mirror of
https://github.com/borgbackup/borg.git
synced 2024-12-27 10:18:12 +00:00
Merge pull request #2107 from enkore/issue/2106
docs: add CVE numbers for issues fixed in 1.0.9
This commit is contained in:
commit
4e2171548e
1 changed files with 9 additions and 3 deletions
|
@ -5,8 +5,8 @@ This section is used for infos about security and corruption issues.
|
||||||
|
|
||||||
.. _tam_vuln:
|
.. _tam_vuln:
|
||||||
|
|
||||||
Pre-1.0.9 manifest spoofing vulnerability
|
Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099)
|
||||||
-----------------------------------------
|
----------------------------------------------------------
|
||||||
|
|
||||||
A flaw in the cryptographic authentication scheme in Borg allowed an attacker
|
A flaw in the cryptographic authentication scheme in Borg allowed an attacker
|
||||||
to spoof the manifest. The attack requires an attacker to be able to
|
to spoof the manifest. The attack requires an attacker to be able to
|
||||||
|
@ -54,7 +54,9 @@ Vulnerability time line:
|
||||||
|
|
||||||
* 2016-11-14: Vulnerability and fix discovered during review of cryptography by Marian Beermann (@enkore)
|
* 2016-11-14: Vulnerability and fix discovered during review of cryptography by Marian Beermann (@enkore)
|
||||||
* 2016-11-20: First patch
|
* 2016-11-20: First patch
|
||||||
* 2016-12-18: Released fixed versions: 1.0.9, 1.1.0b3
|
* 2016-12-20: Released fixed version 1.0.9
|
||||||
|
* 2017-01-02: CVE was assigned
|
||||||
|
* 2017-01-15: Released fixed version 1.1.0b3 (fix was previously only available from source)
|
||||||
|
|
||||||
.. _attic013_check_corruption:
|
.. _attic013_check_corruption:
|
||||||
|
|
||||||
|
@ -183,10 +185,14 @@ Security fixes:
|
||||||
- A flaw in the cryptographic authentication scheme in Borg allowed an attacker
|
- A flaw in the cryptographic authentication scheme in Borg allowed an attacker
|
||||||
to spoof the manifest. See :ref:`tam_vuln` above for the steps you should
|
to spoof the manifest. See :ref:`tam_vuln` above for the steps you should
|
||||||
take.
|
take.
|
||||||
|
|
||||||
|
CVE-2016-10099 was assigned to this vulnerability.
|
||||||
- borg check: When rebuilding the manifest (which should only be needed very rarely)
|
- borg check: When rebuilding the manifest (which should only be needed very rarely)
|
||||||
duplicate archive names would be handled on a "first come first serve" basis, allowing
|
duplicate archive names would be handled on a "first come first serve" basis, allowing
|
||||||
an attacker to apparently replace archives.
|
an attacker to apparently replace archives.
|
||||||
|
|
||||||
|
CVE-2016-10100 was assigned to this vulnerability.
|
||||||
|
|
||||||
Bug fixes:
|
Bug fixes:
|
||||||
|
|
||||||
- borg check:
|
- borg check:
|
||||||
|
|
Loading…
Reference in a new issue