Note: 3.2.0 includes security updates, relevant if rsync uses the bundled zlib library (and not system (ports version)):
  Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840.
3.1.3 contains security fixes too:
  Fixed a buffer overrun in the protocol's handling of xattr names and ensure that the received name is null terminated.
  Fix an issue with --protect-args where the user could specify the arg in the protected-arg list and short-circuit some of the arg-sanitizing code.
*** Bug 247796 has been marked as a duplicate of this bug. ***
Hi, the patch since 3.2.0 RC, and will be pushed in the next days. I just wanna wait a couple of days since the rsync developers are still fixing their 3.2.X releases (3.2.0, 3.2.1, 3.2.2) and a 3.2.3 seems to be on the go. Regarding security fixes, they are all from 2016/2017. So no reason to rush and update and break rsync.
Done, thanks for the heads up
@Rodrigo Can you reference the "ports rXXXXXXX" for the VuXML entry, head commit and MFH (merge) please
With 3.2.2 I find that the build fails if I turn off ICONV:
  checking for library containing MD5_Init... -lcrypto
  checking whether to enable xxhash checksum support... no
  configure.sh: error: Failed to find xxhash.h for xxhash checksum support.
  Use --disable-xxhash to continue without it.
If I add --disable-xxhash it still fails:
  checking whether to enable zstd compression... no
  configure.sh: error: Failed to find zstd.h for zstd compression support.
  Use --disable-zstd to continue without it.
Adding that:
  checking whether to enable LZ4 compression... no
  configure.sh: error: Failed to find lz4.h for lz4 compression support.
  Use --disable-lz4 to continue without it.
And I guess I don't want to disable zstd or lz4 compression so I stopped pulling the thread and enabled ICONV.
Rsync version has moved on to 3.2.3. Current fetch URL is https://rsync.samba.org/ftp/rsync/rsync-patches-3.2.3.tar.gz
A commit references this bug:

Author: rodrigo
Date: Sun Aug 16 17:08:02 UTC 2020
New revision: 545124
URL: https://svnweb.freebsd.org/changeset/ports/545124

Log:
  net/rsync upgrade to 3.2.3

  major changes:
  - Fix multiple bugs in xattr code.
  - Restored the ability to use --bwlimit=0 to specify no bandwidth limit.
  - Fix a bug when combining --delete-missing-args with --no-implied-dirs & -R where rsync might create the destination path of a missing arg.
  - Fixed an issue where hard-linked devices could cause the rdev_major value to get out of sync between the sender and the receiver.
  - Rsync now complains about a missing --temp-dir before starting any file transfers.
  - A completely empty source arg is now a fatal error.

  See full changelog: https://download.samba.org/pub/rsync/NEWS#3.2.3

  Also, fix build issue with ACL option (patch is not required anymore)

  PR: 248318 247795

Changes:
  head/net/rsync/Makefile
  head/net/rsync/distinfo
  head/net/rsync/files/extrapatch-acl
^Triage: Pending VuXML entry and MFH
@koobs: VuXML done in r545126. MFH is ready to land. Can I do the MFH based on r545124, which fixes issues introduced by rsync 3.2.2?
(In reply to Rodrigo Osorio from comment #9) 3.2.2 (ports r543580) fixed a CVE & bugs and was tagged to be MFH, but it looks like 3.1.3 is still in quarterly (2020Q3). Since we want to merge 3.2.3, you'll need to merge all the intervening commit revisions too.
(In reply to Kubilay Kocak from comment #10) @koobs, Yes that's it. Should I merge each change one by one or just take the r545124 which draws the intermediary changes?
Approved for 2020Q3. Please use the MFH option in the commit line for the quarterly branch.
(In reply to Jochen Neumeister from comment #12) @joneum: Thanks, but to be completely sure, is '${PORTSDIR}/Tools/scripts/mfh 2020Q3 545124' OK for you?
(In reply to Rodrigo Osorio from comment #13) Yes, this is the correct syntax :-)
^Triage: Leave merge-quarterly flag open (?) until merged
A commit references this bug:

Author: rodrigo
Date: Thu Aug 20 07:17:52 UTC 2020
New revision: 545504
URL: https://svnweb.freebsd.org/changeset/ports/545504

Log:
  MFH: r543580 r543582 r543637 r544331 r545124

  net/rsync upgrade to 3.2.2

  Major changes and bugfixes:

  3.1.3 -> 3.2.0
  * Avoid potential out-of-bounds read in daemon mode
  * Fix default list of skip-compress files for non-daemon transfers
  * Fix xattr filter rules losing an 'x' attribute in a non-local transfer
  * zlib fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840
  * Fixed a crash in the --iconv code
  * Checksum enhancements, including the addition of xxhash
  * The checksum preference order of the negotiation can be customized or forced
  * Compression enhancements, including the addition of zstd and lz4 compression algorithms
  * Added openssl & preliminary gnutls support to the rsync-ssl script
  * Added the proxy protocol daemon parameter that allows your rsyncd to know the real remote IP when it is set up behind a proxy

  3.2.0 -> 3.2.1
  * Fix potential issue with MD5 assembly-language code
  * option --backup-dir=STR now implies --backup

  3.2.1 -> 3.2.2
  * Avoid a crash when a daemon module enables transfer logging without setting a log format value

  Full release message: https://download.samba.org/pub/rsync/NEWS#3.2.2

  Security: CVE-2016-9843 CVE-2016-9842 CVE-2016-9841 CVE-2016-9840
  MFH after: 2 weeks

  rsync: Unbreak fetch

  rsync: Unbreak and fix depends

  rsync now depends on stuff in LOCALBASE. Previously, clang only needed to know about LOCALBASE if POPT or ICONV was enabled. When those options are off, xxhash and zstd were not found by configure. Also, a depend on libssl was missing, and there were some noop reinplaces.

  With hat: portmgr

  - Fix fetch
  - Fix license and add LICENSE_FILE
  - Add missing dependency on liblz4
  - Whitespace fixes
  - Switch to options helpers

  Approved by: portmgr blanket

  net/rsync upgrade to 3.2.3

  major changes:
  - Fix multiple bugs in xattr code.
  - Restored the ability to use --bwlimit=0 to specify no bandwidth limit.
  - Fix a bug when combining --delete-missing-args with --no-implied-dirs & -R where rsync might create the destination path of a missing arg.
  - Fixed an issue where hard-linked devices could cause the rdev_major value to get out of sync between the sender and the receiver.
  - Rsync now complains about a missing --temp-dir before starting any file transfers.
  - A completely empty source arg is now a fatal error.

  See full changelog: https://download.samba.org/pub/rsync/NEWS#3.2.3

  Also, fix build issue with ACL option (patch is not required anymore)

  PR: 248318 247795
  Approved by: ports-secteam (joenum)

Changes:
  _U branches/2020Q3/
  branches/2020Q3/net/rsync/Makefile
  branches/2020Q3/net/rsync/distinfo
  branches/2020Q3/net/rsync/files/extrapatch-acl
  branches/2020Q3/net/rsync/files/patch-siginfo
  branches/2020Q3/net/rsync/pkg-plist
MFC committed, we can now close this PR