From upstream changelog: https://borgbackup.readthedocs.io/en/stable/changes.html#version-1-0-7-2016-08-19

"borg serve: fix security issue with remote repository access, #1428

If you used e.g. --restrict-to-path /path/client1/ (with or without trailing slash does not make a difference), it acted like a path prefix match using /path/client1 (note the missing trailing slash) - the code then also allowed working in e.g. /path/client13 or /path/client1000.

As this could accidentally lead to major security/privacy issues depending on the paths you use, the behaviour was changed to be a strict directory match. That means --restrict-to-path /path/client1 (with or without trailing slash does not make a difference) now uses /path/client1/ internally (note the trailing slash here!) for matching and allows precisely that path AND any path below it. So, /path/client1 is allowed, /path/client1/repo1 is allowed, but not /path/client13 or /path/client1000.

If you willingly used the undocumented (dangerous) previous behaviour, you may need to rearrange your --restrict-to-path paths now. We are sorry if that causes work for you, but we did not want a potentially dangerous behaviour in the software (not even using a for-backwards-compat option)."

Please update to 1.0.7.
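The two matching rules the changelog contrasts, written out as an added Python example (this is not borg's own code; the real check in borg serve also resolves symlinks and accepts several --restrict-to-path values, while this simplified version only normalizes the path with os.path.normpath):

```python
import os

# Constructed example, not code from borg. It models the pre-1.0.7 prefix
# match and the 1.0.7 strict directory match for --restrict-to-path.


def _normalize(path: str) -> str:
    """Collapse '..' segments and drop a trailing slash, so that
    '/path/client1' and '/path/client1/' are treated the same."""
    return os.path.normpath(path)


def prefix_match_allowed(restrict_to: str, requested: str) -> bool:
    """Pre-1.0.7 behaviour: a plain string-prefix check on the normalized
    restriction. With --restrict-to-path /path/client1 this also accepts
    /path/client13 and /path/client1000, which is the bug from #1428."""
    return _normalize(requested).startswith(_normalize(restrict_to))


def directory_match_allowed(restrict_to: str, requested: str) -> bool:
    """1.0.7 behaviour: compare with a trailing separator on both sides,
    so only the restricted directory itself and paths below it match."""
    base = os.path.join(_normalize(restrict_to), "")   # e.g. "/path/client1/"
    req = os.path.join(_normalize(requested), "")      # e.g. "/path/client13/"
    return req.startswith(base)


def compare(restrict_to: str, candidates: list) -> dict:
    """Return {candidate: (old_result, new_result)} for a set of requests,
    handy for seeing which paths the fix closes off."""
    return {
        c: (prefix_match_allowed(restrict_to, c), directory_match_allowed(restrict_to, c))
        for c in candidates
    }


if __name__ == "__main__":
    # Sample paths taken from the changelog entry above.
    for path, (old, new) in compare(
        "/path/client1/",
        ["/path/client1", "/path/client1/repo1", "/path/client13", "/path/client1000"],
    ).items():
        print(f"{path:22} old={old!s:5} new={new}")
```

Because the requested path is normalized before the comparison, a request such as /path/client1/../client13 is also rejected by the strict variant; borg additionally resolves symlinks (os.path.realpath) on the restriction, which this example leaves out to stay filesystem-independent.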
(In reply to Hanno Boeck from comment #0)
> Please update to 1.0.7.

Thanks Hanno. I've put 1.0.7 on the tree and removed the older vulnerable versions.
Fixed version is in repository, repository is clean. Package wasn't stable at this time. All done.