by newtonsmethod
13 days ago
Yes, the actual issues seem to be:

* People with Linux < 5.6 can't build this from GitHub. This to me seems like a fairly minor regression: people using maintained versions of 5.6 (mostly extended security) will have distro maintainers pick up that the build is failing, allowing for it to be corrected in a timely manner.

* Hardening against path traversals causes failures for users with: no chroot; using the native rsync protocol. Ironically: chroot = no is deeply discouraged; you shouldn't really be using native rsync in an automated manner (and perhaps it seems I wouldn't advise using it at all); the CVEs the commits fix apply exactly to this use case.

  https://www.cve.org/CVERecord?id=CVE-2026-29518 requires daemon + no chroot: "daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false."

  So the workflows affected are those which are the most vulnerable, and yet people are recommending that people revert versions.

* Furthermore, if a regression test picked this up, it would've been written previously.
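The comment above turns on one rsyncd.conf setting, `use chroot`. As an added example (not code from the commenter or from the rsync project), here is a small POSIX shell/awk audit that reports which daemon modules will actually run with chroot disabled, so an operator can see whether they are in the affected configuration before deciding to revert. It assumes the documented rsyncd.conf layout: parameters before the first `[module]` header are global defaults, a module may override them, and `use chroot` defaults to yes. The sample configs it writes are constructed for the demonstration; the module names and paths are not from any real deployment.

```shell
#!/bin/sh
# Added example (not from the comment or the rsync project): list rsyncd.conf
# modules whose effective "use chroot" is off, i.e. the configuration the
# comment describes as the one exposed by the path-traversal CVE.
#
# Assumed rsyncd.conf semantics: parameters before the first [module] header
# are global defaults; a module may override them; "use chroot" defaults to yes.

# Print, one per line, the names of modules that resolve to use chroot = no.
rsyncd_nochroot_modules() {
    conf="$1"
    awk '
        # trim surrounding whitespace and lower-case a key or value
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        # report the module just finished if its effective setting is off
        function flush(   v) {
            v = (modval != "") ? modval : (globalval != "" ? globalval : "yes")
            if (v == "no" || v == "false" || v == "0") print mod
        }
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # [module] header
            if (mod != "") flush()
            mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/][ \t]*$/, "", mod)
            modval = ""
            next
        }
        index($0, "=") > 0 {                          # key = value
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = norm(substr($0, index($0, "=") + 1))
            if (key == "use chroot") {
                if (mod == "") globalval = val; else modval = val
            }
        }
        END { if (mod != "") flush() }
    ' "$conf"
}

# Constructed sample config: one module opts out of chroot (the weak setting).
write_sample_rsyncd_conf() {
    cat > "$1" <<'EOF'
# global defaults
use chroot = yes
[backup]
    path = /srv/backup
    read only = yes
[scratch]
    path = /srv/scratch
    # weak: this is the setting the advisory text says the bug requires
    use chroot = no
[mirror]
    path = /srv/mirror
EOF
}

# Hardened counterpart: same modules, chroot left at its default for all.
write_hardened_rsyncd_conf() {
    cat > "$1" <<'EOF'
use chroot = yes
[backup]
    path = /srv/backup
    read only = yes
[scratch]
    path = /srv/scratch
[mirror]
    path = /srv/mirror
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_rsyncd_conf "$tmp"
    echo "modules without chroot in the sample config:"
    rsyncd_nochroot_modules "$tmp"
    rm -f "$tmp"
}

main
```

Point `rsyncd_nochroot_modules` at a real `/etc/rsyncd.conf` to get the list for a host. A flagged module is only the configuration precondition the advisory text names; per the quoted record the daemon must also be running with elevated privileges, so check the `uid`/`gid` the daemon drops to as well. The parser does not follow `&include`/`&merge` directives, so configs assembled from fragments need each fragment checked.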