Below is a simple diff for bringing sysutils/borgbackup/1.2 to 1.2.5, which
fixes a flaw in the cryptographic authentication scheme in Borg allowing
an attacker to fake archives and potentially indirectly cause backup
data loss in the repository (CVE-2023-36811). Please note that this diff
also contains changes to devel/quirks.

https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811
describes steps that must be taken to check/upgrade a repository.

Overview on changes:
https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#version-125-2023-08-30

Passes all tests on amd64. Run-tested on amd64.

I think it makes sense to update current as well.

OK to commit to -current and -stable?


diff --git devel/quirks/Makefile devel/quirks/Makefile
index a5075fcc435..815dcced1ab 100644
--- devel/quirks/Makefile
+++ devel/quirks/Makefile
@@ -3,7 +3,7 @@ CATEGORIES =    devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME =      quirks-6.140
+PKGNAME =      quirks-6.141
 PKG_ARCH =     *
 MAINTAINER =   Marc Espie <es...@openbsd.org>
 
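Review bot: The PKGNAME bump from quirks-6.140 to quirks-6.141 only fits the tree this diff was generated against, yet the mail asks to commit to both -current and -stable. If the quirks revision on the other branch is not 6.140, this hunk will not apply there and the number has to be bumped separately from that branch's current value. Please say which branch the diff is against and send the matching quirks hunk for the other one.
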
diff --git devel/quirks/files/Quirks.pm devel/quirks/files/Quirks.pm
index 96790d33884..e0677ecdb4d 100644
--- devel/quirks/files/Quirks.pm
+++ devel/quirks/files/Quirks.pm
@@ -2101,6 +2101,7 @@ my $cve = {
        'security/sudo' => 'sudo-<1.8.31',
        'shells/bash' => 'bash-<4.3.27',
        'sysutils/ansible,-main' => 'ansible-<2.7.1',
+       'sysutils/borgbackup/1.2' => 'borgbackup-<1.2.5',
        'sysutils/mcollective' => 'mcollective-<2.5.3',
        'sysutils/rclone' => 'rclone-<1.53.3',
        'sysutils/salt' => 'salt-<3002',
diff --git sysutils/borgbackup/1.2/Makefile sysutils/borgbackup/1.2/Makefile
index 257193414ef..8935ff064d9 100644
--- sysutils/borgbackup/1.2/Makefile
+++ sysutils/borgbackup/1.2/Makefile
@@ -1,4 +1,4 @@
-MODPY_EGG_VERSION =    1.2.4
+MODPY_EGG_VERSION =    1.2.5
 
 WANTLIB =              crypto
 
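Review bot: Bumping MODPY_EGG_VERSION to 1.2.5 is the only change to the port itself, but the mail states that the upstream changes.rst section describes steps that must be taken to check/upgrade a repository. Nothing in this diff carries that to users who simply run pkg_add -u. Consider adding a pkg/MESSAGE (or an upgrade note) that points to the CVE-2023-36811 section linked in the mail, so the manual repository steps are not missed after the package update.
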
diff --git sysutils/borgbackup/1.2/distinfo sysutils/borgbackup/1.2/distinfo
index 63d310e016d..6d38753a245 100644
--- sysutils/borgbackup/1.2/distinfo
+++ sysutils/borgbackup/1.2/distinfo
@@ -1,2 +1,2 @@
-SHA256 (borgbackup-1.2.4.tar.gz) = pL1U6UaegbejCmcRQjEVq8gY2c2ETsscoOYQS8U3Tag=
-SIZE (borgbackup-1.2.4.tar.gz) = 4056513
+SHA256 (borgbackup-1.2.5.tar.gz) = clgHeUWbpy6n59LiouvU83fEAyNt0OoUhgYDbktjGHY=
+SIZE (borgbackup-1.2.5.tar.gz) = 4074588
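
Review bot: The new SHA256 and SIZE for borgbackup-1.2.5.tar.gz cannot be cross-checked from the diff alone, and the mail does not say how the tarball was obtained. Since this is a security update, please confirm in the submission that the distfile was compared against the upstream release before the distinfo was regenerated.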
