More NEWS.

Wayne Davison
2022-08-01 18:34:39 -07:00
parent 2f7c583143
commit da5c72da4b

NEWS.md

@@ -6,12 +6,12 @@
- Added some file-list safety checking that helps to ensure that a rogue
sending rsync can't add unrequested top-level names and/or include recursive
names that should have been excluded by the sender. This extra safety check
only requires the client side rsync to be udateed. When dealing with an
untrusted sending host using an older rsync, it is safest to copy into a
dedicated destination directory for the remote content (i.e. don't copy into
a destination directory that contains files that aren't from the remote
host unless you trust the remote host). Fixes CVE-2022-29154.
names that should have been excluded by the sender. These extra safety
checks only require the receiver rsync to be udateed. When dealing with an
untrusted sending host, it is safest to copy into a dedicated destination
directory for the remote content (i.e. don't copy into a destination
directory that contains files that aren't from the remote host unless you
trust the remote host). Fixes CVE-2022-29154.
### BUG FIXES:
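Review bot: The reworded sentence "checks only require the receiver rsync to be udateed" carries over the misspelling from the line it replaces; it should read "updated". Separately, the new wording drops the qualifier "using an older rsync" from the untrusted-sender advice, so the dedicated-destination-directory recommendation now reads as applying to every untrusted sending host regardless of version. If that broadening is intended, it would help to say so explicitly, since readers who have updated the receiver may otherwise assume the new file-list checks make the precaution unnecessary.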
@@ -20,6 +20,9 @@
made rsync send mostly literal data for a copy instead of finding matching
data in the receiver's basis file.
- Lots of manpage improvements, including an attempt to better desdribe how
include/exclude filters work.
### PACKAGING RELATED:
- The build date that goes into the manpages is now based on the developer's
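Review bot: In the new manpage bullet, "desdribe" in "an attempt to better desdribe how include/exclude filters work" is a typo for "describe". Since the CVE-2022-29154 entry above concerns names "that should have been excluded by the sender", it may also be worth keeping this filter-documentation entry next to that one, or cross-referencing it, so readers relying on include/exclude rules as a safety boundary find the clarified description.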
@@ -27,6 +30,8 @@
### DEVELOPER RELATED:
- Configure now defaults GETGROUPS_T to gid_t when cross compiling.
- Configure now looks for the bsd/string.h include file in order to fix the
build on a host that has strlcpy() in the main libc but not defined in the
main string.h file.