A security issue has been found in FreedomBox, related to private data used for backups of several applications. If your FreedomBox has not already automatically updated to 25.17.1, please update it as soon as possible.

Versions affected by the issue:
- At least all versions between 21.3 and 25.17.

Versions that include a fix for the issue:
- 25.17.1 in trixie-backports, testing, and unstable
- 25.9.3+deb13u1, which should be included in the next stable point release.

Debian security tracker link:
https://security-tracker.debian.org/tracker/CVE-2025-68462

Salsa issue:
https://salsa.debian.org/freedombox-team/freedombox/-/issues/2554

The issue is due to the permissions on the directory /var/lib/plinth/backups-data, which could allow any user or program on the FreedomBox to access data stored in this directory. This directory is used when creating a backup for the following apps:
- Dynamic DNS
- Miniflux
- Nextcloud
- WordPress
- Zoph

In the case of Dynamic DNS, the stored data includes the password for the configured DDNS service. In the case of the other apps, the stored data consists of database dumps that include private data for the users of those apps.

Commit that fixes the issue:
https://salsa.debian.org/freedombox-team/freedombox/-/commit/8ba444990b4af6eec4b6b2b26482b107d7ff1229

The issue is fixed with the following changes:
- Update permissions on the backups-data directory so that files are only accessible by root users.
- Ensure that the directory is created by the 'backups' app and not by each of the apps that take the backup.
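A small audit and remediation script for the fix described above, added here as an example and not FreedomBox's own code. It assumes GNU or busybox `stat`/`find`, that the directory is the one named in this advisory, and that it is run as root on the real directory; the optional OWNER argument exists only so the check can be exercised against a constructed test directory.

```shell
#!/bin/sh
# Added example (not FreedomBox's code): audit and harden the backups-data
# directory. Mirrors the fix: root-owned, mode 700, created in one place
# rather than by each app that writes a backup. Assumes GNU/busybox stat+find.
BACKUPS_DATA_DIR="${BACKUPS_DATA_DIR:-/var/lib/plinth/backups-data}"

# backups_dir_is_private DIR [OWNER]
# Return 0 when DIR exists, is owned by OWNER (default root), grants no
# group/other bits, and holds no file readable by group/other; else return 1.
backups_dir_is_private() {
    dir="$1"
    want_owner="${2:-root}"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_owner" ]; then
        echo "wrong owner on $dir: $owner (want $want_owner)"; return 1
    fi
    case "$mode" in
        0|*00) ;;   # last two octal digits 00: group and other have nothing
        *) echo "group/other can access $dir (mode $mode)"; return 1 ;;
    esac
    # Dumps written before the fix may still be readable; report any such file.
    leaked=$(find "$dir" -type f -perm /077 | wc -l | tr -d ' ')
    if [ "$leaked" -ne 0 ]; then
        echo "$leaked file(s) under $dir are readable by group/other"; return 1
    fi
    return 0
}

# harden_backups_dir DIR [OWNER]
# Create DIR if needed and tighten it and everything already inside it.
harden_backups_dir() {
    dir="$1"
    want_owner="${2:-root}"
    mkdir -p "$dir"
    chown "$want_owner" "$dir"
    chmod 700 "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Usage: sh check-backups-data.sh --check   (audit only)
#        sh check-backups-data.sh --fix     (harden, then audit)
case "${1:-}" in
    --check) backups_dir_is_private "$BACKUPS_DATA_DIR" && echo "ok: $BACKUPS_DATA_DIR" ;;
    --fix)   harden_backups_dir "$BACKUPS_DATA_DIR" && backups_dir_is_private "$BACKUPS_DATA_DIR" && echo "hardened: $BACKUPS_DATA_DIR" ;;
esac
```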


_______________________________________________
Freedombox-discuss mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss