Please test tarsnap 1.0.36

Hi all,

A potential version 1.0.36 of the Tarsnap client code is ready for testing.

You can find the new code at
and the tarball has SHA256 hash
  c1230f29054ce68fb3fe43712942f38583bd715a32c003e4a4ff96cf66ff7c8b .

You can also see all the changes between 1.0.35 and this version in the
newly-public git repository at

Substantive changes in this code compared to tarsnap 1.0.35:

SECURITY: An attacker with a machine's write keys, or with read keys and
control of the tarsnap service, can make tarsnap allocate a large amount of
memory upon listing archives or reading an archive the attacker created; on
32-bit machines, tarsnap can be caused to crash under the aforementioned

BUG FIX: Tarsnap no longer crashes if its first DNS lookup fails.

BUG FIX: Tarsnap no longer exits with "Callbacks uninitialized" when running
on a dual-stack network if the first IP stack it attempts fails to connect.

New features:
* tarsnap -c --dry-run can now run without a keyfile, allowing users to
predict how much Tarsnap will cost before signing up.

* tarsnap now has bash completion scripts.

* tarsnap now takes a --retry-forever option.

* tarsnap now automatically detects and uses AESNI and SSE2.

And as usual, lots of minor build fixes, harmless bug fixes, and code
refactoring / cleanups.

Assuming I don't get any emails complaining that something is broken, I'll
be releasing this officially as version 1.0.36 in about a week.  As always,
if you find any newly introduced bugs before the official release, you'll
be eligible for double the normal Tarsnap bug bounties.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid