[Freedombox-discuss] FreedomBox security issue - CVE-2025-68462
James Valleroy
jvalleroy at mailbox.org
Thu Dec 18 17:46:19 GMT 2025
A security issue has been found in FreedomBox, related to private data used for backups of several applications. If your
FreedomBox has not already automatically updated to 25.17.1, please update it as soon as possible.
Versions affected by the issue:
- At least all versions between 21.3 and 25.17.
Versions that include a fix for the issue:
- 25.17.1 in trixie-backports, testing, and unstable
- 25.9.3+deb13u1, which should be included in the next stable point release.
Debian security tracker link:
https://security-tracker.debian.org/tracker/CVE-2025-68462
Salsa issue:
https://salsa.debian.org/freedombox-team/freedombox/-/issues/2554
The issue is due to the permissions on the directory /var/lib/plinth/backups-data, which could allow any local user or
program on the FreedomBox to read data stored in this directory. This directory is used when creating a backup for the
following apps:
- Dynamic DNS
- Miniflux
- Nextcloud
- WordPress
- Zoph
In the case of Dynamic DNS, the stored data includes the password for the configured DDNS service. For the other apps,
the stored data consists of database dumps that include private data of those apps' users.
Commit that fixes the issue:
https://salsa.debian.org/freedombox-team/freedombox/-/commit/8ba444990b4af6eec4b6b2b26482b107d7ff1229
The issue is fixed with the following changes:
- Update permissions on the backups-data directory so that its files are only accessible by root.
- Ensure that the directory is created by the 'backups' app and not by each of the apps that take the backup, so that a
  single place is responsible for setting its permissions.
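As an added example (not FreedomBox's own code, and not the fix linked above), the following Python shows the two halves of the remediation a practitioner would want to check on their own box: creating a backup staging directory with mode 0700 regardless of the process umask, and auditing an existing directory for ownership and any group/other permission bits. The path /var/lib/plinth/backups-data is taken from the advisory; the function names and the temporary directories built in demo() are assumptions for illustration.

```python
"""Private backup staging directory: create it correctly and audit it.

Added example, not FreedomBox code.  Helper names are hypothetical.
"""
import os
import stat
import tempfile
from pathlib import Path

# Path named in the advisory (CVE-2025-68462).
BACKUPS_DATA_DIR = Path('/var/lib/plinth/backups-data')


def create_private_dir(path):
    """Create `path` readable, writable and searchable by its owner only.

    mkdir(mode=...) is masked by the caller's umask, so an explicit chmod is
    applied afterwards to guarantee exactly 0700.  A directory that already
    exists is tightened rather than left with whatever mode it had.
    """
    path = Path(path)
    path.mkdir(mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    return path


def directory_problems(path, owner_uid=0):
    """Return a list of findings that would expose data stored under `path`.

    An empty list means: the path exists, is a real directory (not a
    symlink), is owned by `owner_uid` (root by default) and has no group or
    other permission bits set.
    """
    path = Path(path)
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ['missing']
    if stat.S_ISLNK(st.st_mode):
        # A symlink here could redirect database dumps to an attacker path.
        return ['is a symlink']
    if not stat.S_ISDIR(st.st_mode):
        return ['not a directory']
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f'owned by uid {st.st_uid}, expected {owner_uid}')
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        problems.append(f'group/other bits set: {extra:03o}')
    return problems


def demo():
    """Audit a correctly created directory and a world-readable one.

    Both directories are constructed under a temporary root so the example
    runs offline without touching the real FreedomBox path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        private = create_private_dir(Path(tmp) / 'backups-data')
        leaky = Path(tmp) / 'backups-data-leaky'
        leaky.mkdir()
        os.chmod(leaky, 0o755)  # group/other may list and traverse it
        me = os.getuid()         # the temp dirs are owned by us, not root
        return {
            'private': directory_problems(private, owner_uid=me),
            'leaky': directory_problems(leaky, owner_uid=me),
        }


if __name__ == '__main__':
    print('constructed example:', demo())
    # On a FreedomBox this reports [] once the fix is applied; elsewhere
    # it reports ['missing'].
    print('real path:', directory_problems(BACKUPS_DATA_DIR))
```

Run directory_problems(BACKUPS_DATA_DIR) as any user on the box: an empty list means the directory is root-owned with mode 0700; a 'group/other bits set' finding means the staging area is still readable by other local accounts.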