- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202405-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High Title: borgmatic: Shell Injection Date: May 05, 2024 Bugs: #924892 ID: 202405-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in borgmatic, which can lead to shell injection. Background ========== borgmatic is simple, configuration-driven backup software for servers and workstations. Affected packages ================= Package Vulnerable Unaffected -------------------- ------------ ------------ app-backup/borgmatic < 1.8.8 >= 1.8.8 Description =========== Prevent shell injection attacks within the PostgreSQL hook, the MongoDB hook, the SQLite hook, the "borgmatic borg" action, and command hook variable/constant interpolation. Impact ====== Shell injection may be used in several borgmatic backends to execute arbitrary code. Workaround ========== There is no known workaround at this time. Resolution ========== All borgmatic users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8" References ========== Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202405-13 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5
signature.asc
Description: OpenPGP digital signature