Fix for CVE-2024-12085

Fix for CVE-2024-12086
Fix for CVE-2024-12087
Fix for CVE-2024-12088
Fix for CVE-2024-12747

SOURCES/rsync-3.1.3-cve-2024-12085.patch

@@ -12,3 +12,4 @@ index 36e78ed..dfd6af2 100644
  	/* want_i is used to encourage adjacent matches, allowing the RLL
  	 * coding of the output to work more efficiently. */
  	want_i = 0;
+

SOURCES/rsync-3.1.3-cve-2024-12086.patch

@@ -0,0 +1,197 @@
+diff --git a/receiver.c b/receiver.c
+index 6b4b369..8031b8f 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern filter_rule_list daemon_filter_list;
+ extern OFF_T preallocated_len;
++extern int fuzzy_basis;
+
+ static struct bitbag *delayed_bits = NULL;
+ static int phase = 0, redoing = 0;
+@@ -551,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 		delayed_bits = bitbag_create(cur_flist->used + 1);
+ 
+ 	while (1) {
++		const char *basedir = NULL;
++
+ 		cleanup_disable();
+ 
+ 		/* This call also sets cur_flist. */
+@@ -716,28 +719,34 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 				fnamecmp = get_backup_name(fname);
+ 				break;
+ 			case FNAMECMP_FUZZY:
++				if (fuzzy_basis == 0) {
++					rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
++					exit_cleanup(RERR_PROTOCOL);
++				}
+ 				if (file->dirname) {
+-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+-					fnamecmp = fnamecmpbuf;
+-				} else
+-					fnamecmp = xname;
++					basedir = file->dirname;
++				}
++				fnamecmp = xname;
+ 				break;
+ 			default:
+ 				if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
+ 					fnamecmp_type -= FNAMECMP_FUZZY + 1;
+ 					if (file->dirname) {
+-						stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-							   basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
+-					} else
+-						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
++						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
++						basedir = fnamecmpbuf;
++					} else {
++						basedir = basis_dir[fnamecmp_type];
++					}
++					fnamecmp = xname;
+ 				} else if (fnamecmp_type >= basis_dir_cnt) {
+ 					rprintf(FERROR,
+ 						"invalid basis_dir index: %d.\n",
+ 						fnamecmp_type);
+ 					exit_cleanup(RERR_PROTOCOL);
+-				} else
+-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
+-				fnamecmp = fnamecmpbuf;
++				} else {
++					basedir = basis_dir[fnamecmp_type];
++					fnamecmp = fname;
++				}
+ 				break;
+ 			}
+ 			if (!fnamecmp || (daemon_filter_list.head
+@@ -760,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 		}
+ 
+ 		/* open the file */
+-		fd1 = do_open(fnamecmp, O_RDONLY, 0);
++		fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+ 
+ 		if (fd1 == -1 && protocol_version < 29) {
+ 			if (fnamecmp != fname) {
+@@ -761,13 +761,19 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 
+ 			if (fd1 == -1 && basis_dir[0]) {
+ 				/* pre-29 allowed only one alternate basis */
+-				pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-					 basis_dir[0], fname);
+-				fnamecmp = fnamecmpbuf;
+-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
++				basedir = basis_dir[0];
++				fnamecmp = fname;
++				fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+ 			}
+ 		}
+ 
++		if (basedir) {
++			// for the following code we need the full
++			// path name as a single string
++			pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
++			fnamecmp = fnamecmpbuf;
++		}
++
+ 		updating_basis_or_equiv = inplace
+ 		    && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP);
+ 
+diff --git a/syscall.c b/syscall.c
+index d92074a..47c5ea5 100644
+--- a/syscall.c
++++ b/syscall.c
+@@ -33,6 +33,8 @@
+ #include <sys/syscall.h>
+ #endif
+ 
++#include "ifuncs.h"
++
+ extern int dry_run;
+ extern int am_root;
+ extern int am_sender;
+@@ -712,3 +714,82 @@ int do_open_nofollow(const char *pathname, int flags)
+ 
+ 	return fd;
+ }
++
++/*
++  open a file relative to a base directory. The basedir can be NULL,
++  in which case the current working directory is used. The relpath
++  must be a relative path, and the relpath must not contain any
++  elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
++  applies to all path components, not just the last component)
++
++  The relpath must also not contain any ../ elements in the path
++*/
++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
++{
++	if (!relpath || relpath[0] == '/') {
++		// must be a relative path
++		errno = EINVAL;
++		return -1;
++	}
++	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
++		// no ../ elements allowed in the relpath
++		errno = EINVAL;
++		return -1;
++	}
++
++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
++	// really old system, all we can do is live with the risks
++	if (!basedir) {
++		return open(relpath, flags, mode);
++	}
++	char fullpath[MAXPATHLEN];
++	pathjoin(fullpath, sizeof fullpath, basedir, relpath);
++	return open(fullpath, flags, mode);
++#else
++	int dirfd = AT_FDCWD;
++	if (basedir != NULL) {
++		dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
++		if (dirfd == -1) {
++			return -1;
++		}
++	}
++	int retfd = -1;
++
++	char *path_copy = strdup(relpath);
++	if (!path_copy) {
++		return -1;
++	}
++	
++	for (const char *part = strtok(path_copy, "/");
++	     part != NULL;
++	     part = strtok(NULL, "/"))
++	{
++		int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
++		if (next_fd == -1 && errno == ENOTDIR) {
++			if (strtok(NULL, "/") != NULL) {
++				// this is not the last component of the path
++				errno = ELOOP;
++				goto cleanup;
++			}
++			// this could be the last component of the path, try as a file
++			retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
++			goto cleanup;
++		}
++		if (next_fd == -1) {
++			goto cleanup;
++		}
++		if (dirfd != AT_FDCWD) close(dirfd);
++		dirfd = next_fd;
++	}
++
++	// the path must be a directory
++	errno = EINVAL;
++
++cleanup:
++	free(path_copy);
++	if (dirfd != AT_FDCWD) {
++		close(dirfd);
++	}
++	return retfd;
++#endif // O_NOFOLLOW, O_DIRECTORY
++}
+

SOURCES/rsync-3.1.3-cve-2024-12087.patch

@@ -23,14 +23,15 @@ index 464d556..087f9da 100644
  
  	if (inc_recurse) {
 diff --git a/rsync.h b/rsync.h
-index b357dad..bc9abac 100644
+index 0f9e277..b9a7101 100644
 --- a/rsync.h
 +++ b/rsync.h
-@@ -83,6 +83,7 @@
- #define FLAG_SKIP_GROUP (1<<10)	/* receiver/generator */
- #define FLAG_TIME_FAILED (1<<11)/* generator */
- #define FLAG_MOD_NSEC (1<<12)	/* sender/receiver/generator */
-+#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
- 
- /* These flags are passed to functions but not stored. */
- 
+@@ -84,6 +84,7 @@
+ #define FLAG_DUPLICATE (1<<4)	/* sender */
+ #define FLAG_MISSING_DIR (1<<4)	/* generator */
+ #define FLAG_HLINKED (1<<5)	/* receiver/generator (checked on all types) */
++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6)	/* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6)	/* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7)	/* receiver/generator */
+

SOURCES/rsync-3.1.3-cve-2024-12088.patch

@@ -55,3 +55,4 @@ index da50ff1..f260d39 100644
  	/* find out what our safety margin is */
  	for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
  		/* ".." segment starts the count over.  "." segment is ignored. */
+

SOURCES/rsync-3.1.3-cve-2024-12747.patch

@@ -63,9 +63,9 @@ index 47c5ea5..c55ae5f 100644
  
  #ifndef S_BLKSIZE
  # if defined hpux || defined __hpux__ || defined __hpux
-@@ -575,3 +575,21 @@ int do_open_nofollow(const char *pathname, int flags)
- 
- 	return fd;
+@@ -793,3 +795,21 @@ cleanup:
+ 	return retfd;
+ #endif // O_NOFOLLOW, O_DIRECTORY
  }
 +
 +/*
@@ -80,10 +80,10 @@ index 47c5ea5..c55ae5f 100644
 + */
 +int do_open_checklinks(const char *pathname)
 +{
-+ if (copy_links || copy_unsafe_links) {
-+   return do_open(pathname, O_RDONLY, 0);
-+ }
-+ return do_open_nofollow(pathname, O_RDONLY);
++	if (copy_links || copy_unsafe_links) {
++		return do_open(pathname, O_RDONLY, 0);
++	}
++	return do_open_nofollow(pathname, O_RDONLY);
 +}
 diff --git a/t_unsafe.c b/t_unsafe.c
 index 010cac5..e10619a 100644
@@ -139,3 +139,4 @@ index f260d39..d84bc41 100644
  		int save_errno = errno;
  		rsyserr(FERROR_XFER, errno, "open %s", full_fname(source));
  		errno = save_errno;
+

SOURCES/rsync-3.1.3-cve-2025-4638.patch

@@ -1,54 +0,0 @@
-diff --git a/zlib/inftrees.c b/zlib/inftrees.c
-index 44d89cf2..571e8100 100644
---- a/zlib/inftrees.c
-+++ b/zlib/inftrees.c
-@@ -54,7 +54,7 @@ unsigned short FAR *work;
-     code FAR *next;             /* next available space in table */
-     const unsigned short FAR *base;     /* base value table to use */
-     const unsigned short FAR *extra;    /* extra bits table to use */
--    int end;                    /* use base and extra for symbol > end */
-+    unsigned match;             /* use base and extra for symbol >= match */
-     unsigned short count[MAXBITS+1];    /* number of codes of each length */
-     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
-     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
-@@ -181,19 +181,17 @@ unsigned short FAR *work;
-     switch (type) {
-     case CODES:
-         base = extra = work;    /* dummy value--not used */
--        end = 19;
-+        match = 20;
-         break;
-     case LENS:
-         base = lbase;
--        base -= 257;
-         extra = lext;
--        extra -= 257;
--        end = 256;
-+        match = 257;
-         break;
-     default:            /* DISTS */
-         base = dbase;
-         extra = dext;
--        end = -1;
-+        match = 0;
-     }
- 
-     /* initialize state for loop */
-@@ -216,13 +214,13 @@ unsigned short FAR *work;
-     for (;;) {
-         /* create table entry */
-         here.bits = (unsigned char)(len - drop);
--        if ((int)(work[sym]) < end) {
-+        if (work[sym] + 1u < match) {
-             here.op = (unsigned char)0;
-             here.val = work[sym];
-         }
--        else if ((int)(work[sym]) > end) {
--            here.op = (unsigned char)(extra[work[sym]]);
--            here.val = base[work[sym]];
-+        else if (work[sym] >= match) {
-+            here.op = (unsigned char)(extra[work[sym] - match]);
-+            here.val = base[work[sym] - match];
-         }
-         else {
-             here.op = (unsigned char)(32 + 64);         /* end of block */

SOURCES/rsync-3.1.3-trust-sender.patch

@@ -1,218 +0,0 @@
-diff --git a/exclude.c b/exclude.c
-index d36a105e..da25661b 100644
---- a/exclude.c
-+++ b/exclude.c
-@@ -33,18 +33,15 @@ extern int recurse;
- extern int local_server;
- extern int prune_empty_dirs;
- extern int ignore_perishable;
--extern int old_style_args;
- extern int relative_paths;
- extern int delete_mode;
- extern int delete_excluded;
- extern int cvs_exclude;
- extern int sanitize_paths;
- extern int protocol_version;
--extern int read_batch;
--extern int list_only;
-+extern int trust_sender_args;
- extern int module_id;
- 
--extern char *filesfrom_host;
- extern char curr_dir[MAXPATHLEN];
- extern unsigned int curr_dir_len;
- extern unsigned int module_dirlen;
-@@ -55,6 +52,7 @@ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
- filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
- 
- int saw_xattr_filter = 0;
-+int trust_sender_args = 0;
- int trust_sender_filter = 0;
- 
- /* Need room enough for ":MODS " prefix plus some room to grow. */
-@@ -377,7 +375,7 @@ void add_implied_include(const char *arg, int skip_daemon_module)
- 	int slash_cnt = 0;
- 	const char *cp;
- 	char *p;
--	if (am_server || old_style_args || list_only || read_batch || filesfrom_host != NULL)
-+	if (trust_sender_args)
- 		return;
- 	if (partial_string_len) {
- 		arg_len = strlen(arg);
-diff --git a/main.c b/main.c
-index 6721ceb7..9ebfbea7 100644
---- a/main.c
-+++ b/main.c
-@@ -89,7 +89,6 @@ extern int backup_dir_len;
- extern BOOL shutting_down;
- extern int backup_dir_len;
- extern int basis_dir_cnt;
--extern int trust_sender_filter;
- extern struct stats stats;
- extern char *stdout_format;
- extern char *logfile_format;
-@@ -636,7 +635,6 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
- #ifdef ICONV_CONST
- 		setup_iconv();
- #endif
--		trust_sender_filter = 1;
- 	} else if (local_server) {
- 		/* If the user didn't request --[no-]whole-file, force
- 		 * it on, but only if we're not batch processing. */
-diff --git a/options.c b/options.c
-index e7a9fcae..4feeb7e0 100644
---- a/options.c
-+++ b/options.c
-@@ -27,6 +27,8 @@
- extern int local_server;
- extern int sanitize_paths;
- extern int daemon_over_rsh;
-+extern int trust_sender_args;
-+extern int trust_sender_filter;
- extern unsigned int module_dirlen;
- extern filter_rule_list filter_list;
- extern filter_rule_list daemon_filter_list;
-@@ -64,6 +66,7 @@ int preserve_atimes = 0;
- static int daemon_opt;   /* sets am_daemon after option error-reporting */
- static int omit_dir_times = 0;
- static int omit_link_times = 0;
-+int trust_sender = 0;
- static int F_option_cnt = 0;
- static int modify_window_set;
- static int itemize_changes = 0;
-@@ -788,6 +791,7 @@ static struct poptOption long_options[] = {
-   {"protect-args",    's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
-   {"no-protect-args",  0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
-   {"no-s",             0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
-+  {"trust-sender",     0,  POPT_ARG_VAL,    &trust_sender, 1, 0, 0},
-   {"numeric-ids",      0,  POPT_ARG_VAL,    &numeric_ids, 1, 0, 0 },
-   {"no-numeric-ids",   0,  POPT_ARG_VAL,    &numeric_ids, 0, 0, 0 },
-   {"usermap",          0,  POPT_ARG_STRING, 0, OPT_USERMAP, 0, 0 },
-@@ -2465,6 +2469,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
- 		}
- 	}
- 
-+	if (trust_sender || am_server || read_batch)
-+		trust_sender_args = trust_sender_filter = 1;
-+	else if (old_style_args || filesfrom_host != NULL)
-+		trust_sender_args = 1;
-+
- 	am_starting_up = 0;
- 
- 	return 1;
-@@ -2438,9 +2438,7 @@ char *safe_arg(const char *opt, const char *arg)
- 	char *ret;
- 	if (!protect_args && old_style_args < 2 && (!old_style_args || (!is_filename_arg && opt != SPLIT_ARG_WHEN_OLD))) {
- 		const char *f;
--		if (!old_style_args && *arg == '~' 
--				&& ((relative_paths && !strstr(arg, "/./")) 
--				|| !strchr(arg, '/'))) {
-+		if (!trust_sender_args && *arg == '~' && (relative_paths || !strchr(arg, '/'))) {
- 			extras++;
- 			escape_leading_tilde = 1;
- 		}
-diff --git a/rsync.1.old b/rsync.1
-index 839f5ad..6882cf5 100644
---- a/rsync.1.old
-+++ b/rsync.1
-@@ -182,9 +182,39 @@ particular rsync daemon by leaving off the module name:
- \f(CWrsync somehost.mydomain.com::\fP
- .RE
- 
--.PP 
--See the following section for more details.
--.PP 
-+.SH "MULTI-HOST SECURITY"
-+
-+.PP
-+Rsync takes steps to ensure that the file requests that are shared in a
-+transfer are protected against various security issues.  Most of the potential
-+problems arise on the receiving side where rsync takes steps to ensure that the
-+list of files being transferred remains within the bounds of what was
-+requested.
-+.PP
-+Toward this end, rsync 3.1.2 and later have aborted when a file list contains
-+an absolute or relative path that tries to escape out of the top of the
-+transfer.  Also, beginning with version 3.2.5, rsync does two more safety
-+checks of the file list to (1) ensure that no extra source arguments were added
-+into the transfer other than those that the client requested and (2) ensure
-+that the file list obeys the exclude rules that we sent to the sender.
-+.PP
-+For those that don't yet have a 3.2.5 client rsync, it is safest to do a copy
-+into a dedicated destination directory for the remote files rather than
-+requesting the remote content get mixed in with other local content.  For
-+example, doing an rsync copy into your home directory is potentially unsafe on
-+an older rsync if the remote rsync is being controlled by a bad actor:
-+.PP
-+.RS
-+\f(CWrsync \-aiv host:dir1 ~\fP
-+.RE
-+.PP
-+A safer command would be:
-+.RS
-+\f(CWrsync \-aiv host:dir1 ~/host-files\fP
-+.RE
-+.PP
-+See the \fB\-\-trust\-sender\fP option for additional details.
-+
- .SH "ADVANCED USAGE"
- 
- .PP 
-@@ -519,6 +549,7 @@ to the detailed description below for a complete description.
-  \-0, \-\-from0                 all *from/filter files are delimited by 0s
-      \-\-old\-args              disable the modern arg-protection idiom
-  \-s, \-\-protect\-args          no space\-splitting; wildcard chars only
-+     \-\-trust\-sender          trust the remote sender's file list
-      \-\-address=ADDRESS       bind address for outgoing socket to daemon
-      \-\-port=PORT             specify double\-colon alternate port number
-      \-\-sockopts=OPTIONS      specify custom TCP options
-@@ -2119,6 +2150,49 @@ This option conflicts with the \fB\-\-old\-args\fP option.
- Note that this option is incompatible with the use of the restricted rsync
- script (`rrsync`) since it hides options from the script's inspection.
- .IP
-+.IP "\fB\-\-trust\-sender\fP"
-+This option disables two extra validation checks that a local client
-+performs on the file list generated by a remote sender.  This option should
-+only be used if you trust the sender to not put something malicious in the
-+file list (something that could possibly be done via a modified rsync, a
-+modified shell, or some other similar manipulation).
-+.IP
-+Normally, the rsync client (as of version 3.2.5) runs two extra validation
-+checks when pulling files from a remote rsync:
-+.RS
-+.IP o
-+It verifies that additional arg items didn't get added at the top of the
-+transfer.
-+.IP o
-+It verifies that none of the items in the file list are names that should
-+have been excluded (if filter rules were specified).
-+.RE
-+.IP
-+Note that various options can turn off one or both of these checks if the
-+option interferes with the validation.  For instance:
-+.RS
-+.IP o
-+Using a per-directory filter file reads filter rules that only the server
-+knows about, so the filter checking is disabled.
-+.IP o
-+Using the \fB\-\-old\-args\fP option allows the sender to manipulate the
-+requested args, so the arg checking is disabled.
-+.IP o
-+Reading the files-from list from the server side means that the client
-+doesn't know the arg list, so the arg checking is disabled.
-+.IP o
-+Using \fB\-\-read\-batch\fP disables both checks since the batch file's
-+contents will have been verified when it was created.
-+.RE
-+.IP
-+This option may help an under-powered client server if the extra pattern
-+matching is slowing things down on a huge transfer.  It can also be used
-+work around a currently-unknown bug in the verification logic for a transfer
-+from a trusted sender.
-+.IP
-+When using this option it is a good idea to specify a dedicated destination
-+directory, as discussed in the \(dq\&MULTI-HOST SECURITY\(dq\& section.
-+.IP
- .IP "\fB\-T, \-\-temp\-dir=DIR\fP"
- This option instructs rsync to use DIR as a
- scratch directory when creating temporary copies of the files transferred

SPECS/rsync.spec

@@ -9,7 +9,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.1.3
-Release: 23%{?dist}
+Release: 19%{?dist}.1.alma.1
 Group: Applications/Internet
 URL: http://rsync.samba.org/
 
@@ -43,12 +43,10 @@ Patch12: rsync-3.1.3-cve-2022-37434.patch
 Patch13: rsync-3.1.3-filtering-rules.patch
 Patch14: rsync-3.1.3-missing-xattr-filter.patch
 Patch15: rsync-3.1.3-cve-2024-12085.patch
-Patch16: rsync-3.1.3-cve-2024-12087.patch
-Patch17: rsync-3.1.3-cve-2024-12088.patch
-Patch18: rsync-3.1.3-cve-2024-12747.patch
-# a fix for CVE-2016-9840 in zlib but marked as CVE-2025-4638 for a different component
-Patch19: rsync-3.1.3-cve-2025-4638.patch
-Patch20: rsync-3.1.3-trust-sender.patch
+Patch16: rsync-3.1.3-cve-2024-12086.patch
+Patch17: rsync-3.1.3-cve-2024-12087.patch
+Patch18: rsync-3.1.3-cve-2024-12088.patch
+Patch19: rsync-3.1.3-cve-2024-12747.patch
 
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -102,11 +100,10 @@ patch -p1 -i patches/copy-devices.diff
 %patch13 -p1 -b .filtering-rules
 %patch14 -p1 -b .xattr-filter
 %patch15 -p1 -b .cve-2024-12085
-%patch16 -p1 -b .cve-2024-12087
-%patch17 -p1 -b .cve-2024-12088
-%patch18 -p1 -b .cve-2024-12747
-%patch19 -p1 -b .cve-2025-4638
-%patch20 -p1 -b .trust-sender
+%patch16 -p1 -b .cve-2024-12086
+%patch17 -p1 -b .cve-2024-12087
+%patch18 -p1 -b .cve-2024-12088
+%patch19 -p1 -b .cve-2024-12747
 
 %build
 %configure
@@ -153,20 +150,12 @@ chmod -x support/*
 %systemd_postun_with_restart rsyncd.service
 
 %changelog
-* Wed May 28 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-23
-- Resolves: RHEL-52004 - Slowness in rsync due to extra validation steps
-
-* Mon May 26 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-22
-- Resolves: RHEL-91519 - Improper Pointer Arithmetic in pcl
-
-* Tue Feb 04 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-21
-- Resolves: RHEL-70207 - Path traversal vulnerability in rsync
-
-* Mon Feb 03 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-20
-- Resolves: RHEL-70207 - Path traversal vulnerability in rsync
-- Resolves: RHEL-70209 - --safe-links option bypass leads to path traversal
-- Resolves: RHEL-72502 - Race Condition in rsync Handling Symbolic Links
-- Resolves: RHEL-70157 - Info Leak via Uninitialized Stack Contents
+* Tue Jan 14 2025 Jonathan Wright <jonathan@almalinux.org> - 3.1.3-19.1.alma.1
+- Fix for CVE-2024-12085
+- Fix for CVE-2024-12086
+- Fix for CVE-2024-12087
+- Fix for CVE-2024-12088
+- Fix for CVE-2024-12747
 
 * Wed Nov 02 2022 Michal Ruprich <mruprich@redhat.com> - 3.1.3-19.1
 - Resolves: #2139118 - rsync-daemon fail on 3.1.3