Bug 247795 - net/rsync: Update to 3.2.2
Summary: net/rsync: Update to 3.2.2
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Rodrigo Osorio
URL: https://download.samba.org/pub/rsync/...
Keywords: security
: 247796
Depends on:
Reported: 2020-07-06 07:30 UTC by Kubilay Kocak
Modified: 2020-07-28 20:52 UTC

See Also:
bugzilla: maintainer-feedback? (rodrigo)
koobs: merge-quarterly?


Description Kubilay Kocak freebsd_committer freebsd_triage 2020-07-06 07:30:02 UTC

3.2.0 includes security updates, relevant if rsync uses the bundled zlib library (and not system (ports version)):

  Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, 
  CVE-2016-9841, and CVE-2016-9840.

3.1.3 contains security fixes too:

  Fixed a buffer overrun in the protocol's handling of xattr names and ensure 
  that the received name is null terminated.

  Fix an issue with --protect-args where the user could specify the arg in the 
  protected-arg list and short-circuit some of the arg-sanitizing code.
Comment 1 Kurt Jaeger freebsd_committer 2020-07-06 07:35:47 UTC
*** Bug 247796 has been marked as a duplicate of this bug. ***
Comment 2 Rodrigo Osorio freebsd_committer 2020-07-06 21:33:32 UTC

The Patch since 3.2.0 RC, and will be pushed in the next days.
I just wanna wait a couple of days since the rsync developers are still fixing their 3.2.X releases (3.2.0, 3.2.1, 3.2.2) and a 3.2.3 seems to be on the go.

Regarding security fixes, they are all from 2016/2017. So no reason to rush and update and break rsync.
Comment 3 Rodrigo Osorio freebsd_committer 2020-07-28 07:03:18 UTC
Done, thanks for the heads up
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-28 08:19:23 UTC
@Rodrigo Can you reference the "ports rXXXXXXX" for the VuXML entry, head commit and MFH (merge) please
Comment 5 Craig Leres freebsd_committer 2020-07-28 17:30:06 UTC
With 3.2.2 I find that the build fails if I turn off ICONV

    checking for library containing MD5_Init... -lcrypto
    checking whether to enable xxhash checksum support... no
    configure.sh: error: Failed to find xxhash.h for xxhash checksum support.
    Use --disable-xxhash to continue without it.

If I add --disable-xxhash it still fails:

    checking whether to enable zstd compression... no
    configure.sh: error: Failed to find zstd.h for zstd compression support.
    Use --disable-zstd to continue without it.

Adding that:

    checking whether to enable LZ4 compression... no
    configure.sh: error: Failed to find lz4.h for lz4 compression support.
    Use --disable-lz4 to continue without it.

And I guess I don't want to disable zstd or lz4 compression so I stopped pulling the thread and enabled ICONV.