
Bug#1050881: borgbackup: Mention required documentation for upgrading repositories for fixes for CVE-2023-36811



On Wed, 30 Aug 2023 21:22:07 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:

> borgbackup/1.2.5-1 contained a fix for CVE-2023-36811. But
> additionally to the package upgrades, users need to follow the upgrade
> procedure as documented.
>
> After an update of the package one is not really aware of it, so I
> suggest a NEWS.Debian entry at least referring to the needed
> documentation.
>
> Would it be a good idea to document this as well in the release notes
> for trixie, for users updating from bookworm to trixie? (Cloning this
> bugreport accordingly to the release-notes).

Can you maybe suggest some text -- a user would want to know:
- what do I have to do (maybe link to where "the upgrade procedure" is documented)
- when do I have to do it (before I next use borgbackup? before
  restoring? if I forget to do it what happens - do I need to delete all my
  old backups? are they silently broken?)
- why do I have to do it (because of security issues in an older version
  of borgbackup? are old backups stored elsewhere still "vulnerable"?)

