Hi,

On Mon, Jun 23, 2025 at 10:30:41AM +0100, Richard Lewis wrote:
> On Wed, 30 Aug 2023 21:22:07 +0200 Salvatore Bonaccorso
> <[email protected]> wrote:
>
> > borgbackup/1.2.5-1 contained a fix for CVE-2023-36811. But
> > additionally to the package upgrades, users need to follow the upgrade
> > procedure as documented.
> >
> > After an update of the package one is not really aware of it, so I
> > suggest a NEWS.Debian entry at least referring to the needed
> > documentation.
> >
> > Would it be a good idea to document this as well in the release notes
> > for trixie, for users updating from bookworm to trixie? (Cloning this
> > bug report accordingly to the release-notes.)
>
> Can you maybe suggest some text -- a user would want to know:
> what do I have to do (maybe link to where "the upgrade procedure" is
> documented)
> when do I have to do it (before I next use borgbackup? before
> restoring? if I forget to do it, what happens - do I need to delete all my
> old backups? are they silently broken?)
> why do I have to do it (because of security issues in an older version
> of borgbackup? are old backups stored elsewhere still "vulnerable"?)
Oh, some years have passed :)

I think the easiest thing would be to point out that the fixes for CVE-2023-36811 will require manual actions, and point to the official description in:

https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811

Regards,
Salvatore

