29 Commits

Author SHA1 Message Date
Michael Tremer
87d0d07bbc core176: Re-ship lots of stuff that is still linked against OpenSSL 1.1.1
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-06-27 10:06:45 +00:00
Adolf Belka
bf81d06806 rsync: Update to version 3.2.7
- Update from version 3.2.6 to 3.2.7
- Update of rootfile not required
- Changelog
    # NEWS for rsync 3.2.7 (20 Oct 2022)
	### BUG FIXES:
		- Fixed the client-side validating of the remote sender's filtering behavior.
		- More fixes for the "unrequested file-list name" name, including a copy of
		  "/" with `--relative` enabled and a copy with a lot of related paths with
		  `--relative` enabled (often derived from a `--files-from` list).
		- When rsync gets an unpack error on an ACL, mention the filename.
		- Avoid over-setting sanitize_paths when a daemon is serving "/" (even if
		  "use chroot" is false).
	### ENHANCEMENTS:
		- Added negotiated daemon-auth support that allows a stronger checksum digest
		  to be used to validate a user's login to the daemon.  Added SHA512, SHA256,
		  and SHA1 digests to MD5 & MD4.  These new digests are at the highest priority
		  in the new daemon-auth negotiation list.
		- Added support for the SHA1 digest in file checksums.  While this tends to be
		  overkill, it is available if someone really needs it.  This overly-long
		  checksum is at the lowest priority in the normal checksum negotiation list.
		  See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST`
		  environment var for how to customize this.
		- Improved the xattr hash table to use a 64-bit key without slowing down the
		  key's computation.  This should make extra sure that a hash collision doesn't
		  happen.
		- If the `--version` option is repeated (e.g. `-VV`) then the information is
		  output in a (still readable) JSON format.  Client side only.
		- The script `support/json-rsync-version` is available to get the JSON style
		  version output from any rsync.  The script accepts either text on stdin
		  **or** an arg that specifies an rsync executable to run with a doubled
		  `--version` option.  If the text we get isn't already in JSON format, it is
		  converted. Newer rsync versions will provide more complete json info than
		  older rsync versions. Various tweaks are made to keep the flag names
		  consistent across versions.
		- The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset"
		  so that rsync can use chroot when it works and a sanitized copy when chroot
		  is not supported (e.g., for a non-root daemon).  Explicitly setting the
		  parameter to true or false (on or off) behaves the same way as before.
		- The `--fuzzy` option was optimized a bit to try to cut down on the amount of
		  computations when considering a big pool of files. The simple heuristic from
		  Kenneth Finnegan resulted in about a 2x speedup.
		- If rsync is forced to use protocol 29 or before (perhaps due to talking to an
		  rsync before 3.0.0), the modify time of a file is limited to 4-bytes.  Rsync
		  now interprets this value as an unsigned integer so that a current year past
		  2038 can continue to be represented. This does mean that years prior to 1970
		  cannot be represented in an older protocol, but this trade-off seems like the
		  right choice given that (1) 2038 is very rapidly approaching, and (2) newer
		  protocols support a much wider range of old and new dates.
		- The rsync client now treats an empty destination arg as an error, just like
		  it does for an empty source arg. This doesn't affect a `host:` arg (which is
		  treated the same as `host:.`) since the arg is not completely empty.  The use
		  of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the
		  prior behavior of treating an empty destination arg as a ".".
	### PACKAGING RELATED:
		- The checksum code now uses openssl's EVP methods, which gets rid of various
		  deprecation warnings and makes it easy to support more digest methods.  On
		  newer systems, the MD4 digest is marked as legacy in the openssl code, which
		  makes openssl refuse to support it via EVP.  You can choose to ignore this
		  and allow rsync's MD4 code to be used for older rsync connections (when
		  talking to an rsync prior to 3.0.0) or you can choose to configure rsync to
		  tell openssl to enable legacy algorithms (see below).
		- A simple openssl config file is supplied that can be installed for rsync to
		  use.  If you install packaging/openssl-rsync.cnf to a public spot (such as
		  `/etc/ssl/openssl-rsync.cnf`) and then run configure with the option
		  `--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the
		  configured path in the OPENSSL_CONF environment variable (when the variable
		  is not already set).  This will enable openssl's MD4 code for rsync to use.
		- The packager may wish to include an explicit "use chroot = true" in the top
		  section of their supplied /etc/rsyncd.conf file if the daemon is being
		  installed to run as the root user (though rsync should behave the same even
		  with the value unset, a little extra paranoia doesn't hurt).
		- I've noticed that some packagers haven't installed support/nameconvert for
		  users to use in their chrooted rsync configs.  Even if it is not installed
		  as an executable script (to avoid a python3 dependency) it would be good to
		  install it with the other rsync-related support scripts.
		- It would be good to add support/json-rsync-version to the list of installed
		  support scripts.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2022-11-29 13:42:08 +01:00
Adolf Belka
a4e5b6d689 rsync: Update to version 3.2.6 and fix Bug#12947
- Update from version 3.2.4 plus CVE-2022-29154 patch to 3.2.6
- Patch for CVE-2022-29154 applied in CU170 turned out to have a bug within it causing
   rsync to fail with an error. Four additional commits were done to fix this bug and
   its consequences but these were all applied in the rsync git repo after the patch had
   been merged into CU170.
- Version 3.2.5 onwards contains the CVE-2022-29154 fix and associated commits.
- No update of rootfile required.
- Changelog
    NEWS for rsync 3.2.6 (9 Sep 2022)
	BUG FIXES:
	    More path-cleaning improvements in the file-list validation code to avoid
             rejecting of valid args.
	    A file-list validation fix for a --files-from file that ends without a
             line-terminating character.
	    Added a safety check that prevents the sender from removing destination
             files when a local copy using --remove-source-files has some files that are
             shared between the sending & receiving hierarchies, including the case
             where the source dir & destination dir are identical.
	    Fixed a bug in the internal MD4 checksum code that could cause the digest to
             be sporadically incorrect (the openssl version was/is fine).
	    A minor tweak to rrsync added "copy-devices" to the list of known args, but
             left it disabled by default.
	ENHANCEMENTS:
	    Rename --protect-args to --secluded-args to make it clearer how it differs
             from the default backslash-escaped arg-protecting behavior of rsync. The
             old option names are still accepted. The environment-variable override did
             not change its name.
	PACKAGING RELATED:
	    The configure option --with-protected-args was renamed to
             --with-secluded-args. This option makes --secluded-args the default rsync
             behavior instead of using backslash escaping for protecting args.
	    The mkgitver script now makes sure that a .git dir/file is in the top-level
             source dir before calling git describe. It also runs a basic check on the
             version value. This should avoid using an unrelated git description for
             rsync's version.
	DEVELOPER RELATED:
	    The configure script no longer sets the -pedantic-errors CFLAG (which it
             used to try to do only for gcc).
	    The name_num_obj struct was modified to allow its dynamic name_num_item list
             to be initialized in a better way.
    NEWS for rsync 3.2.5 (14 Aug 2022)
	SECURITY FIXES:
	    Added some file-list safety checking that helps to ensure that a rogue
             sending rsync can't add unrequested top-level names and/or include
             recursive names that should have been excluded by the sender. These extra
             safety checks only require the receiver rsync to be updated. When dealing
             with an untrusted sending host, it is safest to copy into a dedicated
             destination directory for the remote content (i.e. don't copy into a
             destination directory that contains files that aren't from the remote host
             unless you trust the remote host). Fixes CVE-2022-29154.
	    A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
	BUG FIXES:
	    Fixed the handling of filenames specified with backslash-quoted wildcards
             when the default remote-arg-escaping is enabled.
	    Fixed the configure check for signed char that was causing a host that
             defaults to unsigned characters to generate bogus rolling checksums. This
             made rsync send mostly literal data for a copy instead of finding matching
             data in the receiver's basis file (for a file that contains high-bit
             characters).
	    Lots of manpage improvements, including an attempt to better describe how
             include/exclude filters work.
	    If rsync is compiled with an xxhash 0.8 library and then moved to a system
             with a dynamically linked xxhash 0.7 library, we now detect this and
             disable the XX3 hashes (since these routines didn't stabilize until 0.8).
	ENHANCEMENTS:
	    The --trust-sender option was added as a way to bypass the extra file-list
             safety checking (should that be required).
	PACKAGING RELATED:
	    A note to those wanting to patch older rsync versions: the changes in this
             release require the quoted argument change from 3.2.4. Then, you'll want
             every single code change from 3.2.5 since there is no fluff in this release.
	    The build date that goes into the manpages is now based on the developer's
             release date, not on the build's local-timezone interpretation of the date.
	DEVELOPER RELATED:
	    Configure now defaults GETGROUPS_T to gid_t when cross compiling.
	    Configure now looks for the bsd/string.h include file in order to fix the
             build on a host that has strlcpy() in the main libc but not defined in the
             main string.h file.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2022-10-04 14:44:50 +00:00
Peter Müller
849eeec292 rsync: Patch CVE-2022-29154
https://www.openwall.com/lists/oss-security/2022/08/02/1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2022-08-06 06:45:39 +00:00
Matthias Fischer
31e85ef336 rsync: Update to 3.2.4
For details see:
https://download.samba.org/pub/rsync/NEWS#3.2.4

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-04-18 20:55:44 +00:00
Peter Müller
9a7e4d8506 Switch checksums from MD5 to BLAKE2
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
2022-04-02 14:19:25 +00:00
Peter Müller
66c3619872 Early spring clean: Remove trailing whitespaces, and correct licence headers
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.

There is no need in shipping all these files en bloc, as their
functionality won't change.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-18 23:54:57 +00:00
Robin Roevens
f15707c78c buildprocess: Add extra metadata to pak lfs files
* Add a Summary and Services field to all pak lfs files
* Replace occurrences of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
  macro in all pak lfs files.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-11 15:13:15 +00:00
Matthias Fischer
9a2685f326 rsync: Update to 3.2.3
For details see:
https://download.samba.org/pub/rsync/NEWS#3.2.3

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-19 12:02:51 +00:00
Michael Tremer
c67ff7d72c zstd: Make this part of the core distributions
Many packages link against it and we should make use of it
when we have it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-18 10:13:01 +00:00
Matthias Fischer
73202b3976 rsync: Update to 3.2.1
For details see:
https://download.samba.org/pub/rsync/NEWS#3.2.1

Although 3.2.2 is in "release testing", I decided to push this release now to get things running.

I activated zstd-support and added 'DEPS = zstd'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-17 17:55:26 +00:00
Michael Tremer
2dc2a27803 lfs: Drop quotes in DEPS variable
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-24 08:57:27 +00:00
Matthias Fischer
8aeec0ba89 rsync: Update to 3.1.3
For details see:
https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-03-18 13:44:12 +00:00
Arne Fitzenreiter
8998dde892 rsync: update to 3.1.2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2016-01-26 18:02:00 +01:00
Arne Fitzenreiter
35880220b0 rsync: update to 3.1.1. 2014-09-05 21:56:01 +02:00
Arne Fitzenreiter
71ed067612 rsync: updated to 3.1.0. 2013-10-03 19:07:17 +02:00
Arne Fitzenreiter
0b236f6067 rsync: update to 3.0.9. 2012-01-21 14:09:34 +01:00
Arne Fitzenreiter
784bac5f3c rsync: update to 3.0.8. 2011-05-16 21:16:44 +02:00
Arne Fitzenreiter
989a31e20c Add acl support for samba and rsync. 2010-11-30 15:38:32 +01:00
Arne Fitzenreiter
b85445f64b Updated rsync (3.0.7). 2010-01-24 10:01:01 +01:00
root
d1b6c34a8a Updated rsync to current stable 2009-06-21 00:28:14 +02:00
Arne Fitzenreiter
6a3b976b9f Updated rsync to 3.04 2008-12-20 13:53:12 +01:00
Maniacikarus
fcc535236f Done a whole review of the lfs to make building more parallel
you may need to clean your ccache
2008-10-28 18:14:09 +01:00
ms
203c2787c9 Clamav ships without virus definitions for now.
It then downloads them on its own.
rsync update.
The Pakfire update can also run in the background when connecting.
Made some shell commands interactive.
Added AdoDB to the Openmailadmin package.
The prompt is coloured again.
The MySQL setup is not in particularly good shape yet.
The server takes too long to start, so no password can be set yet.


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@971 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-10-14 14:04:38 +00:00
ms
f86b0cc33a MP3Blaster has been dropped.
MPC has been added.
Removed the descriptions of all packages.


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@863 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-08-31 09:20:15 +00:00
ms
70df830214 Adapted a few files for the GPLv3.
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@853 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-08-29 13:25:32 +00:00
ms
444973a444 Some more fixes again.
The system is now back at the last state before our accident with the kernel.


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@740 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-08-06 09:32:46 +00:00
ms
72d80898e3 Kudzu, ReiserFS, uClibc, gettext and work on the installer
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@346 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2006-11-20 19:56:08 +00:00
ms
d1dd6669e3 Added:
  * Clamav - antivirus
  * rsync - backup tool
Changed:
  * Some new procedures in make.sh
  * Deleted/cleaned up a few backup files
  * Edited the credits. Not yet complete.
  * XAMPP is now no longer in the ISO but provided as a package.
  * ISO significantly smaller: 144MB -> 61MB
  * Created GNUMP3D package.
  * Kernel already adapted for NFS, not yet tested!!


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@113 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2006-05-13 16:59:56 +00:00