CVE-2022-25834 (https://www.percona.com/doc/percona-xtrabackup/2.4/index.html): https://docs.percona.com/percona-xtrabackup/8.0/release-notes/8.0/8.0.32-26.0.html#improvements In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands. Based on https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.28.html, it seems like 2.2.24 should be 2.4.24. Please clean up.
percona-xtrabackup 2.4.24 is still in the tree (and the summary was incorrectly referring to this version as fixed). Please either add 2.4.28 or remove the vulnerable version.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe82ebe78dd6c3fd85932228c3f093d0d6e17350

commit fe82ebe78dd6c3fd85932228c3f093d0d6e17350
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-11-02 14:47:25 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-02 14:48:14 +0000

dev-db/percona-xtrabackup: drop 2.4.24

Bug: https://bugs.gentoo.org/908033
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

dev-db/percona-xtrabackup/Manifest | 2 -
.../percona-xtrabackup-2.4.24.ebuild | 67 ----------------------
2 files changed, 69 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=2b5bbd4f1445dc34005f336c882dfa513aef8a89

commit 2b5bbd4f1445dc34005f336c882dfa513aef8a89
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-09 06:59:52 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-09 07:00:07 +0000

[ GLSA 202408-15 ] Percona XtraBackup: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/849389
Bug: https://bugs.gentoo.org/908033
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202408-15.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)