Below is a simple diff for bringing sysutils/borgbackup/1.2 to 1.2.5, which
fixes a flaw in the cryptographic authentication scheme in Borg allowing
an attacker to fake archives and potentially indirectly cause backup
data loss in the repository (CVE-2023-36811). Please note that this diff
also contains changes to devel/quirks.
https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
describes steps that must be taken to check/upgrade a repository.
Overview on changes:
https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#version-125-2023-08-30
Passes all tests on amd64. Run tested on amd64
I think it makes sense to update current as well.
OK to commit to -current and -stable?
diff --git devel/quirks/Makefile devel/quirks/Makefile
index a5075fcc435..815dcced1ab 100644
--- devel/quirks/Makefile
+++ devel/quirks/Makefile
@@ -3,7 +3,7 @@ CATEGORIES = devel databases
DISTFILES =
# API.rev
-PKGNAME = quirks-6.140
+PKGNAME = quirks-6.141
PKG_ARCH = *
MAINTAINER = Marc Espie <espie@openbsd.org>
diff --git devel/quirks/files/Quirks.pm devel/quirks/files/Quirks.pm
index 96790d33884..e0677ecdb4d 100644
--- devel/quirks/files/Quirks.pm
+++ devel/quirks/files/Quirks.pm
@@ -2101,6 +2101,7 @@ my $cve = {
'security/sudo' => 'sudo-<1.8.31',
'shells/bash' => 'bash-<4.3.27',
'sysutils/ansible,-main' => 'ansible-<2.7.1',
+ 'sysutils/borgbackup/1.2' => 'borgbackup-<1.2.5',
'sysutils/mcollective' => 'mcollective-<2.5.3',
'sysutils/rclone' => 'rclone-<1.53.3',
'sysutils/salt' => 'salt-<3002',
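Review bot: Nothing visible in this diff tells users that updating the package does not by itself finish the CVE-2023-36811 remediation, even though the new `'sysutils/borgbackup/1.2' => 'borgbackup-<1.2.5'` entry will presumably push them to update. The description says existing repositories need the check/upgrade steps from upstream's changes.rst. I would ship that pointer with the port, for example in its package message (file not shown on this page), along the lines of `After updating to 1.2.5, follow upstream's "Pre-1.2.5 archives spoofing vulnerability" steps for every existing repository.` The entry is also keyed on the 1.2 pkgpath only, so if other borgbackup branches are packaged and affected they would presumably need their own line; worth confirming. The `$cve` hash starts and ends outside this hunk.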
diff --git sysutils/borgbackup/1.2/Makefile sysutils/borgbackup/1.2/Makefile
index 257193414ef..8935ff064d9 100644
--- sysutils/borgbackup/1.2/Makefile
+++ sysutils/borgbackup/1.2/Makefile
@@ -1,4 +1,4 @@
-MODPY_EGG_VERSION = 1.2.4
+MODPY_EGG_VERSION = 1.2.5
WANTLIB = crypto
diff --git sysutils/borgbackup/1.2/distinfo sysutils/borgbackup/1.2/distinfo
index 63d310e016d..6d38753a245 100644
--- sysutils/borgbackup/1.2/distinfo
+++ sysutils/borgbackup/1.2/distinfo
@@ -1,2 +1,2 @@
-SHA256 (borgbackup-1.2.4.tar.gz) = pL1U6UaegbejCmcRQjEVq8gY2c2ETsscoOYQS8U3Tag=
-SIZE (borgbackup-1.2.4.tar.gz) = 4056513
+SHA256 (borgbackup-1.2.5.tar.gz) = clgHeUWbpy6n59LiouvU83fEAyNt0OoUhgYDbktjGHY=
+SIZE (borgbackup-1.2.5.tar.gz) = 4074588