From the 1.1.3 ChangeLog, Security Fix for CVE-2017-15914:

Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers. A user able to access a remote Borg SSH server is able to circumvent access controls post-authentication.

Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases 1.0.x are NOT affected.

The fixed version is already in the tree but will need an amd64 stabilization.

Okay, I just stabilized 1.1.3 and removed all vulnerable versions.

(In reply to Anthony Basile from comment #1)
> Okay, I just stabilized 1.1.3 and removed all vulnerable versions.

Sorry for the delay, Anthony. Downgrading to B3. Ambiguous "access control" details from upstream and no PoC for ACE/RCE. Tree is clean.