Rsync CVE-2024-12084 and CVE-2024-12085: Fedora 41 still on rsync <3.4.0

Hello,

Maybe not everyone noticed that CVE-2024-12084 and CVE-2024-12085 ultimately allow remote code execution (RCE), and Fedora 41 has still been on rsync <3.4.0 for 4+ days.

There are multiple regressions in versions 3.4.0 and 3.4.1, which I vote for at FEDORA-2025-ec87287710 — security update for rsync — Fedora Updates System and FEDORA-2025-3ec637e6e9 — security update for rsync — Fedora Updates System.

Now what? Still waiting for 3.4.2?

I find it interesting that one downvote seems to be enough?!

Disclaimer: I’m not a security expert nor a maintainer!

I hope this reaches the right people and trust in Fedora can be strengthened.

No, a single downvote is (almost never) enough. Whether negative feedback is enough to withdraw an update is up to the package maintainer. In this case:

Pushing to stable due to a bigger amount of CVEs that are waiting to be fixed. I will file a separate bug for the regression and deal with it in next update.

See FEDORA-2025-3ec637e6e9 — security update for rsync — Fedora Updates System
