Bug#1050881: borgbackup: Mention required documentation for upgrading repositories for fixes for CVE-2023-36811
Hi,
On Mon, Jun 23, 2025 at 10:30:41AM +0100, Richard Lewis wrote:
> On Wed, 30 Aug 2023 21:22:07 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
>
> > borgbackup/1.2.5-1 contained a fix for CVE-2023-36811. But
> > additionally to the package upgrades, users need to follow the upgrade
> > procedure as documented.
> >
> > After an update of the package one is not really aware of it, so I
> > suggest a NEWS.Debian entry at least referring to the needed
> > documentation.
> >
> > Would it be a good idea to document this as well in the release notes
> > for trixie, for users updating from bookworm to trixie? (Cloning this
> > bugreport accordingly to the release-notes).
>
> Can you maybe suggest some text -- a user would want to know:
> what do i have to do (maybe link to where is "the upgrade procedure" documented)
> when do i have to do it (before i next use borgbackup? before
> restoring? if i forget to do it what happens - do i need to delete all my
> old backups? are they silently broken)
> why do i have to do it (because of security issues in an older version
> of borgbackup? are old backups stored elsewhere still "vulnerable"?)
Oh some years have passed :)
I think the easiest thing would be to point out that the fixes for
CVE-2023-36811 will require manual actions, and point to the official
description in:
https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811
Regards,
Salvatore