New ftpsync version 20171017 (security update)

To: debian-mirrors-announce@lists.debian.org
Cc: debian-mirrors@lists.debian.org
Subject: New ftpsync version 20171017 (security update)
From: Bastian Blank <waldi@debian.org>
Date: Tue, 17 Oct 2017 18:20:09 +0200
Message-id: <[🔎] 20171017162009.anmoxmj7bghrytzh@waldi.eu.org>
Mail-followup-to: debian-mirrors-announce@lists.debian.org, debian-mirrors@lists.debian.org

Hello mirror operators

We released ftpsync 20171017 today.  This is a security update, it fixes
CVE-2017-8805.

rsync was called without --safe-links.  This allowed the creating of
symlinks to files outside of the mirrored tree.  If the mirror also
provides access via HTTP, the server will usually follow symlinks and
allow access to arbitrary files or directories.

Other notable changes are:

* We added support for rsync-over-SSH,

* We tried to really add documentation that is not example configs.
  Several parts are still missing, but we are getting there.

You can find the new ftpsync version on a Debian mirror near you.

Regards,
Bastian

-- 
Suffocating together ... would create heroic camaraderie.
		-- Khan Noonian Singh, "Space Seed", stardate 3142.8

Attachment: signature.asc
Description: PGP signature

Reply to:

Next by Date: New ftpsync version 20171018 (regression update)
Next by thread: New ftpsync version 20171018 (regression update)
Index(es):
- Date
- Thread