On Fri, Aug 19, 2016 at 10:42:19PM +0000, Leo Famulari wrote: > lfam pushed a commit to branch master > in repository guix. > > commit d760a2fc18c2ba89a183c9071133b8a113279f8a > Author: Leo Famulari <l...@famulari.name> > Date: Mon Aug 8 01:37:11 2016 -0400 > > gnu: borg: Update to 1.0.7. > > * gnu/packages/backup.scm (borg): Update to 1.0.7.
FYI this update contains a security fix that may require you to change the flags you pass when invoking Borg on a remote server. >From the release announcement [0]: borg serve: fix security issue with remote repository access, #1428 If you used e.g. --restrict-to-path /path/client1/ (with or without trailing slash does not make a difference), it acted like a path prefix match using /path/client1 (note the missing trailing slash) - the code then also allowed working in e.g. /path/client13 or /path/client1000. As this could accidentally lead to major security/privacy issues depending on the pathes you use, the behaviour was changed to be a strict directory match. That means --restrict-to-path /path/client1 (with or without trailing slash does not make a difference) now uses /path/client1/ internally (note the trailing slash here!) for matching and allows precisely that path AND any path below it. So, /path/client1 is allowed, /path/client1/repo1 is allowed, but not /path/client13 or /path/client1000. If you willingly used the undocumented (dangerous) previous behaviour, you may need to rearrange your --restrict-to-path pathes now. We are sorry if that causes work for you, but we did not want a potentially dangerous behaviour in the software (not even using a for-backwards-compat option). [0] https://github.com/borgbackup/borg/blob/1.0.7/docs/changes.rst#version-107-2016-08-19
