Rsync 3.4 Released Due To Multiple, Significant Security Vulnerabilities

  • phoronix
    Administrator
    • Jan 2007
    • 67385

    Phoronix: Rsync 3.4 Released Due To Multiple, Significant Security Vulnerabilities

    Rsync 3.4 is out today for this widely-used utility for incrementally transferring and synchronizing files between systems. Rsync is widely-used especially for backing up Linux servers in an incremental manner and unfortunately this v3.4 release isn't some cheery news...

  • toves
    Senior Member
    • Sep 2021
    • 131

    #2
    A few of the CVEs look like memory safety failings.
    So we might anticipate a rewrite in Rust?
    RustySink?

    Actually, going by Rclone, I would think Go might be as good a candidate as Rust for this.

    • rclark
      Senior Member
      • Oct 2021
      • 201

      #3
      Yawn. Been using for years and years, and just works. All software has bugs of some sort, so no surprise... And it isn't going to stop working because of them. Business as usual.

      • Chugworth
        Senior Member
        • Feb 2019
        • 390

        #4
        If you're the admin at both the source and destination, and sending the data through SSH, there shouldn't really be much concern right?

        • sophisticles
          Senior Member
          • Dec 2015
          • 2608

          #5
          Why do I enjoy reading these types of articles so much?

          • Yndoendo
            Phoronix Member
            • Oct 2015
            • 102

            #6
            Originally posted by Chugworth
            If you're the admin at both the source and destination, and sending the data through SSH, there shouldn't really be much concern right?
            Without a full test, this just means that rsync would be a useful tool for exploiting a system to gain root used by a perceived good 3rd party. Worst case is possible rare file corruption because common file corruption would have been reported ASAP.

            You would be surprised how many rare issues a developer can find just jumping into a debugger and trying to do things out of order from what the average person does. This is why I try to take a day and just play with a debugger. If you are part of a team you want a QA person that knows it can be broken because they will find any means to break what you coded.

            Be humble about flaws that other people find because it means you don't have to find them yourself.

            • ayumu
              Senior Member
              • Oct 2008
              • 668

              #7
              Yawn.

              • varikonniemi
                Senior Member
                • Jan 2012
                • 1102

                #8
                amazing that such an old, widely used project is full of holes like this

                maybe it's time for it to rust.

                • anda_skoa
                  Senior Member
                  • Nov 2013
                  • 1212

                  #9
                  Originally posted by sophisticles
                  Why do I enjoy reading these types of articles so much?
                  Because they show the power of collaborative software development in which anyone with respective skills can contribute to the improvement of products they use.

                  It even enables the formation of specialized teams such as Google's Cloud Vulnerability Research team who can then apply their skills across a wide range of products.

                  Imagine a world in which each vendor would need such a team or where nobody knew about the importance of certain updates because details were hidden.

                  I can understand why you are enthusiastic about not living in such a horrible situation and enjoying reminders of how much more advanced ours is.

                  • rene
                    Senior Member
                    • Jul 2015
                    • 1505

                    #10
                    Well, if they just had used safe C++ for a decade or two already, .... ;-)
