1.2.5 upgrade procedure might crash #7791
Comments
ThomasWaldmann changed the title from "borg rename / borg recreate do not re-compute a correct archive TAM" to "1.2.5 upgrade procedure might crash" on Aug 30, 2023
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue on Aug 30, 2023
Fixed by #7792.
bob-beck pushed a commit to openbsd/ports that referenced this issue on Sep 1, 2023
Basically it is the same as the 1.2.5 release, but fixes a possibly crashing upgrade (borgbackup/borg#7791). Upgrade procedure is detailed at https://github.com/borgbackup/borg/blob/1.2.6/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue on Sep 8, 2023
background
borg create adds a TAM (a cryptographic authentication tag) to each archive since borg 1.0.9. But borg rename (and also borg recreate, which internally also renames) did just keep the previous (now invalid) TAM instead of re-computing a correct one for the target archive.
Affected: archives created by borg <= 1.2.4 rename/recreate. Fixed in: borg 1.2.5
broken 1.2.5 upgrade procedure
borg 1.2.5 upgrade procedure stumbles over these "invalid TAM" archives because it either expects no TAM (very old archives of borg < 1.0.9) or a correct TAM. See discussion there: #7787
In that case the upgrade to 1.2.5 must be aborted and borg < 1.2.5 must be used until a fixed version is released.
Fix will come with borg 1.2.6, ASAP.
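A simplified model of the three TAM states this issue describes (missing, valid, invalid), added here as an example; it is not borg's code. The key, the JSON serialization and all function names are assumptions for illustration, and the model assumes the tag covers the archive metadata including its name.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed value; borg derives its own key


def compute_tam(meta: dict) -> str:
    """Tag over the serialized archive metadata (assumed layout, not borg's)."""
    data = json.dumps(meta, sort_keys=True).encode()
    return hmac.new(KEY, data, hashlib.sha512).hexdigest()


def create(name: str, with_tam: bool = True) -> dict:
    meta = {"name": name, "items": ["chunk-1", "chunk-2"]}
    return {"meta": meta, "tam": compute_tam(meta) if with_tam else None}


def rename_buggy(archive: dict, new_name: str) -> dict:
    # Behaviour described in the issue: metadata changes, old TAM is kept.
    return {"meta": {**archive["meta"], "name": new_name}, "tam": archive["tam"]}


def rename_fixed(archive: dict, new_name: str) -> dict:
    # Re-compute the tag for the target archive's metadata.
    meta = {**archive["meta"], "name": new_name}
    return {"meta": meta, "tam": compute_tam(meta)}


def classify(archive: dict) -> str:
    """Return 'missing', 'valid' or 'invalid' for the archive's TAM."""
    if archive["tam"] is None:
        return "missing"
    ok = hmac.compare_digest(archive["tam"], compute_tam(archive["meta"]))
    return "valid" if ok else "invalid"


def upgrade_two_state(archives: list) -> list:
    """Model of an upgrade step that only expects 'missing' or 'valid' TAMs."""
    for a in archives:
        if classify(a) == "invalid":
            raise ValueError(f"unexpected invalid TAM on {a['meta']['name']}")
    return [a["meta"]["name"] for a in archives]


def audit(archives: list) -> dict:
    """Three-state report to review before running an upgrade."""
    return {a["meta"]["name"]: classify(a) for a in archives}
```

Running `audit` over a repository model before the upgrade shows which archives fall into the third state that a two-state procedure does not handle.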