A flaw in the cryptographic authentication scheme in Borg allowed an attacker to
fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
- insert files (with no additional headers) into backups
- gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it
affect the authenticity of existing archives.
Creating plausible fake archives may be feasible for empty or small archives,
but is unlikely for large archives.
The fix enforces checking the TAM authentication tag of archives at critical
places. Borg now considers archives without TAM as garbage or an attack.
We are not aware of others having discovered, disclosed or exploited this vulnerability.
Below, if we speak of borg 1.2.5, we mean a borg version >= 1.2.5 or a
borg version that has the relevant security patches for this vulnerability applied
(could be also an older version in that case).
Steps you must take to upgrade a repository:

1. Upgrade all clients using this repository to borg 1.2.5.
   Note: it is not required to upgrade a server, except if the server-side borg
   is also used as a client (and not just for "borg serve").
   Do not run borg check with borg 1.2.5 before completing the upgrade steps.
2. Run `borg info --debug <repository> 2>&1 | grep TAM | grep -i manifest`.
   a) If you get "TAM-verified manifest", continue with 3.
   b) If you get "Manifest TAM not found and not required", run
      `borg upgrade --tam --force <repository>` on every client.
3. Run `borg list --format='{name} {time} tam:{tam}{NL}' <repository>`.
   - "tam:verified" means that the archive has a valid TAM authentication.
   - "tam:none" is expected as output for archives created by borg <1.0.9.
   - "tam:none" could also come from archives created by an attacker.
   You should verify that "tam:none" archives are authentic and not malicious
   (== have good content, have correct timestamp, can be extracted successfully).
   In case you find crappy/malicious archives, you must delete them before proceeding.

In low-risk, trusted environments, you may decide on your own risk to skip step 3
and just trust in everything being OK.
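The repository upgrade procedure above, as a script. This is an added example, not code from the borg project or from this PR. It assumes borg 1.2.5 is on PATH on the client where it runs, that step 1 (upgrading every client) has already been done by hand, and that it is run once per client, as step 2b requires. The function names (`manifest_tam_state`, `unverified_archives`, `upgrade_repo`) and the sample listing are constructed for the example. It goes slightly beyond the text: any archive whose status is not `tam:verified` is reported for manual review, not only `tam:none`, and it never calls `borg check`, since the advisory says not to run it before the steps are complete.

```shell
#!/bin/sh
# Added example (not borg project code): automate the manifest/archive TAM
# checks of the 1.2.5 repository upgrade procedure. Assumes borg 1.2.5 on PATH.

# Classify the manifest TAM state from the filtered `borg info --debug` output
# read on stdin. Prints one of: verified | missing | unknown
manifest_tam_state() {
    out=$(cat)
    case "$out" in
        *"TAM-verified manifest"*)                   echo verified ;;
        *"Manifest TAM not found and not required"*) echo missing ;;
        *)                                           echo unknown ;;
    esac
}

# From `borg list --format='{name} {time} tam:{tam}{NL}'` output on stdin, print
# every archive line whose last field is not "tam:verified". Those are the
# archives that need a manual check: tam:none may be a pre-1.0.9 archive or one
# written by an attacker with write access to the repository.
unverified_archives() {
    awk '$NF != "tam:verified"'
}

# Run the whole check against one repository. Exit status:
#   0  manifest TAM verified (enabled first if it was missing) and every
#      archive carries a verified TAM
#   2  archives need manual review (they are printed on stdout)
#   1  unexpected borg output or a failed upgrade
upgrade_repo() {
    repo=$1
    state=$(borg info --debug "$repo" 2>&1 | grep TAM | grep -i manifest | manifest_tam_state)
    case $state in
        verified) ;;
        missing)
            # Step 2b: enable the manifest TAM. Repeat on every client.
            borg upgrade --tam --force "$repo" || return 1 ;;
        *)
            echo "unexpected manifest TAM state for $repo: $state" >&2
            return 1 ;;
    esac
    # Step 3: list archives with their TAM status and keep the suspicious ones.
    suspects=$(borg list --format='{name} {time} tam:{tam}{NL}' "$repo" | unverified_archives)
    if [ -n "$suspects" ]; then
        echo "archives without a verified TAM; inspect and delete bad ones before borg check:" >&2
        printf '%s\n' "$suspects"
        return 2
    fi
    return 0
}

# Constructed sample of step-3 output (not real borg output), used to exercise
# the filter offline when no repository argument is given.
SAMPLE_LIST='backup-2023-08-20 Sun, 2023-08-20 03:00:01 tam:verified
backup-2023-08-27 Sun, 2023-08-27 03:00:02 tam:none
old-2016 Tue, 2016-11-01 01:00:00 tam:none'

if [ -n "${1:-}" ]; then
    upgrade_repo "$1"
else
    printf '%s\n' "$SAMPLE_LIST" | unverified_archives
fi
```

Run it as `sh upgrade_check.sh /path/to/repo` (or an `ssh://` repository URL) on each client after upgrading to 1.2.5; an exit status of 2 with printed archive lines means step 3's manual verification is still outstanding.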
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/borgmatic-collective/docker-borgmatic/network/alerts).
Bumps borgbackup from 1.2.4 to 1.2.5.
Release notes
Sourced from borgbackup's releases.
Changelog
Sourced from borgbackup's changelog.
... (truncated)
Commits
- 509a5fd build_usage / build_man
- ed1ab84 update CHANGES
- 9e63abb document vulnerability, repo upgrade procedure
- 5e0632a add tests for archive TAMs, upgrade
- d78ed69 rebuild_refcounts: keep archive ID, if possible
- 85b173d TAM msgs: be more specific: archives vs. manifest
- 7d0d11b upgrade: allow enable/disable manifest TAM for unencrypted repos
- 19a7809 upgrade --archives-tam: make sure all archives are TAM authenticated
- 75518d9 list: support {tam} placeholder. check archive TAM.
- 155d8ee cache sync: check archive TAM