[Borgbackup] TAM authentication issue
Thomas Waldmann
tw at waldmann-edv.de
Mon Oct 16 10:48:42 EDT 2023
> I perform daily backups using the Borg client version 1.1.18 in a remote
> repository that is not under my control. All I know about it is that two
> versions are simultaneously offered: 1.1.18 and 1.2.4 (default).
These versions do not yet know anything about this CVE:
> I perform weekly archive checks, and during the last one, I received a
> warning regarding the "Pre-1.2.5 archives spoofing vulnerability
> (CVE-2023-36811)":
>
> /"Archive TAM authentication issue for archive
> blocked_NX-2023-05-24T14:03:36: Data integrity error: Archive
> authentication did not verify
> This archive will be *removed* from the manifest! It will be deleted."/
This sounds like "borg check" from borg 1.2.6.
Please read the 1.2.6 changelog and especially the CVE-related upgrade
notes at the top of the changelog.
The steps you need to do are described there.
> What I would like to know is:
> - if I create a backup using client version 1.1.18 and I don't specify
> a version during the operation, in what way (version) will the data be
> written to the server, 1.1.18 or 1.2.4?
1.1.18 (because the TAM authentication happens client-side).
> - with access to the files created by Borg on the server, can I find
> out in which version they were written/saved?
No. Usually they are even encrypted.
> - why am I getting the warning if neither the client nor the server
> has a version greater than 1.2.4?
Well, I doubt that.
The error msg you quoted does not exist in <= 1.2.4.
Maybe you have multiple borg versions installed in misc. paths?
Or some automated upgrade happened you did not notice yet?
"borg -V" on the client side will tell you the version.
Be careful: different users might have different search PATH set.
> - the solution to avoid losing those archives is to run the commands
> with the "BORG_WORKAROUNDS" switch, using client version 1.2.4?
You need to run the commands from the upgrade notes in the changelog
using borg >= 1.2.6. Versions <= 1.2.4 do not know all the commands needed.
BTW, version 1.2.5 had issues; this is why I released 1.2.6 a day later.
--
GPG Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
Encrypted E-Mail is preferred / Verschluesselte E-Mail wird bevorzugt.
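The reply suggests "borg -V" and warns that different users may have different PATHs. The script below, an added example and not part of the thread or of the borg project, walks PATH, runs every borg binary it finds and classifies the version against the 1.2.5/1.2.6 boundaries mentioned above. It assumes "borg -V" prints a line of the form "borg X.Y.Z" and that PATH entries contain no colons or spaces.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or the borg project).
# Finds every "borg" reachable through PATH and reports whether it is new
# enough to run the CVE-2023-36811 upgrade steps (borg >= 1.2.6).

# Extract "X.Y.Z" from a "borg -V" line such as "borg 1.2.6".
# Assumption: borg 1.x prints exactly "borg <version>".
parse_borg_version() {
    printf '%s\n' "$1" | sed -n 's/^borg \([0-9][0-9.]*\).*/\1/p'
}

# Turn "X.Y.Z" into one integer so versions compare numerically.
# Each component is assumed to be below 1000 (true for all borg 1.x).
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when version $1 is at least version $2.
version_at_least() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Map a version onto the three situations described in the reply:
# <= 1.2.4 has no TAM check, 1.2.5 has it but was buggy, >= 1.2.6 is needed.
classify_borg_version() {
    if version_at_least "$1" 1.2.6; then
        echo "ok: new enough for the CVE-2023-36811 upgrade steps"
    elif version_at_least "$1" 1.2.5; then
        echo "warn: has the TAM check, but 1.2.5 had issues; use 1.2.6"
    else
        echo "old: predates the TAM check; cannot run the upgrade steps"
    fi
}

# Run as each user that performs backups, since their PATHs may differ.
scan_path_for_borg() {
    for dir in $(printf '%s' "$PATH" | tr ':' '\n'); do
        [ -x "$dir/borg" ] || continue
        ver=$(parse_borg_version "$("$dir/borg" -V 2>&1)")
        printf '%s\tborg %s\t%s\n' "$dir/borg" "${ver:-unknown}" \
            "$(classify_borg_version "${ver:-0}")"
    done
}

scan_path_for_borg
```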