-NEWS for rsync version 2.5.8
-Protocol: 27 (changed)
-Changes since version 2.5.7:
-
- ENHANCEMENTS:
-
- * Added --files-from, --no-relative, --no-implied-dirs, and --from0.
- Note that --from0 affects the line-ending character for all the
- --*-from options. (Wayne Davison)
-
- * Length of csum2 is now per-file starting with protocol verison
- 27. (J.W. Schultz)
-
- * Per-file dynamic block size is now sqrt(file length).
- The per-file checksum size is determined according
- to an algorythm provided by Donovan Baarda which
- reduces the probability of rsync algorithm
- corrupting data and falling back using the whole md4
- checksums. (J.W. Schultz, Donovan Baarda)
-
- * The --stats option no longer includes the (debug) malloc summary
- unless the verbose option was specified at least twice.
+NEWS for rsync 2.6.3 (UNRELEASED)
+Protocol: 28 (unchanged)
+Changes since 2.6.2:
+
+ SECURITY FIXES:
+
+ - A bug in the sanitize_path routine (which affects a non-chrooted
+ rsync daemon) could allow a user to craft a pathname that would get
+ transformed into an absolute path for certain options (but not for
+ file-transfer names). If you're running an rsync daemon with chroot
+ disabled, *please upgrade*, ESPECIALLY if the user privs you run
+ rsync under is anything above "nobody".
+
+ OUTPUT CHANGES (ATTN: those using a script to parse the verbose output):
+
+ - Please note that the 2-line footer (output when verbose) now uses the
+ term "sent" instead of "wrote" and "received" instead of "read". If
+ you are not parsing the numeric values out of this footer, a script
+ would be better off using the empty line prior to the footer as the
+ indicator that the verbose output is over.
+
+ - The output from the --stats option was similarly affected to change
+ "written" to "sent" and "read" to "received".
+
+ - Rsync ensures that a filename that contains a newline gets mentioned
+ with each newline transformed into a question mark (which prevents a
+ filename from causing an empty line to be output).
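Review bot: The SECURITY FIXES entry for sanitize_path says a crafted pathname becomes an absolute path "for certain options" but never names them, so an admin running a non-chrooted daemon cannot tell from this text which options are exposed or what to audit. List the affected options explicitly, and say which release carries the fix, since the header still reads "2.6.3 (UNRELEASED)" and "please upgrade" has no concrete target yet. In the same entry, "the user privs you run rsync under is" should be "are", or reworded along the lines of: if the daemon runs as any user more privileged than "nobody". Separately, the 2.5.8 entries are removed wholesale by this hunk; confirm they are preserved elsewhere so the history of the protocol 27 changes is not lost.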