Bug 284064 - [PATCH] security update net/rsync to 3.4.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Rodrigo Osorio
Reported: 2025-01-14 20:55 UTC by Sergey A. Osokin
Modified: 2025-01-15 00:16 UTC
bugzilla: maintainer-feedback? (rodrigo)


Attachments
[PATCH] net/rsync security update to 3.4.0 (1.92 KB, patch)
2025-01-14 20:55 UTC, Sergey A. Osokin

Description Sergey A. Osokin freebsd_committer freebsd_triage 2025-01-14 20:55:10 UTC
Created attachment 256698
[PATCH] net/rsync security update to 3.4.0

Hi,

Here's the patch for the net/rsync security update to 3.4.0.
Could you please review and approve?

Thank you.
Comment 1 Rodrigo Osorio freebsd_committer freebsd_triage 2025-01-14 22:36:02 UTC
Hi Sergey,

I also started working on the rsync update after the release,
but I need a little more time to finish the tests & integration.

cheers
-- rodrigo
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-01-14 23:35:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6afdd4c669193f2041216071d5723e474ae041bf

commit 6afdd4c669193f2041216071d5723e474ae041bf
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2025-01-14 23:21:25 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2025-01-14 23:29:21 +0000

    net/rsync: update to 3.4.0

    Full changelog: https://download.samba.org/pub/rsync/NEWS#3.4.0

    Security:       CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing
    Security:       CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR
    Security:       CVE-2024-12086 - Server leaks arbitrary client files
    Security:       CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links
    Security:       CVE-2024-12088 - --safe-links Bypass
    Security:       CVE-2024-12747 - symlink race condition

    PR:             284064
    Reported by:    osa

 net/rsync/Makefile  |  4 ++--
 net/rsync/distinfo  | 10 +++++-----
 net/rsync/pkg-plist |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-01-15 00:09:42 UTC
A commit in branch 2025Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0076d20a96718a28f956cb3589f1036e48a75f04

commit 0076d20a96718a28f956cb3589f1036e48a75f04
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2025-01-14 23:21:25 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2025-01-14 23:58:53 +0000

    net/rsync: update to 3.4.0

    Full changelog: https://download.samba.org/pub/rsync/NEWS#3.4.0

    Security:       CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing
    Security:       CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR
    Security:       CVE-2024-12086 - Server leaks arbitrary client files
    Security:       CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links
    Security:       CVE-2024-12088 - --safe-links Bypass
    Security:       CVE-2024-12747 - symlink race condition

    PR:             284064
    Reported by:    osa

    (cherry picked from commit 6afdd4c669193f2041216071d5723e474ae041bf)

 net/rsync/Makefile  |  4 ++--
 net/rsync/distinfo  | 10 +++++-----
 net/rsync/pkg-plist |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
Comment 4 Rodrigo Osorio freebsd_committer freebsd_triage 2025-01-15 00:16:17 UTC
Committed in main and quarter branches, thanks.