
Request 448618 accepted

- update to version 1.0.9 (2016-12-20)
  - Security fixes:
    - A flaw in the cryptographic authentication scheme in Borg allowed
      an attacker to spoof the manifest. See :ref:`tam_vuln` above for
      the steps you should take.
      Fixes CVE-2016-10099
    - borg check: When rebuilding the manifest (which should only be
      needed very rarely) duplicate archive names would be handled on a
      "first come first serve" basis, allowing an attacker to apparently
      replace archives.
      Fixes CVE-2016-10100
  - Bug fixes:
    - borg check:
      - rebuild manifest if it's corrupted
      - skip corrupted chunks during manifest rebuild
    - fix TypeError in integrity error handler, #1903, #1894
    - fix location parser for archives with @ char (regression introduced
      in 1.0.8), #1930
    - fix wrong duration/timestamps if system clock jumped during a create
    - fix progress display not updating if system clock jumps backwards
    - fix checkpoint interval being incorrect if system clock jumps
- update to version 1.0.9rc1 (2016-11-27)
  - Bug fixes:
    - files cache: fix determination of newest mtime in backup set (which
      is used in cache cleanup and led to wrong "A" [added] status for
      unchanged files in next backup), #1860.
    - borg check:
      - fix incorrectly reporting attic 0.13 and earlier archives as corrupt
      - handle repo w/o objects gracefully and also bail out early if repo
        is completely empty, #1815.

Request History
Hans-Peter Jansen (frispete) created request


Martin Pluskal (pluskalm) accepted request

Thanks!
