CVEs
enkore edited this page Jun 16, 2017 · 6 revisions
This page is an overview of the CVEs assigned to borg (and attic). All of these are in the changelogs as well. This page is purely informational and might be out of date. Always consult security trackers and the latest changelogs for the latest information.

| Vulnerable: | All versions prior to 1.0.9 |
|---|---|
| Fixed in: | 1.0.9, 1.1.0b3 |
| Important Note: | n/a |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10100 |
| Description: | borg check: When rebuilding the manifest (which should only be needed very rarely) duplicate archive names would be handled on a “first come first serve” basis, allowing an attacker to apparently replace archives. |

| Vulnerable: | All versions prior to 1.0.9 |
|---|---|
| Fixed in: | 1.0.9, 1.1.0b3 |
| Important Note: | https://borgbackup.readthedocs.io/en/stable/changes.html#tam-vuln |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10099 |
| Description: | A flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives. |

| Vulnerable: | No Borg releases were affected. |
|---|---|
| Fixed in: | Borg |
| Important Note: | n/a |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4082 |
| Description: | An attacker with write access to a backup store can cause future backups to be uploaded without encryption. |