CVE-2009-3369

Name: CVE-2009-3369
Description: CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 542218

Vulnerable and fixed packages

The table below lists information on source packages.

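| Source Package | Release | Version | Status |
|---|---|---|---|
| backuppc (PTS) | jessie | 3.3.0-2+deb8u1 | fixed |
| | stretch | 3.3.1-4 | fixed |
| | buster | 3.3.2-2+deb10u1 | fixed |
| | bullseye | 4.4.0-3 | fixed |
| | bookworm | 4.4.0-8 | fixed |
| | sid, trixie | 4.4.0-10 | fixed |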

The information below is based on the following data on fixed versions.

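| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| backuppc | source | etch | (not affected) | | | |
| backuppc | source | lenny | 3.1.0-4lenny2 | | | |
| backuppc | source | (unstable) | 3.1.0-8 | low | | 542218 |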

Notes

[etch] - backuppc <not-affected> (No configuration GUI)
