Upstream rsync 3.4.3 is available; this repository pins 3.4.2.
Source: https://download.samba.org/pub/rsync/NEWS
NEWS for rsync 3.4.3 (20 May 2026)
Changes in this version:
SECURITY FIXES:
Six CVEs are fixed in this release. All six are assigned by
VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every
case. Three of the six (CVE-2026-29518, CVE-2026-43617,
CVE-2026-43619) require non-default daemon configuration to reach:
the first and third need "use chroot = no" for a module, the second
needs "daemon chroot = ..." set in rsyncd.conf. Two (CVE-2026-43618,
CVE-2026-43620) are reachable from a normal pull or a normal
authenticated daemon connection. The sixth (CVE-2026-45232) is
reachable only when RSYNC_PROXY is set and the proxy (or a MITM)
returns a pathological response. Many thanks to the external
researchers who reported these issues.
CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
allowing local privilege escalation in daemon mode without chroot.
An rsync daemon configured with "use chroot = no" was exposed to a
time-of-check / time-of-use race on parent path components: a local
attacker with write access to a module could replace a parent
directory component with a symlink between the receiver's check and
its open(), redirecting reads (basis-file disclosure) and writes
(file overwrite) outside the module. Default "use chroot = yes" is
not exposed. secure_relative_open() (added in 3.4.0 for
CVE-2024-12086) was previously unused in the daemon-no-chroot
case; the fix enables it there and reroutes the sender's
read-path opens through it. Reported by Nullx3D (Batuhan Sancak),
Damien Neil and Michael Stapelberg.
CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an
rsync daemon configured with "daemon chroot = /X" in rsyncd.conf
when the chroot tree lacks DNS resolution support. The
reverse-DNS lookup of the connecting client was performed after
the daemon chroot had been entered; if /X did not contain the
libc resolver fixtures (/etc/resolv.conf, /etc/nsswitch.conf,
/etc/hosts, NSS service modules) the lookup failed and the
connecting hostname was set to "UNKNOWN", causing hostname-based
deny rules to silently fail open. IP-based ACLs are unaffected.
The per-module "use chroot" setting is unrelated to this issue.
The fix performs the lookup before entering the daemon chroot.
Reported by MegaManSec.
CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
compressed-token decoder enabling remote memory disclosure to an
authenticated daemon peer. The receiver accumulated a 32-bit
signed counter without overflow checking; a malicious sender could
trigger an overflow that, with careful manipulation, leaked process
memory contents to the attacker -- environment variables,
passwords, heap and library pointers -- significantly weakening
ASLR. The fix bounds the counter and adds wire-input validation in
several adjacent places (defence-in-depth). Workaround for older
releases: "refuse options = compress" in rsyncd.conf. Reported by
Omar Elsayed.
CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
system calls in "use chroot = no" daemon mode (generalisation of
CVE-2026-29518). Earlier fixes for symlink races on the receiver's
open() call missed the same race class on every other path-based
system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink,
mknod, link, rmdir and lstat. The fix routes each affected
path-based syscall through a parent dirfd opened under
RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on
Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+,
per-component O_NOFOLLOW walk elsewhere). Default "use chroot =
yes" is not exposed. Reported by Andrew Tridgell as a follow-on
audit of CVE-2026-29518.
CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
receiver's recv_files() enabling remote denial-of-service of any
client pulling from a malicious server (incomplete fix of commit
797e17f). The earlier parent_ndx<0 guard added to send_files() was
not applied to the visually-identical block in recv_files(). A
malicious rsync server can drive any connecting client into a
deterministic SIGSEGV by setting CF_INC_RECURSE in the
compatibility flags and sending a crafted file list and transfer
record. inc_recurse is the protocol-30+ default, so no special
options are required on the victim. Workaround for older
releases: --no-inc-recursive on the client. Reported by Pratham
Gupta.
CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
write in the rsync client's HTTP CONNECT proxy handler
(establish_proxy_connection() in socket.c). After issuing the
CONNECT request, rsync read the proxy's first response line one
byte at a time into a 1024-byte stack buffer with the bound
cp < &buffer[sizeof buffer - 1]. If the proxy (or a MITM in
front of it) returned 1023+ bytes on that first line without a
newline terminator, cp exited the loop pointing at a buffer slot
the loop never wrote, leaving *cp holding stale stack data from
the earlier snprintf() of the outgoing CONNECT request. The
post-loop logic then wrote a single \0 one byte past the end of
the buffer on the stack. Reach is client-side only, and only when
RSYNC_PROXY is set so rsync tunnels an rsync:// connection
through an HTTP CONNECT proxy. The written byte is always \0
and the offset is fixed by the buffer size, not attacker-chosen,
so this is not an arbitrary-write primitive: practical impact is
corruption of one adjacent stack byte and possible later
misbehaviour or crash. The fix detects the "buffer filled without
finding \n" case explicitly by position and refuses the response
with "proxy response line too long". Reported by Aisle Research
via Michal Ruprich (rsync-3.4.1-2.el10 QE).
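The hardened shape of the line-reading loop that CVE-2026-45232 describes, as an added example for this page and not rsync's own socket.c code: a C reconstruction that consumes the proxy's first response line one byte at a time, detects the "buffer filled without finding \n" case by position and refuses it, driven from a constructed in-memory byte source standing in for the proxy socket. The function names, return codes and helpers are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#define LINE_BUF 1024   /* same size as the stack buffer described above */
enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2 };

/* Constructed in-memory byte source standing in for the proxy socket. */
struct src { const char *data; size_t len, pos; };
static int src_getc(struct src *s, char *c) {
    if (s->pos >= s->len) return 0;
    *c = s->data[s->pos++];
    return 1;
}

/* Hardened reader (a reconstruction for this example, not rsync's code).
 * It still reads one byte at a time, but the "filled without '\n'" case
 * is checked by position (cp == end) before storing, so the terminator
 * can never land past buf[bufsz - 1]. */
int read_response_line(struct src *s, char *buf, size_t bufsz) {
    char *cp = buf, *end = buf + bufsz - 1;   /* last slot reserved for '\0' */
    for (;;) {
        char c;
        if (!src_getc(s, &c)) return LINE_EOF;   /* proxy closed early */
        if (c == '\n') break;
        if (cp == end) return LINE_TOO_LONG;     /* "proxy response line too long" */
        *cp++ = c;
    }
    if (cp > buf && cp[-1] == '\r') cp--;        /* drop the CR of CRLF */
    *cp = '\0';
    return LINE_OK;
}

/* Helper: feed a constructed response and report the reader's status. */
int status_of(const char *data, size_t len) {
    struct src s = { data, len, 0 };
    char buf[LINE_BUF];
    return read_response_line(&s, buf, sizeof buf);
}

/* Helper: 1 if the response parses OK and the stored line equals expect. */
int line_equals(const char *data, size_t len, const char *expect) {
    struct src s = { data, len, 0 };
    char buf[LINE_BUF];
    return read_response_line(&s, buf, sizeof buf) == LINE_OK
        && strcmp(buf, expect) == 0;
}

/* Helper: status for a first line of n bytes of 'A', optionally
 * newline-terminated (the "1023+ bytes without a newline" shape). */
int long_line_status(size_t n, int with_newline) {
    char *p = malloc(n + 1);
    if (!p) return LINE_EOF;
    memset(p, 'A', n);
    if (with_newline) p[n] = '\n';
    int st = status_of(p, with_newline ? n + 1 : n);
    free(p);
    return st;
}
```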
In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts and
lengths in flist/io/acls/xattrs, a guard against length underflow in
cumulative snprintf() callers, a parent block-index bounds check on
the receiver, a NULL check in read_delay_line(), a lower ceiling on
MAX_WIRE_DEL_STAT to avoid signed-int overflow in the
read_del_stats() accumulator, rejection of hyphen-prefixed
remote-shell hostnames (defence-in-depth against argv-injection in
tooling that forwards untrusted input into the hostspec position;
reported by Aisle Research via Michal Ruprich), and a NULL-check on
localtime_r() in timestring() to keep a malicious server from
crashing the client by advertising a file with an out-of-range
modtime.
BUG FIXES:
Fixed a regression introduced by the 3.4.0 secure_relative_open()
CVE fix where legitimate directory symlinks on the receiver side
(e.g. when using -K / --copy-dirlinks) caused "failed
verification -- update discarded" errors on delta transfers. The
old code rejected every symlink in the path with a per-component
O_NOFOLLOW walk; the receiver now uses kernel-enforced "stay
below dirfd" path resolution where available. Fixes #715.
PORTABILITY / BUILD:
secure_relative_open() now uses
openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) on Linux 5.6+, and
openat() with O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+ (Sequoia) /
iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and
symlinks whose target lies outside the starting directory, while
still following symlinks that resolve within it -- the same
trade-off that fixes the #715 regression without weakening
the original CVE protection. Other platforms (Solaris, OpenBSD,
NetBSD, Cygwin) retain the previous per-component O_NOFOLLOW
walk; on those platforms the #715 regression remains
visible.
testsuite/xattrs: ignore SUNWattr_* in the Solaris xls helper.
DEVELOPER RELATED:
Added testsuite/symlink-dirlink-basis.test (taken from PR #864
by Samuel Henrique) covering the #715 regression and
several edge cases (--backup, --inplace, --partial-dir with
protocol < 29, top-level files). The test skips on
platforms without a RESOLVE_BENEATH equivalent.
Added regression tests for the new security fixes:
chmod-symlink-race.test, chdir-symlink-race.test,
bare-do-open-symlink-race.test, alt-dest-symlink-race.test,
copy-dest-source-symlink.test, sender-flist-symlink-leak.test,
secure-relpath-validation.test, daemon-chroot-acl.test and
daemon-refuse-compress.test. The symlink-race tests skip on
Cygwin, Solaris, OpenBSD and NetBSD (no RESOLVE_BENEATH
equivalent on those platforms).
runtests.py now errors early with a clear message when any of
the test helper programs (tls, trimslash, t_unsafe, t_chmod_secure,
t_secure_relpath, wildtest, getgroups, getfsdev) are missing,
instead of letting many tests fail with confusing "not found" errors.
Added OpenBSD and NetBSD CI jobs that run "make check" on those
platforms.
Added Ubuntu 22.04 and AlmaLinux 8 CI workflows so future
backports to the two mainstream LTS families build and test on
the same CI surface as trunk.
testsuite/protected-regular.test now runs unprivileged via
unshare with user-namespace UID mapping, falling back to skip if
unshare/uidmap is not available; previously it required real root.
Added symlink-dirlink-basis to the Cygwin CI's expected-skipped
list.
Removed the old release system (replaced by the new release
script in 3.4.2).