1.2.5 upgrade procedure might crash #7791
Comments
ThomasWaldmann
changed the title
ThomasWaldmann
added a commit
to ThomasWaldmann/borg
that referenced
this issue
Aug 30, 2023
ThomasWaldmann
added a commit
to ThomasWaldmann/borg
that referenced
this issue
Aug 30, 2023
12 tasks
|
Fixed by #7792. |
bob-beck
pushed a commit
to openbsd/ports
that referenced
this issue
Sep 1, 2023
Basically it is the same as the 1.2.5 release, but fixes a possibly crashing upgrade (borgbackup/borg#7791). Upgrade procedure is detailed at https://github.com/borgbackup/borg/blob/1.2.6/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
ThomasWaldmann
added a commit
to ThomasWaldmann/borg
that referenced
this issue
Sep 8, 2023
ThomasWaldmann
added a commit
to ThomasWaldmann/borg
that referenced
this issue
Sep 8, 2023
ThomasWaldmann
added a commit
to ThomasWaldmann/borg
that referenced
this issue
Sep 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
background
borg createadds a TAM (a cryptographic authentication tag) to each archive since borg 1.0.9.But
borg rename(and alsoborg recreate, which internally also renames) did just keep the previous (now invalid) TAM instead of re-computing a correct one for the target archive.Affected: archives created by borg <= 1.2.4 rename/recreate. Fixed in: borg 1.2.5
broken 1.2.5 upgrade procedure
borg 1.2.5 upgrade procedure stumbles over these "invalid TAM" archives because it either expects no TAM (very old archives of borg < 1.0.9) or a correct TAM. See discussion there: #7787
In that case the upgrade to 1.2.5 must be aborted and borg < 1.2.5 must be used until a fixed version is released.
fix will come with borg 1.2.6, ASAP.
The text was updated successfully, but these errors were encountered: