The security team maintains the stance outlined in the previous review.
As mentioned in the security review, the package is lacking many modern
quality expectations. To summarize some of them:
- CRAM-MD5 authentication. This type of authentication was recommended to be
retired in 2008, and in general, MD5 is now widely considered to be a weak
cryptographic hashing algorithm with many security issues. It is still unclear
whether it is being used by bacula during authentication.
- Cryptographic hashing algorithms. It appears that most of the cryptographic
functions only support MD5 and SHA1 hashing algorithms, both of which are
considered to be weak and contain security flaws.
- Disallowing specific characters during code execution commands instead of
whitelisting only allowed characters, which can lead to arbitrary code
execution.
- NULL checks after using the variable.
- Self-inducing SEGFAULT.
- Many copy-paste and quality control issues.
- No QA/CI pipelines.
- No usage of merge requests.
- Project not receiving much support due to the low number of maintainers.
- Many issues that have been open for years on the GitLab platform without
closure.
and more...
While it is clear that the project is a very comprehensive backup
solution, and can provide value to the community, from a security
perspective the combination of these shortcomings prevents the security
team from ultimately giving a positive result on the review.
If the package were to be used without promotion, it is recommended that
an Ubuntu Pro subscription is included on the running servers to benefit
from the security maintenance.
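Two of the points listed above, the blacklist-versus-whitelist filtering of command arguments and the NULL check placed after the variable has already been used, are easier to see side by side in code. The following is an added illustration written for this page; it is not code from the review or from bacula, and the function names, the permitted character set and the sample inputs are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: none of these functions exist in bacula. */

/* Blacklist filter: rejects only the characters its author thought of.
 * Every other shell metacharacter (backtick, '$', newline, ...) passes
 * through, which is why this style is insufficient for a value that
 * ends up in a command line. */
bool arg_ok_blacklist(const char *s)
{
    static const char forbidden[] = ";|&";
    if (s == NULL)
        return false;
    for (; *s != '\0'; s++) {
        if (strchr(forbidden, *s) != NULL)
            return false;
    }
    return true;
}

/* Whitelist filter: accepts only characters known to be harmless for a
 * job or file name in this hypothetical context; everything else,
 * including characters nobody anticipated, is rejected. */
bool arg_ok_whitelist(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/'))
            return false;
    }
    return true;
}

/* NULL check placed after the use: strlen() has already dereferenced
 * the pointer, so the check can never protect anything and a NULL
 * argument segfaults before it is reached. */
size_t name_len_checked_late(const char *name)
{
    size_t n = strlen(name);
    if (name == NULL)
        return 0;
    return n;
}

/* The same function with the check where it belongs. */
size_t name_len_checked_first(const char *name)
{
    if (name == NULL)
        return 0;
    return strlen(name);
}

int main(void)
{
    /* Constructed sample inputs for the two filters. */
    const char *samples[] = { "job-1.txt", "job1; id", "`date`", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s blacklist=%d whitelist=%d\n", samples[i],
               (int)arg_ok_blacklist(samples[i]),
               (int)arg_ok_whitelist(samples[i]));
    }
    printf("len(NULL) with early check = %zu\n",
           name_len_checked_first(NULL));
    return 0;
}
```

The blacklist accepts the backtick and empty-string samples that the whitelist rejects; the gap between the two is exactly the set of characters the blacklist's author did not enumerate. For the NULL check, the late-checked variant is kept only to show the pattern and is never called with NULL here.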
** Changed in: bacula (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2112455
Title:
[MIR] bacula