docs: point to CVE-2023-36811 upgrade steps from the borg 1.1 to 1.2 upgrade steps, fixes #7899

also: use 1.2.6 to refer to the fixed version

1.2.5 had issues and was superseded by 1.2.6 just 1 day later,
so we do not need to talk about that.

Also, the docs point out that:
"""
Below, if we speak of borg 1.2.6, we mean a borg version >= 1.2.6 **or** a
borg version that has the relevant security patches for this vulnerability applied
(could be also an older version in that case).
"""

So, it now just talks about "1.2.6" at the relevant places.
Thomas Waldmann 2023-11-01 17:31:16 +01:00
parent 136e3ed1d6
commit da4fcc5a66
No known key found for this signature in database
GPG Key ID: 243ACFA951F78E01
1 changed file with 3 additions and 3 deletions

@ -40,7 +40,7 @@ no matter what encryption mode they use, including "none"):
Note: it is not required to upgrade a server, except if the server-side borg
is also used as a client (and not just for "borg serve").
Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps:
Do **not** run ``borg check`` with borg 1.2.6 before completing the upgrade steps:
- ``borg check`` would complain about archives without a valid archive TAM.
- ``borg check --repair`` would remove such archives!
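Review bot: The replaced warning line now reads "with borg 1.2.6", which a reader will take as "exactly 1.2.6" unless the convention quoted in the commit message (1.2.6 means >= 1.2.6 or any build carrying the security patches) has already been stated before line 40 of this file; please confirm it has, or make the line self-contained, e.g. "with borg 1.2.6 (or any patched version, see above)". This is the one line readers must not misread, since the context right below it says ``borg check --repair`` would remove archives without a valid archive TAM.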
@ -310,6 +310,8 @@ Some things can be recommended for the upgrade process from borg 1.1.x
- if you want to play safer, first **create a backup of your borg repository**.
- upgrade to latest borg 1.2.x release (you could use the fat binary from
github releases page)
- borg 1.2.6 has a security fix for the pre-1.2.5 archives spoofing vulnerability
(CVE-2023-36811), see details and necessary upgrade procedure described above.
- run `borg compact --cleanup-commits` to clean up a ton of 17 bytes long files
in your repo caused by a borg 1.1 bug
- run `borg check` again (now with borg 1.2.x) and check if there is anything
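Review bot: Moving the CVE-2023-36811 bullet to directly after the "upgrade to latest borg 1.2.x release" step is the right order, but the "run `borg check` again (now with borg 1.2.x)" step two bullets later still does not say that the CVE upgrade procedure must be completed first, even though the warning at the top of the file says ``borg check`` with borg 1.2.6 complains about archives without a valid TAM and ``--repair`` removes them. Suggest appending "(only after completing the CVE-2023-36811 upgrade procedure described above)" to that ``borg check`` bullet. While here: the ``borg compact`` and ``borg check`` bullets use single backticks, which in reStructuredText render as interpreted text rather than literals; the warning lines above use the correct double backticks.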
@ -318,8 +320,6 @@ Some things can be recommended for the upgrade process from borg 1.1.x
take significant time, but after that it will be fast) - for more details
see below.
- check the compatibility notes (see below) and adapt your scripts, if needed.
- borg 1.2.5 has a security fix for the pre-1.2.5 archives spoofing vulnerability
(CVE-2023-36811), see details and necessary upgrade procedure described above.
- if you run into any issues, please check the github issue tracker before
posting new issues there or elsewhere.
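Review bot: The deleted bullet is the old "borg 1.2.5" copy of the one re-added earlier in the same list, so no content is lost; together with the convention in the commit message it means "1.2.5" should no longer be named as the fixed version anywhere in this file. Since the diff only touches two of the places where the version is mentioned, a quick grep for "1.2.5" over the whole document before merging would confirm the remaining occurrences (such as "pre-1.2.5 archives" in the moved bullet) are intentional.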