duplicity-talk

Re: [Duplicity-talk] librsync failure


From: Ken Bass
Subject: Re: [Duplicity-talk] librsync failure
Date: Fri, 01 May 2015 11:42:01 -0400
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

As I mentioned in my original email, I am currently using 0.6 via the source tarball (rather than an RPM package from the official distro). That was only because I previously had a custom backend I wrote and it was easier to debug and maintain a local tree outside of the RPM process. To save you some time, I just looked at the changelog on the CentOS/EPEL package and the last change was: "- Rebuild for librsync 1.0.0 (#1126712)".

So it would appear that the CentOS/EPEL packager backported this compatibility workaround to the RPM already for CentOS 5, 6, and 7 EPEL. So this issue will only impact people running the source tarball, not the RPM packages.

As I mentioned before, the reason librsync was changed is because it was reported as a security issue. See http://lists.nongnu.org/archive/html/duplicity-talk/2015-01/msg00022.html which was the initial report by the librsync people.
See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8242 for the Red Hat security report.
That might be why a distro felt they needed to upgrade to the latest librsync. To be honest, the real fix is to use a stronger hash algorithm instead of MD4. The backport/fix being used simply uses the weaker MD4 rather than the stronger default that librsync now uses. That is why that initial mailing list thread mentioned the true fix being in 0.8 since it renders current backup sets incompatible for writing.

On 5/1/2015 8:54 AM, Kenneth Loafman wrote:
I did not put the fix into the 0.6 trunk because I did not see them upgrading to a new version of librsync.  Most distros have a rule whereby they limit changes to minor version changes only.  Things get out of sync very quickly as development moves forward.

Since we no longer have a PPA for the 0.6 trunk and since this is ongoing, I guess a release of 0.6.26 is called for.  This weekend, maybe.

Meanwhile, I've attached a patch that will correct the problem in the meantime.

...Ken

On Fri, May 1, 2015 at 5:05 AM, <address@hidden> wrote:
On 30.04.2015 23:51, Ken Bass wrote:
> I updated my CentOS 7 server yesterday which updated the system librsync and librsync-devel packages to librsync-1.0.0-1.el7.x86_64 and librsync-devel-1.0.0-1.el7.x86_64.
> I noticed since that time duplicity no longer runs.

OK, I see that CentOS/EPEL upgraded librsync but not duplicity. Please contact their package maintainer to upgrade to duplicity 0.7.02.

SNIP
> If not, is the librsync fix going to be applied to the 0.6 series.
>

Ken, the maintainer, committed the patch probably consciously in 0.7 only. Let's ask him :)..
Ken? What's your take on this (also see his original message)?

..ede/duply.net

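The incompatibility discussed in this thread (librsync 1.0.0 changing its default strong hash away from MD4 after CVE-2014-8242, a 0.6 tree built against it failing, and a backup set written with the new default being unreadable by the older MD4-only stack) comes down to the first bytes of a librsync signature stream. The following is an added example, not code from duplicity, librsync or anyone in this thread: it writes a minimal librsync-style signature with either strong hash, reports which one an existing signature uses, and verifies a file against it. The magic constants, the 12-byte header layout, the strong-sum truncation and the RS_CHAR_OFFSET weak sum are from my reading of librsync and are assumptions about byte-exact agreement with upstream; SAMPLE is constructed input.

```python
"""Added example (not duplicity/librsync code): librsync-style signature
writer and reader showing why an MD4-only librsync rejects signatures
written with librsync 1.0.0's default.

Assumed layout (from my reading of librsync.h / mksum.c): big-endian header
of magic, block_len, strong_len, then per block a 4-byte weak sum followed by
the strong sum truncated to strong_len bytes."""
import hashlib
import struct

RS_MD4_SIG_MAGIC = 0x72730136     # the only magic librsync 0.9.7 knows (its RS_SIG_MAGIC)
RS_BLAKE2_SIG_MAGIC = 0x72730137  # what librsync 1.0.0's rs_sig_begin() emits by default


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320) so the example runs even where OpenSSL no
    longer exposes the legacy md4 algorithm to hashlib."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def weak_sum(block: bytes) -> int:
    """Rolling checksum in the shape of librsync's rs_calc_weak_sum
    (RS_CHAR_OFFSET = 31); exact agreement with upstream is an assumption."""
    s1 = s2 = 0
    for c in block:
        s1 += c + 31
        s2 += s1
    return ((s2 << 16) | (s1 & 0xFFFF)) & 0xFFFFFFFF


# strong hash selected by magic; BLAKE2b output truncated to strong_len below
STRONG = {
    RS_MD4_SIG_MAGIC: md4,
    RS_BLAKE2_SIG_MAGIC: lambda b: hashlib.blake2b(b).digest(),
}


def write_signature(data: bytes, magic: int, block_len: int = 16, strong_len: int = 8) -> bytes:
    """Emit header plus one (weak, truncated strong) record per block."""
    strong = STRONG[magic]  # KeyError for a magic we cannot write
    out = bytearray(struct.pack(">III", magic, block_len, strong_len))
    for off in range(0, len(data), block_len):
        block = data[off:off + block_len]
        out += struct.pack(">I", weak_sum(block)) + strong(block)[:strong_len]
    return bytes(out)


def read_signature_header(sig: bytes) -> dict:
    """Parse the header; an unknown magic is the RS_BAD_MAGIC case an old
    librsync hits when handed a BLAKE2 signature."""
    magic, block_len, strong_len = struct.unpack(">III", sig[:12])
    if magic not in STRONG:
        raise ValueError("unknown signature magic 0x%08x (RS_BAD_MAGIC)" % magic)
    return {"magic": magic,
            "hash": "md4" if magic == RS_MD4_SIG_MAGIC else "blake2",
            "block_len": block_len, "strong_len": strong_len,
            "readable_by_md4_only_librsync": magic == RS_MD4_SIG_MAGIC}


def verify_signature(sig: bytes, data: bytes) -> bool:
    """Recompute every block's sums and compare with the signature records."""
    hdr = read_signature_header(sig)
    strong, entry, pos = STRONG[hdr["magic"]], 4 + hdr["strong_len"], 12
    for off in range(0, len(data), hdr["block_len"]):
        block, rec = data[off:off + hdr["block_len"]], sig[pos:pos + entry]
        pos += entry
        if len(rec) != entry or struct.unpack(">I", rec[:4])[0] != weak_sum(block) \
                or rec[4:] != strong(block)[:hdr["strong_len"]]:
            return False
    return pos == len(sig)  # trailing records mean the data is shorter than signed


SAMPLE = b"duplicity sigtar contents, constructed for this example only"  # constructed input

if __name__ == "__main__":
    for magic, slen in ((RS_MD4_SIG_MAGIC, 8), (RS_BLAKE2_SIG_MAGIC, 32)):
        sig = write_signature(SAMPLE, magic, 16, slen)
        print(read_signature_header(sig), verify_signature(sig, SAMPLE))
```

Run it and the first header reports an MD4 signature an old librsync can read, the second a BLAKE2 signature it cannot; feeding the BLAKE2 signature to a reader that only knows the MD4 magic is exactly the failure mode an unpatched 0.6 tree sees against librsync 1.0.0 output. Note that the MD4 case is only a compatibility mode: the strong sum is what prevents a block with a colliding weak sum from being substituted, so a 64-bit-truncated MD4 is the weak link the CVE is about, and staying on it keeps old backup sets readable at the cost of that weakness.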


_______________________________________________
Duplicity-talk mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/duplicity-talk

