|
From: | Ken Bass |
Subject: | Re: [Duplicity-talk] librsync failure |
Date: | Fri, 01 May 2015 11:42:01 -0400 |
User-agent: | Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 |
As I mentioned in my original email, I
am currently using 0.6 via the source tarball (rather than an RPM
package from the official distro). That was only because I
previously had a custom backend I wrote and it was easier to debug
and maintain a local tree outside of the RPM process. To save you
some time, I just looked at the changelog on the Centos/EPEL and
the last change was: "- Rebuild for librsync 1.0.0 (#1126712)".
So it would appear that the Centos/EPEL packager backported this compatibility workaround to the RPM already for Centos 5,6, and 7 EPEL. So this issue will only impact people running the source tar ball, not the RPM packages. As I mentioned before, the reason librsync was changed is because it was reported as a security issue. See http://lists.nongnu.org/archive/html/duplicity-talk/2015-01/msg00022.html which was the initial report by the librsync people. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8242 for the RedHat security report. That might be why a distro felt they needed to upgrade to the latest librsync. To be honest, the real fix is to use a stronger hash algorithm instead of MD4. The backport/fix being used simply uses the weaker MD4 rather than the stronger default that librsync now uses. That is why that initial mailing list thread mentioned the true fix being in 0.8 since it renders current backup sets incompatible for writing. On 5/1/2015 8:54 AM, Kenneth Loafman wrote:
|
[Prev in Thread] | Current Thread | [Next in Thread] |