David,

A checksum collision vulnerability has been found in librsync (rdiff):

https://bugzilla.redhat.com/show_bug.cgi?id=1126712#c17

The solution is to update librsync to 1.0.0; you may wish to consider the following patch as well:

http://pkgs.fedoraproject.org/cgit/librsync.git/plain/librsync-0.9.7-getopt.patch

Please note that both Fedora and Debian call the main package librsync, based on upstream packaging, from which rdiff could be a subpackage. The different naming of this package threw me off for a while. Any chance we could shuffle the packaging around (I can help with the server side)?

Then, all librsync-dependent packages need to be rebuilt against 1.0.0, namely rdiff-backup, which requires the following patch:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-librsync-1.0.0.patch

You may wish to consider the following patches for rdiff-backup as well:

http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup--popen2.patch
http://pkgs.fedoraproject.org/cgit/rdiff-backup.git/plain/rdiff-backup-1.2.8-docdir.patch

TIA,
Yaakov