[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Fwd: Tarsnap 1.0.41
- To: tarsnap alphatesters <tarsnap-alphatest@tarsnap.com>
- Subject: Fwd: Tarsnap 1.0.41
- From: Colin Percival <cperciva@tarsnap.com>
- Date: Fri, 21 Mar 2025 10:13:17 -0700
- Autocrypt: addr=cperciva@tarsnap.com; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFAdGFyc25hcC5jb20+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSyYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT+i Yg/+PYyJNoFuygtV5t/skcjYmvEC93mnazEvh+x99vGYZnGKeJ8NDOF4QCUzeHquOWxDi8Zl reXyswKcrIquPxxX6+YyGe97VbvLnez3ksfzOYRj1F4qV0Rq8ZNK51+bvIrbcS3SfDaRioAk D7WWwFor8y/hSwxYkfsKbtP5PRcem20JUxuC085zqWLaKv5t5n2CBzAGMjwJaQ3tM3AXVwWJ uJaHA6ot/6fntJlmkfcyCYyyr0D6b0guRj3STbZ2hNn5o2AI+f6LJJ31s2sPFjl6rs7fORf3 hFSNOHDd2HxfVBXFdQy24ROkC4orBBz2xh9GScjxxT/hbXkfufkubFubw7n0HkvHzA3UF+Qq A8JiI3n+d7ocsP0/5BQ2sZdeqPGJgHx6RkAMuW1tJ29wSvCN1qMgFwhYkpQdfvHlociQrimU fvlRfSrBEe8o7tvIuEdpvwvCZSTJqQbVoMw8UHFE7nzyCXUSab5h6PbjakCqim13ekVO2KFF TTPcz5o5jEeUY75tzbIwcDfFbT5KqNjWy06TVdM9VEJDHSfOfxHR3kSEwZ+tT2aTvL3grsUn gFwSNcj4Cl4CRFfUw8zVZY+7O7RiMlhBqykikvUurrdGKc1Scwa0yuppdA6eVvylyTWSQGrQ +uLWtV1LUKN7ZqKJWBkLPt9nS4XZWGyBvxOHYqjOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw==
- In-reply-to: <af5e196d-e9ef-4a46-99d4-d786cbfd6e38@tarsnap.com>
- References: <af5e196d-e9ef-4a46-99d4-d786cbfd6e38@tarsnap.com>
Hi alphatesters,
Please note that contrary to normal practice, 1.0.41 is not exactly the
same as 1.0.40.99 -- I added some security-related commits (mitigations
for a chosen-plaintext attack on the chunking algorithm, see the first
bullet point below) before I rolled the release.
So please update to 1.0.41 even if you're already running 1.0.40.99. :-)
Colin Percival
-------- Forwarded Message --------
Subject: Tarsnap 1.0.41
Date: Fri, 21 Mar 2025 10:01:59 -0700
From: Colin Percival <cperciva@tarsnap.com>
To: tarsnap-announce@tarsnap.com
Hi all,
Tarsnap 1.0.41 is now available. This version brings a security improvement
and several new features compared to tarsnap 1.0.40:
* [security] Tarsnap now has mitigations to defend against information leakage
via chunking: Chunks are padded using the PADME scheme, and small-alphabet
cycles are prohibited in chunking to block a chosen-plaintext attack. For
more details on the attack, see my blog post
https://www.daemonology.net/blog/2025-03-21-Chunking-attacks-on-Tarsnap.html
and the paper
"Chunking Attacks on File Backup Services using Content-Defined Chunking"
which should be available on the Cryptology ePrint Archive shortly.
* tarsnap -c now accepts --dry-run-metadata, which simulates creating an
archive without reading any file data. This is significantly faster than a
regular --dry-run, and is suitable for checking which filesystem entries
will be archived (with -v) or checking the total archive size (with --totals
or --progress-bytes).
* tarsnap now accepts --noatime with -c mode, which requests that the
operating system does not update atime when reading files or directories.
Not supported by all operating systems or filesystems.
* If the server-side state was modified and tarsnap exits with an error, it
will now have an exit code of 2.
* tarsnap will read a config file in $XDG_CONFIG_HOME/tarsnap/tarsnap.conf;
or ~/.config/tarsnap/tarsnap.conf if $XDG_CONFIG_HOME is not set. The
previous config file ~/.tarsnaprc is still supported, and will not be
deprecated.
* tarsnap now accepts --null-input as a synonym for --null. For compatibility
reasons, --null is still supported, and will not be deprecated.
* tarsnap now accepts --null-output with --print-stats, --list-archives, -x,
and -t, which produces NUL-separated output from those commands.
* A bug in tarsnap's scrypt code which caused a self-test failure when
tarsnap is compiled on gcc and passphrased key files are used on systems
without SSE2 (e.g. non-x86 systems) has been fixed.
As usual, there are also lots of minor build fixes, harmless bug fixes, and
code cleanups.
The new release is available from the usual location
https://www.tarsnap.com/download.html
and the full set of changes can be see in the git repository:
https://github.com/tarsnap/tarsnap
Users of the .deb packages we ship should find that their systems can now
fetch tarsnap 1.0.41. Users of other packaging systems (FreeBSD / NetBSD
/ OpenBSD / Homebrew / MacPorts / Gentoo / OpenSUSE / etc.) should be able
to fetch tarsnap 1.0.41 once the maintainers of the respective ports have
updated them.
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid