Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA.
Affected versions are 3.4.2 and earlier in every case.
In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths:

- bounded wire-supplied counts and lengths in flist/io/acls/xattrs;
- a guard against length underflow in cumulative snprintf() callers
  (snprintf() returns the length the output would have had, not the bytes
  actually written, so one truncated call can push a running offset past
  the end of the buffer and turn the next remaining-space computation into
  a huge unsigned value);
- a parent block-index bounds check on the receiver;
- a NULL check in read_delay_line();
- a lower ceiling on MAX_WIRE_DEL_STAT to avoid signed-int overflow in
  the read_del_stats() accumulator;
- rejection of hyphen-prefixed remote-shell hostnames, as defence-in-depth
  against argv injection in tooling that forwards untrusted input into the
  hostspec position (reported by Aisle Research via Michal Ruprich);
- a NULL check on localtime_r() in timestring(), so a malicious server
  cannot crash the client by advertising a file with an out-of-range
  modtime.
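As an added example (not rsync's own code), the following C shows two of the
hardening items above in isolation: the cumulative snprintf() length bug with
a hardened appender that clamps the running offset and a guard-byte check that
proves the buffer is never overrun, and a minimal hyphen-prefixed hostname
rejection. The helper names (append_fmt, build_hostspec, hostname_is_safe),
the 16-byte buffer size and the sample hostspec strings are assumptions made
for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * The unsafe idiom (not executed here, it is undefined behaviour):
 *
 *     size_t len = 0;
 *     len += snprintf(buf + len, size - len, ...);   // truncates, returns 19
 *     len += snprintf(buf + len, size - len, ...);   // size - len wraps
 *
 * snprintf() returns the length the full output WOULD have had, so after a
 * truncation `len` exceeds `size`, buf + len points past the buffer and the
 * "remaining space" argument becomes a near-SIZE_MAX value.
 */

/* The arithmetic the naive idiom performs after a truncation: a 16-byte
 * buffer with a running length of 19 yields a wrapped "remaining" size. */
static size_t naive_remaining(size_t size, size_t len)
{
    return size - len;
}

/* Hardened appender (hypothetical helper, not rsync's): formats into buf at
 * offset *len, never writes beyond size bytes, keeps the buffer
 * NUL-terminated, clamps *len to size - 1 on truncation and returns -1 if
 * anything was truncated or the state was already invalid. */
static int append_fmt(char *buf, size_t size, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0 || *len >= size)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *len, size - *len, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                  /* encoding error: leave *len alone */
    if ((size_t)n >= size - *len) {
        *len = size - 1;            /* position of the terminating NUL */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Builds "user@host:path" with the hardened appender. Returns the stored
 * length and sets *truncated if any piece did not fit. */
static int build_hostspec(char *out, size_t size, const char *user,
                          const char *host, const char *path, int *truncated)
{
    size_t len = 0;
    int rc = 0;

    if (size == 0)
        return -1;
    out[0] = '\0';
    rc |= append_fmt(out, size, &len, "%s@", user);
    rc |= append_fmt(out, size, &len, "%s:", host);
    rc |= append_fmt(out, size, &len, "%s", path);
    *truncated = (rc != 0);
    return (int)len;
}

/* Everything fits: the result is exactly "alice@host:/x" (13 bytes). */
static int build_fits(void)
{
    char out[64];
    int trunc = -1;
    int n = build_hostspec(out, sizeof out, "alice", "host", "/x", &trunc);
    return n == 13 && trunc == 0 && strcmp(out, "alice@host:/x") == 0;
}

/* Constructed overlong input into a 16-byte buffer followed by guard bytes:
 * the build must report truncation, stay NUL-terminated at byte 15 and
 * leave every guard byte untouched. */
static int guard_survives(void)
{
    struct { char buf[16]; unsigned char guard[8]; } s;
    int trunc = -1;
    size_t i;

    memset(s.guard, 0xAA, sizeof s.guard);
    build_hostspec(s.buf, sizeof s.buf, "alice", "backup.example.org",
                   "/srv/data/very/long/path", &trunc);
    for (i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0xAA)
            return 0;
    return trunc == 1 && strlen(s.buf) == sizeof s.buf - 1;
}

/* Hostspec guard: a remote-shell hostname starting with '-' would be parsed
 * as an option (e.g. -oProxyCommand=...) by ssh if a wrapper forwards it
 * into the hostname argv slot, so refuse it outright. */
static int hostname_is_safe(const char *host)
{
    return host != NULL && host[0] != '\0' && host[0] != '-';
}

int main(void)
{
    printf("fits=%d guard=%d wrapped_remaining=%zu safe=%d unsafe=%d\n",
           build_fits(), guard_survives(), naive_remaining(16, 19),
           hostname_is_safe("backup.example.org"),
           hostname_is_safe("-oProxyCommand=id"));
    return 0;
}
```

The clamp to size - 1 is what makes the idiom safe to chain: once a call
truncates, every later call sees exactly one byte of remaining space, writes
only the NUL, and reports truncation again, so the caller can detect the
condition and the buffer is never addressed past its end.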