From a19ebe5eccb4281c452b85369b6cbc78287fa0d9 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Wed, 1 Nov 2023 17:18:32 +0100 Subject: [PATCH 1/4] docs: consequences of borg check, fixes #7816 --- docs/changes.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/changes.rst b/docs/changes.rst index ed3817e11..edc23bf0d 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -39,8 +39,10 @@ Steps you must take to upgrade a repository: Note: it is not required to upgrade a server, except if the server-side borg is also used as a client (and not just for "borg serve"). - Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps. + Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps: + - ``borg check`` would complain about archives without a valid archive TAM. + - ``borg check --repair`` would remove such archives! 2. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg info --debug 2>&1 | grep TAM | grep -i manifest``. a) If you get "TAM-verified manifest", continue with 3. From 136e3ed1d66dae6450c787ec665dd9958afec114 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Wed, 1 Nov 2023 17:24:23 +0100 Subject: [PATCH 2/4] docs: upgrade steps needed for all kinds of repos, fixes #7813 Repos with encryption=none of course can not do real authentication (because there is no secret key material to work with). But the code always works the same way and such repos also use (and expect) TAMs, so the instructions should be followed in any case. --- docs/changes.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/changes.rst b/docs/changes.rst index edc23bf0d..86f53f3bb 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -33,7 +33,8 @@ Below, if we speak of borg 1.2.6, we mean a borg version >= 1.2.6 **or** a borg version that has the relevant security patches for this vulnerability applied (could be also an older version in that case). -Steps you must take to upgrade a repository: +Steps you must take to upgrade a repository (this applies to all kinds of repos +no matter what encryption mode they use, including "none"): 1. Upgrade all clients using this repository to borg 1.2.6. Note: it is not required to upgrade a server, except if the server-side borg From da4fcc5a66798da68e2e9db280e4b3629de34c53 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Wed, 1 Nov 2023 17:31:16 +0100 Subject: [PATCH 3/4] docs: point to CVE-2023-36811 upgrade steps from borg 1.1 to 1.2 upgrade steps, fixes #7899 also: use 1.2.6 to refer to the fixed version 1.2.5 had issues and was superseded by 1.2.6 just 1 day later, so we do not need to talk about that. Also, the docs point out that: """ Below, if we speak of borg 1.2.6, we mean a borg version >= 1.2.6 **or** a borg version that has the relevant security patches for this vulnerability applied (could be also an older version in that case). """ So, it now just talks about "1.2.6" at the relevant places. --- docs/changes.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/changes.rst b/docs/changes.rst index 86f53f3bb..530ba2629 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -40,7 +40,7 @@ no matter what encryption mode they use, including "none"): Note: it is not required to upgrade a server, except if the server-side borg is also used as a client (and not just for "borg serve"). - Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps: + Do **not** run ``borg check`` with borg 1.2.6 before completing the upgrade steps: - ``borg check`` would complain about archives without a valid archive TAM. - ``borg check --repair`` would remove such archives! @@ -310,6 +310,8 @@ Some things can be recommended for the upgrade process from borg 1.1.x - if you want to play safer, first **create a backup of your borg repository**. - upgrade to latest borg 1.2.x release (you could use the fat binary from github releases page) +- borg 1.2.6 has a security fix for the pre-1.2.5 archives spoofing vulnerability + (CVE-2023-36811), see details and necessary upgrade procedure described above. - run `borg compact --cleanup-commits` to clean up a ton of 17 bytes long files in your repo caused by a borg 1.1 bug - run `borg check` again (now with borg 1.2.x) and check if there is anything @@ -318,8 +320,6 @@ Some things can be recommended for the upgrade process from borg 1.1.x take significant time, but after that it will be fast) - for more details see below. - check the compatibility notes (see below) and adapt your scripts, if needed. -- borg 1.2.5 has a security fix for the pre-1.2.5 archives spoofing vulnerability - (CVE-2023-36811), see details and necessary upgrade procedure described above. - if you run into any issues, please check the github issue tracker before posting new issues there or elsewhere. From 6b928dac93a7a198811a939d1c1d7e6274dbc291 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Wed, 1 Nov 2023 17:40:47 +0100 Subject: [PATCH 4/4] docs: not only attack/unsafe, can also be a fs issue, fixes #7853 --- docs/faq.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 550b7f2e7..f782629f8 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -113,6 +113,9 @@ run into this by yourself by restoring an older copy of your repository. "attack": maybe an attacker has replaced your repo by an older copy, trying to trick you into AES counter reuse, trying to break your repo encryption. +Borg users have also reported that fs issues (like hw issues / I/O errors causing +the fs to become read-only) can cause this warning, see :issue:`7853`. + If you'ld decide to ignore this and accept unsafe operation for this repository, you could delete the manifest-timestamp and the local cache: