[packages/rsync] up to 3.4.3 (SECURITY)
arekm
arekm at pld-linux.org
Wed May 20 10:12:51 CEST 2026
commit bbc98921e19704496decc31b190f15ab4c9f24c9
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Wed May 20 10:11:22 2026 +0200
up to 3.4.3 (SECURITY)
- CVE-2026-29518 - TOCTOU symlink race in daemon "use chroot = no"
enabling local privilege escalation.
- CVE-2026-43617 - hostname/ACL bypass when daemon chroot lacks
resolver fixtures.
- CVE-2026-43618 - integer overflow in compressed-token decoder
leaking process memory to authenticated daemon peers.
- CVE-2026-43619 - symlink races on path-based syscalls in
"use chroot = no" daemon mode (follow-on to CVE-2026-29518).
- CVE-2026-43620 - out-of-bounds read in recv_files() crashing any
client pulling from a malicious server.
- CVE-2026-45232 - off-by-one stack write in HTTP CONNECT proxy
response handling.
rsync.spec | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/rsync.spec b/rsync.spec
index ed9b7b2..6cc341f 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -17,13 +17,13 @@ Summary(uk.UTF-8): Програма для ефективного віддале
Summary(zh_CN.UTF-8): [通讯]传输工具
Summary(zh_TW.UTF-8): [喙啪]$(B6G?i火(c(B
Name: rsync
-Version: 3.4.2
+Version: 3.4.3
Release: 1
Epoch: 1
License: GPL v3+
Group: Networking/Utilities
Source0: https://download.samba.org/pub/rsync/src/%{name}-%{version}.tar.gz
-# Source0-md5: 352650b73e30cc0ba54707ae72bdac43
+# Source0-md5: 1c53fa0fd42ba4700ba6fa96a0b5bbb6
Source2: %{name}.inet
Source3: %{name}.init
Source4: %{name}.sysconfig
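Review bot: The updated `# Source0-md5` comment is the only integrity pin on the 3.4.3 tarball visible in this hunk, and MD5 is not collision-resistant, so it guards against a corrupted download but not a deliberately substituted one. For a release whose whole purpose is security fixes, verify the tarball against an upstream signature or a SHA-256 digest before building, if upstream provides one, and consider recording that stronger digest next to the MD5 line. The `Release: 1` context line is unchanged, which is correct for a version bump.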
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/rsync.git/commitdiff/bbc98921e19704496decc31b190f15ab4c9f24c9