Dear Debian Maintainers, Please note percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a Chosen-Plaintext attack when running xbcrypt to encrypt backups. Backup plaintext data can be retrieved in this manner without the original password. We have blogged about the fix for the issue here https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly and our packages are available with the fix in place. Please note the version as per https://packages.debian.org/search?keywords=percona-xtrabackup (2.2.3-2.1). Is vulnerable to this attack and I would encourage you to check the code changes here: https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267 ( If the intent is to backport the fix rather than jump the version ). Cheers David David Busby, CISSP, Information Security Architect, Percona GPG: 5422AA2AB636DA5A https://keybase.io/oneiroi |
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail