Log message:
rsync: updated to 3.4.2

rsync 3.4.2 (28 Apr 2026)

Changes in this version:

SECURITY RELATED:

Several security-relevant defects were reported and fixed since 3.4.1. None were \ 
assigned a CVE — rsync's fork-per-connection design scopes the impact of each \ 
of these to the attacker's own connection, which is equivalent to the client \ 
closing the socket itself — but they are fixed here as a matter of hygiene and \ 
to reduce the chances of a future exploitable combination. Many thanks to the \ 
external researchers who reported these issues.

Fixed a signed integer overflow in the PROXY protocol v2 header parser: a \ 
negative len field could bypass the size check and cause a stack buffer overflow \ 
in read_buf(). Reported by John Walker of ZeroPath.

Fixed an invalid access to the files array. Reported by Calum Hutton of Rapid7.

Reject negative token values in the compressed-stream token decoder; a negative \ 
value could cause callers to misinterpret a missing data pointer as literal \ 
data. Reported by Will Sergeant.

Fixed the element count passed to the xattr qsort() (see \ 
https://www.openwall.com/lists/oss-security/2026/04/16/2).

Fixed a buffer underflow in clean_fname(), and added a regression test.

Fixed an uninitialized mul_one in the AVX2 get_checksum1 path (undefined \ 
behaviour), and added a SIMD-checksum self-test that cross-checks SSE2, SSSE3 \ 
and AVX2 against the C reference on both aligned and unaligned buffers.

Fixed an uninitialized buf1 on the first call to get_checksum2() in the MD4 path.

Zero all new memory from internal allocations: my_alloc() now uses calloc, and \ 
expand_item_list() zeros the expanded portion after realloc. This gives more \ 
predictable behaviour if stale or uninitialised memory is ever accidentally \ 
read.

BUG FIXES:

Call tzset() before chroot so that log timestamps continue to reflect the \ 
configured local timezone after the daemon chroots (glibc needs /etc/localtime, \ 
which is unreachable post-chroot).

Use the correct time when writing to the log file.

Do not clear DISPLAY unconditionally.

Fixed a Y2038 bug in syscall.c by replacing the Int32x32To64 macro (which \ 
truncates its arguments to 32 bits) with a plain 64-bit multiplication.

Fixed ACL ID mapping for non-root users.

Fixed handling of objects with many xattrs on FreeBSD.

Fixed --open-noatime not taking effect when opening regular files: O_NOATIME is \ 
now also passed to do_open_nofollow(), which has been used for regular files \ 
since the CVE fix "fixed symlink race condition in sender".

Ignore "directory has vanished" errors.

Fixed the removal of multiple leading slashes.

Added the missing --dirs long option.

Fixed a segfault if poptGetContext() returns NULL (e.g. under OOM) by not \ 
passing NULL to poptReadDefaultConfig(). Reported by Ronnie Sahlberg; found with \ 
malloc-fail-tester.

Fixed a build error on ia64 NonStop (which treats missing prototypes as an \ 
error, not a warning).

Fixed a flaky hardlinks test.

ENHANCEMENTS:

Added multi-threaded zstd compression, gated by a new --compress-threads=N \ 
option, with validation and man-page coverage.

Documented the temp dir parameter in the rsyncd.conf man page.

Improved rendering of interior dashes in long-option names in md-convert.

PORTABILITY / BUILD:

Fixed glibc 2.43 const-preserving overloads of strtok(), strchr() etc. by \ 
declaring the affected locals with the right constness. Contributed by Holger \ 
Hoffstätte.

Converted the bundled zlib 1.2.8 from K&R-style function definitions to ANSI \ 
prototypes, so it builds with clang 16+.

Avoid using bool as an identifier; it is a keyword in C23.

configure.ac: check for xattr functions in libc first and only fall back to \ 
-lattr, avoiding spurious overlinking when -lattr happens to be installed. \ 
Contributed by Eli Schwartz.

Made the build reproducible by honouring SOURCE_DATE_EPOCH for the manpage date.

Removed obsolete popt/findme.c and popt/findme.h that upstream popt 1.14 folded \ 
into popt.c. Contributed by Alan Coopersmith.

INTERNAL:

Made many module-global variables const so they can live in .rodata and enable \ 
additional compiler optimization.

Log message:
rsync: Patch for CVE-2025-10158

Log message:
rsync: bump to 3.4.1

The 3.4.0 distfile was revoked by upstream due to regressions in
the build on some platforms.

Log message:
rsync: update to 3.4.0.

Release 3.4.0 is a security release that fixes a number of important vulnerabilities.

For more details on the vulnerabilities please see the CERT report
https://kb.cert.org/vuls/id/952657

## Changes in this version:

### PROTOCOL NUMBER:

 - The protocol number was changed to 32 to make it easier for
   administrators to check their servers have been updated

### SECURITY FIXES:

Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
discovering these vulnerabilities and working with the rsync project
to develop and test fixes.

- CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.

- CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.

- CVE-2024-12086 - Server leaks arbitrary client files.

- CVE-2024-12087 - Server can make client write files outside of destination \ 
directory using symbolic links.

- CVE-2024-12088 - --safe-links Bypass.

- CVE-2024-12747 - symlink race condition.

### BUG FIXES:

- Fixed the included popt to avoid a memory error on modern gcc versions.

- Fixed an incorrect extern variable's type that caused an ACL issue on macOS.

- Fixed IPv6 configure check

### INTERNAL:

- Updated included popt to version 1.19.

### DEVELOPER RELATED:

- Various improvements to the release scripts and git setup.

- Improved packaging/var-checker to identify variable type issues.

- added FreeBSD and Solaris CI builds

Log message:
Properly handle EOPNOTSUPP by making sure we don't end up with two
identical case values on OSes that #define one as the other; lifted
from a lang/tcl85 patch.

Unbreaks FreeBSD build.

Log message:
Handle EOPNOTSUPP the same way as ENOTSUP.
Silent
default_perms_for_dir: sys_acl_get_file(some_path, ACL_TYPE_DEFAULT): Operation \ 
not supported, falling back on umask
warnings on NetBSD 10.0 with --chmod
Bump PKGREVISION

Log message:
rsync: updated to 3.3.0

NEWS for rsync 3.3.0 (6 Apr 2024)

Changes in this version:

BUG FIXES:

Fixed a bug with --sparse --inplace where a trailing gap in the source file \ 
would not clear out the trailing data in the destination file.

Fixed an buffer overflow in the checksum2 code if SHA1 is being used for the \ 
checksum2 algorithm.

Fixed an issue when rsync is compiled using _FORTIFY_SOURCE so that the extra \ 
tests don't complain about a strlcpy() limit value (which was too large, even \ 
though it wasn't possible for the larger value to cause an overflow).

Add a backtick to the list of characters that the filename quoting needs to \ 
escape using backslashes.

Fixed a string-comparison issue in the internal handling of --progress (a locale \ 
such as tr_TR.utf-8 needed the internal triggering of --info options to use \ 
upper-case flag names to ensure that they match).

Make sure that a local transfer marks the sender side as trusted.

Change the argv handling to work with a newer popt library -- one that likes to \ 
free more data than it used to.

Rsync now calls OpenSSL_add_all_algorithms() when compiled against an older \ 
openssl library.

Fixed a problem in the daemon auth for older protocols (29 and before) if the \ 
openssl library is being used to compute MD4 checksums.

Fixed rsync -VV on Cygwin -- it needed a flush of stdout.

Fixed an old stats bug that counted devices as symlinks.

ENHANCEMENTS:

Enhanced rrsync with the -no-overwrite option that allows you to ensure that \ 
existing files on your restricted but writable directory can't be modified.

Enhanced the manpages to mark links with .UR & .UE. If your nroff doesn't \ 
support these idioms, touch the file .md2man-force in the source directory so \ 
that md-convert gets called with the --force-link-text option, and that should \ 
ensure that your manpages are still readable even with the ignored markup.

Some manpage improvements on the handling of [global] modules.

Changed the mapfrom & mapto perl scripts (in the support dir) into a single \ 
python script named idmap. Converted a couple more perl scripts into python.

Changed the mnt-excl perl script (in the support dir) into a python script.

DEVELOPER RELATED:

Updated config.guess (timestamp 2023-01-01) and config.sub (timestamp 2023-01-21).

Log message:
rsync: Disable zstd by default on Darwin/powerpc, it doesn't like ld(1)