Package: rsync Version: 3.2.7-1+deb12u1 Severity: serious Justification: renders package unusable in common use cases (backup server) Control: notfound -1 3.2.7-1 Control: found -1 3.2.7-1+deb12u2 Control: notfound -1 3.3.0+ds1-2 Control: found -1 3.3.0+ds1-3 Control: found -1 3.4.1+ds1-3 Control: affects dirvish Hi, I ran into this problem after upgrading a system from Debian 11 to Debian 12, and trying to back it up using dirvish (that uses rsync with --link-dest). A minimal reproducer is attached, to be executed with: # rsync -vlr --link-dest=/path-to/link-dest/ root@localhost:/path-to/source/ /path-to/dest/ This fails with: ---------------------------------------->8 receiving incremental file list created directory /root/rsync/dest libcrypt-dev/ libcrypt-dev/TODO.md.gz WARNING: libcrypt-dev/TODO.md.gz failed verification -- update discarded (will try again). libcrypt-dev/copyright WARNING: libcrypt-dev/copyright failed verification -- update discarded (will try again). libcrypt-dev/other_file_in_both libcrypt-dev/other_file_in_source libcrypt-dev/TODO.md.gz ERROR: libcrypt-dev/TODO.md.gz failed verification -- update discarded. libcrypt-dev/copyright ERROR: libcrypt-dev/copyright failed verification -- update discarded. sent 499 bytes received 7,860 bytes 16,718.00 bytes/sec total size is 8,292 speedup is 0.99 rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1852) [generator=3.4.0] ---------------------------------------->8 I don't fully understand the issue (why does it affect TODO.md.gz and copyright, but not 'other_file_in_both'?) I bisected using snapshot.d.o. The problem was introduced between 3.2.7-1 and 3.2.7-1+deb12u1, or between 3.3.0+ds1-2 and 3.3.0+ds1-3. It affects the version in testing. I wondered about severity:important vs severity:serious, but decided for serious since I did not understand the impact of this issue (due to not understanding the issue). Workarounds include hacking the 'link-dest' dir to remove the problematic files. Lucas
I had the same problem with 3.4.1+ds1-5+deb13u1 on both source and destination with a single file among 500k. Adding -W fixed the problem. When trying to replicate the bug in order to create a minimal example, I failed and could not reproduce it at all.
We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1093160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Samuel Henrique <samueloph@debian.org> (supplier of updated rsync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 09:50:10 -0300
Source: rsync
Architecture: source
Version: 3.4.2+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Samuel Henrique <samueloph@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 1093160
Changes:
rsync (3.4.2+ds1-2) unstable; urgency=medium
.
* d/p/syscall_use_openat2...: New patch to fix symlink handling on the
receiver (closes: #1093160)
Checksums-Sha1:
e38b3307d8d0e220b5a1588b72a90478d61ffa13 2156 rsync_3.4.2+ds1-2.dsc
1a29a6f4a8c8129ad170f21dd1a058c53f7e436e 655380 rsync_3.4.2+ds1.orig.tar.xz
c76c1229801833f8b30a900b357399b9b75c0472 37844 rsync_3.4.2+ds1-2.debian.tar.xz
e3021290b000268f88df83bb681e7bb40e4349b4 6862 rsync_3.4.2+ds1-2_amd64.buildinfo
Checksums-Sha256:
1455d4845be8e7a8f96666328151f80ec982c7c38abae8c4d94740d02a735dc6 2156 rsync_3.4.2+ds1-2.dsc
0cc3e28aa7d2e735ede35f9b49b57171c375215bb533d03df7b795961704476f 655380 rsync_3.4.2+ds1.orig.tar.xz
dc9810cb07dd9d764cbf92227b5afce4c6ec4a9f7f17686422c93dfe971ef96b 37844 rsync_3.4.2+ds1-2.debian.tar.xz
149ec47a8294576d51b85013b8ec2475e44a50e154fe156bb32683992c358328 6862 rsync_3.4.2+ds1-2_amd64.buildinfo
Files:
c1834652f4297cae16f548912290dd42 2156 net optional rsync_3.4.2+ds1-2.dsc
0a90fe592f3ed3ebbd1c45831e6df830 655380 net optional rsync_3.4.2+ds1.orig.tar.xz
21cdaf735f2fb30ef64afd16731f2ddf 37844 net optional rsync_3.4.2+ds1-2.debian.tar.xz
a81ddc87edca8d96e65a6a9b210542f4 6862 net optional rsync_3.4.2+ds1-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmnzUYUACgkQu6n6rcz7
RwcfhhAA0xgo1WWxKq+FZTYbSPlarwcjifOsuj8uUI+FME2uNEnqMoHPMuFLFB0g
RJij3wmZ2N6TtvqbrDJpmTko8IlkrkMlW2KVdOVj6Ct57f/BYVSpmWW9ZhVhWcG9
EmaBtmmtgacbrs6xLoZdkQ6pWlOhov15WZgSu4qngWrrA4pLXu3b3lbI3BZzFd/b
m1gC740Un/AKNYh/RSHQBk6glaKkjjRwHDYaEpZxS4D0LK+RO5VzSKNR0pU9gL9P
S3ICg9MOXxviFbQA39sBLievShT0iqT+Pln2krkc8qo3x2Z4YDZy5oMKnp7GapEZ
sTfFZRWfxua/sO6ZIhSf6WHWU+8jm4r8E88O0kHzdZyh3yOwTu4XAZbFUHA6wkdD
Uza7uYKO8g1jEP9Ag5cAbKArU2/F66UJJhNhaEpK1QdlLtcoz0TVlGFErsfWSd1G
Ibd6Ij91azhXyjKiejXyRjcPNnzfpO9+lfXH7aCtsk5gnm9La30qPHFrgP2AvY5/
6KqvzklEbX2owy4AYv3NcjLTl79BtsH8SuT5jiyHL4rg0bBsxb9CQcG/BHPOdXLw
2pEgwdU0Y3IA3kqCd9uoHrD9VwTibk/qJgRvtdUpCAINet3bUJKULKKLZw76IR2l
KW4nmUvDyr34WIIaH8J18yZ3bbM4m6kNQMIANln1/EMl6N98j3Q=
=pAxH
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1093160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Samuel Henrique <samueloph@debian.org> (supplier of updated rsync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Apr 2026 10:05:39 -0300
Source: rsync
Architecture: source
Version: 3.4.1+ds1-5+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Samuel Henrique <samueloph@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 1093160
Changes:
rsync (3.4.1+ds1-5+deb13u2) trixie; urgency=medium
.
* d/p/syscall_use_openat2...: New patch to fix symlink handling on the
receiver (closes: #1093160)
* Add patch for CVE-2026-41035
Checksums-Sha1:
61840aecd8b74687fb2396c2bcdf7a9132991e8d 2224 rsync_3.4.1+ds1-5+deb13u2.dsc
0afa2bd51aad7d236910c4144aa01963cdb4eb3a 646840 rsync_3.4.1+ds1.orig.tar.xz
aca0546d9d22f8a353fc4f9e45a676600c1cb6e7 40620 rsync_3.4.1+ds1-5+deb13u2.debian.tar.xz
60ac34346fe01cc2740359b81927f71b053991d2 6959 rsync_3.4.1+ds1-5+deb13u2_amd64.buildinfo
Checksums-Sha256:
0f80ada223dc21c23620cd84854a518ae3041304532f3faa939be26b5a367874 2224 rsync_3.4.1+ds1-5+deb13u2.dsc
bb9e2dda7e79d9639bc04bdafff6bb0b06a606ed915358b574696384215c9e5c 646840 rsync_3.4.1+ds1.orig.tar.xz
3dec355dba485a786cd94052c453dfe0ffb63f3b1e84871a05a991f52ea2e20d 40620 rsync_3.4.1+ds1-5+deb13u2.debian.tar.xz
ff230621516a16295f78fcc3e0aa52bb5da4078602f5af5642c4f8349c27d8b3 6959 rsync_3.4.1+ds1-5+deb13u2_amd64.buildinfo
Files:
e9bde6c03747026fcb4ee0bf85d0db9c 2224 net optional rsync_3.4.1+ds1-5+deb13u2.dsc
6ed869a0c4012385c8da8cc272cab3b8 646840 net optional rsync_3.4.1+ds1.orig.tar.xz
2cf7b6e2569cc09179c539859a6c841c 40620 net optional rsync_3.4.1+ds1-5+deb13u2.debian.tar.xz
d03a2eaefb95bfeef30a21632d90ae13 6959 net optional rsync_3.4.1+ds1-5+deb13u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmn8iv8ACgkQu6n6rcz7
RwdVFQ//W2uvu+OcCqMC2lNCDgIN5A5e12a2umNy6+hZLo/IHjf/5tawXBKzRafb
VseufG6SxY/h8sJap7GB2SPYByVO6f8amkk5o7dh+YBBRfxkjEJYWe2BeCZSwBCd
qB3xrrxZeqDcSIQvfvE3kwJfzDLg0sCzHqjmlZoYtj3bREZ4YDDPmH8FdYiumipq
qa7vmcoZrmOBMquBut8NQPfSds+V95lVWig8BNOaZGFWFq1KuuowEvNl4UwRpCJn
SV0yb9gn3YGfekLgz7Ef5cUvsY8I7g37lDLN8WX/cbApWfJVNdgA5ZLBhe0vWUTR
jYVO/6ra7lFv20BMM8V4h0NWi6862Xz3JC21nU2z0IQgzQOnl+agEGciV3DjW+Hz
z+4cj384fMBcD0CX2Tgv7iz6kNsbZUX+FOz7Fl3FndKTD/ct3y9LLmVUz41UHu2O
wzAiON1wICaOL7dS6Jh8s4Y8QR0/jdtiRfirsp+MZOqIyP+tk4WPs729FNbWqbP8
e3/phZHQmHRaX3mYopFWaKZ13J07O9pHYIlwBMqFD6IFjLtn3tuFbbQkTHF5gm7t
YZs/313+T87J7psL81+7TJKeDHQvToKboya2gyCgA+LcZp6ulV0Bxp8hJSM4XJ3t
JxfnEbXe2WBH0D6cTyH0ELiRCd8mgOdK4scf/7Wx92Bh21QSkBw=
=olE5
-----END PGP SIGNATURE-----