CVE-2020-11061

Name: CVE-2020-11061
Description: In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 965985

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release   Version           Status
bareos (PTS)     stretch   16.2.4-3+deb9u2   vulnerable
                 buster    16.2.6-5          vulnerable
                 sid       17.2.7-2.1        vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
bareos    source   (unstable)   (unfixed)       -         -        965985

Notes

[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
