
CVE-2016-6225 percona-xtrabackup Encryption IV Not Being Set Properly

Dear Debian Maintainers,

Please note percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a Chosen-Plaintext attack when running xbcrypt to encrypt backups.

Backup plaintext data can be retrieved in this manner without the original password.

We have blogged about the fix for the issue here https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly and our packages are available with the fix in place.

Please note that the version as per https://packages.debian.org/search?keywords=percona-xtrabackup (2.2.3-2.1) is vulnerable to this attack, and I would encourage you to check the code changes here: https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267 (if the intent is to backport the fix rather than jump the version).



David Busby, CISSP,
Information Security Architect,
skype: Ascrethy
office:  +1-919-794-5190
Shropshire, UK. GMT (UTC)
GPG: 5422AA2AB636DA5A https://keybase.io/oneiroi
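As an added illustration (not code from Percona, from xbcrypt, or from this message), assuming AES-CTR for the cipher mode since the message does not name it: an encryptor that never sets its IV, as described above, beside the corrected form that draws a fresh IV per call, plus a black-box regression check, ReusesKeyStream, that backup tooling can run to confirm identical chunks never encrypt to identical ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// ctrEncrypt is the shared AES-CTR core (AES-CTR is assumed for illustration).
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// encryptFixedIV mirrors the flaw in the advisory: the IV is never set, so
// every chunk under one key is XORed with the same key stream.
func encryptFixedIV(key, plaintext []byte) ([]byte, error) {
	return ctrEncrypt(key, make([]byte, aes.BlockSize), plaintext)
}

// encryptFreshIV is the corrected form: a random IV per call, prepended to
// the ciphertext so the decryptor can recover it.
func encryptFreshIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := ctrEncrypt(key, iv, plaintext)
	if err != nil { return nil, err }
	return append(iv, ct...), nil
}

// ReusesKeyStream is a regression check: encrypt the same chunk twice under
// one key and report whether the outputs are identical. An encryptor that
// sets a fresh IV on every call must return false.
func ReusesKeyStream(enc func(key, pt []byte) ([]byte, error)) (bool, error) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit test key
	pt := []byte("constructed backup chunk")         // constructed sample input
	c1, err := enc(key, pt)
	if err != nil { return false, err }
	c2, err := enc(key, pt)
	if err != nil { return false, err }
	return string(c1) == string(c2), nil
}
```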
