CVE-2009-3369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3369): CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.
Hi, we have the ancient version 2.1.2-r1, can you quickly advise if this bug is relevant for us, too?
In ebuild for version 3.1.0 discussed in Bug#: 287133, this vulnerability seems have been fixed. Unfortunately this ebuild has not yet made into the tree after almost a year of discussion.
Yeah, 3.2.0 has been released in the meantime as well.
There are some patches, and maybe there is a more recent upstream release that fixes it. Maintainers, your move. This bug is now overdue. Maybe we should mask the package?
3.2.1 in tree, feel free to proceed as needed.
Thanks, Patrick. Arches, please test and mark stable: =app-backup/backuppc-3.2.1 Target keywords : "amd64"
only warning about -c/--chuid but amd64 ok.
amd64: ditto Ago
version 3.2.1-r2 is present in the tree
amd64 ok
+ 01 Sep 2011; Tony Vroon <chainsaw@gentoo.org> backuppc-3.2.1-r2.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo, Ian + "idella4" Delaney & Tomáš "Mepho" Pružina in security bug #308013 filed by + Stefan "craig" Behte.
Thanks, folks. GLSA vote: yes.
Looks like 3.2.1 also fixed a XSS vulnerability. Upstream diff at http://backuppc.cvs.sourceforge.net/viewvc/backuppc/BackupPC/lib/BackupPC/CGI/Browse.pm?r1=1.23&r2=1.24.
Re-rated C4 due to the specific requirements, closing [noglsa].
CVE-2011-3361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3361): Cross-site scripting (XSS) vulnerability in CGI/Browse.pm in BackupPC 3.2.0 and possibly other versions before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a browse action to index.cgi.
