From fbaefc98c9842291578f54b55a4399b44dd0a109 Mon Sep 17 00:00:00 2001 From: Marian Beermann Date: Fri, 27 Jan 2017 11:54:20 +0100 Subject: [PATCH] docs: add CVE numbers for issues fixed in 1.0.9 https://www.cvedetails.com/product/35461/Borg-Borg.html?vendor_id=16008 --- docs/changes.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/changes.rst b/docs/changes.rst index 24e360606..e0efe3f57 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -5,8 +5,8 @@ This section is used for infos about security and corruption issues. .. _tam_vuln: -Pre-1.0.9 manifest spoofing vulnerability ------------------------------------------ +Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099) +---------------------------------------------------------- A flaw in the cryptographic authentication scheme in Borg allowed an attacker to spoof the manifest. The attack requires an attacker to be able to @@ -54,7 +54,9 @@ Vulnerability time line: * 2016-11-14: Vulnerability and fix discovered during review of cryptography by Marian Beermann (@enkore) * 2016-11-20: First patch -* 2016-12-18: Released fixed versions: 1.0.9, 1.1.0b3 +* 2016-12-20: Released fixed version 1.0.9 +* 2017-01-02: CVE was assigned +* 2017-01-15: Released fixed version 1.1.0b3 (fix was previously only available from source) .. _attic013_check_corruption: @@ -183,10 +185,14 @@ Security fixes: - A flaw in the cryptographic authentication scheme in Borg allowed an attacker to spoof the manifest. See :ref:`tam_vuln` above for the steps you should take. + + CVE-2016-10099 was assigned to this vulnerability. - borg check: When rebuilding the manifest (which should only be needed very rarely) duplicate archive names would be handled on a "first come first serve" basis, allowing an attacker to apparently replace archives. + CVE-2016-10100 was assigned to this vulnerability. + Bug fixes: - borg check: