Re: pwsafe and OpenSSL?

To: debian-devel@lists.debian.org
Subject: Re: pwsafe and OpenSSL?
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 16 May 2008 23:46:13 +0200
Message-id: <[🔎] slrng2s055.4es.jmm@inutil.org>
References: <[🔎] 20080516024720.GA31959@alpaca>

Daniel Burrows wrote:
>   I notice that pwsafe is linked against openssl.  Is it affected by the
> recent debacle and if so, how?  Do I need to regenerate all my
> randomized passwords, or somehow re-encrypt the pwsafe database?

I've looked briefly into it: The Blowfish encryption key is constructed
from a SHA1 built from an initial random value, two zero bytes and the
passphrase. So if an unmodified database created using a broken libssl
copy is exposed to an attacker, it's more open to brute forcing attempts,
but still safe-guarded by the passphrase.

Fortunately the random part is renewed whenever the database is saved.
By my understanding - I don't use pwsafe myself - this should happen
whever an entry is added or modified.

Please double-check that with upstream and send a finalised version
to team@security.debian.org, so that we can add it to
http://www.debian.org/security/key-rollover/ once confirmed.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: pwsafe and OpenSSL?
  - From: Daniel Burrows <dburrows@debian.org>

References:
- pwsafe and OpenSSL?
  - From: Daniel Burrows <dburrows@debian.org>

Prev by Date: Re: How to handle Debian patches
Next by Date: Re: How to handle Debian patches
Previous by thread: pwsafe and OpenSSL?
Next by thread: Re: pwsafe and OpenSSL?
Index(es):
- Date
- Thread