From: Wayne Davison Date: Sun, 31 Jul 2022 23:59:52 +0000 (-0700) Subject: The latest NEWS. X-Git-Tag: v3.2.5pre1~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43f70b961e92d88387fecd3c7f6dbefc044ce4a3;p=thirdparty%2Frsync.git The latest NEWS. --- diff --git a/NEWS.md b/NEWS.md index ecaac28c..4cb98a63 100644 --- a/NEWS.md +++ b/NEWS.md @@ -2,9 +2,34 @@ ## Changes in this version: +### SECURITY FIXES: + +- Added some file-list safety checking that helps to ensure that a rogue + sending rsync can't add unrequested top-level names and/or include recursive + names that should have been excluded by the sender. This extra safety check + only requires the client side rsync to be udateed. When dealing with an + untrusted sending host using an older rsync, it is safest to copy into a + dedicated destination directory for the remote content (i.e. don't copy into + a destination directory that contains files that aren't from the remote + host unless you trust the remote host). Fixes CVE-2022-29154. + ### BUG FIXES: -- ... +- Fixed the configure check for signed char that was causing a host that + defaults to unsigned characters to generate bogus rolling checksums. This + made rsync send mostly literal data for a copy instead of finding matching + data in the receiver's basis file. + +### PACKAGING RELATED: + +- The build date that goes into the manpages is now based on the developer's + release date, not on the build's local-timezone interpretation of the date. + +### DEVELOPER RELATED: + +- Configure now looks for the bsd/string.h include file in order to fix the + build on a host that has strlcpy() in the main libc but not defined in the + main string.h file. ------------------------------------------------------------------------------
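Review bot: In the new SECURITY FIXES entry, "only requires the client side rsync to be udateed" contains a typo and should read "updated". In the same entry, "When dealing with an untrusted sending host using an older rsync" is ambiguous about which side is running the older rsync. Since the preceding sentence says only the client side needs the update, the advice about a dedicated destination directory presumably applies when the local client is the older one, and the sentence should say so directly, for example "If your client rsync is older and the sending host is untrusted, ...". The parenthetical "(i.e. don't copy into a destination directory that contains files that aren't from the remote host unless you trust the remote host)" carries the actual mitigation and would be easier to find as its own sentence than inside parentheses.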