On Mon, Jan 27, 2020 at 03:56:07PM +0100, Moritz Buhl wrote:
> Hi ports@,
>
> The gnu licensed rsync port in its current release is shipping with a
> few CVEs: CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, CVE-2016-9840
> They all come from the zlib rsync is bundling. The OpenBSD port uses
> this zlib since Jun 2014 to support compression that was introduced
> in rsync-3.1.1.
>
> The fixes are available in the public git repository:
> https://git.samba.org/?p=rsync.git
> But there has not been a release yet.
>
> I took the patches and added them to the port, the inflate_c patch
> required a 2 byte adjustment (braces).
>
> Any thoughts or comments?
> The maintainer did not answer my previous mail.

I can't seem to find a trace of that previous email... somehow it got lost somewhere, sorry. I'll have a look soon.