Hi Samuel,

On Tue, Aug 02, 2022 at 09:30:07PM +0100, Samuel Henrique wrote:
> Hello Salvatore, thanks for reporting this.
>
> I've been following the discussions around this during the day and I
> did notice there were multiple commits related to it indeed.
>
> My take so far is that we should wait a bit before releasing the fix
> on unstable, as there might be regressions in the fix itself. There
> isn't even a proper release with the fix yet (only v3.2.5pre1). After
> confirming that there's no regressions in 3.2.5, then we can consider
> backporting it [0].
>
> [0] That is, of course, just a suggestion, if someone from the
> Security team is willing to do all the investigative work to look out
> for regressions earlier, they're free to go ahead.

I agree, let's wait for 3.2.5 even for unstable. The issue is not that
urgent and when rsync'ing from an untrusted server, as described, it's
safest to copy into a dedicated destination directory for the remote
content.

Regards,
Salvatore