The latest rsync version 3.4.0 fixes a wide variety of CVEs:
- CVE-2024-12084 - Heap buffer overflow in checksum parsing.
- CVE-2024-12085 - Info leak via uninitialized stack contents defeats ASLR.
- CVE-2024-12086 - Server leaks arbitrary client files.
- CVE-2024-12087 - Server can make the client write files outside of the destination directory using symbolic links.
- CVE-2024-12088 - `--safe-links` bypass.
- CVE-2024-12747 - Symlink race condition.
See the upstream release notes: https://download.samba.org/pub/rsync/NEWS#3.4.0
The latest action version 7.0.2 uses rsync 3.4.0, so please update to it.
- Added `set -euo pipefail` to ensure the script exits on errors, undefined variables, or failed pipelines.
- Enhanced error handling for SSH agent start and key addition, with clear error messages.
- Replaced `echo` with `printf` for more reliable and formatted output.
- Introduced optional legacy RSA hostkey handling based on input parameters.
- Improved overall script readability with clearer variable names and structured conditionals.
- Pin @JoshPiper [drinternet/rsync](https://github.com/JoshPiper/rsync-docker) image by SHA-256 hash rather than version. (Immutability)
Added via #60
The Docker image of this action is now pinned to the SHA-256 digest of a specific image version rather than to the version tag alone.
For the current `drinternet/rsync:v1.4.4`, the pinned reference is `drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`.
You can verify the digest on Docker Hub: https://hub.docker.com/layers/drinternet/rsync/v1.4.4/images/sha256-15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
This makes use of the action more secure through a consistent dependency chain of trust: an image referenced by its digest is immutable, whereas a tag can later be pointed at different content.
Thanks to @XComp
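Both the entrypoint hardening items listed above (strict mode, `printf` output, explicit error handling around `ssh-agent` and key addition, no empty `remote_path`) and the digest pinning just described come down to a few shell patterns. The script below is an added example written for this page, not the action's own entrypoint or the image maintainer's code: it shows a strict-mode preamble, `printf`-based logging, failure with a clear message at each SSH agent step, rejection of empty inputs, and a pre-flight check that an image reference is pinned by `sha256` digest rather than by tag. The function names and the sample inputs are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the action's own entrypoint). Demonstrates the hardening
# pattern from the release notes; function names and inputs are hypothetical.

set -eu
# pipefail is not POSIX; turn it on only where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# printf gives predictable output; echo's handling of flags and escapes varies
# between shells, which matters when a key or path starts with "-n" or "\".
log() { printf '[deploy] %s\n' "$*" >&2; }
die() { log "ERROR: $*"; exit 1; }

# Return 1 with a message when a required input is empty, instead of letting an
# empty remote_path reach rsync and produce a surprising destination.
require_nonempty() {
  if [ -z "${2-}" ]; then
    log "input '$1' must not be empty"
    return 1
  fi
  return 0
}

# Accept only references of the form name[:tag]@sha256:<64 hex digits>.
# A tag can later be re-pointed to different content; a digest cannot.
is_digest_pinned() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?@sha256:[0-9a-f]{64}$'
}

# Print the digest part of a pinned reference, or an empty line if unpinned.
digest_of() {
  if is_digest_pinned "$1"; then
    printf '%s\n' "${1##*@}"
  else
    printf '\n'
  fi
}

# Start an agent and load the deploy key from stdin, failing loudly at each
# step rather than running rsync later with no usable identity.
# Takes the private key material as its first argument.
setup_agent() {
  agent_env=$(ssh-agent -s) || die "could not start ssh-agent"
  eval "$agent_env" >/dev/null
  printf '%s\n' "$1" | ssh-add - || die "could not add the deploy key to ssh-agent"
  log "ssh-agent started and key loaded"
}

# Pre-flight: refuse to proceed with an unpinned image reference.
# Takes the image reference as its first argument.
assert_pinned_image() {
  is_digest_pinned "$1" || die "image reference '$1' is not pinned by sha256 digest"
  log "image pinned to $(digest_of "$1")"
}
```

Typical use in an entrypoint would be `require_nonempty remote_path "$INPUT_REMOTE_PATH"`, then `setup_agent "$INPUT_REMOTE_KEY"` before invoking rsync; `assert_pinned_image` is the kind of check a repository linter can run over the `image:` value in `action.yml`. Under `set -e`, `require_nonempty` is meant to be called as a condition (`if require_nonempty ...` or `... || die`), so a failed check stops the script with the message rather than continuing silently.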
- All versions 4.x are now EOL and no longer maintained
- All versions 5.x are now DEPRECATED and will become EOL within Q2 2024
- All versions 6.x are now MAINTENANCE and will become DEPRECATED within Q4 2024
- It is no longer possible to use an empty string as `remote_path` (Fixes #44) (Thanks to @maximilliangeorge)
- Updated checkout action in examples from v2 to v3
- Added disclaimer to media site-links
- Overall readme improvements