Your message dated Fri, 27 Feb 2026 21:31:42 +0000
with message-id <[email protected]>
and subject line Bug#1088107: fixed in rclone 1.69.3+dfsg-1
has caused the Debian Bug report #1088107,
regarding rclone: CVE-2024-52522
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1088107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088107
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rclone
Version: 1.60.1+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rclone.
CVE-2024-52522[0]:
| Rclone is a command-line program to sync files and directories to
| and from different cloud storage providers. Insecure handling of
| symlinks with --links and --metadata in rclone while copying to
| local disk allows unprivileged users to indirectly modify ownership
| and permissions on symlink target files when a superuser or
| privileged process performs a copy. This vulnerability could enable
| privilege escalation and unauthorized access to critical system
| files, compromising system integrity, confidentiality, and
| availability. This vulnerability is fixed in 1.68.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52522
https://www.cve.org/CVERecord?id=CVE-2024-52522
[1] https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
[2] https://github.com/rclone/rclone/commit/669b2f2669cacd634faa2bcecb589b76e1402533
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
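The symlink problem named in the CVE description above, as an added Go example (not rclone's code and not the upstream fix): on Linux a path-based chmod follows a symlink and alters its target, while opening with O_NOFOLLOW and changing the mode through the descriptor leaves the target untouched. The function names, the temp-dir layout and the choice to skip symlinks are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// applyModeNoFollow opens path with O_NOFOLLOW and changes the mode through
// the descriptor; a symlink is skipped (false, nil), never followed.
func applyModeNoFollow(path string, mode os.FileMode) (bool, error) {
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if errors.Is(err, syscall.ELOOP) {
		return false, nil // final component is a symlink
	}
	if err != nil {
		return false, err
	}
	defer f.Close()
	return true, f.Chmod(mode)
}

func modeOf(p string) (m os.FileMode) {
	if st, err := os.Stat(p); err == nil {
		m = st.Mode().Perm()
	}
	return
}

// demo uses a constructed layout: "target" (0600) and "link" -> target.
func demo() (afterSafe, afterNaive os.FileMode, err error) {
	dir, err := os.MkdirTemp("", "symlink-meta")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	target, link := dir+"/target", dir+"/link"
	if err = errors.Join(os.WriteFile(target, []byte("x"), 0o600), os.Symlink(target, link)); err != nil {
		return
	}
	_, err = applyModeNoFollow(link, 0o644)
	afterSafe = modeOf(target) // still 0600
	err = errors.Join(err, os.Chmod(link, 0o644)) // os.Chmod follows the link
	afterNaive = modeOf(target) // now 0644
	return
}

func main() { fmt.Println(demo()) }
```

O_NOFOLLOW covers only the final path component; ownership has the same split between os.Chown (follows the link) and os.Lchown (does not).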
--- Begin Message ---
Source: rclone
Source-Version: 1.69.3+dfsg-1
Done: Drew Parsons <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rclone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Drew Parsons <[email protected]> (supplier of updated rclone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Feb 2026 19:24:39 +0100
Source: rclone
Architecture: source
Version: 1.69.3+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Drew Parsons <[email protected]>
Closes: 1088107 1115963
Changes:
 rclone (1.69.3+dfsg-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release
     - fixes metadata symlink security bug [CVE-2024-52522]
       Closes: #1088107
     - supports gitannex. Closes: #1115963
     - applies debian patch 0015-Update-go-smb2.patch
       Depends: golang-github-cloudsoda-go-smb2-dev
                (>= 0.0~20241223.52b943b~)
   * add debian patches to drop features which debian cannot yet
     support due to unpackaged dependencies
     - disable_backend_cloudinary.patch for backend/cloudinary
       (github.com/cloudinary/cloudinary-go/v2)
     - disable_backend_file.patch for
         backend/filescom (github.com/Files-com/files-sdk-go/v3)
         backend/iclouddrive (github.com/oracle/oci-go-sdk)
   * debian patch drop_generated_docs.patch drops generation of .md
     files, which are present in source but not acknowledged, causing
     the build to fail
   * drop debian patches 0016-Remove-metadata-support.patch and
     0017-Remove-checksum-support.patch. golang-google-api-dev 0.214.0
     is now available which supports these features.
     Depends: golang-google-api-dev (>= 0.211.0~)
   * use go-md2man and mandoc as an alternative to pandoc to build the
     rclone man page and html manual on architectures without pandoc.
     Build-Depends: pandoc | go-md2man, mandoc
   * add PATH to newly built rclone when building docs, since
     make_manual.py now calls rclone for help_output
   * Build-Depends: fuse3 [linux-any]
     (fuse is available on linux only, not hurd)
   * update debian/watch to v5 GitHub template
   * Standards-Version: 4.7.3
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---