Safety vulnerability ID: 64379
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Borgbackup is affected by an archive spoofing vulnerability (CVE-2023-36811). A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and, indirectly, cause loss of backup data in the repository.
https://github.com/borgbackup/borg/blob/1.2.6/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
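The security-relevant point is fail-closed verification: an authentication tag that is only checked when present is a forgery path, because an attacker who can write to the repository simply writes an untagged archive. The block below is an added illustrative model, not Borg's own TAM code or format; the JSON canonicalization, the HMAC key and the sample archives are constructed for the demo. It contrasts a "legacy" verifier that tolerates a missing tag with a strict one that rejects it, which is the behavioural change the 1.2.5 fix describes.

```python
import hashlib
import hmac
import json

# Constructed demo key. Borg derives its real TAM key from the repository key;
# this value exists only so the example runs offline.
DEMO_KEY = b"demo-tam-key-not-a-real-borg-key"


def _canonical(metadata: dict) -> bytes:
    """Serialize everything except the tag itself, deterministically."""
    body = {k: v for k, v in metadata.items() if k != "tam"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, metadata: dict) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical metadata."""
    tag = hmac.new(key, _canonical(metadata), hashlib.sha256).hexdigest()
    return {**metadata, "tam": tag}


def tag_is_valid(key: bytes, archive: dict) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, _canonical(archive), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, archive["tam"])


def verify_legacy(key: bytes, archive: dict) -> bool:
    """Pre-fix behaviour: an archive without a tag is tolerated.

    This is the forgery path: an attacker with write access never needs the
    key, they just omit the tag.
    """
    if "tam" not in archive:
        return True
    return tag_is_valid(key, archive)


def verify_strict(key: bytes, archive: dict) -> bool:
    """Post-fix behaviour: a missing tag is treated as garbage or an attack."""
    if "tam" not in archive:
        return False
    return tag_is_valid(key, archive)


def demo() -> dict:
    """Run the three cases a practitioner cares about (constructed archives)."""
    genuine = seal(DEMO_KEY, {"name": "host-2023-08-30", "items": ["data/chunk-01"]})
    forged = {"name": "host-2023-08-30", "items": []}   # attacker-written, no tag
    tampered = {**genuine, "items": ["data/evil"]}      # tag no longer matches
    return {
        "genuine_legacy": verify_legacy(DEMO_KEY, genuine),
        "genuine_strict": verify_strict(DEMO_KEY, genuine),
        "forged_legacy": verify_legacy(DEMO_KEY, forged),
        "forged_strict": verify_strict(DEMO_KEY, forged),
        "tampered_legacy": verify_legacy(DEMO_KEY, tampered),
        "tampered_strict": verify_strict(DEMO_KEY, tampered),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16} {'accepted' if ok else 'rejected'}")
```

Note that the tampered case is caught by both verifiers: the weakness was never the HMAC itself, only the decision to accept an archive that carried no HMAC at all. Any verifier that treats "no tag" as "legacy, skip the check" has the same class of bug.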
Latest version: 1.4.0
Deduplicated, encrypted, authenticated and compressed backups
**Warning:** if you ever used `borg recreate` or `borg rename` in a repo, the upgrade instructions will not work: borg will crash because it cannot verify the TAM of some archive(s). In that case, please revert to borg 1.2.4 until a fix is released. Details: https://github.com/borgbackup/borg/discussions/7787
This release includes a security fix plus related upgrade instructions at the top of the change log:
https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
Long changelog:
https://github.com/borgbackup/borg/blob/1.2.5/docs/changes.rst#version-125-2023-08-30
Short borg 1.2 overview (from a borg 1.1 perspective):
https://www.borgbackup.org/releases/borg-1.2.html
Installation
If you use pip to install this, use: `pip install pkgconfig ; pip install "borgbackup==1.2.5"`
For other installation methods and more details, please see: https://borgbackup.org/