We’ve just published three Bareos point releases: 19.2.8, 18.2.9, and 17.2.10. The updates fix two security issues which, especially in combination with each other, can become a serious problem: a client that is able to talk to the Director without the shared secret can then also reach the code path affected by the second issue.
1. Authentication Bypass in Director, CVE-2020-4042 (Issue #1250)
The first problem affects the communication between the Bareos Director and a File Daemon (client). If the Director allows client-initiated connections (the "Connection From Client To Director" directive, which is disabled by default), it is theoretically possible to connect a malicious client that can communicate with the Director without knowledge of the shared secret (the client password).
Bareos 19.2.8 fixes the issue. Users who are still running Bareos 18.x or 17.x should therefore allow communication in one direction only (Director to File Daemon, or File Daemon to Director), or upgrade immediately if they need two-way communication.
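One way to audit an existing Director configuration for the two-way setting described above, as an added example here (not code from Bareos or from this release): a small Python script that parses Client resources from bareos-dir.d style configuration text and reports every client for which both directions are enabled. The sample configuration is constructed for the example; the directive names are the ones Bareos documents ("Connection From Client To Director", default no; "Connection From Director To Client", default yes), and, like Bareos itself, the script matches directive names regardless of case and spacing.

```python
"""Flag Bareos Director Client resources that allow two-way connections.

Added example, not part of the Bareos release or code base. It parses the
brace-delimited resource syntax used in bareos-dir.d/client/*.conf and
reports every Client whose "Connection From Client To Director" is yes
while "Connection From Director To Client" is not explicitly no (the
documented Bareos default for that directive is yes).
"""
import re

# Constructed sample configuration, not taken from a real installation.
SAMPLE_DIR_CONF = """
Client {
  Name = bareos-fd
  Address = bareos.example.com
  Password = "secret1"
}

Client {
  Name = laptop-fd
  Password = "secret2"
  Connection From Client To Director = yes   # two-way: Director still connects out
}

Client {
  Name = dmz-fd
  Password = "secret3"
  ConnectionFromClientToDirector = yes; Connection From Director To Client = no
}
"""

# One top-level resource: "<Type> { ... }" (resources do not nest here).
_RESOURCE = re.compile(r"(\w+)\s*\{([^{}]*)\}", re.S)


def _norm(name: str) -> str:
    """Bareos matches directive names case- and whitespace-insensitively."""
    return re.sub(r"\s+", "", name).lower()


def _is_yes(value: str) -> bool:
    """Interpret a Bareos boolean value."""
    return value.strip().strip('"').lower() in ("yes", "true", "on", "1")


def parse_resources(text: str) -> list:
    """Return (resource_type, {normalised_directive: value}) pairs."""
    out = []
    for m in _RESOURCE.finditer(text):
        rtype, body = m.group(1), m.group(2)
        directives = {}
        # Directives are separated by newlines or semicolons; '#' starts a comment.
        for raw in re.split(r"[\n;]", body):
            line = raw.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            directives[_norm(key)] = value.strip()
        out.append((rtype.lower(), directives))
    return out


def two_way_clients(text: str) -> list:
    """Names of Client resources where the Director accepts client-initiated
    connections AND still connects to the client itself (both directions)."""
    flagged = []
    for rtype, d in parse_resources(text):
        if rtype != "client":
            continue
        fd_to_dir = _is_yes(d.get("connectionfromclienttodirector", "no"))
        dir_to_fd = _is_yes(d.get("connectionfromdirectortoclient", "yes"))
        if fd_to_dir and dir_to_fd:
            flagged.append(d.get("name", "").strip('"'))
    return flagged


if __name__ == "__main__":
    for name in two_way_clients(SAMPLE_DIR_CONF):
        print(f"Client {name}: two-way connection enabled; "
              f"disable one direction or upgrade to 19.2.8")
```

In the sample, only `laptop-fd` is reported: `bareos-fd` uses the default (Director to client only) and `dmz-fd` has explicitly turned off the Director-initiated direction, which is the one-direction setup the text recommends for 18.x and 17.x installations. Point the parser at the contents of your real `bareos-dir.d/client/` files to get the same report for an installation.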
2. Buffer Overrun in Verify Jobs, CVE-2020-11061 (Issue #1210)
A heap overflow in the Bareos Director (before 19.2.8, 18.2.9, and 17.2.10) allows a malicious File Daemon to corrupt the Director’s memory via oversized digest strings sent during the initialization of a verify job. This can potentially be leveraged to execute arbitrary code in the Director process.
The issue has been fixed in Bareos 19.2.8, 18.2.9, and 17.2.10.
3. Various Improvements in 19.2.8
The oVirt plugin now accepts the unique ID (UUID) of a virtual machine instead of its name in the configuration file. Previously, identifying a VM by name caused failures as soon as the VM was renamed. We have also fixed a problem that occurred during restores when an image file was specified instead of the oVirt cluster.
The Python-Bareos module is now available via the Python Package Index (PyPI), which means users can install and update it with the pip tool (the Python package manager).
The bareos-dbcopy tool, which converts a MySQL catalog database to PostgreSQL, is now much faster.