- * Fixed a bug in the handling of -H (hard-links) that might
- cause the expanded PATH/NAME value of the current item to
- get overwritten (due to an expanded-name caching bug).
- (Wayne Davison)
+\f
+NEWS for rsync 2.6.3 (30 Sep 2004)
+Protocol: 28 (unchanged)
+Changes since 2.6.2:
+
+ SECURITY FIXES:
+
+ - A bug in the sanitize_path routine (which affects a non-chrooted
+ rsync daemon) could allow a user to craft a pathname that would get
+ transformed into an absolute path for certain options (but not for
+ file-transfer names). If you're running an rsync daemon with chroot
+ disabled, *please upgrade*, ESPECIALLY if the user privs you run
+ rsync under is anything above "nobody".
+
+ OUTPUT CHANGES (ATTN: those using a script to parse the verbose output):
+
+ - Please note that the 2-line footer (output when verbose) now uses the
+ term "sent" instead of "wrote" and "received" instead of "read". If
+ you are not parsing the numeric values out of this footer, a script
+ would be better off using the empty line prior to the footer as the
+ indicator that the verbose output is over.