Package: borgbackup
Version: 1.0.9-1
Severity: normal

Dear Maintainer,

The two ways of delivering a passphrase from an external program to borg (command line, environment) are not secure. Some other processes in the system may access the passphrase via the /proc filesystem. The patches[1][2][3] recently merged upstream enable reading passphrases from a file descriptor (e.g. a pipe) prepared by a parent process.

[1] https://github.com/borgbackup/borg/commit/c9c1403685fd1b7af8bbd94a88090f2ce35185e8
[2] https://github.com/borgbackup/borg/commit/82e37fbd03ee0722da340952440f1a1e3d1ca925
[3] https://github.com/borgbackup/borg/commit/548355125e554b099f7181fa0627b9dfe9f3830c

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armel, arm64

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages borgbackup depends on:
ii  libacl1                2.2.52-3+b1
ii  libc6                  2.24-11+deb9u3
ii  liblz4-1               0.0~r131-2+b1
ii  libssl1.1              1.1.0f-3+deb9u2
ii  python3                3.5.3-1
ii  python3-llfuse         1.2+dfsg-1
ii  python3-msgpack        0.4.8-1
ii  python3-pkg-resources  33.1.1-1

borgbackup recommends no packages.

Versions of packages borgbackup suggests:
pn  borgbackup-doc  <none>

-- no debconf information

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
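The file-descriptor hand-off the report asks for, as an added example (not part of the original report and not borg's code): a parent passes a passphrase through a pipe to a stand-in child and the child confirms the secret is in neither its argv nor its environment. `BORG_PASSPHRASE_FD` is the variable name current borg documentation uses and does not appear in the report; the child script, the function name and the passphrase are constructed for the demo.

```python
import json
import os
import subprocess
import sys

# Stand-in for borg (constructed for this demo): reads the secret from the
# descriptor named in BORG_PASSPHRASE_FD and reports whether it is visible in
# its own argv or environment, the data /proc/<pid>/cmdline and
# /proc/<pid>/environ expose.
CHILD = r"""
import hashlib, json, os, sys
with os.fdopen(int(os.environ["BORG_PASSPHRASE_FD"])) as f:
    secret = f.read()
print(json.dumps({
    "sha256": hashlib.sha256(secret.encode()).hexdigest(),
    "in_argv": any(secret in a for a in sys.argv),
    "in_environ": any(secret in v for v in os.environ.values()),
}))
"""

def run_with_passphrase_fd(passphrase):
    read_fd, write_fd = os.pipe()  # non-inheritable unless listed in pass_fds
    env = dict(os.environ, BORG_PASSPHRASE_FD=str(read_fd))
    env.pop("BORG_PASSPHRASE", None)  # never fall back to the environment
    try:
        child = subprocess.Popen([sys.executable, "-c", CHILD], env=env,
                                 pass_fds=(read_fd,), stdout=subprocess.PIPE)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)  # the parent keeps only the write end
    with os.fdopen(write_fd, "w") as pipe_in:
        pipe_in.write(passphrase)  # closing the pipe gives the child EOF
    out, _ = child.communicate()
    if child.returncode != 0:
        raise RuntimeError("child failed")
    return json.loads(out)

if __name__ == "__main__":
    print(run_with_passphrase_fd("constructed-demo-passphrase"))
```

Only the descriptor number travels in the environment; the secret itself exists in the pipe buffer until the child reads it.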