CVE-2007-5201

Name	CVE-2007-5201
Description	The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	442840

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
duplicity (PTS)	buster	0.7.18.2-1	fixed
	bullseye	0.8.17-1	fixed
	bookworm	0.8.22-1	fixed
	sid, trixie	2.1.4-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
duplicity	source	sarge	(not affected)
duplicity	source	etch	(not affected)
duplicity	source	(unstable)	0.4.3-2	low	442840

Notes

[etch] - duplicity <not-affected> (Vulnerable code introduced in 0.4.3)
[sarge] - duplicity <not-affected> (Vulnerable code introduced in 0.4.3)
ftp is an inherently insecure protocol, any security-sensitive data would
be transferred through the scp, sftp or rsync backends.
http://lists.debian.org/debian-release/2008/01/msg00190.html