Bacula 5.2.11 was released with this in the changelog:
- Make dump_resource respect console ACL's (security fix)
I'm not sure what the impact is here. Here's the fix:
http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905
In fact, that's not the only security issue fixed in Bacula since the version we have in Mageia 1 and 2. I looked at the changelogs and found a few others, and added patches for them in Cauldron (but they were removed when Oden updated it to the newest version). Here is the revision where those were added:
http://svnweb.mageia.org/packages?view=revision&revision=293377
The only other security issue in bacula I missed was this one:
- Additional security against injection of illegal characters
from looks like the 5.2.1 changelog or maybe 5.2.0:
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
should be in 2010-2011 range pre-5.2.1:
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
GIT is here:
http://www.bacula.org/git/cgit.cgi/bacula/log/
Probably upstream would need to be asked to track down which GIT commits correspond to that fix.
I doubt any of these are major issues, and IIRC, the only one that any distro vendors issued an update for was the autochanger tmpfiles one, which was very minor.
CC: (none) => luigiwalser
Whiteboard: (none) => MGA1TOO
In other words, if any major security issue is ever fixed in Bacula, mandating an update for Mageia 1 and/or Mageia 2, it would be nice to include the patches mentioned above as well.
(only two committers anne and ahmad so a real unmaintained package)
(In reply to comment #3)
> (only two committers anne and ahmad so a real unmaintained package)
Yes, as a matter of fact it hasn't been touched for a long time in Cooker either, so it's *really* unmaintained. Fortunately, Oden has updated it in Cauldron.
This was assigned CVE-2012-4430 as per: http://www.openwall.com/lists/oss-security/2012/09/15/2 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=857955
Summary: bacula - unknown security issue => CVE-2012-4430: bacula - Improper ACL rules enforcement by dumping resources
I asked the upstream author about the "injection of illegal characters fix" and here's the response I got:
"Well, this wasn't really a security problem as such, we just tightened up the coding. The change is that the user (with ACLs if desired) can issue SQL commands within bconsole. Presumably he is already a trusted user or he wouldn't be permitted to issue them. However, we improved the coding to filter out what we consider "illegal" characters that the user might enter as an SQL command. To find the commit, probably the easiest way is to use gitk and search against the string above or the words "security" or "sql". Unfortunately, I don't have the time to do this myself. If it is logged in the ChangeLog, then the exact date will appear above the line, and you can easily find all commits that were made on that day."
I looked through the ChangeLog for SQL changes and couldn't find anything that looked relevant, but it sounds like it's not that important, so I'm not going to worry about it.
In other news....
Here's a reference for the autochanger tmpfiles issue, CVE-2008-5373:
http://lwn.net/Vulnerabilities/508809/
I have checked the fixes into Mageia 1 and Mageia 2 SVN, but haven't pushed to the build system. These appear to all be very low-impact security issues.
Oden, do you want to push this out now? Here's an advisory if we do.
Advisory:
========================
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could allow local users to overwrite any local file via a symlink attack, due to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced access control list (ACL) rules prior to providing information about a particular resource. A remote attacker could use this flaw to obtain (possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been included. One is a fix for a possible fnmatch problem, and the other adds rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
Debian has issued an advisory for this on October 8: http://www.debian.org/security/2012/dsa-2558
URL: http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905 => http://lwn.net/Vulnerabilities/518925/
Summary: CVE-2012-4430: bacula - Improper ACL rules enforcement by dumping resources => bacula - Improper ACL rules enforcement by dumping resources (CVE-2012-4430)
I tried submitting to the build system, but it doesn't build: http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20121009113530.luigiwalser.valstar.18335/log/bacula-5.0.3-2.1.mga2/build.0.20121009113616.log http://pkgsubmit.mageia.org/uploads/failure/1/core/updates_testing/20121009113541.luigiwalser.valstar.18821/log/bacula-5.0.3-2.1.mga1/build.0.20121009113631.log
Please try again (r303909)
Thanks. Still doesn't build though: http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20121009124631.luigiwalser.valstar.31960/log/bacula-5.0.3-2.1.mga2/build.0.20121009124717.log
Thanks Oden. Patched packages for Mageia 1 and Mageia 2 uploaded.
Advisory:
========================
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could allow local users to overwrite any local file via a symlink attack, due to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced access control list (ACL) rules prior to providing information about a particular resource. A remote attacker could use this flaw to obtain (possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been included. One is a fix for a possible fnmatch problem, and the other adds rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
========================
Updated packages in core/updates_testing:
========================
libbacula-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-bat-5.0.3-2.1.mga2
bacula-fd-5.0.3-2.1.mga2
bacula-sd-5.0.3-2.1.mga2
bacula-gui-web-5.0.3-2.1.mga2
bacula-gui-bimagemgr-5.0.3-2.1.mga2
bacula-gui-brestore-5.0.3-2.1.mga2
bacula-tray-monitor-5.0.3-2.1.mga2

from SRPMS:
bacula-5.0.3-2.1.mga1.src.rpm
bacula-5.0.3-2.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Just removing some duplicates in the rpm list
bacula-bat-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga1
bacula-bat-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-fd-5.0.3-2.1.mga2
bacula-gui-bimagemgr-5.0.3-2.1.mga2
bacula-gui-brestore-5.0.3-2.1.mga2
bacula-gui-web-5.0.3-2.1.mga2
bacula-sd-5.0.3-2.1.mga2
bacula-tray-monitor-5.0.3-2.1.mga2
libbacula-5.0.3-2.1.mga2
For mga2 the current version is 5.0.3-3 so the update needs a version bump.
Mga1 is ok as the current version is 5.0.3-2.
Whiteboard: MGA1TOO => MGA1TOO feedback
WTF happened here? 3.mga2 in the changelog shows it was rebuilt by ahmad in July 2011, but that does not appear in SVN! Also I'm surprised the build system let me submit it as 2.1.mga2.
Anyway, I bumped the release tag and resubmitted.
Advisory:
========================
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could allow local users to overwrite any local file via a symlink attack, due to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced access control list (ACL) rules prior to providing information about a particular resource. A remote attacker could use this flaw to obtain (possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been included. One is a fix for a possible fnmatch problem, and the other adds rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
========================
Updated packages in core/updates_testing:
========================
libbacula-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-3.1.mga2
bacula-common-5.0.3-3.1.mga2
bacula-dir-common-5.0.3-3.1.mga2
bacula-dir-mysql-5.0.3-3.1.mga2
bacula-dir-pgsql-5.0.3-3.1.mga2
bacula-dir-sqlite3-5.0.3-3.1.mga2
bacula-console-5.0.3-3.1.mga2
bacula-console-wx-5.0.3-3.1.mga2
bacula-bat-5.0.3-3.1.mga2
bacula-fd-5.0.3-3.1.mga2
bacula-sd-5.0.3-3.1.mga2
bacula-gui-web-5.0.3-3.1.mga2
bacula-gui-bimagemgr-5.0.3-3.1.mga2
bacula-gui-brestore-5.0.3-3.1.mga2
bacula-tray-monitor-5.0.3-3.1.mga2

from SRPMS:
bacula-5.0.3-2.1.mga1.src.rpm
bacula-5.0.3-3.1.mga2.src.rpm
Whiteboard: MGA1TOO feedback => MGA1TOO
Testing complete on Mageia 1 i586. Found out that at least with postgresql, the database user has to be created before installing bacula. I used the guide at http://lucasmanual.com/mywiki/Bacula#Configure_Bacula with the default configuration files. Using the bconsole, was able to run a job, etc. The job failed with a message to the effect of "no appendable volume found", but that's clearly just a configuration problem. I'll test with mysql on Mageia 1 x86-64.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK
Testing complete on Mageia 1 x86-64. With mysql, have to remove the password from the db root user, before installing.
Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK
Testing complete on Mageia 2 i586. Used the default mysql. Using bconsole, created a label for the file system storage, then ran the job, which backed up the configured directories into /var/spool/bacula/label.
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA1-32-OK
Testing complete on Mageia 2 x86-64.
Could someone from the sysadmin team push the srpm bacula-5.0.3-3.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm bacula-5.0.3-2.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.
Advisory:
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could allow local users to overwrite any local file via a symlink attack, due to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced access control list (ACL) rules prior to providing information about a particular resource. A remote attacker could use this flaw to obtain (possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been included. One is a fix for a possible fnmatch problem, and the other adds rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
Forgot to actually validate the update.
Could someone from the sysadmin team push the srpm bacula-5.0.3-3.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm bacula-5.0.3-2.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.
Advisory:
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could allow local users to overwrite any local file via a symlink attack, due to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced access control list (ACL) rules prior to providing information about a particular resource. A remote attacker could use this flaw to obtain (possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been included. One is a fix for a possible fnmatch problem, and the other adds rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
https://bugs.mageia.org/show_bug.cgi?id=7470
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0321
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED