-NEWS for rsync 2.6.1 (UNRELEASED)
-Protocol: 27 (unchanged)
-Changes since 2.6.0:
-
- ENHANCEMENTS:
-
- * Lower memory use and more optimal transfer of data over
- the socket (see the INTERNAL section for details).
-
- * The RSYNC_PROXY environment variable can now contain a
- "USER:PASS@" prefix before the "HOST:PORT" information.
- (Bardur Arantsson)
-
- * The --progress output now mentions how far along in the
- transfer we are, including both a count of files transferred
- and a percentage of the total file-count that we're processed.
-
- BUG FIXES:
-
- * When -x (--one-file-system) is combined with -L (--copy-links)
- or --copy-unsafe-links, no symlinked files are skipped, even
- if the referant file is on a different filesystem.
-
- * The --link-dest code now works properly for a non-root user
- when the UIDs of the source and destination differ and -o was
- specified, and when the group of the source can't be used on
- the destination and -g was specified. (Wayne Davison)
-
- * Fixed a bug in the handling of -H (hard-links) that might
- cause the expanded PATH/NAME value of the current item to
- get overwritten (due to an expanded-name caching bug).
- (Wayne Davison)
+NEWS for rsync 2.6.3 (UNRELEASED)
+Protocol: 28 (unchanged)
+Changes since 2.6.2:
+
+ SECURITY FIXES:
+
+ - A bug in the sanitize_path routine (which affects a non-chrooted
+ rsync daemon) could allow a user to craft a pathname that would get
+ transformed into an absolute path for certain options (but not for
+ file-transfer names). If you're running an rsync daemon with chroot
+ disabled, *please upgrade*, ESPECIALLY if the user privs you run
+ rsync under is anything above "nobody".
+
+ OUTPUT CHANGES (ATTN: those using a script to parse the verbose output):
+
+ - Please note that the 2-line footer (output when verbose) now uses the
+ term "sent" instead of "wrote" and "received" instead of "read". If
+ you are not parsing the numeric values out of this footer, a script
+ would be better off using the empty line prior to the footer as the
+ indicator that the verbose output is over.
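Review bot: The SECURITY FIXES entry says the sanitize_path bug turns a crafted pathname into an absolute path "for certain options" but never names those options, so an admin of a non-chrooted daemon cannot tell from this text which parts of their setup are exposed. Either list the affected options or state plainly that every daemon running with chroot disabled should be treated as affected. It would also help to name the rsyncd.conf setting meant by "chroot disabled" (use chroot = no) so readers can check their config directly. There is a small grammar slip in the same entry: "the user privs you run rsync under is" should be "are". In the OUTPUT CHANGES entry, consider quoting the old and new footer lines side by side, since the note is aimed at people maintaining parsing scripts and the current wording only names the changed terms.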