From 62114466e4c5a8d2899b8996c027dd6bae34e993 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Mon, 6 Nov 2023 14:34:15 +0100 Subject: [PATCH] CVE-2023-36811 upgrade docs: consider checkpoint archives, fixes #7802 The traceback seen there came from borg not showing a .checkpoint archive that didn't have a valid TAM and thus the user not see it / fix it: https://github.com/borgbackup/borg/issues/7802#issuecomment-1793860606 --- docs/changes_1.x.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/changes_1.x.rst b/docs/changes_1.x.rst index aaceb405e..719eff032 100644 --- a/docs/changes_1.x.rst +++ b/docs/changes_1.x.rst @@ -50,7 +50,7 @@ no matter what encryption mode they use, including "none"): b) If you get "Manifest TAM not found and not required", run ``borg upgrade --tam --force `` *on every client*. -3. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg list --format='{name} {time} tam:{tam}{NL}' ``. +3. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg list --consider-checkpoints --format='{name} {time} tam:{tam}{NL}' ``. "tam:verified" means that the archive has a valid TAM authentication. "tam:none" is expected as output for archives created by borg <1.0.9. "tam:none" is also expected for archives resulting from a borg rename 
@@ -66,7 +66,7 @@ no matter what encryption mode they use, including "none"): Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg upgrade --archives-tam ``. This will unconditionally add a correct archive TAM to all archives not having one. ``borg check`` would consider TAM-less or invalid-TAM archives as garbage or a potential attack. - To see that all archives now are "tam:verified" run: ``borg list --format='{name} {time} tam:{tam}{NL}' `` + To see that all archives now are "tam:verified" run: ``borg list --consider-checkpoints --format='{name} {time} tam:{tam}{NL}' `` 5. Please note that you should never use BORG_WORKAROUNDS=ignore_invalid_archive_tam for normal production operations - it is only needed once to get the archives in a
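Review bot: In the first hunk (step 3), the new ``--consider-checkpoints`` flag is added without any explanation of why it is needed, so a reader who already ran the old command has no cue to repeat the step. The commit message gives the reason: borg did not show a .checkpoint archive that lacked a valid TAM, so the user could neither see it nor fix it. I would put one sentence of that into the docs right after the command, for example: "``--consider-checkpoints`` is needed so that .checkpoint archives, which are otherwise not listed, are included in the output." The "tam:none is expected" cases that follow should also say whether a checkpoint archive can legitimately show "tam:none", since that decides what the reader does in the next step.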
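Review bot: In the second hunk (step 4), the sentence "To see that all archives now are "tam:verified" run:" still reads as if a plain listing covers everything, while the command now depends on ``--consider-checkpoints`` to do so. Suggest stating the scope in the text, e.g. "all archives (including checkpoint archives)", so the flag is not dropped when someone copies the command from memory or from an older copy of these docs. The same long ``borg list ... --format=...`` invocation now appears in both step 3 and step 4 and differs only by the BORG_WORKAROUNDS prefix; a short remark in step 4 that the prefix is intentionally absent here would make clear this run is the check that the workaround is no longer needed.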