CVE-2022-25834 (https://www.percona.com/doc/percona-xtrabackup/2.4/index.html): https://docs.percona.com/percona-xtrabackup/8.0/release-notes/8.0/8.0.32-26.0.html#improvements

In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands.

Based on https://docs.percona.com/percona-xtrabackup/2.4/release-notes/2.4/2.4.28.html, it seems like 2.2.24 should be 2.4.24. Please clean up.
percona-xtrabackup 2.4.24 is still in the tree (and the summary was incorrectly referring to this version as fixed). Please either add 2.4.28 or remove the vulnerable version.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe82ebe78dd6c3fd85932228c3f093d0d6e17350

commit fe82ebe78dd6c3fd85932228c3f093d0d6e17350
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-11-02 14:47:25 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-02 14:48:14 +0000

    dev-db/percona-xtrabackup: drop 2.4.24

    Bug: https://bugs.gentoo.org/908033
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-db/percona-xtrabackup/Manifest            |  2 -
 .../percona-xtrabackup-2.4.24.ebuild          | 67 ----------------------
 2 files changed, 69 deletions(-)