Hi,

> See https://github.com/librsync/librsync/issues/5 . librsync uses MD4
> as part of syncing; given the low strength and size of MD4, and the
> relative ease of computing collisions/preimages, that makes librsync
> unsafe to use on untrusted data, such as when running a duplicity
> backup.
>
> The upstream fix involves changing the signature format to use a strong
> hash. The new version of librsync supports reading the old signature
> format, but always writes the new one. So, fixing this has some of the
> same implications as Berkeley DB upgrades. In particular, any
> applications using librsync and its data format across multiple systems
> will require upgrading any readers along with writers. I'd suggest
> coordinating this with the reverse dependencies of librsync1.
Although a genuine issue, the fix is indeed too invasive to deploy in a stable release and requires something of a transition. We should therefore start this in sid for stretch.

Cheers,
Thijs
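As an added example (not code from the bug report, from librsync, or from this thread) of the format transition the quoted report describes: a small Python parser for librsync signature files that reads the header, identifies which strong hash the signature was written with, and flags MD4 signatures so they can be located in a backup store before readers and writers are upgraded. Assumptions: the header layout and the two magic values are taken from librsync's public header librsync.h rather than from this mail, and the sample signatures below are constructed, not real rdiff output.

```python
import hashlib
import struct

# Signature magics from librsync.h (assumption: not quoted in the mail above).
# Header = magic, block_len, strong_sum_len, all 4-byte big-endian; then one
# entry per block: 4-byte weak rolling checksum + strong_sum_len bytes of digest.
RS_MD4_SIG_MAGIC = 0x72730136     # old format: truncated MD4 strong sums
RS_BLAKE2_SIG_MAGIC = 0x72730137  # new format: truncated BLAKE2b strong sums
MAX_STRONG_LEN = {"md4": 16, "blake2": 32}


def parse_signature(data: bytes) -> dict:
    """Parse a signature blob and report the hash it relies on.

    trusted_input_ok is False for MD4 signatures: a collision in the strong
    sum lets mismatched blocks be accepted as identical, which is the issue
    the quoted report raises for untrusted data."""
    if len(data) < 12:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = struct.unpack(">III", data[:12])
    algo = {RS_MD4_SIG_MAGIC: "md4", RS_BLAKE2_SIG_MAGIC: "blake2"}.get(magic)
    if algo is None:
        raise ValueError(f"not a librsync signature (magic {magic:#x})")
    if block_len == 0 or not 1 <= strong_len <= MAX_STRONG_LEN[algo]:
        raise ValueError("implausible header values")
    entry, body = 4 + strong_len, data[12:]
    if len(body) % entry:
        raise ValueError("trailing partial block entry")
    blocks = [(struct.unpack(">I", body[i:i + 4])[0], body[i + 4:i + entry])
              for i in range(0, len(body), entry)]
    return {"algo": algo, "block_len": block_len, "strong_len": strong_len,
            "blocks": blocks, "trusted_input_ok": algo != "md4"}


def build_signature(magic: int, block_len: int, strong_len: int, entries) -> bytes:
    """Serialise (weak, strong) pairs into the on-disk layout; used only to
    construct sample input for this example."""
    out = struct.pack(">III", magic, block_len, strong_len)
    for weak, strong in entries:
        if len(strong) != strong_len:
            raise ValueError("strong sum length mismatch")
        out += struct.pack(">I", weak) + strong
    return out


# Constructed samples: the MD4 one uses dummy digests, the BLAKE2 one a real
# BLAKE2b-256 of a 2048-byte block (librsync truncates to strong_len).
OLD_SIG = build_signature(RS_MD4_SIG_MAGIC, 2048, 8,
                          [(0x0001ABCD, b"\x11" * 8), (0x0002EF01, b"\x22" * 8)])
NEW_SIG = build_signature(RS_BLAKE2_SIG_MAGIC, 2048, 32,
                          [(0x0001ABCD, hashlib.blake2b(b"x" * 2048, digest_size=32).digest())])

if __name__ == "__main__":
    for name, sig in (("old", OLD_SIG), ("new", NEW_SIG)):
        p = parse_signature(sig)
        verdict = "ok" if p["trusted_input_ok"] else "MD4: unsafe on untrusted data"
        print(f"{name}: {p['algo']} strong_len={p['strong_len']} blocks={len(p['blocks'])} {verdict}")
```

Pointing the parser at the signature files an application such as duplicity keeps lets you count how many old-format signatures remain before the reverse dependencies are upgraded together.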