Hi Steve,

On Fri, 30 May 2025, Steven Benbow wrote:

You noted, I think, that rsync-bpc should not be vulnerable to
https://ubuntu.com/security/CVE-2024-12085. But according to
https://www.cve.org/CVERecord?id=CVE-2024-12085 it seems that
affected rsync versions are "from 0 through 3.3.0", so perhaps this
might be just cause for a patch? Or I may have misunderstood.

The notice to which you linked, that is

https://ubuntu.com/blog/rsync-remote-code-execution

has a section entitled "How the exploits work" which says

"Google researchers discovered that the rsync server is vulnerable to
a heap buffer overflow (CVE-2024-12084) and an information leak of
uninitialized stack data (CVE-2024-12085). By combining the two
vulnerabilities, a malicious client with anonymous read-access can
defeat ASLR (address space layout randomization) and remotely execute
arbitrary code on the rsync server machine. These vulnerabilities were
introduced in rsync v3.2.7, so Ubuntu 20.04 LTS and earlier releases
are not vulnerable to this attack chain."

So as I said it's clear that rsync versions earlier than 3.2.7 - and
hence the latest version of rsync-bpc - are unaffected.  There is no
vulnerability to be patched.

We would be happy to consider supporting some ongoing maintenance of
BackupPC with occasional donations etc. I guess if a few other
organisations might also consider it then it may be sufficient to
fund a little ongoing maintenance / patching and occasional releases
for an interested team of developers.

AFAIK there's no such team in existence and no mechanism for donations
to be collected and/or funding to be applied.  I can imagine all sorts
of arguments cropping up about what qualifies and what doesn't, and my
experience of other vaguely similar projects (I'm an ASF Member) makes
me think I'd have no time to get involved in that kind of thing.  That
doesn't mean it's a bad idea, but there might be a lot more work on the
admin than there is now and as you likely guessed I'm not fond of admin.

Maybe the best I could offer would be to fork the project on Github and
undertake to maintain the fork.  Could that help you?

--

73,
Ged.


_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/