Name | CVE-2020-11061 |
Description | In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2353-1 |
Debian Bugs | 968957 |
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
bacula (PTS) | jessie | 5.2.6+dfsg-9.3 | vulnerable
bacula (PTS) | stretch (security), stretch (lts), stretch | 7.4.4+dfsg-6+deb9u2 | fixed
bacula (PTS) | buster | 9.4.2-2+deb10u1 | fixed
bacula (PTS) | bullseye | 9.6.7-3 | fixed
bacula (PTS) | bookworm | 9.6.7-7 | fixed
bacula (PTS) | trixie | 13.0.4-3 | fixed
bacula (PTS) | sid | 13.0.4-4 | fixed
bareos (PTS) | jessie | 14.2.1+20141017gitc6c5b56-3+deb8u3 | vulnerable
bareos (PTS) | stretch | 16.2.4-3+deb9u2 | vulnerable
bareos (PTS) | buster | 16.2.6-5 | vulnerable
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
bacula | source | jessie | (unfixed) | end-of-life | |
bacula | source | stretch | 7.4.4+dfsg-6+deb9u2 | | DLA-2353-1 |
bacula | source | buster | 9.4.2-2+deb10u1 | | |
bacula | source | (unstable) | 9.6.5-1 | | |
bareos | source | jessie | (unfixed) | end-of-life | |
bareos | source | (unstable) | (unfixed) | | | 968957
[buster] - bareos <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
https://bugs.bareos.org/view.php?id=1210
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae (master)
https://www.bacula.org/git/cgit.cgi/bacula/commit/?id=f9472227317b8e1d26a781d042e0efdf432a633f (Release-9.6.4)