There is a path-sanitizing bug that affects daemon mode in all
recent rsync versions (including 2.6.2) but only if chroot is
disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred. It does affect
certain option paths that cause auxiliary files to be read or
written.
http://rsync.samba.org/#security_aug04
SECURITY:
Paths sent to an rsync daemon are more thoroughly sanitized when
chroot is not used. If you're running a non-read-only rsync daemon
with chroot disabled, *please upgrade*, especially if the user privs
you run rsync under are anything above "nobody".
(This happened when the pipe to rsync got broken, because rsync would
then try to write to stderr, find out it didn't work, and call exit_cleanup,
which would then try it all over again... oops.)
- change ftp site to a non-australian site.
- add 'recovery site' for old versions.
rsync 2.4.6 fixes a long-standing half-bug, where the writer would sit
in a tight loop if the outgoing connection was slow, chewing all CPU.
See package cvs.log for details.
This includes fixing an obscure security hole.
Patch to avoid spinning in select on non-blocking descriptors (will
probably be fixed in rsync 2.3.3)
Specifically, it fixes the security hole that is described in
pkg/SECURITY...
Wedged in as security fixes are important, especially when they're small.
Real 2.3.1 will wait after tree thaws.
Porters: please make sure you use bsd.port.mk 1.75 or later when
updating ports. That version of the makefile adds all sums. Previous
versions of the makefile will still work for people installing ports.
To make a long story short, it was just your standard port cut&paste
(it isn't needed, but it can't hurt you, and may even help updating the
port).
Since it does seem to trip Marco, and may be scanned for by people with
shared library problems, it's probably better to kill it.