Re: pwsafe and OpenSSL?
Daniel Burrows wrote:
> I notice that pwsafe is linked against openssl. Is it affected by the
> recent debacle and if so, how? Do I need to regenerate all my
> randomized passwords, or somehow re-encrypt the pwsafe database?
I've looked briefly into it: The Blowfish encryption key is constructed
from a SHA1 built from an initial random value, two zero bytes and the
passphrase. So if an unmodified database created using a broken libssl
copy is exposed to an attacker, it's more open to brute forcing attempts,
but still safeguarded by the passphrase.
Fortunately the random part is renewed whenever the database is saved.
By my understanding - I don't use pwsafe myself - this should happen
whenever an entry is added or modified.
Please double-check that with upstream and send a finalised version
to firstname.lastname@example.org, so that we can add it to
http://www.debian.org/security/key-rollover/ once confirmed.
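The key construction described in the reply above, as an added illustration that is not code from pwsafe or from either poster. It models only what the message says (SHA-1 over a random value, two zero bytes and the passphrase, used as the Blowfish key); the length of the random part, the helper names and the stand-in "broken" RNG are assumptions. It shows why a save with a healthy RNG renews the key, and why a predictable random part leaves the passphrase as the only secret in the key.

```python
import hashlib
import os
from typing import Callable, Tuple

# Assumed length of the random prefix; the message does not state it.
RANDOM_LEN = 8

def derive_key(random_part: bytes, passphrase: bytes) -> bytes:
    """Blowfish key as described in the reply: SHA1(random || 0x00 0x00 || passphrase).

    Modelled on the description in the message, not on pwsafe's source.
    Returns the 20-byte SHA-1 digest."""
    return hashlib.sha1(random_part + b"\x00\x00" + passphrase).digest()

def save_database(passphrase: bytes,
                  rng: Callable[[int], bytes] = os.urandom) -> Tuple[bytes, bytes]:
    """Simulate a save: draw a fresh random part and derive the key from it.

    Returns (random_part, key). The random part is what would be stored in
    the file header; the key never leaves memory."""
    random_part = rng(RANDOM_LEN)
    return random_part, derive_key(random_part, passphrase)

def broken_rng(n: int) -> bytes:
    """Constructed stand-in for a libssl whose 'random' output is predictable:
    every call returns the same bytes, so the random part adds no secrecy."""
    return b"\x00" * n

def resave_renews_key(passphrase: bytes) -> bool:
    """With a healthy RNG, two saves of the same passphrase yield different
    random parts and therefore different keys (the rollover effect the reply
    relies on)."""
    r1, k1 = save_database(passphrase)
    r2, k2 = save_database(passphrase)
    return r1 != r2 and k1 != k2

def remaining_secret_is_passphrase(p1: bytes, p2: bytes) -> Tuple[bool, bool]:
    """With the broken RNG the random part is known to anyone who can guess
    the RNG state, so the key depends only on the passphrase.

    Returns (same_passphrase_gives_same_key, different_passphrase_gives_different_key)."""
    _, k1 = save_database(p1, rng=broken_rng)
    _, k2 = save_database(p1, rng=broken_rng)
    _, k3 = save_database(p2, rng=broken_rng)
    return k1 == k2, k1 != k3

if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed sample passphrase
    print("re-save renews key:", resave_renews_key(pw))
    same, differ = remaining_secret_is_passphrase(pw, b"other passphrase")
    print("broken RNG: same passphrase -> same key:", same,
          "| different passphrase -> different key:", differ)
```

Re-saving with a fixed RNG restores nothing: the header's random part is identical before and after, so the strength of the file is exactly the strength of the passphrase. That is the check worth doing on an affected system: confirm the save actually happened with a repaired libssl, not merely that the file was rewritten.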