
Re: Tarsnap 1.0.36
On 08/21/15 20:46, Andrei Zvonimir Crnkovic wrote:
> when will the update be available on homebrew?

I'm not sure... I don't know who did the homebrew packaging of tarsnap,
either.  Does anyone else know?

Colin Percival

> 
> Thanks!
> 
> 
>> On 21 Aug 2015, at 15:57, Colin Percival <cperciva@tarsnap.com> wrote:
>>
>> In case anyone is not subscribed to the announce list: Tarsnap 1.0.36 is
>> now available, and you should probably upgrade. (GPG signed announcement
>> email at http://mail.tarsnap.com/tarsnap-announce/msg00032.html )
>>
>> Colin Percival
>>
>> -------- Forwarded Message --------
>> Subject: Tarsnap 1.0.36
>> Date: Fri, 21 Aug 2015 06:51:16 -0700
>> From: Colin Percival <cperciva@tarsnap.com>
>> To: tarsnap-announce@tarsnap.com
>>
>> Hi all,
>>
>> Tarsnap 1.0.36 is now available.  Due to the presence of security fixes (and
>> some fairly significant bug fixes) upgrading is strongly recommended.  This
>> new version brings:
>>
>> 1. SECURITY FIX: When constructing paths of objects being archived, a buffer
>> could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
>> paths. Theoretically this could be exploited by an unprivileged user whose
>> files are being archived; I do not believe it is exploitable in practice,
>> but I am offering a $1000 bounty for the first person who can prove me wrong:
>> http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html
>>
>> 2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
>> and control of the tarsnap service, could make tarsnap allocate a large
>> amount of memory upon listing archives or reading an archive the attacker
>> created; on 32-bit machines, tarsnap can be caused to crash under the
>> aforementioned conditions.
>>
>> 3. BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails.
>>
>> 4. BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when
>> running on a dual-stack network if the first IP stack it attempts fails to
>> connect.
>>
>> 5. tarsnap now avoids opening device nodes on Linux if it is instructed to
>> archive /dev/.  This change may prevent "watchdog"-triggered reboots.
>>
>> 6. tarsnap -c --dry-run can now run without a keyfile, allowing users to
>> predict how much Tarsnap will cost before signing up.
>>
>> 7. tarsnap now has bash completion scripts.
>>
>> 8. tarsnap now takes a --retry-forever option.
>>
>> 9. tarsnap now automatically detects and uses AESNI and SSE2.
>>
>> As usual, there are also many minor build fixes, harmless bug fixes, and code
>> refactoring / cleanup changes.  For a full listing of changes, consult the
>> tarsnap git repository: https://github.com/Tarsnap/tarsnap
>>
>> The new release is available from the usual location:
>>  https://www.tarsnap.com/download.html
>>
> 
> 
> 

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
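An added illustration of the bug class described in item 1 of the quoted announcement; this is not Tarsnap's code, and the power-of-two buffer sizing is a hypothetical reconstruction of how a path buffer can come up exactly one byte short at 1024, 2048, 4096... byte paths when the NUL terminator is not counted. It shows the buggy sizing beside the corrected one and a bounds-checked join that refuses to truncate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical: grow a path buffer in power-of-two steps, starting at 1024. */
static size_t round_pow2(size_t n) {
    size_t cap = 1024;
    while (cap < n) cap *= 2;
    return cap;
}

/* Buggy sizing: reserves room for the path bytes but not the terminating NUL.
 * For a 1024-byte path this returns 1024, so the NUL lands at index 1024,
 * one byte past the end of the buffer. */
size_t capacity_buggy(size_t pathlen) { return round_pow2(pathlen); }

/* Fixed sizing: count the terminator before rounding up. */
size_t capacity_fixed(size_t pathlen) { return round_pow2(pathlen + 1); }

/* Returns 1 if writing pathlen bytes plus NUL into capacity bytes overflows. */
int would_overflow(size_t pathlen, size_t capacity) {
    return pathlen + 1 > capacity;
}

/* Safe join of dir + "/" + name into a heap buffer sized with capacity_fixed.
 * snprintf is bounded by the capacity; any truncation is treated as an error
 * rather than silently producing a wrong path. Caller frees the result. */
char *join_path(const char *dir, const char *name) {
    size_t need = strlen(dir) + 1 + strlen(name);   /* bytes excluding NUL */
    size_t cap = capacity_fixed(need);
    char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    int n = snprintf(buf, cap, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= cap) { free(buf); return NULL; }
    return buf;
}

/* Constructs a path of exactly total_len bytes through join_path and returns
 * its length (0 on failure), to probe the 1024/2048/4096 boundaries. */
size_t probe_exact_length(size_t total_len) {
    if (total_len < 2) return 0;
    char *dir = malloc(total_len);           /* holds total_len-2 'a's + NUL */
    if (dir == NULL) return 0;
    memset(dir, 'a', total_len - 2);
    dir[total_len - 2] = '\0';
    char *p = join_path(dir, "b");           /* (total_len-2) + "/" + "b" */
    size_t out = p ? strlen(p) : 0;
    free(p);
    free(dir);
    return out;
}
```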