BorgBackup (short: Borg) is a deduplicating backup program. Optionally,
it supports compression and authenticated encryption.
The data deduplication technique used makes Borg suitable
for daily backups since only changes are stored. The authenticated
2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862) |
Log message:
py-*: remove unused tool dependency
py-setuptools includes the py-wheel functionality nowadays
2024-10-28 10:59:34 by Havard Eidnes | Files touched by this commit (4) |
Log message:
sysutils/py-borgbackup: make this accept a newer py-msgpack.
This is in contravention to the upstream policy which insists that
because the maintainers of py-msgpack in the distant past made a
non-compatible change (apparently in a version before 0.5.6 of
py-msgpack, many, many years ago), they now insist that you *cannot*
use a newer version of py-msgpack than what the code insists on,
ref.
https://github.com/borgbackup/borg/issues/3753
This collides (hard) with the pkgsrc default stance which is to
"upgrade everything to the newest available version", and makes
this package break each time a new version of py-msgpack is integrated
in pkgsrc.
For now just patch this to accept py-msgpack versions between
0.5.6 and 1.1.0 and not just between 0.5.6 and 1.0.8.
At least testing by doing a backup run makes that backup run
complete successfully with py-msgpack 1.1.0 installed, instead
of a sour error message that a non-supported version of msgpack
is installed.
2024-10-07 22:42:01 by Thomas Klausner | Files touched by this commit (1) |
Log message:
py-borgbackup: add comment how to run the self tests once 2.x is released
2024-04-26 19:24:33 by Adam Ciarcinski | Files touched by this commit (2) |
Log message:
py-borgbackup: updated to 1.2.8
Version 1.2.8 (2024-03-29)
For upgrade and compatibility hints, please also read the section "Upgrade Notes" above.
Fixes:
- check: fix return code and log level for index entry value discrepancies
- with-lock: catch FileNotFoundError exception, print error msg
- benchmark: inherit options --rsh --remote-path
- fix Ctrl-C / SIGINT behaviour for pyinstaller-made binaries
New features:
- upgrade --check-tam: check manifest TAM auth,
exit with rc=1 if there are issues.
- upgrade --check-archives-tam: check archives TAM auth,
exit with rc=1 if there are issues.
Other changes:
- allow msgpack 1.0.8 (this might fix memory leaks with Python 3.12)
- use the latest Cython 0.29.x
- vagrant:
- use / build binaries with python 3.9.19
- use generic/openbsd7 box
- docs:
- simplify TAM-related upgrade docs using the new commands
- improve docs for borg with-lock
- add more infos borg check --repair recreating the shadow index
to change log
2024-02-16 21:37:05 by Adam Ciarcinski | Files touched by this commit (4) |
Log message:
py-borgbackup: updated to 1.2.7
Version 1.2.7 (2023-12-02)
--------------------------
For upgrade and compatibility hints, please also read the section "Upgrade Notes" above.
Fixes:
- docs: CVE-2023-36811 upgrade steps: consider checkpoint archives,
- check/compact: fix spurious reappearance of orphan chunks since borg 1.2,
this consists of 2 fixes:
- for existing chunks: check --repair: recreate shadow index,
- for newly created chunks: update shadow index when doing a double-put,
- LockRoster.modify: no KeyError if element was already gone,
- create --X-from-command: run subcommands with a clean environment,
- list --sort-by: support "archive" as alias of "name",
- fix rc and msg if arg parsing throws an exception,
Other changes:
- support and test on Python 3.12
- include unistd.h in _chunker.c (fix for Python 3.13)
- allow msgpack 1.0.6 and 1.0.7
- TAM issues: show tracebacks, improve borg check logging,
- replace "datetime.utcfromtimestamp" with custom helper to avoid
deprecation warnings when using Python 3.12
- vagrant:
- use generic/debian9 box, fixes
- add VM with debian bookworm / test on OpenSSL 3.0.x.
- docs:
- not only attack/unsafe, can also be a fs issue,
- point to CVE-2023-36811 upgrade steps from borg 1.1 to 1.2 upgrade steps,
- upgrade steps needed for all kinds of repos (including "none" encryption mode),
- upgrade steps: talk about consequences of borg check,
- upgrade steps: remove period that could be interpreted as part of the command
- automated-local.rst: use GPT UUID for consistent udev rule
- create disk/partition sector backup by disk serial number,
- update macOS hint about full disk access
- clarify borg prune -a option description,
- readthedocs: also build offline docs (HTMLzip),
- frontends: add "check.rebuild_refcounts" message
2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298) |
Log message:
*: bump for openssl 3
2023-09-29 10:10:33 by Thomas Klausner | Files touched by this commit (3) |
Log message:
py-borgbackup: accept newer py-msgpack versions
Bump PKGREVISION.
2023-09-06 09:21:21 by Thomas Klausner | Files touched by this commit (2) |
Log message:
py-borgbackup: update to 1.2.6.
Pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811)
----------------------------------------------------------
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to
fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
1. insert files (with no additional headers) into backups
2. gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it
affect the authenticity of existing archives.
Creating plausible fake archives may be feasible for empty or small archives,
but is unlikely for large archives.
The fix enforces checking the TAM authentication tag of archives at critical
places. Borg now considers archives without TAM as garbage or an attack.
We are not aware of others having discovered, disclosed or exploited this vulnerability.
Below, if we speak of borg 1.2.5, we mean a borg version >= 1.2.5 **or** a
borg version that has the relevant security patches for this vulnerability applied
(could be also an older version in that case).
Steps you must take to upgrade a repository:
1. Upgrade all clients using this repository to borg 1.2.6.
Note: it is not required to upgrade a server, except if the server-side borg
is also used as a client (and not just for "borg serve").
Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps.
2. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg info --debug <repo> 2>&1 | grep TAM | grep -i manifest``.
a) If you get "TAM-verified manifest", continue with 3.
b) If you get "Manifest TAM not found and not required", run
``borg upgrade --tam --force <repository>`` *on every client*.
3. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg list --format='{name} {time} tam:{tam}{NL}' <repo>``.
"tam:verified" means that the archive has a valid TAM authentication.
"tam:none" is expected as output for archives created by borg <1.0.9.
"tam:none" is also expected for archives resulting from a borg rename
or borg recreate operation (see #7791).
"tam:none" could also come from archives created by an attacker.
You should verify that "tam:none" archives are authentic and not malicious
(== have good content, have correct timestamp, can be extracted successfully).
In case you find crappy/malicious archives, you must delete them before proceeding.
In low-risk, trusted environments, you may decide on your own risk to skip step 3
and just trust in everything being OK.
4. If there are no tam:none archives left at this point, you can skip this step.
Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg upgrade --archives-tam <repo>``.
This will unconditionally add a correct archive TAM to all archives not having one.
``borg check`` would consider TAM-less or invalid-TAM archives as garbage or a potential attack.
To see that all archives now are "tam:verified" run: ``borg list --format='{name} {time} tam:{tam}{NL}' <repo>``
5. Please note that you should never use BORG_WORKAROUNDS=ignore_invalid_archive_tam
for normal production operations - it is only needed once to get the archives in a
repository into a good state. All archives have a valid TAM now.
Vulnerability time line:
* 2023-06-13: Vulnerability discovered during code review by Thomas Waldmann
* 2023-06-13...: Work on fixing the issue, upgrade procedure, docs.
* 2023-06-30: CVE was assigned via Github CNA
* 2023-06-30 .. 2023-08-29: Fixed issue, code review, docs, testing.
* 2023-08-30: Released fixed version 1.2.5 (broken upgrade procedure for some repos)
* 2023-08-31: Released fixed version 1.2.6 (fixes upgrade procedure)
Version 1.2.6 (2023-08-31)
--------------------------
For upgrade and compatibility hints, please also read the section "Upgrade Notes" above.
Fixes:
- The upgrade procedure docs as published with borg 1.2.5 did not work, if the
repository had archives resulting from a borg rename or borg recreate operation.
The updated docs now use BORG_WORKAROUNDS=ignore_invalid_archive_tam at some
places to avoid that issue, #7791.
See: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811),
details and necessary upgrade procedure described above.
Other changes:
- updated 1.2.5 changelog entry: 1.2.5 already has the fix for rename/recreate.
- remove cython restrictions. recommended is to build with cython 0.29.latest,
because borg 1.2.x uses this since years and it is very stable.
you can also try to build with cython 3.0.x, there is a good chance that it works.
as a 3rd option, we also bundle the `*.c` files cython outputs in the release
pypi package, so you can also just use these and not need cython at all.
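The manifest and archive TAM checks in steps 2 and 3 of the CVE-2023-36811 upgrade procedure quoted above can be automated with a small POSIX shell helper; this is an added example, not code from the pkgsrc commit or from borg itself. It assumes the output of the two borg commands is piped in on stdin and that archive names contain no spaces (the {time} field does, so tam is taken as the last field).

```shell
# Added example (not from the pkgsrc commit log or from borg itself): helpers that
# classify the output of the step-2 and step-3 commands of the CVE-2023-36811
# upgrade procedure. Both read the command output from stdin, so they can be run
# offline on constructed sample lines; archive names are assumed to have no spaces.

# Step 2: inspect `borg info --debug ... | grep TAM | grep -i manifest` output.
# Prints "ok" (continue with step 3), "needs-upgrade" (run
# `borg upgrade --tam --force <repo>` on every client) or "unknown".
manifest_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'TAM-verified manifest'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'Manifest TAM not found and not required'; then
        echo needs-upgrade
    else
        echo unknown
    fi
}

# Step 3: classify `borg list --format='{name} {time} tam:{tam}{NL}'` output.
# {time} contains spaces, so the tam value is the last field and the name the
# first. Returns 0 if every archive is tam:verified, 1 if any is tam:none (check
# those by hand before step 4), 2 if an unexpected tam value appears.
archive_tam_report() {
    verified=0; none=0; other=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        tam=${line##* }            # last field, e.g. tam:verified
        rest=${line% *}            # "<name> <time>"
        name=${rest%% *}
        when=${rest#* }
        case $tam in
            tam:verified) verified=$((verified + 1)) ;;
            tam:none)
                none=$((none + 1))
                echo "REVIEW $name ($when): no TAM; confirm content/timestamp, delete if bogus" ;;
            *)
                other=$((other + 1))
                echo "UNEXPECTED $name ($when): $tam" ;;
        esac
    done
    echo "summary verified=$verified none=$none other=$other"
    [ "$other" -eq 0 ] || return 2
    [ "$none" -eq 0 ] || return 1
    return 0
}
```

Pipe the step-2 command into manifest_status and the step-3 command into archive_tam_report; a non-zero return from the latter means tam:none or unexpected archives need attention before step 4.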