rsync is an <A HREF="http://www.opensource.org/">open source</A>
utility that provides fast incremental file transfer. rsync is freely
available under the <A HREF="GPL.html">GNU General Public
-License version 2</A>
-
-<p><b style="color:red">**</b>
-<b>For all released veersions of rsync, see the
-<a href="security_aug04" style="color:red">August 2004 security advisory</a>!</b>
-<b style="color:red">**</b>
-<b>If you're using a version prior to 2.6.1, see the
-<a href="#security_apr04" style="color:red">April 2004 security advisory</a>!</b>
-<b style="color:red">**</b>
-<b>If you're using a version prior to 2.5.7, also see the
-<a href="#security_dec03" style="color:red">December 2003 security advisory</a>!</b>
-<b style="color:red">**</b>
+License version 2</A> and is currently being maintained by
+<a href="http://opencoder.net/">Wayne Davison</a>.
+
+<p><i>(If you're using a version of rsync older than 2.6.3, see below for some security advisories.)</i>
+
+<h3>Rsync 2.6.6 released</h3>
+
+<p><i style="color:#777777">July 28th, 2005</i>
+
+<p>Rsync version 2.6.6 has been released. This release is a bug-fix release to
+handle a null-pointer bug that turned up in zlib 1.1.4 (not the recent zlib
+1.2.2 security fix, which did not affect rsync) and to squash a few other minor
+bugs. To deal with the zlib issue, rsync has been upgraded to include zlib
+1.2.3.
+
+<p>If you'd like to read about all the fixes that are in 2.6.6, read the
+<a href="http://rsync.samba.org/ftp/rsync/NEWS">NEWS file</a>. See the
+<a href="/ftp/rsync/OLDNEWS">OLDNEWS file</a> for details of what changed
+in prior versions. You can also read the man pages for
+<a href="http://rsync.samba.org/ftp/rsync/rsync.html">rsync</a> and
+<a href="http://rsync.samba.org/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
+
+<p>See the <a href="download.html">download page</a> for all the ways
+to grab the new version, or snag one of these:
+<b><a href="/ftp/rsync/rsync-2.6.6.tar.gz">rsync-2.6.6.tar.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.6.tar.gz.asc">signature</a>),
+<a href="/ftp/rsync/rsync-2.6.5-2.6.6.diffs.gz">rsync-2.6.5-2.6.6.diffs.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.5-2.6.6.diffs.gz.asc">signature</a>)</b>.
+Note that the diffs do not contain updates for the "patches" dir -- grab the tar
+file if you want the full release.
+
+<h3>Rsync 2.6.5 released</h3>
+
+<p><i style="color:#777777">June 1st, 2005</i>
+
+<p>Rsync version 2.6.5 has been released. This release is primarily a bug-fix
+release to squash some annoying problems that made it into the (feature-filled)
+release of 2.6.4, plus a few minor enhancements.
+
+<p>See the <a href="/ftp/rsync/old-versions/NEWS">release NEWS</a> for the
+details of what changed since 2.6.4.
+
+<h3>Rsync 2.6.4 released</h3>
+
+<p><i style="color:#777777">March 30th, 2005</i>
+
+<p>Rsync version 2.6.4 has been released. This release combines quite a
+few new features, some improved delete efficiency, and the usual array of
+bug fixes.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.4-NEWS">release NEWS</a> for the
+details of what changed since 2.6.3.
+
+
+<h3>Rsync 2.6.3 released</h3>
+
+<p><i style="color:#777777">September 30th, 2004</i>
+
+<p>Rsync version 2.6.3 has been released. It contains several new features
+and quite a few bug fixes.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.3-NEWS">release NEWS</a> for the
+details of what changed since 2.6.2.
+
<a name="security_aug04"></a>
<h3 style="color:red">August 2004 Security Advisory</h3>
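Review bot: The 2.6.5 entry's NEWS link, `<a href="/ftp/rsync/old-versions/NEWS">`, breaks the per-version naming that the neighbouring entries use (`/ftp/rsync/old-versions/rsync-2.6.4-NEWS`, `/ftp/rsync/old-versions/rsync-2.6.3-NEWS`, and the corrected 2.6.2 link further down); an unversioned NEWS file under old-versions will point at whatever was rotated there last, so give it a versioned name following the same pattern. The 2.6.6 paragraph also mixes absolute `http://rsync.samba.org/ftp/rsync/...` links (NEWS, rsync.html, rsyncd.conf.html) with site-relative `/ftp/rsync/...` links (OLDNEWS, the tarball and signature links); pick one form, preferably the relative one so mirrors of the page serve their own copies.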
-<h4>SUMMARY</h4>
+<p><i style="color:#777777">August 12th, 2004</i>
-<p>There is a path-sanitizing bug that affects daemon mode in all recent
-rsync versions (including 2.6.2) but only if chroot is disabled. It
+<p>There is a path-sanitizing bug that affects daemon-mode in
+rsync versions through version 2.6.2, but only if chroot is disabled. It
does NOT affect the normal send/receive filenames that specify what
files should be transferred (this is because these names happen to get
sanitized twice, and thus the second call removes any lingering leading
-slash(es) that the first call left behind).
-
-<h4>POTENTIAL EXPLOITS</h4>
-
-<p>I can think of two ways to exploit this sanitizing bug:
-
-<p>For anyone running an rsync daemon with chroot turned off while allowing
-the uploading of files, this bug can allow a carefully crafted filename
-for the --backup-dir option to cause rsync to overwrite a file outside
-of the module's path (if the UID of the daemon module has adequate
-permissions, of course).
-
-<p>For anyone running a 2.6.0 or 2.6.1 rsync daemon with chroot turned off,
-this bug can potentially reveal the contents of a file outside the
-module's hierarchy if the user uses a carefully crafted --files-from
-filename. This causes each line of the file to be revealed to the user
-as link_stat errors (other rsync versions hide these errors from the
-remote user).
-
-<h4>FIXES</h4>
-
-<p>The best fix is to apply this one-word patch to the sanitize_path()
-function in util.c:
-
-<pre>
---- orig/util.c 2004-04-27 12:59:37 -0700
-+++ util.c 2004-08-11 23:37:27 -0700
-@@ -743,7 +743,7 @@
- allowdotdot = 1;
- } else {
- p += 2;
-- if (*p == '/')
-+ while (*p == '/')
- p++;
- if (sanp != start) {
- /* back up sanp one level */
-</pre>
-
-<p>This bug is fixed in the CVS version of rsync, and will be released in
-version 2.6.3 (which will begin release-testing soon).
+slash(es) that the first call left behind). It does affect certain
+option paths that cause auxilliary files to be read or written.
+
+<p>This bug was fixed in version 2.6.3 of rsync.
<p>One potential fix that doesn't require recompiling rsync is to set
"use chroot = true" for all the modules in the rsyncd.conf file.
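Review bot: "auxilliary" in the added sentence "It does affect certain option paths that cause auxilliary files to be read or written." should be "auxiliary". The condensed summary also no longer says which option paths those are: the removed text named the --backup-dir and --files-from paths as the affected ones, and without those names an administrator reading this cannot judge whether a particular daemon configuration is exposed. Suggest keeping one sentence along the lines of "this affects the --files-from and --backup-dir option paths". Minor: the rewrite hyphenates "daemon-mode" here while the rest of the page (e.g. "using daemon mode instead of ssh") does not.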
-<p>A band-aid work-around for those running a 2.6.2 daemon is to exclude
-the use of the above options in the rsyncd.conf file:
-
- <blockquote>refuse options = files-from backup-dir</blockquote>
-
-<p>Note, however, that this "refuse options" configure item was broken in
-older rsync versions, such as all the 2.5.x versions and 2.6.0.
-
-
-<h4>EXPERIENCING DEJA VU?</h4>
-
-<p>Yes this bug is similar to the last security problem fixed in rsync in
-that the effect is the same even though the cause is slightly different.
-In the older bug, there was a way to slip certain option values through
-the option-parsing without sanitize_path() getting called on the path at
-all. In this new bug, the problem is that a carefully crafted path can
-be cleaned improperly, resulting in an absolute filename being generated
-instead of a relative one. (I note that this cleaning problem in the
-sanitize_path() function exists even as far back as rsync 2.3.0.)
<h3>Rsync 2.6.2 released</h3>
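Review bot: Dropping the "refuse options = files-from backup-dir" work-around leaves operators of a 2.6.2 daemon who cannot upgrade with only the chroot mitigation that survives above ("use chroot = true"); consider keeping the refuse-options line as a second mitigation, together with the removed caveat that "refuse options" was broken in all 2.5.x versions and 2.6.0, so that nobody relies on it on a version where it does not work.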
-<p>April 30th, 2004
+<p><i style="color:#777777">April 30th, 2004</i>
<p>Rsync version 2.6.2 has been released. It is a bugfix release that mainly
fixes <b>a bug with the --relative option (-R) in 2.6.1</b>
that could cause files to be transferred incorrectly. This only affected a
-source right at the root of the filesystem, such as "/" or "/*" (using "."
-as the source after a chdir to "/" was not affected, however).
+source right at the root of the filesystem, such as "/" or "/*" (if you
+first "cd /" and then copy from ".", it would not tickle the bug).
-<p>See the <a href="/ftp/rsync/rsync-2.6.2-NEWS">release NEWS</a> for the
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.2-NEWS">release NEWS</a> for the
details of what else was fixed.
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version, or snag one of these: <b>
-<a href="/ftp/rsync/rsync-2.6.2.tar.gz">rsync-2.6.2.tar.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.2.tar.gz.asc">signature</a>),
-<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz">rsync-2.6.1-2.6.2.diffs.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz.asc">signature</a>)</b>.
<h3>Rsync 2.6.1 released</h3>
-<p>April 26th, 2004
+<p><i style="color:#777777">April 26th, 2004</i>
<p>Rsync version 2.6.1 has been released. It is primarily a performance
release that requires less memory to run, makes fewer write calls to the socket
<a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
details.
+
<a name="security_apr04"></a>
<h3 style="color:red">April 2004 Security Advisory</h3>
+<p><i style="color:#777777">April 26th, 2004</i>
+
<p>There is a security problem in all versions prior to 2.6.1 that affects only
people running a read/write daemon WITHOUT using chroot. If the user privs
that such an rsync daemon is using is anything above "nobody", you are at risk
chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected.
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version.
<h3>One Cygwin hang-problem resolved</h3>
(Note that this doesn't solve a hang that some folks see in the middle of a
transfer -- using daemon mode instead of ssh can work around that one.)
+
<a name="two_six"></a>
<h3>Rsync 2.6.0 released</h3>
-<p>January 1st, 2004
+<p><i style="color:#777777">January 1st, 2004</i>
<P> Two important things to note in the new release:
<li>Some bug fixes in the include/exclude code, while making things work
properly, have resulted in some user-visible changes for certain wildcard
-strings. Read the BUG FIXES below to see if any of these changes apply to you.
+strings. Read the BUG FIXES section in the
+<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">NEWS file</a> to see if
+any of these changes apply to you.
(Most people should be unaffected.)
</ol>
<a name="security_dec03"></a>
<h3 style="color:red">December 2003 Security Advisory</h3>
-<p>December 4th, 2003
-
-<h4>Background</h4>
-
-<p>The rsync team has received evidence that a vulnerability in rsync was
-recently used in combination with a Linux kernel vulnerability to
-compromise the security of a public rsync server. While the forensic
-evidence we have is incomplete, we have pieced together the most
-likely way that this attack was conducted and we are releasing this
-advisory as a result of our investigations to date.
-
-<p>
-Our conclusions are that:
-
-<ul>
-
-<li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
- be used to remotely run arbitrary code.
-
-<li>While this heap overflow vulnerability could not be used by itself
- to obtain root access on a rsync server, it could be used in
- combination with the recently announced brk vulnerability in the
- Linux kernel to produce a full remote compromise.
-
-<li>The server that was compromised was using a non-default rsyncd.conf
- option <tt>"use chroot = no"</tt>. The use of this option made the attack on
- the compromised server considerably easier. A successful attack is
- almost certainly still possible without this option, but it would
- be much more difficult.
-</ul>
-
-<p>
-Please note that this vulnerability only affects the use of rsync as a
-"rsync server". To see if you are running a rsync server you should
-use the netstat command to see if you are listening on TCP port
-873. If you are not listening on TCP port 873 then you are not running
-a rsync server.
-
-<h4>New rsync release</h4>
-
-<p>
-In response we have released a new version of rsync, version
-2.5.7. This is based on the current stable 2.5.6 release with only the
-changes necessary to prevent this heap overflow vulnerability. There
-are no new features in this release.
-<p>
-We recommend that anyone running a rsync server take the following
-steps:
-<ol>
-<li>
- Update to (at least) rsync version 2.5.7 immediately.
-<li>
- If you are running a Linux kernel prior to version 2.4.23 then
- you should upgrade your kernel immediately. Note that some
- distribution vendors may have patched versions of the 2.4.x
- series kernel that fix the brk vulnerability in versions before
- 2.4.23. Check with your vendor security site to ensure that you
- are not vulnerable to the <tt>brk</tt> problem.
-<li>
- Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
- using the option <tt>"use chroot = no"</tt> then remove that line or
- change it to <tt>"use chroot = yes"</tt>. If you find that you need that
- option for your rsync service then you should disable your rsync
- service until you have discussed a workaround with the rsync
- maintainers on the rsync mailing list. The disabling of the
- chroot option should not be needed for any normal rsync server.
-</ol>
+<p><i style="color:#777777">December 4th, 2003</i>
+
+<p>Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
+could be used to remotely run arbitrary code, but this only affects the use of
+rsync as an "rsync daemon" (where rsync handles incoming socket connections,
+typically on port 873).
-<p>The patches and full source for rsync version 2.5.7 are available from
-<a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
-produce updated packages for their distributions shortly.
-
-<h4>Credits</h4>
-
-<p>
-The rsync team would like to thank the following individuals for their
-assistance in investigating this vulnerability and producing this
-response:
-<ul>
-
-<li>Timo Sirainen <tss.iki.fi>
-<li>Mike Warfield <mhw.wittsend.com>
-<li>Paul Russell <rusty.samba.org>
-<li>Andrea Barisani <lcars.gentoo.org>
-</ul>
-
-<p>
-The Common Vulnerabilities and Exposures project (cve.mitre.org) has
-assigned the name
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a>
-to this issue.
-
-<p>
-Regards,
-<p>
-The rsync team
+<p>This bug was fixed in rsync 2.5.7.
<!--#include virtual="footer.html" -->
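Review bot: The condensed December 2003 advisory drops the CVE reference (the removed link to CAN-2003-0962 at cve.mitre.org) and the configuration advice to remove "use chroot = no" from /etc/rsyncd.conf or change it to "use chroot = yes"; the identifier is what vendor advisories and package changelogs key on, and the chroot recommendation is the same mitigation the page still gives for the April and August 2004 advisories, so keep both (one sentence plus the link) alongside "This bug was fixed in rsync 2.5.7." The note that the issue only matters for a daemon listening on port 873 is a good replacement for the longer netstat instructions and can stay as written.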