[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rssh security update breaks rsync via Synology's "hyper backup"

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> That said, if we do fix this in jessie, we should do it at the same time
> as the regression identified in stretch (DSA-4377-2).

> Russ, do you want to handle the Jessie update or should the LTS team do
> it?

> Should we wait for resolution on this issue before shipping the errata?

Apologies for the delayed reply -- I had company for the holiday weekend
in the US.

I think the regression identified at:


is sufficiently serious to warrant another regression fix in stable, if
the security team agrees.  I'm going to prepare a new package for
unstable and stable with a fix for that regression, and can do oldstable
at the same time and roll in the DSA-4377-2 regression fix.

While I agree that using undocumented features of rsync is a little
dubious, I'm also willing to include a fix to allow the specific command
line "rsync --server --daemon <path>" since (a) it seems to be safe, (b)
looks easy enough to do, and (c) my only goal with rssh at this point is
to keep it working through the stable support period, so I'm not too
worried about the long-term maintenance burden of one-off hacks like that.

I should be able to do this later today.

Does this plan sound good to everyone?  I'll follow up with the proposed
diffs for stable and oldstable.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: