Bareos 22.0.0 Security und Bugfix Release

Bareos (Backup Archiving Recovery Open Sourced) ist ein ehemaliger Fork (2010) von Bacula und stellt eine Open-Source Backuplösung auf Enterpriseniveau dar. Die neuste Version 22.0.0 enthält Bugfixes, führt Änderungen und Neuerungen durch und schließt Sicherheitslücken.

Bareos 22.0.0 Release Notes

Breaking Changes

• when using PAM Bareos will now check authorization, too. If authorization is not configured, login will fail. See updated documentation on how to proceed PR #1115.
• Bareos 22 removes the make_catalog_backup.pl perl script in favor of an improved make_catalog_backup shell script. There is a compatibility-wrapper, but that only supports simple cases. If you applied changes to BackupCatalog Job, you should immediately migrate to use make_catalog_backup. See catalog documentation PR #1081
• Bareos changed the way its binaries parse CLI arguments. Four existing options now require two minus signs (--) instead of one (-) :
  • -xc -> --xc to export all configuration at once.
  • -xc[resource[=<name>]] -> --xc [resource [ressource-name]] to export a specific resource.
  • -xs -> --xs to export configuration JSON schema.
  • -dt -> --dt to print the debug timestamp. The rest of the options stay the same. PR #1187
• Previously deprecated rados/ceph backend and cephfs plugin have been removed. Instead, please use the droplet backend to store into ceph via S3, and backup cephfs filesystems by backing up a mount point.
  • packages bareos-storage-ceph and bareos-filedaemon-ceph-plugin if previously installed need to be removed manually.
• Bareos 22 removes bareos-webui support for RHEL 7 and CentOS 7
• Bareos 22 uses the VMware VDDK 8.0.0 for the VMware Plugin. PR #1295. VDDK 8.0.0 supports vSphere 8 and is backward compatible with vSphere 6.7 and 7. vSphere 6.5 is not supported anymore.
• Bareos 22 bareos-webui now uses php_fpm instead of mod_php. PR #1287. Update should run smoothly, for details check the „Installing Bareos Webui“ chapter in the docs.

Added

• The bareos repositories now contain add_bareos_repositories.sh which will setup the corresponding repository automatically
• VMware Plugin: Save VM configuration and recreate VM before restore PR #1295
• python plugins: enable direct I/O in core instead of calling python for read and write PR #1297
• NDMP_BAREOS: add support for autoxflate plugin PR #1013
• stored: dird: add backup checkpoints that save backup metadata to the Catalog during the execution of the backup. PR #1074
• dird: add command line feature to print specific resources PR #1153
• dird: extend the list command to be able to query volumes and pools by ID PR #1041
• ndmp: introduce workaround for isilon 9.1.0.0 ‚Invalid nlist.tape_offset -1‘ error PR #1043
• packaging: installation and upgrade will check for the presence of :file:.enable-cap_sys_rawio in your bareos config dir and will configure the required cap_sys_rawio capabilities PR #1057
• webui: analytics module: show stored data per jobname in treemap PR #1082
• webui: add pool column to volume lists PR #1120
• webui: introduce themes PR #1281
• dird: console: add jobtype parameter to (l)list jobs PR #1149
• contrib: add support for building and packaging PR #768:
  • bareos-contrib-director-python-plugins
  • bareos-contrib-filedaemon-python-plugins
  • bareos-contrib-tools
• tests: py3plug-fd-contrib-mysql_dump PR #768
• tests: py*plug-fd-contrib-bareos_tasks_mysql PR #768
• webui: introduce rerun of multiple jobs at once PR #1109
• dird: console: add the ability to rerun multiple commas separated jobids PR #1170
• build: Add support for Ubuntu 22.04, Fedora 36, EL 9, openSUSE 15.4 PR #1179
• build: Add support for SLE_15_SP4 PR #1205
• libcloud plugin: allow to configure the storage provider PR #1226
• core/platform: Adding Bareos firewalld service xml files PR #1237
• dird: Added FS Type = vfat in LinuxAll.conf for UEFI partition PR #1236
• bareos tools: reintegrate testfind binary PR #1176
• fd: add support for role switching on PostgreSQL add-on Issue #1456 PR #1178
• build: switch from FreeBSD 13.0 to 13.1 PR #1253
• build: run a build and test with sanitizers enabled PR #1244
• catalog: update fileset text in fileset record PR #1300
• stored: emit warnings for Maximum Concurrent Jobs in device configs PR #1282
• webui: extend restore to handle plugin options PR #1276
• webui: introduce subscription backup unit report PR #1280

Fixed

• webui: fix job timeline x-axis UTC timestamp issue PR #1283
• dird: fix possible crash in tls context on configuration reload PR #1249
• dird: RunScript fixes PR #1217
• fix file count mismatch on restores that use recycled volumes PR #1330
  • fix show command output for RunScript RunsOnClient
  • fix show verbose for RunScripts
  • execute console runscripts only on the Director
• VMware file daemon plugin: fix restore with localvmdk=yes requires an API connection to vCenter PR #1219
• python plugins: store architecture specific modules in sitearch (instead of sitelib) PR #698
• debian: fix package dependencies for webui and Ceph PR #1183
• Python plugins: fix handling of additional pluginoptions parameter PR #1177
• debian: Let dbconfig create the Bareos catalog also with LC_COLLATE='C' and LC_CTYPE='C'. The create_bareos_database script did always do so. Requires dbconfig >= 2.0.21 PR #1031
• fix wrong packages_dir in restapi workflow, so restapi packages will be released to PyPI PR #1033
• core cats: Add IF EXISTS in drop table statements fix for bug #1409 (Allow usage of ExitOnFatal) PR #1035
• sql_get.cc: fix error logging in GetJobRecord() for jobname PR #1042
• webui: fix empty job timeline issue if date.timezone is not set in php.ini PR #1051
• Fix for wrong update message when updating all volumes from all pools with no existing volumes PR #1015
• Fix context confusion in Director’s Python plugins PR #1047
• Fix several cases of undefined behaviour, memory corruption and memory leaks PR #1060
• webui: fix undefined array key warning PR #1098
• webui: fix deprecated notice required param follows optional param PR #1097
• webui: fix uncaught TypeError if node.data is null PR #1087
• core cats: Add DROP VIEWS instruction in drop_bareos_table script PR #1092
• Don’t keep volume open after acquiring a read-storage failed in migrate/copy/virtual full PR #1106
• webui: show DIR message if ACL prevents a job rerun PR #1110
• webui: fix restore file tree rendering PR #1127
• dir: fix crash when there are no jobs to consolidate PR #1131
• webui: get volume and pool params from query instead of route PR #1139
• packaging: FreeBSD add missing ddl/update 2171_2192 and 2192_2210 files PR #1147
• Fix director connects to client while Connection From Director To Client is disabled. PR #1099
• cats: make .bvfs_update and .bvfs_versions take archive jobs into consideration PR #1152
• Fix always-incremental-consolidate systemtest sporadic fails, and rename it. PR #1154
• packaging: FreeBSD place all scripts into „normal“ location /usr/local/lib/bareos/scripts PR #1163
• Issue #1445 adding quotes to director name when using configure export. PR #1171
• dir: miscalculation when using always incremental keep number PR #1159
• Windows Installer: made ‚Director PotsgreSQL Backend Support‘ checked by default if ‚Full PostgreSQL‘ installation selected. PR #1185
• SQL: queries: fix sql queries to handle negative job duration value PR #1198
• dird: fix TLS-PSK credential not found error with very long job names PR #1204
• dird: Add missing newline to job message for TLS handshake PR #1209
• devtools/dist-tarball.sh: fix name if version contains „~pre“ PR #1221
• dird: fix odd-even weeks parsing bug in schedule PR #1210
• bcopy: fix crash in bcopy when using certain cli arguments PR #1211
• webui: fix password string length limitation Issue #1480
• systemtest: fixed issues with systemtests not succeeding on first try PR #1186
• btape: dumplabel only when label is valid PR #1266
• dird: fix crash in .jobstatus PR #1278
• testfind: remove unnecessary libraries and fix systemtest PR #1250
• stored: systemtests: docs: checkpoints improvements PR #1277
• winbareos.nsi: fix working directory in configure.sed PR #1288
• core: BareosDb::FindLastJobStartTimeForJobAndClient: take into account Running job Issue #1466 PR #1265
• backup.cc: fail backup when Write Bootstrap to pipe fails PR #1296
• webui: fix pool link in job details formatter Issue #1489 PR #1303
• webui: patch zf2 to eliminate a php warning caused by zend-stdlib PR #1305
• dird: fix director resource not showing when using show director or the --xc director cli option PR #1315
• webui: add timeline chart by jobs PR #1059
• bareos-fd-postgres: properly close database connection PR #1326
• filed: fix handling of STREAM_ACL_PLUGIN during restore PR #1308
• dird: fix tls protocol shown and document TLS Protocol & ciphers restriction PR #1319
• dird: fix for crash when starting rescheduled jobs PR #1327
• VMware Plugin: fix restore of backups taken before version 22 PR #1337

Changed

• contrib: rename Python modules to satisfy PEP8 PR #768
• contrib: adapt to Python interface of Bareos >= 20 PR #768
• Qmsg: in case of syslog logging use adapted log priority instead of always LOG_ERR PR #1134
• webui: remove an unnecessary .bvfs_get_jobids and buildSubtree() call PR #1050
• git: set merge strategy for CHANGELOG.md to union PR #1062
• stored: enable labeling of tapes in drives even if autoselect=no PR #1021
• dir, stored: start statistics threads only if needed PR #1040
• gitignore: cleanup .gitignore files PR #1067
• webui: update jstree from v3.3.8 to v3.3.12 PR #1088
• webui: update jstree-grid plugin PR #1089
• dird: Consolidation now purges candidate jobs with no files instead of ignoring them PR #1056
• dird: Virtual Full will now terminate if one of the input jobs had its files pruned PR #1070
• webui: new login screen background and adapted logo to support Ukraine PR #1122
• console: multicolumn output: fill columns first PR #1072
• cats: include only jobtypes in list jobtotals that write data to volumes PR #1135
• jstreegrid: remove handling of IE < 8 using navigator interface to avoid warnings in chrome PR #1140
• dird: bvfs_update now uses unordered_map instead of htable for the pathid cache PR #1138
• cats: filtered zero file jobs list is now sorted PR #1172
• dird: console: changed list jobs jobstatus argument to accept comma separated value PR #1169
• cats: management scripts remove db_driver support PR #1081
• bconsole: multiple identical successive commands are only added to history once PR #1162
• build: Now use solaris 11.4-11.4.42.0.0.111.0 PR #1189
• bconsole: removed commas from jobid attribute in list jobs and llist jobs outputs PR #1126
• testing: matrix.yml: run multiple tests sequentially PR #1193
• console: aborting job run if jobid doesn’t exist in catalog PR #1188
• daemons: changed daemon CLI arguments parsing PR #1187
• config parser: Refactor config reloading by using shared pointers instead of callbacks PR #1151
• tests: remove unused config files PR #1247
• dird: fix config reload and unit tests dependency issue PR #1161
• pruning: prune jobs doesn’t ask for jobtypes anymore, and prunes all jobtypes except Archives (A) PR #1215
• dird: cats: remove copy and migration jobs with no data from catalog PR #1262
• build: enable compiling on ARM PR #1270
• core and webui: adapt binary info messages to new wording PR #1298
• build: enable -Wextra warning level and apply required changes PR #1261
• lib: make foreach_res() reload-safe PR #1279
• build: prepare Bareos for an upgrade to the C++20 standard PR #1271
• stored: refactor the SD’s backend interface PR #1272
• core: use distinct names for JobControlRecordPrivate PR #1307
• webui-selenium-test: use options instead of chrome_options PR #1306
• systemtests: improve webui testing PR #1313
• dird: prohibit PAM usage with user ACL and Profiles in consoles PR #1318
• webui: cleanup webui source tree PR #1314
• dird: do device reservation as late as possible, i.e. after run before job scripts PR #1273
• ndmp_tape.cc: do not log current rctx->rec in joblog PR #1324
• dird: stored: set statistics collection as deprecated PR #1320
• webui: switch from mod_php to php-fpm PR #1287
• dird: status subscription: extend output PR #1312
• build: unify and merge builds where possible PR #1309
• python plugins: give python3 plugins priority over python2 plugins in packages PR #1332
• btraceback: make the gdb script processing failsafe PR #1334
• Python plugins: add default module_path to search path PR #1038
• systemtests: wait for mariadb shutdown PR #1048
• tests: simplify test coverage analysis PR #1010
• tests: skip mysql tests if root PR #1197
• webui: adapt links to new URLs after website relaunch. PR #1275

Deprecated

• make_catalog_backup.pl is now a shell wrapper script which will be removed in version 23.
• marked config directive Compatible as deprecated PR #1284
• deprecated Maximum Connections directive from all daemons and removed all uses in code. Directive has no effect anymore PR #1285
• deprecate python2 plugins PR #1331

Removed

• removed the -r run job option. PR #1206
• removed ceph/rados backend and filedaemon plugin PR #1216

Security

• webui: update jquery from v3.2.0 to v3.6.0 PR #1083
• dird: check authorization on PAM login PR #1115 CVE-2022-24755
• dird: fix memory leak on failed PAM login PR #1115 CVE-2022-24756
• webui: update moment.js to version 2.29.2 PR #1155CVE-2022-24785
  • webui is NOT affected
  • webui does NOT use the npm server
  • webui does NOT use a user-provided locale string to directly switch moment locale
• webui: Fix URL rewrite vulnerability in zend-http component PR #1213 No known CVE

Documentation

• Univention Corporate Server (UCS) has no longer extended integration, just normal Linux integration PR #1242
• cleanup update section PR #1054
• clarifies MySQL catalog migration process PR #1054
• split Howtos.rst file into one file per section PR #1054
• split the very long Plugins.rst file into one file per Bareos plugin PR #1046
• rework SD plugin scsicrypto linux sg_io ioctl subsection for cap_sys_rawio PR #1057
• improve action Python plugin documentation, by removing File in Fileset example PR #1079
• improve Mysql – PostgreSQL howto PR #1093 fixing Issue #1429
• clarifies Sphinx bareos-extension parallel_read_safe status to False PR #1037
• fix incorrect link in contrib PythonFdPlugin Issue #1450 PR #1065
• clarifies CheckFileChanges option not intended to be used with plugin Issue #1452
• fix broken links with sphinx linkcheck PR #1200
• add security FIPS section PR #1181
• add instruction to run sphinx linkcheck before release PR #1218
• FreeBSD install create /usr/local/etc/pkg/repos directory PR #1227
• remove deprecated rados & ceph references from documentation PR #1216
• improve Wild(*) section with links to example PR #1228
• add example to selection type = sql query PR #1229
• dir-job-RescheduleTimes remove wrong default sentence PR #1225
• update Appendix/HardwareSizing DB size with new numbers and formulas Issue #1477
• add description to fileset signature sha256 and sha512 parameter PR #1230
• improve troubleshooting and debugging chapter PR #1233
• mssql add a warning in case of pitr to run another backup full or diff afterwards PR #1235
• docs: Added Developer FAQ section with first question. PR #1202
• describe Debian installation based on add_bareos_repositories.sh PR #1238
• update Pull Request workflow description PR #1243
• docs: improve operating system table PR #1254
• add FAQ entry about howto upgrade from Bareos < 20 with Bareos Python packages installed PR #1260
• describe usage of the add_bareos_repositories.sh script PR #1248
• Appendix/Bareos Programs improvements PR #1255
• obsolete comments removed PR #1268
• fix bsmtp get-usage.sh call PR #1267
• add new VSS troubleshooting instruction to Windows chapter PR #1317
• update installation and renew update chapters PR #1329
• add chapter about Bareos Binary Release Policy PR #1333
• add chapter for mariabackup db plugin PR #1016

Quelle: bareos/CHANGELOG.md at Release/22.0.0 · bareos/bareos · GitHub