CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVE-2024-12085 - Info Leak via uninitialized stack contents defeats ASLR.
CVE-2024-12086 - Server leaks arbitrary client files.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVE-2024-12088 - --safe-links Bypass.
CVE-2024-12747 - symlink race condition.
Output of rsync --version:
rsync version 3.4.1 protocol version 32
Copyright (C) 1996-2025 by Andrew Tridgell, Wayne Davison, and others.
Web site: https://rsync.samba.org/
Capabilities:
64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
socketpairs, symlinks, symtimes, hardlinks, no hardlink-specials,
hardlink-symlinks, IPv6, atimes, batchfiles, inplace, append, no ACLs,
no xattrs, optional secluded-args, iconv, prealloc, stop-at, crtimes
Optimizations:
no SIMD-roll, no asm-roll, openssl-crypto, no asm-MD5
Checksum list:
xxh128 xxh3 xxh64 (xxhash) md5 md4 sha1 none
Compress list:
zstd lz4 zlibx zlib none
Daemon auth list:
sha512 sha256 sha1 md5 md4
rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. See the GNU
General Public Licence for details.