A security issue has been found in FreedomBox, related to private data used for backups of several applications. If your FreedomBox has not already automatically updated to 25.17.1, please update it as soon as possible.
Versions affected by the issue:
- At least all versions between 21.3 and 25.17.
Versions that include a fix for the issue:
- 25.17.1 in trixie-backports, testing, and unstable
- 25.9.3+deb13u1, which should be included in the next stable point release.
Debian security tracker link:
Salsa issue:
The issue is due to the permissions on the directory /var/lib/plinth/backups-data, which could allow any user or program on the FreedomBox to access data stored in this directory. This directory is used when creating a backup for the following apps:
- Dynamic DNS
- Miniflux
- Nextcloud
- WordPress
- Zoph
In the case of Dynamic DNS, the stored data includes the password for the configured DDNS service. In the case of the other apps, they are database dumps that include private data for the users of those apps.
Commit that fixes the issue:
The issue is fixed with the following changes:
- Update permissions on the backups-data directory so that files are only accessible by root users.
- Ensure that the directory is created by the ‘backups’ app and not by each of the apps that take the backup.