Dear Debian Maintainers,
Please note percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a Chosen-Plaintext attack when running xbcrypt to encrypt backups.
Backup plaintext data can be retrieved in this manner without the original password.
We have blogged about the fix for the issue here https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly and our packages are available with the fix in place.
Please note the version as per https://packages.debian.org/search?keywords=percona-xtrabackup (2.2.3-2.1).
Is vulnerable to this attack and I would encourage you to check the code changes here: https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267 ( If the intent is to backport the fix rather than jump the version ).
Description: Message signed with OpenPGP using GPGMail