This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: [SECURITY] rdiff/librsync, rdiff-backup
- From: David Rothenberger <daveroth at acm dot org>
- To: cygwin-apps at cygwin dot com
- Date: Tue, 02 Jun 2015 21:55:34 -0700
- Subject: Re: [SECURITY] rdiff/librsync, rdiff-backup
- Authentication-results: sourceware.org; auth=none
- References: <1433280096 dot 8324 dot 89 dot camel at cygwin dot com>
On 6/2/2015 2:21 PM, Yaakov Selkowitz wrote:
> David,
>
> A checksum collision vulnerability has been found in librsync (rdiff):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
>
> The solution is to update librsync to 1.0.0; you may wish to consider
> the following patch as well:
>
> http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
>
> Please note that both Fedora and Debian call the main package librsync
> based on upstream packaging, from which rdiff could be a subpackage.
> The different naming of this package threw me off for a while. Any
> chance we could shuffle the packaging around (I can help with the server
> side)?
>
> Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
> namely rdiff-backup, which requires the following patch:
>
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
>
> You may wish to consider the following patches for rdiff-backup as well:
>
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch
Thanks for the detailed information. I'll take a look at this over the
weekend. I'll upload the new packages once I get them built and send
another email so you can shuffle things around on the server side.
--
David Rothenberger ---- daveroth@acm.org
Kaufman's First Law of Party Physics:
Population density is inversely proportional
to the square of the distance from the keg.
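The thread above only says that a checksum collision was found in librsync and that the fix is to move to 1.0.0 and rebuild rdiff-backup against it; it does not describe the collision itself. For readers who want to see the failure mode, the following is an added example by the editor, not code from the thread, from librsync or from rdiff-backup. It models an rdiff-style signature/delta/patch exchange with an rsync-like weak rolling sum and a BLAKE2b strong sum whose length can be truncated. The 64-byte block size, the 2-byte truncation used to stand for the weak configuration, the 32-byte full length, and the sample file are all assumptions chosen for the demonstration and are not figures from the page or from librsync.

```python
"""Toy rdiff-style signature / delta / patch, built to show why matching
blocks on a *truncated* strong checksum lets an attacker get a different
block accepted as an existing one.  Editor's illustration only: not
librsync or rdiff-backup code; block size, truncation length and sample
data are assumptions chosen for the demo."""
import hashlib
import random

BLOCK_LEN = 64          # assumed block size
FULL_STRONG_LEN = 32    # full-length strong sum: BLAKE2b-256


def weak_sum(block: bytes) -> int:
    """rsync-style rolling checksum: s1 = sum of bytes, s2 = sum of the
    running prefix sums, each kept mod 2**16 and packed into 32 bits."""
    s1 = s2 = 0
    for b in block:
        s1 = (s1 + b) & 0xFFFF
        s2 = (s2 + s1) & 0xFFFF
    return (s2 << 16) | s1


def strong_sum(block: bytes, strong_len: int) -> bytes:
    """Strong checksum, truncated to strong_len bytes (the vulnerable knob)."""
    return hashlib.blake2b(block, digest_size=FULL_STRONG_LEN).digest()[:strong_len]


def signature(data: bytes, strong_len: int) -> dict:
    """What the receiver publishes: (weak, strong) -> index of its block."""
    sig = {}
    for i in range(0, len(data), BLOCK_LEN):
        blk = data[i:i + BLOCK_LEN]
        sig.setdefault((weak_sum(blk), strong_sum(blk, strong_len)), i // BLOCK_LEN)
    return sig


def delta(sig: dict, new: bytes, strong_len: int) -> list:
    """Sender side: reference an existing block when both sums match,
    otherwise ship the new bytes literally."""
    ops = []
    for i in range(0, len(new), BLOCK_LEN):
        blk = new[i:i + BLOCK_LEN]
        key = (weak_sum(blk), strong_sum(blk, strong_len))
        ops.append(("copy", sig[key]) if key in sig else ("literal", blk))
    return ops


def patch(old: bytes, ops: list) -> bytes:
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for kind, arg in ops:
        out += old[arg * BLOCK_LEN:(arg + 1) * BLOCK_LEN] if kind == "copy" else arg
    return bytes(out)


def weak_preserving_variants(block: bytes, rng: random.Random):
    """Endless stream of blocks != block with the SAME weak_sum.  Adding
    k*(+1, -2, +1) at any offset changes neither s1 (terms cancel) nor s2
    (the position-weighted sum cancels too), as long as every byte stays in
    0..255.  So the weak sum alone is no obstacle to an attacker."""
    while True:
        b = bytearray(block)
        for _ in range(rng.randint(1, 4)):
            off = rng.randrange(len(b) - 2)
            k = rng.randint(-40, 40)
            v = (b[off] + k, b[off + 1] - 2 * k, b[off + 2] + k)
            if all(0 <= x < 256 for x in v):
                b[off], b[off + 1], b[off + 2] = v
        if b != block:
            yield bytes(b)


def forge_collision(target: bytes, strong_len: int, rng: random.Random, limit: int):
    """Second-preimage search: a block != target with target's (weak, strong)
    pair.  With strong_len=2 this is a 16-bit search; with the full 32 bytes
    it is hopeless and the loop gives up at `limit`."""
    want = strong_sum(target, strong_len)
    for n, cand in enumerate(weak_preserving_variants(target, rng)):
        if n >= limit:
            return None
        if strong_sum(cand, strong_len) == want:
            return cand


def demo(strong_len: int, limit: int = 2_000_000) -> dict:
    """Run the whole exchange; report whether a colliding block was found and
    whether the receiver ended up holding the wrong file."""
    rng = random.Random(2015)
    # Constructed sample data: the receiver already holds a two-block file.
    old = bytes(rng.randint(64, 191) for _ in range(2 * BLOCK_LEN))
    sig = signature(old, strong_len)
    # Attacker replaces block 0 with different bytes; on a collision the sender
    # emits "copy 0" and the receiver silently keeps the OLD block.
    forged = forge_collision(old[:BLOCK_LEN], strong_len, rng, limit)
    new_block = forged if forged is not None else next(weak_preserving_variants(old[:BLOCK_LEN], rng))
    new = new_block + old[BLOCK_LEN:]
    rebuilt = patch(old, delta(sig, new, strong_len))
    return {"collision": forged is not None, "corrupted": rebuilt != new}


if __name__ == "__main__":
    print("2-byte strong sum :", demo(2))               # collision and corruption
    print("32-byte strong sum:", demo(32, limit=5000))  # neither
```

Two things the run makes concrete. First, the weak rolling sum contributes nothing against a deliberate attacker: every block produced by `weak_preserving_variants` has the same weak sum as the original by construction, so the whole defence is the strong sum. Second, once the strong sum is short, the delta encoder emits a block reference instead of the literal bytes and the receiver reconstructs the old content without any error being raised; that is the silent-corruption outcome a backup tool such as rdiff-backup must avoid, and it is why the only real fix is a full-length strong checksum in the library every consumer is rebuilt against.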