CVE-2022-26944: Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997. Fixed in 2.4.25, but there seems to be newer versions in tree for the non-bin?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=398e7bf822fb1f93466348bfc5d123f92de610e9 commit 398e7bf822fb1f93466348bfc5d123f92de610e9 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-11-24 16:16:28 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-24 16:18:56 +0000 profiles: last rite dev-db/percona-xtrabackup-bin Bug: https://bugs.gentoo.org/849389 Bug: https://bugs.gentoo.org/864367 Bug: https://bugs.gentoo.org/882783 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 6 ++++++ 1 file changed, 6 insertions(+)
Looks like this was also affected in 8.x and fixed in 8.0.28-20, PXB-2722. https://github.com/percona/percona-xtrabackup/blob/trunk/storage/innobase/xtrabackup/doc/docs/release-notes/8.0/8.0.28-20.0.md#bugs-fixed With the commit: https://github.com/percona/percona-xtrabackup/commit/c0848e8b3ac5b380f8fa96bb3e7982077578745e
