-<!-- $Header$ -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync</TITLE>
+</HEAD>
<!--#include virtual="header.html" -->
<H2 align="center">Welcome to the rsync web pages</H2>
available under the <A HREF="GPL.html">GNU General Public
License version 2</A>
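Review bot: the added DOCTYPE, <HTML>, <HEAD> and <TITLE> lines at the top of this hunk are emitted before <!--#include virtual="header.html" -->, and no matching </HEAD> or </HTML> appears anywhere in the diff; verify that header.html does not already open <html>/<head> (which would duplicate them) and that footer.html closes what is opened here, otherwise the page is malformed. Dropping the "$Header$" keyword line is fine.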
-<p><b style="color:red">** If you're using a version prior to 2.6.1, see the
-<a href="#security_apr04">April 2004 security advisory</a>! If you're using
-a version prior to 2.5.7, also see the <a href="#security_dec03">December
-2003 security advisory</a>! **</b>
+<p><i>(If you're using a version of rsync older than 2.6.3, see below for some security advisories.)</i>
+
+<h3>Rsync 2.6.6pre1 released</h3>
+
+<p><i style="color:#777777">July 7th, 2005</i>
+
+<p>Rsync version 2.6.6pre1 has been released. This release is a preliminary
+release for trying out a zlib upgrade to version 1.2.2 plus a security fix for
+the latest security problem found in zlib. I had originally thought that this
+release was needed to fix a security problem in the zlib included in rsync, but
+it turns out that zlib 1.1.4 (which is used in 2.6.5 and earlier) is not affected
+by this latest zlib security problem.
+
+<p>If you'd like to read about all the fixes that are in 2.6.6pre1, read the
+<a href="http://rsync.samba.org/ftp/rsync/preview/NEWS">NEWS file</a>.
+
+<p>You can download the pre-release version either as a tar file:
+<b><a href="/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz">rsync-2.6.6pre1.tar.gz</a>
+(<a href="/ftp/rsync/preview/rsync-2.6.6pre1.tar.gz.asc">signature</a>),
+</b>or a set of diffs based on 2.6.5:<b>
+<a href="/ftp/rsync/preview/rsync-2.6.5-2.6.6pre1.diffs.gz">rsync-2.6.5-2.6.6pre1.diffs.gz</a>
+(<a href="/ftp/rsync/preview/rsync-2.6.5-2.6.6pre1.diffs.gz.asc">signature</a>)</b>.
+
+<h3>Rsync 2.6.5 released</h3>
+
+<p><i style="color:#777777">June 1st, 2005</i>
+
+<p>Rsync version 2.6.5 has been released. This release is primarily a bug-fix
+release to squash some annoying problems that made it into the (feature-filled)
+release of 2.6.4, plus a few minor enhancements.
+
+<p>See the <a href="/ftp/rsync/NEWS">release NEWS</a> for the
+details of what changed since 2.6.4, and the
+<a href="/ftp/rsync/OLDNEWS">OLDNEWS file</a> for details of what changed
+in prior versions. You can also read the man pages for
+<a href="http://rsync.samba.org/ftp/rsync/rsync.html">rsync</a> and
+<a href="http://rsync.samba.org/ftp/rsync/rsyncd.conf.html">rsyncd.conf</a>.
+
+<p>See the <a href="download.html">download page</a> for all the ways
+to grab the new version, or snag one of these:
+<b><a href="/ftp/rsync/rsync-2.6.5.tar.gz">rsync-2.6.5.tar.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.5.tar.gz.asc">signature</a>),
+<a href="/ftp/rsync/rsync-2.6.4-2.6.5.diffs.gz">rsync-2.6.4-2.6.5.diffs.gz</a>
+(<a href="/ftp/rsync/rsync-2.6.4-2.6.5.diffs.gz.asc">signature</a>)</b>.
+Note that the diffs do not contain updates for the "patches" dir -- grab the tar
+file if you want the full release.
+
+
+<h3>Rsync 2.6.4 released</h3>
+
+<p><i style="color:#777777">March 30th, 2005</i>
+
+<p>Rsync version 2.6.4 has been released. This release combines quite a
+few new features, some improved delete efficiency, and the usual array of
+bug fixes.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.4-NEWS">release NEWS</a> for the
+details of what changed since 2.6.3.
+
+
+<h3>Rsync 2.6.3 released</h3>
+
+<p><i style="color:#777777">September 30th, 2004</i>
+
+<p>Rsync version 2.6.3 has been released. It contains several new features
+and quite a few bug fixes.
+
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.3-NEWS">release NEWS</a> for the
+details of what changed since 2.6.2.
+
+
+<a name="security_aug04"></a>
+<h3 style="color:red">August 2004 Security Advisory</h3>
+
+<p><i style="color:#777777">August 12th, 2004</i>
+
+<p>There is a path-sanitizing bug that affects daemon-mode in
+rsync versions through version 2.6.2, but only if chroot is disabled. It
+does NOT affect the normal send/receive filenames that specify what
+files should be transferred (this is because these names happen to get
+sanitized twice, and thus the second call removes any lingering leading
+slash(es) that the first call left behind). It does affect certain
+option paths that cause auxilliary files to be read or written.
+
+<p>This bug was fixed in version 2.6.3 of rsync.
+
+<p>One potential fix that doesn't require recompiling rsync is to set
+"use chroot = true" for all the modules in the rsyncd.conf file.
+
<h3>Rsync 2.6.2 released</h3>
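Review bot: the workaround in the new August 2004 advisory is written as "use chroot = true" while the December 2003 advisory on this same page spells it "use chroot = yes"; use one spelling, and say explicitly that chroot is the default for daemon modules, so only administrators who set "use chroot = no" are exposed. "auxilliary" is misspelled (auxiliary), and "certain option paths that cause auxilliary files to be read or written" should name the affected options so operators can audit their configurations. The replacement banner ("see below for some security advisories") also drops the anchors to #security_aug04, #security_apr04 and #security_dec03 and downgrades the bold red warning to grey italic; keep the links so "see below" is one click. In the 2.6.6pre1 text, "the latest security problem found in zlib" is unidentified; cite the zlib advisory, and reorder the paragraph so it does not first announce a security fix and then say rsync was never affected (state plainly that zlib is upgraded to 1.2.2 plus its fix, and that the bundled 1.1.4 in 2.6.5 and earlier is not vulnerable).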
-<p>April 30th, 2004
+<p><i style="color:#777777">April 30th, 2004</i>
<p>Rsync version 2.6.2 has been released. It is a bugfix release that mainly
fixes <b>a bug with the --relative option (-R) in 2.6.1</b>
that could cause files to be transferred incorrectly. This only affected a
-source right at the root of the filesystem, such as "/" or "/*" (using "."
-as the source after a chdir to "/" was not affected, however).
+source right at the root of the filesystem, such as "/" or "/*" (if you
+first "cd /" and then copy from ".", it would not tickle the bug).
-<p>See the <a href="/ftp/rsync/rsync-2.6.2-NEWS">release NEWS</a> for the
+<p>See the <a href="/ftp/rsync/old-versions/rsync-2.6.2-NEWS">release NEWS</a> for the
details of what else was fixed.
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version, or snag one of these: <b>
-<a href="/ftp/rsync/rsync-2.6.2.tar.gz">rsync-2.6.2.tar.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.2.tar.gz.sig">signature</a>),
-<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz">rsync-2.6.1-2.6.2.diffs.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.1-2.6.2.diffs.gz.sig">signature</a>)</b>.
<h3>Rsync 2.6.1 released</h3>
-<p>April 26th, 2004
+<p><i style="color:#777777">April 26th, 2004</i>
<p>Rsync version 2.6.1 has been released. It is primarily a performance
release that requires less memory to run, makes fewer write calls to the socket
<a href="/ftp/rsync/old-versions/rsync-2.6.1-NEWS">release NEWS</a> for the full
details.
+
<a name="security_apr04"></a>
-<h4>April 2004 Security Advisory</h4>
+<h3 style="color:red">April 2004 Security Advisory</h3>
+
+<p><i style="color:#777777">April 26th, 2004</i>
<p>There is a security problem in all versions prior to 2.6.1 that affects only
people running a read/write daemon WITHOUT using chroot. If the user privs
chroot or upgrade to 2.6.1. People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected.
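Review bot: promoting this advisory to a red h3 with a date matches the other advisories, but the body still gives no description of the flaw or an identifier, and the sentence beginning "If the user privs" breaks off before "chroot or upgrade to 2.6.1"; complete the sentence or point at the 2.6.1 NEWS entry. The signed 2.6.1 tarball and diffs removed just below are now reachable only through the download page, so make sure that page lists the old-versions signatures as well.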
-<p>See the <a href="download.html">download page</a> for all the ways
-to grab the new version, or snag one of these: <b>
-<a href="/ftp/rsync/rsync-2.6.1.tar.gz">rsync-2.6.1.tar.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.1.tar.gz.sig">signature</a>),
-<a href="/ftp/rsync/rsync-2.6.0-2.6.1.diffs.gz">rsync-2.6.0-2.6.1.diffs.gz</a>
-(<a href="/ftp/rsync/rsync-2.6.0-2.6.1.diffs.gz.sig">signature</a>)</b>.
<h3>One Cygwin hang-problem resolved</h3>
(Note that this doesn't solve a hang that some folks see in the middle of a
transfer -- using daemon mode instead of ssh can work around that one.)
+
<a name="two_six"></a>
<h3>Rsync 2.6.0 released</h3>
-<p>January 1st, 2004
+<p><i style="color:#777777">January 1st, 2004</i>
<P> Two important things to note in the new release:
<li>Some bug fixes in the include/exclude code, while making things work
properly, have resulted in some user-visible changes for certain wildcard
-strings. Read the BUG FIXES below to see if any of these changes apply to you.
+strings. Read the BUG FIXES section in the
+<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">NEWS file</a> to see if
+any of these changes apply to you.
(Most people should be unaffected.)
</ol>
<a href="/ftp/rsync/old-versions/rsync-2.6.0-NEWS">release NEWS</a>.
<a name="security_dec03"></a>
-<h3>December 2003 Security Advisory</h3>
-
-<p>December 4th, 2003
-
-<h4>Background</h4>
-
-<p>The rsync team has received evidence that a vulnerability in rsync was
-recently used in combination with a Linux kernel vulnerability to
-compromise the security of a public rsync server. While the forensic
-evidence we have is incomplete, we have pieced together the most
-likely way that this attack was conducted and we are releasing this
-advisory as a result of our investigations to date.
-
-<p>
-Our conclusions are that:
-
-<ul>
-
-<li>rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can
- be used to remotely run arbitrary code.
-
-<li>While this heap overflow vulnerability could not be used by itself
- to obtain root access on a rsync server, it could be used in
- combination with the recently announced brk vulnerability in the
- Linux kernel to produce a full remote compromise.
-
-<li>The server that was compromised was using a non-default rsyncd.conf
- option <tt>"use chroot = no"</tt>. The use of this option made the attack on
- the compromised server considerably easier. A successful attack is
- almost certainly still possible without this option, but it would
- be much more difficult.
-</ul>
-
-<p>
-Please note that this vulnerability only affects the use of rsync as a
-"rsync server". To see if you are running a rsync server you should
-use the netstat command to see if you are listening on TCP port
-873. If you are not listening on TCP port 873 then you are not running
-a rsync server.
-
-<h4>New rsync release</h4>
-
-<p>
-In response we have released a new version of rsync, version
-2.5.7. This is based on the current stable 2.5.6 release with only the
-changes necessary to prevent this heap overflow vulnerability. There
-are no new features in this release.
-<p>
-We recommend that anyone running a rsync server take the following
-steps:
-<ol>
-<li>
- Update to (at least) rsync version 2.5.7 immediately.
-<li>
- If you are running a Linux kernel prior to version 2.4.23 then
- you should upgrade your kernel immediately. Note that some
- distribution vendors may have patched versions of the 2.4.x
- series kernel that fix the brk vulnerability in versions before
- 2.4.23. Check with your vendor security site to ensure that you
- are not vulnerable to the <tt>brk</tt> problem.
-<li>
- Review your <tt>/etc/rsyncd.conf</tt> configuration file. If you are
- using the option <tt>"use chroot = no"</tt> then remove that line or
- change it to <tt>"use chroot = yes"</tt>. If you find that you need that
- option for your rsync service then you should disable your rsync
- service until you have discussed a workaround with the rsync
- maintainers on the rsync mailing list. The disabling of the
- chroot option should not be needed for any normal rsync server.
-</ol>
+<h3 style="color:red">December 2003 Security Advisory</h3>
+
+<p><i style="color:#777777">December 4th, 2003</i>
+
+<p>Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
+could be used to remotely run arbitrary code, but this only affects the use of
+rsync as an "rsync daemon" (where rsync handles incoming socket connections,
+typically on port 873).
-<p>The patches and full source for rsync version 2.5.7 are available from
-<a href="http://rsync.samba.org/">http://rsync.samba.org/</a> and mirror sites. We expect that vendors will
-produce updated packages for their distributions shortly.
-
-<h4>Credits</h4>
-
-<p>
-The rsync team would like to thank the following individuals for their
-assistance in investigating this vulnerability and producing this
-response:
-<ul>
-
-<li>Timo Sirainen <tss.iki.fi>
-<li>Mike Warfield <mhw.wittsend.com>
-<li>Paul Russell <rusty.samba.org>
-<li>Andrea Barisani <lcars.gentoo.org>
-</ul>
-
-<p>
-The Common Vulnerabilities and Exposures project (cve.mitre.org) has
-assigned the name
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962">CAN-2003-0962</a>
-to this issue.
-
-<p>
-Regards,
-<p>
-The rsync team
+<p>This bug was fixed in rsync 2.5.7.
<!--#include virtual="footer.html" -->
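Review bot: the rewrite of the December 2003 advisory drops the CVE reference (CAN-2003-0962), the credits, the three remediation steps and the netstat check for TCP port 873; what remains says only that a heap overflow exists and was fixed in 2.5.7. Keep at least the CVE link, the warning about "use chroot = no" (the removed text explains that the compromised server had that non-default setting and that it made the attack considerably easier) and the one-line "am I running a daemon on 873" check, so an operator can decide at a glance whether they are exposed. The removed "upgrade a Linux kernel prior to 2.4.23 for the brk vulnerability" step is also actionable advice that now has no home on the page; consider moving the full advisory to its own linked page rather than deleting it.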