CVEs
enkore edited this page May 7, 2017 · 6 revisions
This page is an overview of the CVEs assigned to borg (and attic). All of these are in the changelogs as well.

| Vulnerable: | All versions prior to 1.0.9 |
|---|---|
| Fixed in: | 1.0.9, 1.1.0b3 |
| Important Notice: | https://borgbackup.readthedocs.io/en/stable/changes.html#tam-vuln |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10099 |
| Description: | A flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives. |

| Vulnerable: | All versions prior to 1.0.9 |
|---|---|
| Fixed in: | 1.0.9, 1.1.0b3 |
| Important Notice: | n/a |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10100 |
| Description: | borg check: When rebuilding the manifest (which should only be needed very rarely) duplicate archive names would be handled on a “first come first serve” basis, allowing an attacker to apparently replace archives. |

| Vulnerable: | No Borg releases were affected. |
|---|---|
| Fixed in: | Borg |
| Important Notice: | n/a |
| Mitre: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4082 |
| Description: | An attacker with write access to a backup store can cause future backups to be uploaded without encryption. |