Hi, when will the update be available on homebrew?
Thanks! > On 21 Aug 2015, at 15:57, Colin Percival <cperc...@tarsnap.com> wrote: > > In case anyone is not subscribed to the announce list: Tarsnap 1.0.36 is > now available, and you should probably upgrade. (GPG signed announcement > email at http://mail.tarsnap.com/tarsnap-announce/msg00032.html ) > > Colin Percival > > -------- Forwarded Message -------- > Subject: Tarsnap 1.0.36 > Date: Fri, 21 Aug 2015 06:51:16 -0700 > From: Colin Percival <cperc...@tarsnap.com> > To: tarsnap-annou...@tarsnap.com > > Hi all, > > Tarsnap 1.0.36 is now available. Due to the presence of security fixes (and > some fairly significant bug fixes) upgrading is strongly recommended. This > new version brings: > > 1. SECURITY FIX: When constructing paths of objects being archived, a buffer > could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte > paths. Theoretically this could be exploited by an unprivileged user whose > files are being archived; I do not believe it is exploitable in practice, > but I am offering a $1000 bounty for the first person who can prove me wrong: > http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html > > 2. SECURITY FIX: An attacker with a machine's write keys, or with read keys > and control of the tarsnap service, could make tarsnap allocate a large > amount of memory upon listing archives or reading an archive the attacker > created; on 32-bit machines, tarsnap can be caused to crash under the > aforementioned conditions. > > 3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails. > > 4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when > running on a dual-stack network if the first IP stack it attempts fails to > connect. > > 5. tarsnap now avoids opening devices nodes on linux if it is instructed to > archive /dev/. This change may prevent "watchdog"-triggered reboots. > > 6. tarsnap -c --dry-run can now run without a keyfile, allowing users to > predict how much Tarsnap will cost before signing up. > > 7. tarsnap now has bash completion scripts. > > 8. tarsnap now takes a --retry-forever option. > > 9. tarsnap now automatically detects and uses AESNI and SSE2. > > As usual, there are also many minor build fixes, harmless bug fixes, and code > refactoring / cleanup changes. For a full listing of changes, consult the > tarsnap git repository: https://github.com/Tarsnap/tarsnap > > The new release is available from the usual location: > https://www.tarsnap.com/download.html >
