Package "rsync"

  rsync (3.1.3-8ubuntu0.8) focal-security; urgency=medium

  * SECURITY UPDATE: safe links bypass vulnerability
    - d/p/CVE-2024-12088/0001-make-safe-links-stricter.patch: reject
      links where a "../" component is included in the destination
    - CVE-2024-12088
  * SECURITY UPDATE: arbitrary file write via symbolic links
    - d/p/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch: refuse
      malicious duplicate flist for dir
    - d/p/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch: refuse
      invalid dir_ndx
    - CVE-2024-12087
  * SECURITY UPDATE: arbitrary client file leak
    - d/p/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch:
      refuse fuzzy options when not selected
    - d/p/CVE-2024-12086/0002-added-secure_relative_open.patch: safe
      implementation to open a file relative to a base directory
    - d/p/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch:
      ensure secure file access for basis file
    - d/p/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch:
      disallow "../" in relative path
    - CVE-2024-12086
  * SECURITY UPDATE: information leak via uninitialized stack contents
    - d/p/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch:
      prevent information leak by zeroing
    - CVE-2024-12085
  * SECURITY UPDATE: symlink race condition
    - d/p/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch:
      do_open_checklinks to prevent symlink race
    - CVE-2024-12747

 -- Sudhakar Verma <email address hidden> Tue, 17 Dec 2024 15:04:45 +0530

  rsync (3.1.3-8ubuntu0.7) focal; urgency=medium

  * d/p/add-trust-sender-option-docs.patch: Add manpage and help documentation
    for the --trust-sender option (LP: #2028810)

  rsync (3.1.3-8ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via malicious remote servers
    - d/p/CVE-2022-29154-*.patch: backported patches to fix the issue.
    - d/p/avoid_quoting_of_tilde_when_its_a_destination_arg.patch: added
      additional patch to fix regression.
    - CVE-2022-29154

 -- Marc Deslauriers <email address hidden> Tue, 28 Feb 2023 07:58:57 -0500

  rsync (3.1.3-8ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: zlib buffer overflow when inflating certain gzip
    hearders.
    - debian/patches/CVE-2022-37434-1.patch: catches overflow in
      inflateGetHeader by enforcing buffer size.
    - debian/patches/CVE-2022-37434-2.patch: prevents NULL dereference
      regression previous patch introduced.
    - CVE-2022-37434

 -- Mark Esler <email address hidden> Tue, 16 Aug 2022 13:48:36 -0500

  rsync (3.1.3-8ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: memory corruption when zlib deflating
    - debian/patches/CVE-2018-25032-1.patch: fix a bug that can crash
      deflate on some input when using Z_FIXED in zlib/deflate.c,
      zlib/deflate.h.
    - debian/patches/CVE-2018-25032-2.patch: assure that the number of bits
      for deflatePrime() is valid in zlib/deflate.c.
    - CVE-2018-25032

 -- Marc Deslauriers <email address hidden> Wed, 30 Mar 2022 14:02:52 -0400