Hi!
I was pointed to rsync CVE-2022-29154 and noted that both Debian and Ubuntu didn't apply the fix in
the security repos. From what I can tell it has been treated as mild, seemingly in part due to an
assumption that clients rarely fetch data from untrusted servers?
At least in the context of packages like rpki-client, a security vulnerability allowing a malicious
server to overwrite arbitrary files on the client's filesystem would allow said server to remove any
internet network from the global routing table of most large ISPs, allowing it to effectively nuke
any network on the internet for some time.
I hope I'm misinformed and I'm simply misreading the description provided.
Thanks,
Matt