rsync is an <A HREF="http://www.opensource.org/">open source</A>
utility that provides fast incremental file transfer. rsync is freely
available under the <A HREF="GPL.html">GNU General Public
-License version 2</A>
+License version 2</A> and is currently being maintained by
+<a href="http://opencoder.net/">Wayne Davison</a>.
<p><i>(If you're using a version of rsync older than 2.6.3, see below for some security advisories.)</i>
-<h3>Rsync 2.6.4pre4 released</h3>
+<!--
+<h3>The CVS version</h3>
+
+<p>If you're curious about the changes going into the next version of
+rsync, you can view the <a href="/ftp/unpacked/rsync/NEWS">NEWS file from
+CVS</a> to see a summary of the current changes. Also available are the
+<a href="/ftp/rsync/nightly/rsync.html">rsync manpage from CVS</a> and the
+<a href="/ftp/rsync/nightly/rsyncd.conf.html">rsyncd.conf manpage from
+CVS</a>.
+-->
+
+<h3>Rsync 2.6.9pre2 available for release testing</h3>
+
+<p><i style="color:#777777">October 14th, 2006</i>
+
+<p>Rsync version 2.6.9pre2 is now available for release testing. Please test it
+and send email to the rsync mailing list with any questions, comments, or bug
+reports.
+
+<p>You can read all about the latest improvements and bug-fixes in the
+<a href="/ftp/rsync/rsync-2.6.9pre2-NEWS">NEWS file</a>.
+The pre-release version of the manpages are also available for both
+<a href="/ftp/rsync/rsync.html">rsync</a> and
+<a href="/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
+
+<p>The source tar is available here:
+<b><a href="/ftp/rsync/rsync-2.6.9pre2.tar.gz">rsync-2.6.9pre2.tar.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.9pre2.tar.gz.asc">signature</a>),</b>
+the diffs from version 2.6.9pre1 are available here:
+<b><a href="/ftp/rsync/rsync-2.6.9pre1-2.6.9pre2.diffs.gz">rsync-2.6.9pre1-2.6.9pre2.diffs.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.9pre1-2.6.9pre2.diffs.gz.asc">signature</a>)</b>,
+and the earlier pre-release diffs are available here:
+<b><a href="/ftp/rsync/rsync-2.6.8-2.6.9pre1.diffs.gz">rsync-2.6.8-2.6.9pre1.diffs.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.8-2.6.9pre1.diffs.gz.asc">signature</a>)</b>.
+Note that the diffs do not contain updates for the "patches" dir -- grab the tar
+file if you want the full release.
-<p><i style="color:#777777">March 28th, 2005</i>
+<h3>Rsync version 2.6.8 released</h3>
-<p>Rsync version 2.6.4pre4 has been released. This release combines several
-new features with some improved delete efficiency and the usual array of
-bug fixes. Please try it out and send feedback to the mailing list!
+<p><i style="color:#777777">April 22th, 2006</i>
-<p>See the <a href="/ftp/rsync/preview/rsync-2.6.4pre4-NEWS">release NEWS</a> for the
-details of what changed since 2.6.3. You can also read a preview of the man pages
-for <a href="http://rsync.samba.org/ftp/rsync/preview/rsync.html">rsync</a> and
-<a href="http://rsync.samba.org/ftp/rsync/preview/rsyncd.conf.html">rsyncd.conf</a>.
+<p>Rsync version 2.6.8 has been released. This is a bug-fix release that
+primarily addresses an exclude problem that affected the --relative option,
+but also includes a security fix for the xattrs.diff patch (which is not an
+official part of rsync, but some packagers include it in their release).
-<p>The changes since 2.6.4pre3 are as follows:
+<p>You can read all about the latest improvements and bug-fixes in the
+<a href="/ftp/rsync/rsync-2.6.8-NEWS">NEWS file</a>.
+The latest versions of the manpages are also available for both
+<a href="/ftp/rsync/rsync.html">rsync</a> and
+<a href="/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
-<ul>
+<p>See the <a href="download.html">download page</a> for all the ways
+to grab the new version, or snag one of these:
+<b><a href="/ftp/rsync/rsync-2.6.8.tar.gz">rsync-2.6.8.tar.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.8.tar.gz.asc">signature</a>),
+<a href="/ftp/rsync/rsync-2.6.7-2.6.8.diffs.gz">rsync-2.6.7-2.6.8.diffs.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.7-2.6.8.diffs.gz.asc">signature</a>)</b>.
+Note that the diffs do not contain updates for the "patches" dir -- grab the tar
+file if you want the full release.
-<li> Fixed the listing of files on an rsync daemon that is version 2.6.3 or before.
+<p>Also of note for packagers: as was the case with the 2.6.7 release, the
+diffs in the patches dir of the release tar now contain patches for generated
+files, so you won't need to use autoconf and yodl unless you're creating a
+custom combination of patches that don't apply cleanly together.
-<li> Fixed the saving of the state of the --dirs option in a protocol-29 batch file.
-Also added the saving of --compress.
+<h3>Rsync 2.6.7 released</h3>
-<li> Got rid of the customized death message when talking to pre1/pre2 version
-of 2.6.4 (since everyone should have upgraded to pre3 by now).
+<p><i style="color:#777777">March 11th, 2006</i>
-<li> Don't reject --dry-run with --read-batch or --write-batch. Instead, output
-what changes would be made without --dry-run (but do nothing).
+<p>Rsync version 2.6.7 has been released. This release has both several new
+features and the usual accompanyment of bug fixes.
-<li> Limit the maximum fuzzy-name distance the --fuzzy option will accept when
-looking for an alternate basis file. Also fixed a bug in the parsing of each
-file's suffix.
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.7-NEWS">release NEWS</a> for the
+details of what changed since 2.6.6.
-<li> Tweaked the generator to do any --delete-after processing and any
-directory tweaking after any --delay-updates processing has finished.
+<h3>Rsync 2.6.6 released</h3>
-<li> Reversed the meaning of the '<' or '>' prefix that is output by
-the log-format's "%i" escape when files are transferred.
+<p><i style="color:#777777">July 28th, 2005</i>
-<li> Documented the --protocol=NUM option (which can be useful for creating
-batch files with an older protocol version).
+<p>Rsync version 2.6.6 has been released. This release is a bug-fix release
+to handle a null-pointer bug that turned up in rsync's version of zlib
+1.1.4 (this is not the recent zlib 1.2.2 security fix, which did not
+affect rsync) and to squash a few other minor bugs. To deal with the
+zlib issue, rsync has been upgraded to include zlib 1.2.3.
-</ul>
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.6-NEWS">release NEWS</a> for the
+details of what changed since 2.6.5.
-<p>To build it from source, snag one of these:
-<b><a href="/ftp/rsync/preview/rsync-2.6.4pre4.tar.gz">rsync-2.6.4pre4.tar.gz</a>
-(<a href="/ftp/rsync/preview/rsync-2.6.4pre4.tar.gz.asc">signature</a>),
-<a href="/ftp/rsync/preview/rsync-2.6.4pre3-2.6.4pre4.diffs.gz">rsync-2.6.4pre3-2.6.4pre4.diffs.gz</a>
-(<a href="/ftp/rsync/preview/rsync-2.6.4pre3-2.6.4pre4.diffs.gz.asc">signature</a>)</b>.
-<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre2-2.6.4pre3.diffs.gz">rsync-2.6.4pre2-2.6.4pre3.diffs.gz</a>
-(<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre2-2.6.4pre3.diffs.gz.asc">signature</a>)</b>.
-<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre1-2.6.4pre2.diffs.gz">rsync-2.6.4pre1-2.6.4pre2.diffs.gz</a>
-(<a href="/ftp/rsync/preview/old-patches/rsync-2.6.4pre1-2.6.4pre2.diffs.gz.asc">signature</a>)</b>.
-<a href="/ftp/rsync/preview/old-patches/rsync-2.6.3-2.6.4pre1.diffs.gz">rsync-2.6.3-2.6.4pre1.diffs.gz</a>
-(<a href="/ftp/rsync/preview/old-patches/rsync-2.6.3-2.6.4pre1.diffs.gz.asc">signature</a>)</b>.
-Note that the diffs do not contain updates for the "patches" dir -- grab the tar
-file if you want the full release.
+<h3>Rsync 2.6.5 released</h3>
+
+<p><i style="color:#777777">June 1st, 2005</i>
+
+<p>Rsync version 2.6.5 has been released. This release is primarily a bug-fix
+release to squash some annoying problems that made it into the (feature-filled)
+release of 2.6.4, plus a few minor enhancements.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.5-NEWS">release NEWS</a> for the
+details of what changed since 2.6.4.
+
+<h3>Rsync 2.6.4 released</h3>
+
+<p><i style="color:#777777">March 30th, 2005</i>
+
+<p>Rsync version 2.6.4 has been released. This release combines quite a
+few new features, some improved delete efficiency, and the usual array of
+bug fixes.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.4-NEWS">release NEWS</a> for the
+details of what changed since 2.6.3.
<h3>Rsync 2.6.3 released</h3>
<p>Rsync version 2.6.3 has been released. It contains several new features
and quite a few bug fixes.
-<p>See the <a href="/ftp/rsync/rsync-2.6.3-NEWS">release NEWS</a> for the
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.3-NEWS">release NEWS</a> for the
details of what changed since 2.6.2.
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version, or snag one of these:
-<b><a href="/ftp/rsync/rsync-2.6.3.tar.gz">rsync-2.6.3.tar.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.3.tar.gz.asc">signature</a>),
-<a href="/ftp/rsync/rsync-2.6.2-2.6.3.diffs.gz">rsync-2.6.2-2.6.3.diffs.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.2-2.6.3.diffs.gz.asc">signature</a>)</b>.
<a name="security_aug04"></a>
<h3 style="color:red">August 2004 Security Advisory</h3>
<p><i style="color:#777777">August 12th, 2004</i>
-<h4>Background</h4>
-
-<p>There is a path-sanitizing bug that affects daemon mode in all modern
+<p>There is a path-sanitizing bug that affects daemon-mode in
rsync versions through version 2.6.2, but only if chroot is disabled. It
does NOT affect the normal send/receive filenames that specify what
files should be transferred (this is because these names happen to get
sanitized twice, and thus the second call removes any lingering leading
slash(es) that the first call left behind). It does affect certain
-option paths that cause auxilliary files to be read or written.
-
-<h4>The Fix</h4>
-
-<p>The best fix is to apply this one-word patch to the sanitize_path()
-function in util.c:
-
-<pre>
---- orig/util.c 2004-04-27 12:59:37 -0700
-+++ util.c 2004-08-11 23:37:27 -0700
-@@ -743,7 +743,7 @@
- allowdotdot = 1;
- } else {
- p += 2;
-- if (*p == '/')
-+ while (*p == '/')
- p++;
- if (sanp != start) {
- /* back up sanp one level */
-</pre>
+option paths that cause auxiliary files to be read or written.
-<p>This bug-fix was released in version 2.6.3 of rsync.
+<p>This bug was fixed in version 2.6.3 of rsync.
<p>One potential fix that doesn't require recompiling rsync is to set
"use chroot = true" for all the modules in the rsyncd.conf file.
<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.2-NEWS">release NEWS</a> for the
details of what else was fixed.
+
<h3>Rsync 2.6.1 released</h3>
<p><i style="color:#777777">April 26th, 2004</i>
<a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
details.
+
<a name="security_apr04"></a>
<h3 style="color:red">April 2004 Security Advisory</h3>
chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected.
+
<h3>One Cygwin hang-problem resolved</h3>
<p>The problem with rsync hanging at the end of the transfer on
(Note that this doesn't solve a hang that some folks see in the middle of a
transfer -- using daemon mode instead of ssh can work around that one.)
+
<a name="two_six"></a>
<h3>Rsync 2.6.0 released</h3>
<p><i style="color:#777777">December 4th, 2003</i>
-<h4>Background</h4>
-
-<p>The rsync team has received evidence that a vulnerability in rsync was
-recently used in combination with a Linux kernel vulnerability to
-compromise the security of a public rsync server. While the forensic
-evidence we have is incomplete, we have pieced together the most
-likely way that this attack was conducted and we are releasing this
-advisory as a result of our investigations to date.
-
-<p>
-Our conclusions are that:
-
-<ul>
-
-<li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
- be used to remotely run arbitrary code.
-
-<li>While this heap overflow vulnerability could not be used by itself
- to obtain root access on a rsync server, it could be used in
- combination with the recently announced brk vulnerability in the
- Linux kernel to produce a full remote compromise.
-
-<li>The server that was compromised was using a non-default rsyncd.conf
- option <tt>"use chroot = no"</tt>. The use of this option made the attack on
- the compromised server considerably easier. A successful attack is
- almost certainly still possible without this option, but it would
- be much more difficult.
-</ul>
-
-<p>
-Please note that this vulnerability only affects the use of rsync as a
-"rsync server". To see if you are running a rsync server you should
-use the netstat command to see if you are listening on TCP port
-873. If you are not listening on TCP port 873 then you are not running
-a rsync server.
-
-<h4>New rsync release</h4>
-
-<p>
-In response we have released a new version of rsync, version
-2.5.7. This is based on the current stable 2.5.6 release with only the
-changes necessary to prevent this heap overflow vulnerability. There
-are no new features in this release.
-<p>
-We recommend that anyone running a rsync server take the following
-steps:
-<ol>
-<li>
- Update to (at least) rsync version 2.5.7 immediately.
-<li>
- If you are running a Linux kernel prior to version 2.4.23 then
- you should upgrade your kernel immediately. Note that some
- distribution vendors may have patched versions of the 2.4.x
- series kernel that fix the brk vulnerability in versions before
- 2.4.23. Check with your vendor security site to ensure that you
- are not vulnerable to the <tt>brk</tt> problem.
-<li>
- Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
- using the option <tt>"use chroot = no"</tt> then remove that line or
- change it to <tt>"use chroot = yes"</tt>. If you find that you need that
- option for your rsync service then you should disable your rsync
- service until you have discussed a workaround with the rsync
- maintainers on the rsync mailing list. The disabling of the
- chroot option should not be needed for any normal rsync server.
-</ol>
+<p>Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
+could be used to remotely run arbitrary code, but this only affects the use of
+rsync as an "rsync daemon" (where rsync handles incoming socket connections,
+typically on port 873).
-<p>The patches and full source for rsync version 2.5.7 are available from
-<a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
-produce updated packages for their distributions shortly.
-
-<h4>Credits</h4>
-
-<p>
-The rsync team would like to thank the following individuals for their
-assistance in investigating this vulnerability and producing this
-response:
-<ul>
-
-<li>Timo Sirainen <tss.iki.fi>
-<li>Mike Warfield <mhw.wittsend.com>
-<li>Paul Russell <rusty.samba.org>
-<li>Andrea Barisani <lcars.gentoo.org>
-</ul>
-
-<p>
-The Common Vulnerabilities and Exposures project (cve.mitre.org) has
-assigned the name
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a>
-to this issue.
-
-<p>
-Regards,
-<p>
-The rsync team
+<p>This bug was fixed in rsync 2.5.7.
<!--#include virtual="footer.html" -->
git.samba.org / rsync-web.git / blobdiff