Description
A security issue has been reported in Bacula, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error within the implementation of console ACLs, which can be exploited to gain access to certain restricted functionality and e.g. dump resources.

The security issue is reported in versions prior to 5.2.11.

Solution
Update to version 5.2.11.
(In reply to comment #0)
> Description
> A security issue has been reported in Bacula, which can be exploited by
> malicious users to bypass certain security restrictions.
>
> The security issue is caused due to an error within the implementation of
> console ACLs, which can be exploited to gain access to certain restricted
> functionality and e.g. dump resources.
>
> The security issue is reported in versions prior to 5.2.11.
>
>
> Solution
> Update to version 5.2.11.

Version 5.2.11 got withdrawn by upstream (see bug #435018) and replaced by 5.2.12.
Just wait a few days as per the maintainer's request on IRC.
(In reply to comment #2)
> Just wait few days as per maintainer request on irc.

bacula-5.2.12 should be ready to go. So arches please stabilize.
ppc stable
amd64 stable
I have moved HPPA to unstable because of bug #409229 and this bug.
sparc/x86 stable
cleanup done, please vote
Thanks, everyone. GLSA Vote: yes.
CVE-2012-4430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4430): The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does not properly enforce ACL rules, which allows remote authenticated users to obtain resource dump information via unspecified vectors.
Yes. GLSA request created.
This issue was resolved and addressed in GLSA 201405-11 at http://security.gentoo.org/glsa/glsa-201405-11.xml by GLSA coordinator Sean Amoss (ackle).
Guys, 5.0.3-r3 is not affected, see ChangeLog. Can you please edit the GLSA and exclude it from the affected ranges?
5.0.3-r3 is no longer in the tree. GLSA was never modified but that is no longer an issue.