CVE-2020-11061

Name: CVE-2020-11061
Description: In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.
Source: CVE
References: DLA-2353-1
NVD severity: medium
Debian Bugs: 968957
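The bug class behind this entry, shown as an added, self-contained illustration rather than Bareos or Bacula code (the real fixes are the commits linked under Notes): a client-supplied digest string is copied into a fixed-size slot of a heap record with no length check, so a digest longer than the slot overwrites whatever the heap holds next. The record layout, the 128-character limit (a hex SHA-512), the guard bytes used to observe the overrun, and all function names are assumptions made for this example. The hardened variant bounds the length with memchr() before touching the record and refuses, rather than truncates, anything that is not a plausible digest.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits and layout for the example (not Bareos's real ones): the longest
 * usable digest is a hex SHA-512, 128 chars, NUL-terminated in a fixed heap slot. */
#define DIGEST_MAX  128
#define DIGEST_SLOT (DIGEST_MAX + 1)
#define GUARD_LEN   8
#define REC_LEN     (DIGEST_SLOT + GUARD_LEN)
static const unsigned char GUARD[GUARD_LEN] = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA};
#define guard_intact(rec) (memcmp((rec) + DIGEST_SLOT, GUARD, GUARD_LEN) == 0)

/* A heap block standing in for a per-file verify record: the digest slot, then a
 * guard pattern standing in for whatever lives next on the heap. */
static unsigned char *new_record(void)
{
    unsigned char *rec = malloc(REC_LEN);
    if (rec == NULL) return NULL;
    memset(rec, 0, DIGEST_SLOT);
    memcpy(rec + DIGEST_SLOT, GUARD, GUARD_LEN);
    return rec;
}

/* Vulnerable pattern: copy up to the client's NUL, trusting the client for the
 * length (an explicit loop here; strcpy() does the same). DIGEST_SLOT or more
 * characters walk past the slot into the neighbouring bytes. */
static void store_digest_unchecked(unsigned char *rec, const char *wire)
{
    size_t i;
    for (i = 0; wire[i] != '\0'; i++) rec[i] = (unsigned char)wire[i];
    rec[i] = '\0';
}

/* Fixed pattern: bound the length before touching the record, and refuse (never
 * truncate) anything over DIGEST_MAX, empty, or outside the hex/base64 alphabet.
 * memchr() instead of strlen() so a huge or unterminated input is never scanned
 * past the limit. Returns 0 on success, -1 if rejected. */
static int store_digest_checked(unsigned char *rec, const char *wire)
{
    const char *end = memchr(wire, '\0', DIGEST_MAX + 1);
    if (end == NULL || end == wire) return -1;   /* oversized or empty */
    size_t n = (size_t)(end - wire);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)wire[i];
        if (!isalnum(c) && c != '+' && c != '/' && c != '=') return -1;
    }
    memcpy(rec, wire, n);
    rec[n] = '\0';
    return 0;
}

/* Constructed input: a hex-looking string of `len` chars (nothing was hashed). */
static char *make_hex_digest(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    for (size_t i = 0; i < len; i++) s[i] = "0123456789abcdef"[i % 16];
    s[len] = '\0';
    return s;
}

/* 1 if the unchecked store of a `len`-char digest clobbers the guard, 0 if it
 * survives, -1 on error. `len` is capped so the demo stays inside its own
 * allocation; the real bug has no such cap. */
int unchecked_corrupts_neighbour(size_t len)
{
    if (len + 1 > REC_LEN) return -1;
    unsigned char *rec = new_record();
    char *d = make_hex_digest(len);
    int result = -1;
    if (rec != NULL && d != NULL) {
        store_digest_unchecked(rec, d);
        result = !guard_intact(rec);
    }
    free(rec); free(d);
    return result;
}

/* Checked store of an arbitrary wire string: 0 stored with the guard intact,
 * -1 refused, -2 stored but guard damaged (must never happen), -3 no memory. */
int checked_store_string(const char *wire)
{
    unsigned char *rec = new_record();
    if (rec == NULL) return -3;
    int rc = store_digest_checked(rec, wire);
    if (rc == 0 && !guard_intact(rec)) rc = -2;
    free(rec);
    return rc;
}

int main(void)
{
    char *d = make_hex_digest(DIGEST_MAX + 1);   /* one char more than the slot holds */
    printf("unchecked: guard corrupted = %d\n", unchecked_corrupts_neighbour(DIGEST_MAX + 1));
    printf("checked:   rc = %d (refused)\n", checked_store_string(d));
    free(d);
    return 0;
}
```

A digest exactly one character longer than the slot already corrupts the neighbouring bytes in the unchecked path, which is why the mitigation in the description (disable verify jobs, so the director never parses client digests in this code path) works until the fixed package is installed.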

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version               Status
bacula (PTS)     stretch             7.4.4+dfsg-6+deb9u1   vulnerable
                 stretch (security)  7.4.4+dfsg-6+deb9u2   fixed
                 buster              9.4.2-2+deb10u1       fixed
                 bullseye, sid       9.6.6-2               fixed
bareos (PTS)     stretch             16.2.4-3+deb9u2       vulnerable
                 buster              16.2.6-5              vulnerable
                 sid                 17.2.7-2.1            vulnerable

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version         Urgency  Origin      Debian Bugs
bacula   source  stretch     7.4.4+dfsg-6+deb9u2            DLA-2353-1
bacula   source  buster      9.4.2-2+deb10u1
bacula   source  (unstable)  9.6.5-1
bareos   source  (unstable)  (unfixed)                                  968957

Notes

[buster] - bareos <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
https://bugs.bareos.org/view.php?id=1210
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae (master)
https://www.bacula.org/git/cgit.cgi/bacula/commit/?id=f9472227317b8e1d26a781d042e0efdf432a633f (Release-9.6.4)
