borgmatic-collective / docker-borgmatic

Borgmatic in Docker
GNU General Public License v3.0

Bump borgbackup from 1.2.4 to 1.2.5 #258

Closed dependabot[bot] closed 10 months ago

dependabot[bot] commented 10 months ago

Bumps borgbackup from 1.2.4 to 1.2.5.

Release notes

Sourced from borgbackup's releases.

Release 1.2.5 (with security fix)

borgbackup 1.2.5 release

This release includes a security fix plus related upgrade instructions at the top of the change log:

https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811

Long changelog:

https://github.com/borgbackup/borg/blob/1.2.5/docs/changes.rst#version-125-2023-08-30

Short borg 1.2 overview (from a borg 1.1 perspective):

https://www.borgbackup.org/releases/borg-1.2.html

Installation

If you use pip to install this, use: pip install pkgconfig ; pip install "borgbackup==1.2.5"

For other installation methods and more details, please see: https://borgbackup.org/

Changelog

Sourced from borgbackup's changelog.

Pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811)

A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.

The attack requires an attacker to be able to

  1. insert files (with no additional headers) into backups
  2. gain write access to the repository

This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives.

Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.

The fix enforces checking the TAM authentication tag of archives at critical places. Borg now considers archives without TAM as garbage or an attack.

We are not aware of others having discovered, disclosed or exploited this vulnerability.

Below, if we speak of borg 1.2.5, we mean a borg version >= 1.2.5 or a borg version that has the relevant security patches for this vulnerability applied (could be also an older version in that case).

Steps you must take to upgrade a repository:

  1. Upgrade all clients using this repository to borg 1.2.5. Note: it is not required to upgrade a server, except if the server-side borg is also used as a client (and not just for "borg serve").

    Do not run borg check with borg 1.2.5 before completing the upgrade steps.

  2. Run borg info --debug <repository> 2>&1 | grep TAM | grep -i manifest.

    a) If you get "TAM-verified manifest", continue with 3.
    b) If you get "Manifest TAM not found and not required", run borg upgrade --tam --force <repository> on every client.

  3. Run borg list --format='{name} {time} tam:{tam}{NL}' <repository>. "tam:verified" means that the archive has a valid TAM authentication. "tam:none" is expected as output for archives created by borg <1.0.9. "tam:none" could also come from archives created by an attacker. You should verify that "tam:none" archives are authentic and not malicious (== have good content, have correct timestamp, can be extracted successfully). In case you find crappy/malicious archives, you must delete them before proceeding. In low-risk, trusted environments, you may decide on your own risk to skip step 3 and just trust in everything being OK.

... (truncated)

Commits
  • 509a5fd build_usage / build_man
  • ed1ab84 update CHANGES
  • 9e63abb document vulnerability, repo upgrade procedure
  • 5e0632a add tests for archive TAMs, upgrade
  • d78ed69 rebuild_refcounts: keep archive ID, if possible
  • 85b173d TAM msgs: be more specific: archives vs. manifest
  • 7d0d11b upgrade: allow enable/disable manifest TAM for unencrypted repos
  • 19a7809 upgrade --archives-tam: make sure all archives are TAM authenticated
  • 75518d9 list: support {tam} placeholder. check archive TAM.
  • 155d8ee cache sync: check archive TAM
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/borgmatic-collective/docker-borgmatic/network/alerts).
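
The repository upgrade procedure quoted above (steps 2 and 3 of the CVE-2023-36811 changelog) is easy to get wrong by hand, so here is an added example of the check as a small POSIX shell script. It is not code from borg, borgmatic or this image. It assumes a client borg >= 1.2.5 (for docker-borgmatic, an image built with this PR or its successor) and takes the repository location as the argument of the hypothetical `audit_repo` function; the two parsing functions read borg's output on stdin, so they also run offline on the constructed sample at the bottom.

```shell
#!/bin/sh
# Added example, not code from borg or docker-borgmatic: helpers for the
# post-CVE-2023-36811 repository check (steps 2 and 3 of the changelog).
# Assumptions: client borg >= 1.2.5; repository location passed as $1 to
# audit_repo. The parsing functions read borg output on stdin so they can be
# exercised offline on captured text (see SAMPLE_LIST below).

# Step 2: decide whether the manifest is TAM-authenticated from the output of
# `borg info --debug <repo> 2>&1`. Prints verified, missing or unknown.
manifest_tam_status() {
  out=$(cat)
  case "$out" in
    *"TAM-verified manifest"*)                   echo verified ;;
    *"Manifest TAM not found and not required"*) echo missing ;;
    *)                                           echo unknown ;;
  esac
}

# Step 3: from `borg list --format='{name} {time} tam:{tam}{NL}' <repo>` on
# stdin, print every archive that is not tam:verified (name and tam field)
# and return 1 if any were found, 0 otherwise. {time} contains spaces, so the
# tam field is taken as the last field rather than a fixed column.
untrusted_archives() {
  awk '
    NF > 0 && $NF != "tam:verified" { print $1, $NF; n++ }
    END { if (n > 0) exit 1; exit 0 }
  '
}

# Driver for a real repository (hypothetical helper): fix a missing manifest
# TAM, then list archives that still need manual verification or deletion.
# Per the changelog, do not run `borg check` with 1.2.5 before this is done,
# and `borg upgrade --tam --force` must be run from every client.
audit_repo() {
  repo=$1
  status=$(borg info --debug "$repo" 2>&1 | manifest_tam_status)
  case "$status" in
    missing) borg upgrade --tam --force "$repo" || return $? ;;
    unknown) echo "cannot determine manifest TAM status for $repo" >&2; return 2 ;;
  esac
  echo "Archives without a verified TAM (review or delete before 'borg check'):"
  borg list --format='{name} {time} tam:{tam}{NL}' "$repo" | untrusted_archives
}

# Constructed sample of `borg list` output (not from a real repository):
# two archives written by a patched client and one legacy archive without TAM.
SAMPLE_LIST='host-2023-08-01T02:00:00 Tue, 2023-08-01 02:00:00 tam:verified
host-2023-08-15T02:00:00 Tue, 2023-08-15 02:00:00 tam:verified
old-archive Mon, 2016-05-02 03:00:00 tam:none'

# Offline demonstration on the sample; prints "old-archive tam:none".
printf '%s\n' "$SAMPLE_LIST" | untrusted_archives || true
```

Anything the script lists with tam:none has to be verified by hand exactly as step 3 says (good content, correct timestamp, extractable), because a TAM-less archive created by borg <1.0.9 and one forged by an attacker with write access look the same in the listing. Treating every value other than tam:verified as suspect, rather than matching tam:none only, keeps the check conservative if borg reports a third state.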
dependabot[bot] commented 10 months ago

Superseded by #259.