CVE-2009-3369

Publication date 24 September 2009

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.

Read the notes from the security team

Status

Package Ubuntu Release Status
backuppc 9.04 jaunty
Fixed 3.1.0-4ubuntu1.1
8.10 intrepid
Fixed 3.1.0-3ubuntu2.1
8.04 LTS hardy
Fixed 3.0.0-4ubuntu1.1
6.06 LTS dapper
Not affected

Notes

mdeslaur

debian patch is incomplete, see debian bug report

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
backuppc

References

Related Ubuntu Security Notices (USN)

    • USN-843-1
    • BackupPC vulnerability
    • 6 October 2009

Other references