./net/rsync, Network file distribution/synchronisation utility



Branch: CURRENT, Version: 3.4.4, Package name: rsync-3.4.4, Maintainer: pkgsrc-users

rsync is a replacement for rcp that has many more features.

rsync uses the "rsync algorithm" which provides a very fast method for
bringing remote files into sync. It does this by sending just the
differences in the files across the link, without requiring that both
sets of files are present at one of the ends of the link beforehand.
This makes rsync a good remote file distribution/synchronisation utility
in a dialup PPP/SLIP environment.

Note: it requires rsync on the destination machine.

There is a Computer Science Technical Report on the rsync algorithm
included in the distribution; it is also available at
ftp://samba.anu.edu.au/pub/rsync/tech_report.ps


Required to run:
[shells/bash] [security/openssl] [devel/popt] [archivers/lz4] [archivers/zstd] [devel/xxhash]

Required to build:
[pkgtools/cwrappers]

Package options: acl, zstd

Master sites:

Filesize: 1194.375 KB

CVS history:


2026-06-08 07:45:28 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
rsync: update to 3.4.4.

# NEWS for rsync 3.4.4 (8 Jun 2026)

## Changes in this version:

This is a conservative point release that backports regression fixes
on top of 3.4.3.  No new features are included.

### BUG FIXES:

- Honour a relative alt-basis directory (e.g. `--link-dest=../sibling`,
  `--copy-dest`, `--compare-dest`) on a daemon receiver running with
  `use chroot = no`.  Such a path is re-anchored at the module root but
  was then rejected by the receiver's secure open; it now works where
  kernel-enforced confinement is available.  See the PORTABILITY note
  below for the platform limitation.  Fixes #915.

- sender: open a module-root-absolute path for a `path = /` module so a
  daemon serving the filesystem root can satisfy absolute request
  paths again.  Fixes #897.

- flist: accept the missing-args mode-0 entry in recv_file_entry.
  Fixes #910.

- receiver: fix a false "failed verification -- update discarded" when
  resuming a delta transfer with an absolute `--partial-dir`.

- receiver: fix a NULL dereference on the delta discard path.

- generator: cap the block s2length at the negotiated checksum length.

- main: fix `--mkpath` with `--dry-run` for a file-to-file copy.
  Fixes #880.

- daemon: un-backslash escaped option args.  Fixes #829.

- token: drain the matched-block insert deflate.  Fixes #951.

- Fix the "update skips a file of a different type" case and the
  daemon upload delete stats.

- alloc: revert "zero all new memory from allocations".  Fixes #959.

- Always clear the stat buffer and validate nanoseconds before use.

### PORTABILITY / BUILD:

- The relative alt-basis fix for daemon receivers (#915) relies on
  kernel "stay below dirfd" path resolution -- `openat2(RESOLVE_BENEATH)`
  on Linux 5.6+, or `openat()` with `O_RESOLVE_BENEATH` on FreeBSD 13+
  and macOS 15+.  On platforms that lack it (Solaris, OpenBSD, NetBSD,
  Cygwin and older Linux) `secure_relative_open()` deliberately rejects
  any path with a `..` component, so relative alt-basis directories
  remain unavailable there -- function traded for safety, matching the
  trade-off already documented for the #715 fix.  Absolute alt-basis
  paths are unaffected on every platform.

- openat2 is now autodetected at configure time (HAVE_OPENAT2): the
  `openat2(RESOLVE_BENEATH)` resolver is compiled in only when both
  `<linux/openat2.h>` and the `SYS_openat2` syscall number are present,
  fixing the build on older kernels/headers.  Fixes #924, #905, #900,
  #904.

- Fall back to do_mknod() when mknodat() / mkfifoat() are unavailable.
  Fixes #896.

- Install generated manpages correctly in an out-of-tree build.
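The "stay below dirfd" resolution described in the PORTABILITY note above, and relied on again for CVE-2026-43619 in the 3.4.3 notes further down, as an added C example that is not rsync's own `secure_relative_open()`: `open_beneath()` uses `openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS)` when both the header and the syscall number are present and the kernel accepts it, and otherwise falls back to a per-component `O_NOFOLLOW` walk that refuses every `..` component; `self_test()` checks both behaviours on a throwaway directory tree. The function names, the `/tmp` fixture and treating `EPERM` as "openat2 unsupported" are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__                 /* assumes 5.6+ headers; older ones lack this header */
#include <linux/openat2.h>
#include <sys/syscall.h>
#endif

/* Open `rel` (flags without O_CREAT) confined beneath `dirfd`.  Fast path: openat2 with
 * RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS, so the kernel refuses "..", absolute paths and
 * escaping symlinks yet follows in-tree ones.  Fallback: a per-component O_NOFOLLOW walk. */
static int open_beneath(int dirfd, const char *rel, int flags) {
#if defined(RESOLVE_BENEATH) && defined(SYS_openat2)   /* compiled in only when both exist */
    struct open_how how = { .flags = (unsigned long long)(flags | O_CLOEXEC),
                            .resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS };
    long fd = syscall(SYS_openat2, dirfd, rel, &how, sizeof how);
    if (fd >= 0 || (errno != ENOSYS && errno != EINVAL && errno != EPERM))
        return (int)fd;          /* EXDEV here is the kernel refusing an escape */
#endif                           /* only an unsupported openat2 falls through */
    char path[4096];
    if (*rel == '/' || strlen(rel) >= sizeof path) { errno = EACCES; return -1; }
    strcpy(path, rel);
    int cur = dirfd == AT_FDCWD ? open(".", O_RDONLY | O_DIRECTORY) : dup(dirfd);
    char *save, *comp = strtok_r(path, "/", &save);
    while (cur >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save); int nfd = -1, e;
        if (strcmp(comp, "..") == 0)
            errno = EACCES;      /* no climbing at all, not even "sub/../file" */
        else                     /* intermediate components must be real directories */
            nfd = openat(cur, comp, (next ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW | O_CLOEXEC);
        e = errno; close(cur); errno = e; cur = nfd; comp = next;
    }
    return cur;
}

/* 1 if `rel` opens beneath dfd (the descriptor is closed again), else 0. */
static int opens(int dfd, const char *rel) { int fd = open_beneath(dfd, rel, O_RDONLY); if (fd >= 0) close(fd); return fd >= 0; }

/* Self-test on a constructed tree under mkdtemp(): only sub/file may open.  Returns 0 on pass. */
static int self_test(void) {
    char tmpl[] = "/tmp/beneathXXXXXX", *root = mkdtemp(tmpl);
    int dfd = root ? open(root, O_RDONLY | O_DIRECTORY) : -1, fd = -1, rc = 1;
    if (dfd >= 0 && mkdirat(dfd, "sub", 0700) == 0 &&
        (fd = openat(dfd, "sub/file", O_WRONLY | O_CREAT, 0600)) >= 0) {
        close(fd); int sym = symlinkat("../../etc/hostname", dfd, "escape") == 0; /* may be denied in a sandbox */
        rc = opens(dfd, "sub/file") && !opens(dfd, "..") && (!sym || !opens(dfd, "escape")) ? 0 : 2;
        unlinkat(dfd, "escape", 0); unlinkat(dfd, "sub/file", 0); unlinkat(dfd, "sub", AT_REMOVEDIR);
    }
    if (dfd >= 0) close(dfd); if (root) rmdir(root);
    return rc;
}
```

The walk deliberately refuses "sub/../file", which the kernel path would accept; that is the function-for-safety trade-off the note describes for platforms without `RESOLVE_BENEATH`.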

2026-05-21 11:13:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
rsync: updated to 3.4.3

rsync 3.4.3 (20 May 2026)

Changes in this version:

SECURITY FIXES:

Six CVEs are fixed in this release.  All six are assigned by
VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
CVE-2026-43619) require non-default daemon configuration to reach:
the first and third need `use chroot = no` for a module, the second
needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
CVE-2026-43620) are reachable from a normal pull or a normal
authenticated daemon connection.  The sixth (CVE-2026-45232) is
reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
returns a pathological response.  Many thanks to the external
researchers who reported these issues.

- CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
  allowing local privilege escalation in daemon mode without chroot.
  An rsync daemon configured with "use chroot = no" was exposed to a
  time-of-check / time-of-use race on parent path components: a local
  attacker with write access to a module could replace a parent
  directory component with a symlink between the receiver's check and
  its open(), redirecting reads (basis-file disclosure) and writes
  (file overwrite) outside the module.  Default "use chroot = yes" is
  not exposed.  `secure_relative_open()` (added in 3.4.0 for
  CVE-2024-12086) was previously unused in the daemon-no-chroot
  case; the fix enables it there and reroutes the sender's
  read-path opens through it.  Reported by Nullx3D (Batuhan Sancak),
  Damien Neil and Michael Stapelberg.

- CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an
  rsync daemon configured with `daemon chroot = /X` in rsyncd.conf
  when the chroot tree lacks DNS resolution support.  The
  reverse-DNS lookup of the connecting client was performed *after*
  the daemon chroot had been entered; if /X did not contain the
  libc resolver fixtures (`/etc/resolv.conf`, `/etc/nsswitch.conf`,
  `/etc/hosts`, NSS service modules) the lookup failed and the
  connecting hostname was set to "UNKNOWN", causing hostname-based
  deny rules to silently fail open.  IP-based ACLs are unaffected.
  The per-module `use chroot` setting is unrelated to this issue.
  The fix performs the lookup before entering the daemon chroot.
  Reported by MegaManSec.

- CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
  compressed-token decoder enabling remote memory disclosure to an
  authenticated daemon peer.  The receiver accumulated a 32-bit
  signed counter without overflow checking; a malicious sender could
  trigger an overflow that, with careful manipulation, leaked process
  memory contents to the attacker -- environment variables,
  passwords, heap and library pointers -- significantly weakening
  ASLR.  The fix bounds the counter and adds wire-input validation in
  several adjacent places (defence-in-depth).  Workaround for older
  releases: `refuse options = compress` in rsyncd.conf.  Reported by
  Omar Elsayed.

- CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
  system calls in "use chroot = no" daemon mode (generalisation of
  CVE-2026-29518).  Earlier fixes for symlink races on the receiver's
  open() call missed the same race class on every other path-based
  system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink,
  mknod, link, rmdir and lstat.  The fix routes each affected
  path-based syscall through a parent dirfd opened under
  RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on
  Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+,
  per-component O_NOFOLLOW walk elsewhere).  Default "use chroot =
  yes" is not exposed.  Reported by Andrew Tridgell as a follow-on
  audit of CVE-2026-29518.

- CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
  receiver's recv_files() enabling remote denial-of-service of any
  client pulling from a malicious server (incomplete fix of commit
  797e17f).  The earlier parent_ndx<0 guard added to send_files() was
  not applied to the visually-identical block in recv_files().  A
  malicious rsync server can drive any connecting client into a
  deterministic SIGSEGV by setting CF_INC_RECURSE in the
  compatibility flags and sending a crafted file list and transfer
  record.  inc_recurse is the protocol-30+ default, so no special
  options are required on the victim.  Workaround for older
  releases: `--no-inc-recursive` on the client.  Reported by Pratham
  Gupta.

- CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
  write in the rsync client's HTTP CONNECT proxy handler
  (`establish_proxy_connection()` in `socket.c`).  After issuing the
  CONNECT request, rsync read the proxy's first response line one
  byte at a time into a 1024-byte stack buffer with the bound
  `cp < &buffer[sizeof buffer - 1]`.  If the proxy (or a MITM in
  front of it) returned 1023+ bytes on that first line without a
  newline terminator, `cp` exited the loop pointing at a buffer slot
  the loop never wrote, leaving `*cp` holding stale stack data from
  the earlier `snprintf()` of the outgoing CONNECT request.  The
  post-loop logic then wrote a single `\0` one byte past the end of
  the buffer on the stack.  Reach is client-side only, and only when
  `RSYNC_PROXY` is set so rsync tunnels an `rsync://` connection
  through an HTTP CONNECT proxy.  The written byte is always `\0`
  and the offset is fixed by the buffer size, not attacker-chosen,
  so this is not an arbitrary-write primitive: practical impact is
  corruption of one adjacent stack byte and possible later
  misbehaviour or crash.  The fix detects the "buffer filled without
  finding `\n`" case explicitly by position and refuses the response
  with "proxy response line too long".  Reported by Aisle Research
  via Michal Ruprich (rsync-3.4.1-2.el10 QE).

In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts and
lengths in flist/io/acls/xattrs, a guard against length underflow in
cumulative `snprintf()` callers, a parent block-index bounds check on
the receiver, a NULL check in `read_delay_line()`, a lower ceiling on
`MAX_WIRE_DEL_STAT` to avoid signed-int overflow in the
`read_del_stats()` accumulator, rejection of hyphen-prefixed
remote-shell hostnames (defence-in-depth against argv-injection in
tooling that forwards untrusted input into the hostspec position;
reported by Aisle Research via Michal Ruprich), and a NULL-check on
`localtime_r()` in `timestring()` to keep a malicious server from
crashing the client by advertising a file with an out-of-range
modtime.

BUG FIXES:

- Fixed a regression introduced by the 3.4.0 secure_relative_open()
  CVE fix where legitimate directory symlinks on the receiver side
  (e.g. when using `-K` / `--copy-dirlinks`) caused "failed
  verification -- update discarded" errors on delta transfers. The
  old code rejected every symlink in the path with a per-component
  `O_NOFOLLOW` walk; the receiver now uses kernel-enforced "stay
  below dirfd" path resolution where available.

PORTABILITY / BUILD:

- secure_relative_open() now uses `openat2(RESOLVE_BENEATH |
  RESOLVE_NO_MAGICLINKS)` on Linux 5.6+, and `openat()` with
  `O_RESOLVE_BENEATH` on FreeBSD 13+ and macOS 15+ (Sequoia) /
  iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and
  symlinks whose target lies outside the starting directory, while
  still following symlinks that resolve within it -- the same
  trade-off that fixes the issue 715 regression without weakening
  the original CVE protection. Other platforms (Solaris, OpenBSD,
  NetBSD, Cygwin) retain the previous per-component `O_NOFOLLOW`
  walk; on those platforms the issue 715 regression remains
  visible.

- testsuite/xattrs: ignore `SUNWattr_*` in the Solaris `xls`
  helper.
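The CVE-2026-45232 read loop described above, as an added C model that is not rsync's `establish_proxy_connection()`: `old_nul_index()` reproduces the pre-fix bound and post-loop arithmetic but returns the index of the NUL write instead of performing it, `read_proxy_line()` applies the position-based check from the fix, and `scenario()` runs both over a constructed first response line. The stream type, the `'A'` filler and the return-code convention are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#define PROXY_BUFSZ 1024   /* size of the stack buffer in the original handler */

/* Constructed stand-in for the proxy socket, handing out one byte per read(). */
struct proxy_stream { const char *data; size_t len, pos; };

static int stream_read1(struct proxy_stream *s, char *out) {
    if (s->pos >= s->len) return -1;              /* proxy hung up: read error */
    *out = s->data[s->pos++];
    return 1;
}

/* Pre-fix shape.  The bound `cp < &buffer[sizeof buffer - 1]` lets the loop exit with
 * cp at slot 1023, which it never wrote; the old post-loop `if (*cp != '\n') cp++;
 * *cp-- = '\0';` then tested that stale byte and pushed the NUL to slot 1024.  This
 * returns that index instead of writing (the stale slot is assumed not to hold '\n'). */
static long old_nul_index(struct proxy_stream *s) {
    char buf[PROXY_BUFSZ]; size_t i;
    for (i = 0; i < sizeof buf - 1; i++) {
        if (stream_read1(s, &buf[i]) != 1) return -1;
        if (buf[i] == '\n') break;
    }
    if (i == sizeof buf - 1 || buf[i] != '\n') i++;
    return (long)i;                               /* 1024 == one past the end */
}

/* Fixed shape: "buffer filled without finding '\n'" is detected by position and the
 * response refused before anything is written.  Returns the CRLF-stripped length,
 * -1 for "proxy response line too long", -2 for a read failure. */
static int read_proxy_line(struct proxy_stream *s, char *buf, size_t bufsz) {
    size_t i;
    for (i = 0; i < bufsz - 1; i++) {
        if (stream_read1(s, &buf[i]) != 1) return -2;
        if (buf[i] == '\n') break;
    }
    if (i == bufsz - 1) return -1;
    if (i > 0 && buf[i - 1] == '\r') i--;
    buf[i] = '\0';
    return (int)i;
}

/* Runs both shapes over a constructed first line: n_fill 'A' bytes followed by tail. */
struct outcome { int fixed; long old_idx; char text[PROXY_BUFSZ]; };
static struct outcome scenario(size_t n_fill, const char *tail) {
    static char line[PROXY_BUFSZ + 64];
    struct outcome o = { -3, -3, "" };
    if (n_fill + strlen(tail) >= sizeof line) return o;
    memset(line, 'A', n_fill);
    memcpy(line + n_fill, tail, strlen(tail));
    struct proxy_stream a = { line, n_fill + strlen(tail), 0 }, b = a;
    o.old_idx = old_nul_index(&a);
    o.fixed = read_proxy_line(&b, o.text, sizeof o.text);
    return o;
}
```

A 1023-byte line without a newline yields `old_idx == 1024` (the out-of-bounds slot) while the fixed parser returns -1; a 1022-byte line ending in `\n` is accepted by both.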

2026-05-11 08:21:51 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
rsync: updated to 3.4.2

rsync 3.4.2 (28 Apr 2026)

Changes in this version:

SECURITY RELATED:

Several security-relevant defects were reported and fixed since 3.4.1. None were assigned a CVE — rsync's fork-per-connection design scopes the impact of each of these to the attacker's own connection, which is equivalent to the client closing the socket itself — but they are fixed here as a matter of hygiene and to reduce the chances of a future exploitable combination. Many thanks to the external researchers who reported these issues.

Fixed a signed integer overflow in the PROXY protocol v2 header parser: a negative len field could bypass the size check and cause a stack buffer overflow in read_buf(). Reported by John Walker of ZeroPath.

Fixed an invalid access to the files array. Reported by Calum Hutton of Rapid7.

Reject negative token values in the compressed-stream token decoder; a negative value could cause callers to misinterpret a missing data pointer as literal data. Reported by Will Sergeant.

Fixed the element count passed to the xattr qsort() (see https://www.openwall.com/lists/oss-security/2026/04/16/2).

Fixed a buffer underflow in clean_fname(), and added a regression test.

Fixed an uninitialized mul_one in the AVX2 get_checksum1 path (undefined behaviour), and added a SIMD-checksum self-test that cross-checks SSE2, SSSE3 and AVX2 against the C reference on both aligned and unaligned buffers.

Fixed an uninitialized buf1 on the first call to get_checksum2() in the MD4 path.

Zero all new memory from internal allocations: my_alloc() now uses calloc, and expand_item_list() zeros the expanded portion after realloc. This gives more predictable behaviour if stale or uninitialised memory is ever accidentally read.

BUG FIXES:

Call tzset() before chroot so that log timestamps continue to reflect the configured local timezone after the daemon chroots (glibc needs /etc/localtime, which is unreachable post-chroot).

Use the correct time when writing to the log file.

Do not clear DISPLAY unconditionally.

Fixed a Y2038 bug in syscall.c by replacing the Int32x32To64 macro (which truncates its arguments to 32 bits) with a plain 64-bit multiplication.

Fixed ACL ID mapping for non-root users.

Fixed handling of objects with many xattrs on FreeBSD.

Fixed --open-noatime not taking effect when opening regular files: O_NOATIME is now also passed to do_open_nofollow(), which has been used for regular files since the CVE fix "fixed symlink race condition in sender".

Ignore "directory has vanished" errors.

Fixed the removal of multiple leading slashes.

Added the missing --dirs long option.

Fixed a segfault if poptGetContext() returns NULL (e.g. under OOM) by not passing NULL to poptReadDefaultConfig(). Reported by Ronnie Sahlberg; found with malloc-fail-tester.

Fixed a build error on ia64 NonStop (which treats missing prototypes as an error, not a warning).

Fixed a flaky hardlinks test.

ENHANCEMENTS:

Added multi-threaded zstd compression, gated by a new --compress-threads=N option, with validation and man-page coverage.

Documented the temp dir parameter in the rsyncd.conf man page.

Improved rendering of interior dashes in long-option names in md-convert.

PORTABILITY / BUILD:

Fixed glibc 2.43 const-preserving overloads of strtok(), strchr() etc. by declaring the affected locals with the right constness. Contributed by Holger Hoffstätte.

Converted the bundled zlib 1.2.8 from K&R-style function definitions to ANSI prototypes, so it builds with clang 16+.

Avoid using bool as an identifier; it is a keyword in C23.

configure.ac: check for xattr functions in libc first and only fall back to -lattr, avoiding spurious overlinking when -lattr happens to be installed. Contributed by Eli Schwartz.

Made the build reproducible by honouring SOURCE_DATE_EPOCH for the manpage date.

Removed obsolete popt/findme.c and popt/findme.h that upstream popt 1.14 folded into popt.c. Contributed by Alan Coopersmith.

INTERNAL:

Made many module-global variables const so they can live in .rodata and enable additional compiler optimization.

2026-03-16 17:05:56 by Kimmo Suominen | Files touched by this commit (3)
Log message:
rsync: Patch for CVE-2025-10158

2025-01-16 02:04:40 by Tobias Nygren | Files touched by this commit (2)
Log message:
rsync: bump to 3.4.1

The 3.4.0 distfile was revoked by upstream due to regressions in
the build on some platforms.

2025-01-14 20:30:05 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
rsync: update to 3.4.0.

Release 3.4.0 is a security release that fixes a number of important vulnerabilities.

For more details on the vulnerabilities please see the CERT report
https://kb.cert.org/vuls/id/952657

## Changes in this version:

### PROTOCOL NUMBER:

 - The protocol number was changed to 32 to make it easier for
   administrators to check their servers have been updated

### SECURITY FIXES:

Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
discovering these vulnerabilities and working with the rsync project
to develop and test fixes.

- CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.

- CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.

- CVE-2024-12086 - Server leaks arbitrary client files.

- CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.

- CVE-2024-12088 - --safe-links Bypass.

- CVE-2024-12747 - symlink race condition.

### BUG FIXES:

- Fixed the included popt to avoid a memory error on modern gcc versions.

- Fixed an incorrect extern variable's type that caused an ACL issue on macOS.

- Fixed IPv6 configure check

### INTERNAL:

- Updated included popt to version 1.19.

### DEVELOPER RELATED:

- Various improvements to the release scripts and git setup.

- Improved packaging/var-checker to identify variable type issues.

- added FreeBSD and Solaris CI builds

2024-07-15 19:20:03 by Hauke Fath | Files touched by this commit (2)
Log message:
Properly handle EOPNOTSUPP by making sure we don't end up with two
identical case values on OSes that #define one as the other; lifted
from a lang/tcl85 patch.

Unbreaks FreeBSD build.

2024-05-22 11:49:36 by Manuel Bouyer | Files touched by this commit (3)
Log message:
Handle EOPNOTSUPP the same way as ENOTSUP.
Silence
default_perms_for_dir: sys_acl_get_file(some_path, ACL_TYPE_DEFAULT): Operation not supported, falling back on umask
warnings on NetBSD 10.0 with --chmod
Bump PKGREVISION