by
+<a href="http://opencoder.net/">Wayne Davison</a>.
+
+<p><i>If you are (1) running a writable rsync daemon of <b>any</b>
+version or (2) using a version of rsync older than 2.6.6, see the
+<a href="security.html" class=security>rsync security advisory page</a>.</i>
+
+<!--
+
+<p><hr>
+<h3>The latest development version</h3>
+
+<p>If you're curious about the changes going into the next version of rsync,
+you can view the <a href="/ftp/unpacked/rsync/NEWS">NEWS file from the source
+repository</a> to see a summary of the current changes. Also available are the
+<a href="/ftp/rsync/nightly/rsync.html">repository's rsync manpage</a> and the
+<a href="/ftp/rsync/nightly/rsyncd.conf.html">repository's rsyncd.conf
+manpage</a>. See the <a href="/download.html">download page</a> for more info
+on grabbing the development version.
+
+-->
+
+<p><hr>
+<h3>Rsync 3.0.1pre1 available for release testing</h3>
+<i class=date>March 24th, 2008</i>
+
+<p>Rsync version 3.0.1pre1 is now available for release testing. This is a
+bug-fix release, which also includes fixes/improvements for several issues in
+the daemon-exclude code.
+
+<p>Please test this new release and send email to the rsync mailing list with
+any questions, comments, or bug reports.
+
+<p>You can read all about the latest improvements and bug-fixes in the
+<a href="/ftp/rsync/src-previews/rsync-3.0.1pre1-NEWS">NEWS file</a>.
+The pre-release version of the manpages are also available for both
+<a href="/ftp/rsync/rsync.html">rsync</a> and
+<a href="/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
+
+<p>The source tar is available here:
+<b><a href="/ftp/rsync/src-previews/rsync-3.0.1pre1.tar.gz">rsync-3.0.1pre1.tar.gz</a>
+(<a href="/ftp/rsync/src-previews/rsync-3.0.1pre1.tar.gz.asc">signature</a>),</b>
+with a tar file of the "patches" directory now released in a separate file:
+<b><a href="/ftp/rsync/src-previews/rsync-patches-3.0.1pre1.tar.gz">rsync-patches-3.0.1pre1.tar.gz</a>
+(<a href="/ftp/rsync/src-previews/rsync-patches-3.0.1pre1.tar.gz.asc">signature</a>),</b>
+and the diffs from version 3.0.0 are available here:
+<b><a href="/ftp/rsync/src-previews/rsync-3.0.0-3.0.1pre1.diffs.gz">rsync-3.0.0-3.0.1pre1.diffs.gz</a>
+(<a href="/ftp/rsync/src-previews/rsync-3.0.0-3.0.1pre1.diffs.gz.asc">signature</a>)</b>.
+
+<p><hr>
+<h3>Rsync version 3.0.0 released</h3>
+<i class=date>March 1st, 2008</i>
+
+<p>Rsync version 3.0.0 is finally here! This is a feature release that
+also includes quite a few bug fixes.
+
+<p>The 3.0.0 version number is such a large bump up from 2.6.9 due to the
+addition of an
+incremental recursion scan (which helps a lot with large transfers) and the
+official arrival of several other new features, including ACL support, extended
+attribute support, filename character-set conversion, etc.
+
+<p>You can read all about the latest improvements and bug-fixes in the
+<a href="/ftp/rsync/src/rsync-3.0.0-NEWS">release NEWS</a>.
+
+The latest version of each manpage is also available:
+<a href="/ftp/rsync/rsync.html">rsync</a> and
+<a href="/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
+
+<p>The source tar is available here:
+<b><a href="/ftp/rsync/src/rsync-3.0.0.tar.gz">rsync-3.0.0.tar.gz</a>
+(<a href="/ftp/rsync/src/rsync-3.0.0.tar.gz.asc">signature</a>),</b>
+with a tar file of the "patches" directory now released in a separate file:
+<b><a href="/ftp/rsync/src/rsync-patches-3.0.0.tar.gz">rsync-patches-3.0.0.tar.gz</a>
+(<a href="/ftp/rsync/src/rsync-patches-3.0.0.tar.gz.asc">signature</a>),</b>
+and the diffs from version 2.6.9 are available here:
+<b><a href="/ftp/rsync/src-diffs/rsync-2.6.9-3.0.0.diffs.gz">rsync-2.6.9-3.0.0.diffs.gz</a>
+(<a href="/ftp/rsync/src-diffs/rsync-2.6.9-3.0.0.diffs.gz.asc">signature</a>)</b>.
+
+<p><hr>
+<h3>Rsync version 2.6.9 released</h3>
+<i class=date>November 6th, 2006</i>
+
+<p>Rsync version 2.6.9 has been released. This is primarily a bug-fix
+release with a few minor new features.
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.9-NEWS">release NEWS</a>
+for the details of what changed since 2.6.8.
+
+<p><hr>
+<h3>Rsync version 2.6.8 released</h3>
+<i class=date>April 22th, 2006</i>
+
+<p>Rsync version 2.6.8 has been released. This is a bug-fix release that
+primarily addresses an exclude problem that affected the --relative option,
+but also includes a <a href="security.html#s2_6_8" class=security>security fix</a> for
+the xattrs.diff patch (which is not an
+official part of rsync, but some packagers include it in their release).
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.8-NEWS">release NEWS</a>
+for the details of what changed since 2.6.7.
+
+<p><hr>
+<h3>Rsync 2.6.7 released</h3>
+<i class=date>March 11th, 2006</i>
+
+<p>Rsync version 2.6.7 has been released. This release has both several new
+features and the usual accompaniment of bug fixes.
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.7-NEWS">release NEWS</a>
+for the details of what changed since 2.6.6.
+
+<p><hr>
+<h3>Rsync 2.6.6 released</h3>
+<i class=date>July 28th, 2005</i>
+
+<p>Rsync version 2.6.6 has been released. This release is a bug-fix release
+which contains a <a href="security.html#s2_6_6" class=security>security fix</a>
+to handle a null-pointer bug that turned up in rsync's version of zlib
+1.1.4 (this is not the recent zlib 1.2.2 security fix, which did not
+affect rsync) and to squash a few other minor bugs. To deal with the
+zlib issue, rsync has been upgraded to include zlib 1.2.3.
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.6-NEWS">release NEWS</a>
+for the details of what changed since 2.6.5.
+
+<p><hr>
+<h3>Rsync 2.6.5 released</h3>
+<i class=date>June 1st, 2005</i>
+
+<p>Rsync version 2.6.5 has been released. This release is primarily a bug-fix
+release to squash some annoying problems that made it into the (feature-filled)
+release of 2.6.4, plus a few minor enhancements.
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.5-NEWS">release NEWS</a>
+for the details of what changed since 2.6.4.
+
+<p><hr>
+<h3>Rsync 2.6.4 released</h3>
+<i class=date>March 30th, 2005</i>
+
+<p>Rsync version 2.6.4 has been released. This release combines quite a
+few new features, some improved delete efficiency, and the usual array of
+bug fixes.
+
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.4-NEWS">release NEWS</a>
+for the details of what changed since 2.6.3.
+<p><hr>
<h3>Rsync 2.6.3 released</h3>
-
-<p><i style="color:#777777">September 30th, 2004</i>
+<i class=date>September 30th, 2004</i>
<p>Rsync version 2.6.3 has been released. It contains several new features
-and quite a few bug fixes.
+and quite a few bug fixes, including a <a href="security.html#s2_6_3" class=security>security
+fix</a> for a patch-sanitizing bug in the daemon code.
-<p>See the <a href="/ftp/rsync/rsync-2.6.3-NEWS">release NEWS</a> for the
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.3-NEWS">release NEWS</a> for the
details of what changed since 2.6.2.
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version, or snag one of these:
-<b><a href="/ftp/rsync/rsync-2.6.3.tar.gz">rsync-2.6.3.tar.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.3.tar.gz.asc">signature</a>),
-<a href="/ftp/rsync/rsync-2.6.2-2.6.3.diffs.gz">rsync-2.6.2-2.6.3.diffs.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.2-2.6.3.diffs.gz.asc">signature</a>)</b>.
-
-<a name="security_aug04"></a>
-<h3 style="color:red">August 2004 Security Advisory</h3>
-
-<p><i style="color:#777777">August 12th, 2004</i>
-
-<h4>Background</h4>
-
-<p>There is a path-sanitizing bug that affects daemon mode in all modern
-rsync versions through version 2.6.2, but only if chroot is disabled. It
-does NOT affect the normal send/receive filenames that specify what
-files should be transferred (this is because these names happen to get
-sanitized twice, and thus the second call removes any lingering leading
-slash(es) that the first call left behind). It does affect certain
-option paths that cause auxilliary files to be read or written.
-
-<h4>The Fix</h4>
-
-<p>The best fix is to apply this one-word patch to the sanitize_path()
-function in util.c:
-
-<pre>
---- orig/util.c 2004-04-27 12:59:37 -0700
-+++ util.c 2004-08-11 23:37:27 -0700
-@@ -743,7 +743,7 @@
- allowdotdot = 1;
- } else {
- p += 2;
-- if (*p == '/')
-+ while (*p == '/')
- p++;
- if (sanp != start) {
- /* back up sanp one level */
-</pre>
-
-<p>This bug-fix was released in version 2.6.3 of rsync.
-
-<p>One potential fix that doesn't require recompiling rsync is to set
-"use chroot = true" for all the modules in the rsyncd.conf file.
-
-
+<p><hr>
<h3>Rsync 2.6.2 released</h3>
-
-<p><i style="color:#777777">April 30th, 2004</i>
+<i class=date>April 30th, 2004</i>
<p>Rsync version 2.6.2 has been released. It is a bugfix release that mainly
fixes <b>a bug with the --relative option (-R) in 2.6.1</b>
source right at the root of the filesystem, such as "/" or "/*" (if you
first "cd /" and then copy from ".", it would not tickle the bug).
-<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.2-NEWS">release NEWS</a> for the
+<p>See the <a href="/ftp/rsync/src/rsync-2.6.2-NEWS">release NEWS</a> for the
details of what else was fixed.
+<p><hr>
<h3>Rsync 2.6.1 released</h3>
-
-<p><i style="color:#777777">April 26th, 2004</i>
+<i class=date>April 26th, 2004</i>
<p>Rsync version 2.6.1 has been released. It is primarily a performance
release that requires less memory to run, makes fewer write calls to the socket
(lowering the system CPU time), does less string copying (lowering the user CPU
time), and also reduces the amount of data that is transmitted over the wire.
-There have also been quite a few bug fixes. See the
-<a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
+There have also been quite a few bug fixes, including a
+<a href="security.html#s2_6_1" class=security>security fix</a> for a daemon problem when chroot
+is not enabled. See the
+<a href="/ftp/rsync/src/rsync-2.6.1-NEWS">release NEWS</a> for the full
details.
-<a name="security_apr04"></a>
-<h3 style="color:red">April 2004 Security Advisory</h3>
-
-<p><i style="color:#777777">April 26th, 2004</i>
-
-<p>There is a security problem in all versions prior to 2.6.1 that affects only
-people running a read/write daemon WITHOUT using chroot. If the user privs
-that such an rsync daemon is using is anything above "nobody", you are at risk
-of someone crafting an attack that could write a file outside of the module's
-"path" setting (where all its files should be stored). Please either enable
-chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
-daemon, or running a chrooted daemon are totally unaffected.
-
+<p><hr>
<h3>One Cygwin hang-problem resolved</h3>
<p>The problem with rsync hanging at the end of the transfer on
(Note that this doesn't solve a hang that some folks see in the middle of a
transfer -- using daemon mode instead of ssh can work around that one.)
-<a name="two_six"></a>
+<p><hr>
<h3>Rsync 2.6.0 released</h3>
-
-<p><i style="color:#777777">January 1st, 2004</i>
+<i class=date>January 1st, 2004</i>
<P> Two important things to note in the new release:
<li>Some bug fixes in the include/exclude code, while making things work
properly, have resulted in some user-visible changes for certain wildcard
strings. Read the BUG FIXES section in the
-<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">NEWS file</a> to see if
+<a href="/ftp/rsync/src/rsync-2.6.0-NEWS">NEWS file</a> to see if
any of these changes apply to you.
(Most people should be unaffected.)
for more details.
<p>For a full list of changes in version 2.6.0, see the
-<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">release NEWS</a>.
-
-<a name="security_dec03"></a>
-<h3 style="color:red">December 2003 Security Advisory</h3>
-
-<p><i style="color:#777777">December 4th, 2003</i>
-
-<h4>Background</h4>
-
-<p>The rsync team has received evidence that a vulnerability in rsync was
-recently used in combination with a Linux kernel vulnerability to
-compromise the security of a public rsync server. While the forensic
-evidence we have is incomplete, we have pieced together the most
-likely way that this attack was conducted and we are releasing this
-advisory as a result of our investigations to date.
-
-<p>
-Our conclusions are that:
-
-<ul>
-
-<li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
- be used to remotely run arbitrary code.
-
-<li>While this heap overflow vulnerability could not be used by itself
- to obtain root access on a rsync server, it could be used in
- combination with the recently announced brk vulnerability in the
- Linux kernel to produce a full remote compromise.
-
-<li>The server that was compromised was using a non-default rsyncd.conf
- option <tt>"use chroot = no"</tt>. The use of this option made the attack on
- the compromised server considerably easier. A successful attack is
- almost certainly still possible without this option, but it would
- be much more difficult.
-</ul>
-
-<p>
-Please note that this vulnerability only affects the use of rsync as a
-"rsync server". To see if you are running a rsync server you should
-use the netstat command to see if you are listening on TCP port
-873. If you are not listening on TCP port 873 then you are not running
-a rsync server.
-
-<h4>New rsync release</h4>
-
-<p>
-In response we have released a new version of rsync, version
-2.5.7. This is based on the current stable 2.5.6 release with only the
-changes necessary to prevent this heap overflow vulnerability. There
-are no new features in this release.
-<p>
-We recommend that anyone running a rsync server take the following
-steps:
-<ol>
-<li>
- Update to (at least) rsync version 2.5.7 immediately.
-<li>
- If you are running a Linux kernel prior to version 2.4.23 then
- you should upgrade your kernel immediately. Note that some
- distribution vendors may have patched versions of the 2.4.x
- series kernel that fix the brk vulnerability in versions before
- 2.4.23. Check with your vendor security site to ensure that you
- are not vulnerable to the <tt>brk</tt> problem.
-<li>
- Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
- using the option <tt>"use chroot = no"</tt> then remove that line or
- change it to <tt>"use chroot = yes"</tt>. If you find that you need that
- option for your rsync service then you should disable your rsync
- service until you have discussed a workaround with the rsync
- maintainers on the rsync mailing list. The disabling of the
- chroot option should not be needed for any normal rsync server.
-</ol>
-
-<p>The patches and full source for rsync version 2.5.7 are available from
-<a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
-produce updated packages for their distributions shortly.
-
-<h4>Credits</h4>
-
-<p>
-The rsync team would like to thank the following individuals for their
-assistance in investigating this vulnerability and producing this
-response:
-<ul>
-
-<li>Timo Sirainen <tss.iki.fi>
-<li>Mike Warfield <mhw.wittsend.com>
-<li>Paul Russell <rusty.samba.org>
-<li>Andrea Barisani <lcars.gentoo.org>
-</ul>
-
-<p>
-The Common Vulnerabilities and Exposures project (cve.mitre.org) has
-assigned the name
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a>
-to this issue.
-
-<p>
-Regards,
-<p>
-The rsync team
+<a href="/ftp/rsync/src/rsync-2.6.0-NEWS">release NEWS</a>.
<!--#include virtual="footer.html" -->
git.samba.org / rsync-web.git / blobdiff