CVE-2020-11061

Name: CVE-2020-11061
Description: In Bareos Director versions up to and including 16.2.10, 17.2.9, 18.2.8 and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem until the fix is deployed. This issue is patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.
Source: CVE (at NVD)
References: DLA-2353-1
Debian Bugs: 968957
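The pattern behind this class of bug, shown as an added example that is not Bareos's code and not the patched code linked from the notes below: a fixed-size heap buffer receives a client-controlled digest string with no length check (the vulnerable form), beside a version that bounds the scan, validates the character set and rejects the message before anything is copied. The function names, the 128-hex-character limit (SHA-512 in hex) and the constructed sample messages are assumptions made for this illustration, not values taken from the Bareos sources.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative only: these names, limits and message layouts are assumptions
 * made for this example and are not Bareos's code or its actual protocol.
 * The longest digest a verify job should ever see is a SHA-512 in hex
 * (128 characters), so the heap buffer holds that plus the terminating NUL.
 */
#define DIGEST_HEX_MAX 128
#define DIGEST_BUF_LEN (DIGEST_HEX_MAX + 1)

/* Vulnerable pattern: the length of the client-supplied digest is trusted.
 * A digest longer than DIGEST_HEX_MAX writes past the 129-byte heap block
 * and corrupts whatever the allocator placed after it. Kept for contrast
 * only; never call it with untrusted input (ASan: heap-buffer-overflow). */
char *store_digest_unchecked(const char *client_digest)
{
    char *buf = malloc(DIGEST_BUF_LEN);
    if (buf == NULL)
        return NULL;
    strcpy(buf, client_digest);   /* no bound: the overflow happens here */
    return buf;
}

/* Hardened pattern: validate before allocating or copying. msg_len is the
 * number of bytes actually received for this field, so the scan is bounded
 * and a hostile message without a NUL cannot run off the end.
 * Returns 1 if the digest is acceptable, 0 otherwise. */
int digest_is_valid(const char *client_digest, size_t msg_len)
{
    size_t n = 0;
    while (n < msg_len && client_digest[n] != '\0') {
        char c = client_digest[n];
        int hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
                  (c >= 'A' && c <= 'F');
        if (!hex)
            return 0;             /* digests are hex only */
        n++;
        if (n > DIGEST_HEX_MAX)
            return 0;             /* oversized: stop scanning and reject */
    }
    /* non-empty, and the NUL was found inside the received bytes */
    return n > 0 && n < msg_len;
}

char *store_digest_checked(const char *client_digest, size_t msg_len)
{
    if (!digest_is_valid(client_digest, msg_len))
        return NULL;              /* reject the message instead of copying */
    size_t n = strlen(client_digest);   /* safe: NUL proven present above */
    char *buf = malloc(DIGEST_BUF_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, client_digest, n + 1);
    return buf;
}

/* Constructed test input: a run of 'len' hex characters. Caller frees. */
char *make_hex_digest(size_t len)
{
    char *d = malloc(len + 1);
    if (d == NULL)
        return NULL;
    memset(d, 'a', len);
    d[len] = '\0';
    return d;
}

/* Does the hardened path reject a digest of 'len' characters? 1 = rejected. */
int digest_of_length_rejected(size_t len)
{
    char *d = make_hex_digest(len);
    if (d == NULL)
        return 1;
    char *stored = store_digest_checked(d, len + 1);
    int rejected = (stored == NULL);
    free(stored);
    free(d);
    return rejected;
}

int main(void)
{
    /* Constructed sample: a normal SHA-256 hex digest (64 characters). */
    const char sha256_hex[] =
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
    char *ok = store_digest_checked(sha256_hex, sizeof sha256_hex);
    printf("64-char digest:   %s\n", ok ? "accepted" : "rejected");
    free(ok);

    /* Constructed sample: what a malicious client would send. */
    printf("4096-char digest: %s\n",
           digest_of_length_rejected(4096) ? "rejected" : "accepted");
    /* store_digest_unchecked() on the same 4096-byte string would strcpy
     * it into a 129-byte heap block; that is the bug class described above. */
    return 0;
}
```

The point of the hardened version is the order of operations: length and character-set checks run against the bytes actually received, and allocation and copying happen only after the message has been accepted, so a client can at most get its job rejected rather than write past the end of a heap block.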

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                    | Version                            | Status
bacula (PTS)   | jessie                                     | 5.2.6+dfsg-9.3                     | vulnerable
bacula (PTS)   | stretch (security), stretch (lts), stretch | 7.4.4+dfsg-6+deb9u2                | fixed
bacula (PTS)   | buster                                     | 9.4.2-2+deb10u1                    | fixed
bacula (PTS)   | bullseye                                   | 9.6.7-3                            | fixed
bacula (PTS)   | bookworm                                   | 9.6.7-7                            | fixed
bacula (PTS)   | sid, trixie                                | 13.0.4-1                           | fixed
bareos (PTS)   | jessie                                     | 14.2.1+20141017gitc6c5b56-3+deb8u3 | vulnerable
bareos (PTS)   | stretch                                    | 16.2.4-3+deb9u2                    | vulnerable
bareos (PTS)   | buster                                     | 16.2.6-5                           | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version       | Urgency     | Origin     | Debian Bugs
bacula  | source | jessie     | (unfixed)           | end-of-life |            |
bacula  | source | stretch    | 7.4.4+dfsg-6+deb9u2 |             | DLA-2353-1 |
bacula  | source | buster     | 9.4.2-2+deb10u1     |             |            |
bacula  | source | (unstable) | 9.6.5-1             |             |            |
bareos  | source | jessie     | (unfixed)           | end-of-life |            |
bareos  | source | (unstable) | (unfixed)           |             |            | 968957

Notes

[buster] - bareos <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
https://bugs.bareos.org/view.php?id=1210
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae (master)
https://www.bacula.org/git/cgit.cgi/bacula/commit/?id=f9472227317b8e1d26a781d042e0efdf432a633f (Release-9.6.4)
