
Re: rssh security update breaks rsync via Synology's "hyper backup"
Antoine Beaupré <anarcat@orangeseeds.org> writes:

> That said, if we do fix this in jessie, we should do it at the same time
> as the regression identified in stretch (DSA-4377-2).

> Russ, do you want to handle the Jessie update or should the LTS team do
> it?

> Should we wait for resolution on this issue before shipping the errata?

Apologies for the delayed reply -- I had company for the holiday weekend
in the US.

I think the regression identified at:

    https://bugs.launchpad.net/ubuntu/+source/rssh/+bug/1815935

is sufficiently serious to warrant another regression fix in stable, if
the security team agrees.  I'm going to prepare a new package for
unstable and stable with a fix for that regression, and can do oldstable
at the same time and roll in the DSA-4377-2 regression fix.

While I agree that using undocumented features of rsync is a little
dubious, I'm also willing to include a fix to allow the specific command
line "rsync --server --daemon <path>" since (a) it seems to be safe, (b)
looks easy enough to do, and (c) my only goal with rssh at this point is
to keep it working through the stable support period, so I'm not too
worried about the long-term maintenance burden of one-off hacks like that.

I should be able to do this later today.

Does this plan sound good to everyone?  I'll follow up with the proposed
diffs for stable and oldstable.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
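
The argument allow-list discussed in the message above, as an added example written for this page; it is not rssh's code and not anything from the thread. It models a restricted shell that lets ordinary "rsync --server" invocations through, permits the exact "rsync --server --daemon <path>" form as a one-off, and refuses options that would let the client make rsync run another program or read a client-chosen configuration. The list of blocked options, and the treatment of the "-e." capability letters that rsync clients send inside a short-option cluster, are this example's assumptions about rsync, not statements about what rssh checks.

```python
"""Argv allow-list for an rsync-only restricted shell (added example).

Not rssh's code. Policy modelled here:
  * only 'rsync --server ...' may run at all;
  * the exact one-off 'rsync --server --daemon <path>' is permitted;
  * options that change what rsync executes or which config it reads are
    refused, including the '--opt=value' spelling;
  * '-e' inside a short-option cluster is accepted only when followed by
    '.' (the capability flags an rsync client sends, assumed behaviour);
    any other '-e' argument would be a remote-shell command.
"""
import shlex
from typing import Tuple

# Long options treated as hazardous in this example (assumed list).
BLOCKED_LONG = ("--rsh", "--config", "--dparam", "--log-file", "--daemon")

# The one exact shape the thread proposes to let through.
DAEMON_ONE_OFF = ("rsync", "--server", "--daemon")


def is_blocked_long(tok: str) -> bool:
    """True if tok names a blocked long option, with or without '=value'."""
    return tok.split("=", 1)[0] in BLOCKED_LONG


def is_bad_short_cluster(tok: str) -> bool:
    """Inspect a short-option cluster such as '-logDtpre.iLsfxC'.

    The text after the first 'e' is that option's argument.  '.iLsfxC' is
    protocol negotiation (assumed rsync behaviour); anything else, or a
    bare '-e' whose argument would be the next token, is refused.  A
    cluster containing 'e' for some other reason is also refused: this
    check fails closed rather than trying to model every short option.
    """
    if not tok.startswith("-") or tok.startswith("--") or tok == "-":
        return False
    body = tok[1:]
    idx = body.find("e")
    if idx == -1:
        return False
    return not body[idx + 1:].startswith(".")


def check_rsync_command(command: str) -> Tuple[bool, str]:
    """Decide whether a forced-command string may be executed.

    Returns (allowed, reason).  The string is the whole command line the
    client asked for (what sshd exposes as SSH_ORIGINAL_COMMAND).
    """
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, "unparseable command: %s" % exc
    if len(argv) < 2 or argv[0] != "rsync" or argv[1] != "--server":
        return False, "only 'rsync --server ...' may be invoked"
    # One-off: exactly four tokens, path must not look like an option.
    if tuple(argv[:3]) == DAEMON_ONE_OFF:
        if len(argv) == 4 and not argv[3].startswith("-"):
            return True, "exact 'rsync --server --daemon <path>' one-off"
        return False, "--daemon only allowed as 'rsync --server --daemon <path>'"
    for tok in argv[2:]:
        if is_blocked_long(tok):
            return False, "blocked option %s" % tok.split("=", 1)[0]
        if is_bad_short_cluster(tok):
            return False, "-e with a command argument in %s" % tok
    return True, "ordinary server-mode invocation"


# Constructed sample command lines (not captured from any real client).
SAMPLES = [
    "rsync --server -logDtpre.iLsfxC . /srv/backup",
    "rsync --server --sender -logDtpre.iLsfxC . /srv/backup",
    "rsync --server --daemon .",
    "rsync --server --daemon . --config=/tmp/evil.conf",
    "rsync --server --rsh=/bin/sh -logDtpre.iLsfxC . /srv/backup",
    "rsync --server -e sh . /srv/backup",
    "rsync --server --config=/tmp/evil.conf . /srv/backup",
    "rsync --daemon --config=/tmp/evil.conf",
    "scp -f /etc/passwd",
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = check_rsync_command(line)
        print("%-5s %-60s %s" % ("ALLOW" if allowed else "DENY", line, reason))
```

The point of the exact-tuple comparison for the one-off is that "--daemon" is otherwise on the blocked list: the exception is a single argv shape, not a relaxation of the rule, so a client that appends "--config=..." or any other token to it is still refused.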