Hi,

On Fri, Jan 17, 2025 at 03:42:48AM +0100, poc...@homemail.com wrote:
> > From: "Andy Smith" <a...@strugglers.net>
> > You can verify this at:
> >
> > https://security-tracker.debian.org/tracker/source-package/rsync
>
> https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-rsync-could-allow-for-remote-code-execution_2025-007

Okay, I'll try one more time.

The link you gave above talks about the following security issues:

CVE-2024-12085
CVE-2024-12086
CVE-2024-12087
CVE-2024-12088
CVE-2024-12747

The link that I gave you shows that all of the above already have fixes backported to Debian stable-security.

Since there is no new information here and I am just re-stating what has already been shown to you, I wonder if the problem here is that you don't understand what backporting is?

The version of rsync that was first released in Debian 12 is what will be in Debian 12 forever. Barring some exceptional circumstances there will never be a newer release of rsync in Debian 12. There will never be version 3.4.1 of rsync in Debian 12. Any security issues found in the version of rsync that is in Debian 12 will have fixes backported to it.

So it follows that just because the program's --version says 3.2.7, it does not mean that it is still vulnerable to all issues found between 3.2.7 and 3.4.1 inclusive. You would have to look at the Debian package version and check which fixes have been backported.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
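
The check described in the message above, as an added example that is not part of the original e-mail: it compares a Debian package version against the "fixed in" version shown on a security tracker page, using the ordering rules from deb-version(5). The package version strings below are constructed for illustration and the function names are hypothetical; the real fixed version must be read from the tracker for your release.

```python
import re

def _order(c):
    # deb-version(5): '~' sorts before everything (even end of string),
    # letters sort before all other non-digit characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _part_key(part):
    # Alternate non-digit runs (compared character by character) and
    # digit runs (compared as integers), then add an end-of-string marker.
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        if text or digits:
            key += [[_order(c) for c in text] + [0], int(digits or 0)]
    return key + [[0], 0]

def split_version(version):
    # [epoch:]upstream[-revision]; a missing revision is equivalent to "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def upstream_version(version):
    # The part that the program's own --version output reflects.
    return split_version(version)[1]

def has_fix(installed, fixed_in):
    # True when the installed package is at or after the fixed version.
    def key(v):
        epoch, upstream, revision = split_version(v)
        return epoch, _part_key(upstream), _part_key(revision)
    return key(installed) >= key(fixed_in)

# Constructed sample values, not taken from the tracker.
FIXED_IN = "3.2.7-1+deb12u2"
SAMPLES = ["3.2.7-1", "3.2.7-1+deb12u2", "3.2.7-1+deb12u10"]

if __name__ == "__main__":
    for pkg in SAMPLES:
        print(pkg, "upstream", upstream_version(pkg),
              "patched" if has_fix(pkg, FIXED_IN) else "NOT patched")
```

All three sample packages report the same upstream version, so only the Debian revision distinguishes the patched ones. On a Debian system, `dpkg-query -W rsync` prints the installed package version and `dpkg --compare-versions` performs the same comparison.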