| Name | CVE-2020-11061 |
|---|---|
| Description | In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2353-1 |
| Debian Bugs | 968957 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| bacula (PTS) | bullseye | 9.6.7-3 | fixed |
| bacula (PTS) | bookworm | 9.6.7-7 | fixed |
| bacula (PTS) | trixie | 15.0.3-3 | fixed |
| bacula (PTS) | forky, sid | 15.0.3-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bacula | source | stretch | 7.4.4+dfsg-6+deb9u2 | | DLA-2353-1 | |
| bacula | source | buster | 9.4.2-2+deb10u1 | | | |
| bacula | source | (unstable) | 9.6.5-1 | | | |
| bareos | source | (unstable) | (unfixed) | | | 968957 |
[buster] - bareos <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
https://bugs.bareos.org/view.php?id=1210
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae (master)
https://www.bacula.org/git/cgit.cgi/bacula/commit/?id=f9472227317b8e1d26a781d042e0efdf432a633f (Release-9.6.4)