* [SECURITY] rdiff/librsync, rdiff-backup
@ 2015-06-02 21:21 Yaakov Selkowitz
2015-06-03 4:56 ` David Rothenberger
2015-06-07 22:35 ` David Rothenberger
0 siblings, 2 replies; 4+ messages in thread
From: Yaakov Selkowitz @ 2015-06-02 21:21 UTC (permalink / raw)
To: cygwin-apps
David,
A checksum collision vulnerability has been found in librsync (rdiff):
https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
The solution is to update librsync to 1.0.0; you may wish to consider
the following patch as well:
http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
Please note that both Fedora and Debian call the main package librsync
based on upstream packaging, from which rdiff could be a subpackage.
The different naming of this package threw me off for a while. Any
chance we could shuffle the packaging around (I can help with the server
side)?
Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
namely rdiff-backup, which requires the following patch:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
You may wish to consider the following patches for rdiff-backup as well:
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch
TIA,
Yaakov
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] rdiff/librsync, rdiff-backup
2015-06-02 21:21 [SECURITY] rdiff/librsync, rdiff-backup Yaakov Selkowitz
@ 2015-06-03 4:56 ` David Rothenberger
2015-06-07 22:35 ` David Rothenberger
1 sibling, 0 replies; 4+ messages in thread
From: David Rothenberger @ 2015-06-03 4:56 UTC (permalink / raw)
To: cygwin-apps
On 6/2/2015 2:21 PM, Yaakov Selkowitz wrote:
> David,
>
> A checksum collision vulnerability has been found in librsync (rdiff):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17
>
> The solution is to update librsync to 1.0.0; you may wish to consider
> the following patch as well:
>
> http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch
>
> Please note that both Fedora and Debian call the main package librsync
> based on upstream packaging, from which rdiff could be a subpackage.
> The different naming of this package threw me off for a while. Any
> chance we could shuffle the packaging around (I can help with the server
> side)?
>
> Then, all librsync-dependent packages need to be rebuilt against 1.0.0,
> namely rdiff-backup, which requires the following patch:
>
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch
>
> You may wish to consider the following patches for rdiff-backup as well:
>
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
> http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch
Thanks for the detailed information. I'll take a look at this over the
weekend. I'll upload the new packages once I get them built and send
another email so you can shuffle things around on the server side.
--
David Rothenberger ---- daveroth@acm.org
Kaufman's First Law of Party Physics:
Population density is inversely proportional
to the square of the distance from the keg.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] rdiff/librsync, rdiff-backup
2015-06-02 21:21 [SECURITY] rdiff/librsync, rdiff-backup Yaakov Selkowitz
2015-06-03 4:56 ` David Rothenberger
@ 2015-06-07 22:35 ` David Rothenberger
2015-06-08 7:28 ` Yaakov Selkowitz
1 sibling, 1 reply; 4+ messages in thread
From: David Rothenberger @ 2015-06-07 22:35 UTC (permalink / raw)
To: cygwin-apps
On 6/2/2015 2:21 PM, Yaakov Selkowitz wrote:
> Please note that both Fedora and Debian call the main package librsync
> based on upstream packaging, from which rdiff could be a subpackage.
> The different naming of this package threw me off for a while. Any
> chance we could shuffle the packaging around (I can help with the server
> side)?
Yaakov,
I've uploaded new librsync packages, but have not created the !ready
file. Would you please shuffle the packaging around?
I have new rdiff-backup packages ready as well; I'll upload those as
soon as librsync is done.
Thanks,
David
--
David Rothenberger ---- daveroth@acm.org
"... an experienced, industrious, ambitious, and often quite often
picturesque liar."
-- Mark Twain
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] rdiff/librsync, rdiff-backup
2015-06-07 22:35 ` David Rothenberger
@ 2015-06-08 7:28 ` Yaakov Selkowitz
0 siblings, 0 replies; 4+ messages in thread
From: Yaakov Selkowitz @ 2015-06-08 7:28 UTC (permalink / raw)
To: cygwin-apps
On Sun, 2015-06-07 at 15:35 -0700, David Rothenberger wrote:
> I've uploaded new librsync packages, but have not created the !ready
> file. Would you please shuffle the packaging around?
Done, librsync-1.0.0 is in place now.
> I have new rdiff-backup packages ready as well; I'll upload those as
> soon as librsync is done.
Whenever you're ready.
Thanks,
Yaakov
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-06-08 7:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-06-02 21:21 [SECURITY] rdiff/librsync, rdiff-backup Yaakov Selkowitz
2015-06-03 4:56 ` David Rothenberger
2015-06-07 22:35 ` David Rothenberger
2015-06-08 7:28 ` Yaakov Selkowitz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).