Skip to content

release 3.4.0 #696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tridge merged 12 commits into from
Jan 14, 2025
Merged

release 3.4.0 #696

tridge merged 12 commits into from
Jan 14, 2025

Conversation

@tridge
Copy link
Member

@tridge tridge commented Jan 14, 2025
edited
Loading

This prepares for the release of 3.4.0, which is a security release coordinated with CERT and VINCE
See https://kb.cert.org/vuls/id/952657

tridge and others added 12 commits January 15, 2025 05:20
@tridge
prevent information leak off the stack
e954e88 
prevent leak of uninitialised stack data in hash_search
@tridge
refuse fuzzy options when fuzzy not selected
2621452 
this prevents a malicious server providing a file to compare to when
the user has not given the fuzzy option
@tridge
added secure_relative_open()
4a7aef0 
this is an open that enforces no symlink following for all path
components in a relative path
@tridge
receiver: use secure_relative_open() for basis file
852af00 
this prevents attacks where the basis file is manipulated by a
malicious sender to gain information about files outside the
destination tree
@tridge
disallow ../ elements in relpath for secure_relative_open
f9b8b6a
@WayneD @tridge
Refuse a duplicate dirlist.
22b41c1
@tridge
range check dir_ndx before use
a052605
@tridge
make --safe-links stricter
e2715ef 
when --safe-links is used also reject links where a '../' component is
included in the destination as other than the leading part of the
filename
@tridge
fixed symlink race condition in sender
f6917bf 
when we open a file that we don't expect to be a symlink use
O_NOFOLLOW to prevent a race condition where an attacker could change
a file between being a normal file and a symlink
@tridge
raise protocol version to 32
655e712 
make it easier to spot unpatched servers
@tridge
change version to 3.4.0
cda20f7
@tridge
update NEWS for 3.4.0
a6b6c75
@tridge tridge merged commit 870b7d9 into master Jan 14, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tridge @WayneD