
Re: CVE-2016-6225 percona-xtrabackup Encryption IV Not Being Set Properly



Hi,

On Fri, Jan 13, 2017 at 09:28:30AM +0000, David Busby wrote:
> Dear Debian Maintainers,
> 
> Please note percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a
> Chosen-Plaintext attack when running xbcrypt to encrypt backups.
> 
> Backup plaintext data can be retrieved in this manner without the
> original password.
> 
> We have blogged about the fix for the issue here
> https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly
> and our packages are available with the fix in place.
> 
> Please note the version as per
> https://packages.debian.org/search?keywords=percona-xtrabackup
> (2.2.3-2.1) is vulnerable to this attack, and I would encourage you to
> check the code changes here:
> https://github.com/percona/percona-xtrabackup/pull/266
> https://github.com/percona/percona-xtrabackup/pull/267
> (if the intent is to backport the fix rather than jump the version).

Thank you. I have added this entry to the security-tracker.

Regards,
Salvatore
