percona-xtrabackup: CVE-2013-6394: static IV used in Percona XtraBackup

Related Vulnerabilities: CVE-2013-6394  

Debian Bug report logs - #730544
percona-xtrabackup: CVE-2013-6394: static IV used in Percona XtraBackup


Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Tue, 26 Nov 2013 11:27:06 UTC

Severity: serious

Tags: fixed-upstream, security

Fixed in version percona-xtrabackup/2.1.6-2

Done: clint@fewbar.com (Clint Byrum)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#730544; Package percona-xtrabackup. (Tue, 26 Nov 2013 11:27:10 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 26 Nov 2013 11:27:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: static IV used in Percona XtraBackup
Date: Tue, 26 Nov 2013 12:24:34 +0100
Package: percona-xtrabackup
Severity: serious
Tags: security fixed-upstream

Hi,

Upstream discovered and fixed use of a static IV in encrypting backups:
"A fixed initialization vector (constant string) was used while encrypting
the data. This opened the encrypted stream/data to plaintext attacks among
others. Bug fixed #1185343."
http://www.percona.com/doc/percona-xtrabackup/2.1/release-notes/2.1/2.1.6.html
https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343

Fixed in upstream 2.1.6. Can you please ensure that this gets into Debian?


Cheers,
Thijs
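
The failure the quoted release note describes, as an added illustration that is not XtraBackup's code: the page does not state the cipher mode, so HMAC-SHA256 in counter mode stands in for a CTR-mode block cipher (the keystream-reuse property is the same for AES-CTR), and the constant IV value is constructed.

```python
# Added illustration (not XtraBackup code): why a fixed IV in a counter-mode
# stream cipher lets one backup's plaintext reveal another's, and why a fresh
# random IV per encryption removes that relation. The stdlib has no AES, so
# HMAC-SHA256 in counter mode stands in for the block cipher (assumption).
import hmac
import hashlib
import os


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter) for successive blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed_iv(key: bytes, plaintext: bytes) -> bytes:
    """Vulnerable pattern (CVE-2013-6394): the same constant IV for every backup."""
    FIXED_IV = b"constant-iv-0000"  # constructed stand-in for the hard-coded string
    return xor(plaintext, ctr_keystream(key, FIXED_IV, len(plaintext)))


def encrypt_fresh_iv(key: bytes, plaintext: bytes) -> bytes:
    """Corrected pattern: a random IV per encryption, stored in front of the data."""
    iv = os.urandom(16)
    return iv + xor(plaintext, ctr_keystream(key, iv, len(plaintext)))


def keystream_reuse_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    """With a fixed IV the keystream repeats, so c1 XOR c2 == p1 XOR p2: a known
    plaintext (e.g. a predictable file header) in one backup exposes the other."""
    c1, c2 = encrypt_fixed_iv(key, p1), encrypt_fixed_iv(key, p2)
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def fresh_iv_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Same check against the corrected scheme: the XOR relation no longer holds."""
    c1, c2 = encrypt_fresh_iv(key, p1)[16:], encrypt_fresh_iv(key, p2)[16:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])
```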



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#730544; Package percona-xtrabackup. (Tue, 26 Nov 2013 19:09:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Tue, 26 Nov 2013 19:09:09 GMT) (full text, mbox, link).


Message #10 received at 730544@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 730544@bugs.debian.org
Subject: Re: Bug#730544: static IV used in Percona XtraBackup
Date: Tue, 26 Nov 2013 20:06:21 +0100
Control: retitle -1 percona-xtrabackup: CVE-2013-6394: static IV used in Percona XtraBackup

Hi,

On Tue, Nov 26, 2013 at 12:24:34PM +0100, Thijs Kinkhorst wrote:
> Package: percona-xtrabackup
> Severity: serious
> Tags: security fixed-upstream
> 
> Hi,
> 
> Upstream discovered and fixed use of a static IV in encrypting backups:
> "A fixed initialization vector (constant string) was used while encrypting
> the data. This opened the encrypted stream/data to plaintext attacks among
> others. Bug fixed #1185343."
> http://www.percona.com/doc/percona-xtrabackup/2.1/release-notes/2.1/2.1.6.html
> https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343
> 
> Fixed in upstream 2.1.6. Can you please ensure that this gets into Debian?

Just a short note that a CVE was assigned now for this issue:
CVE-2013-6394.

Regards,
Salvatore



Changed Bug title to 'percona-xtrabackup: CVE-2013-6394: static IV used in Percona XtraBackup' from 'static IV used in Percona XtraBackup' Request was from Salvatore Bonaccorso <carnil@debian.org> to 730544-submit@bugs.debian.org. (Tue, 26 Nov 2013 19:09:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#730544; Package percona-xtrabackup. (Wed, 27 Nov 2013 03:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to Stewart Smith <stewart.smith@percona.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 27 Nov 2013 03:36:05 GMT) (full text, mbox, link).


Message #17 received at 730544@bugs.debian.org (full text, mbox, reply):

From: Stewart Smith <stewart.smith@percona.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 730544@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, 730544@bugs.debian.org
Subject: Re: [debian-mysql] Bug#730544: static IV used in Percona XtraBackup
Date: Wed, 27 Nov 2013 14:32:34 +1100
Salvatore Bonaccorso <carnil@debian.org> writes:
> On Tue, Nov 26, 2013 at 12:24:34PM +0100, Thijs Kinkhorst wrote:
>> Upstream discovered and fixed use of a static IV in encrypting backups:
>> "A fixed initialization vector (constant string) was used while encrypting
>> the data. This opened the encrypted stream/data to plaintext attacks among
>> others. Bug fixed #1185343."
>> http://www.percona.com/doc/percona-xtrabackup/2.1/release-notes/2.1/2.1.6.html
>> https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343
>> 
>> Fixed in upstream 2.1.6. Can you please ensure that this gets into Debian?
>
> Just a short note that a CVE was assigned now for this issue:
> CVE-2013-6394.

I'm actively working on packaging 2.1.6 and should have packages today/tomorrow.

-- 
Stewart Smith

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#730544; Package percona-xtrabackup. (Wed, 27 Nov 2013 06:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Stewart Smith <stewart.smith@percona.com>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 27 Nov 2013 06:00:05 GMT) (full text, mbox, link).


Message #22 received at 730544@bugs.debian.org (full text, mbox, reply):

From: Stewart Smith <stewart.smith@percona.com>
To: 730544@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, 730544@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, 730544@bugs.debian.org, Clint Byrum <clint@fewbar.com>
Subject: Re: [debian-mysql] Bug#730544: Bug#730544: static IV used in Percona XtraBackup
Date: Wed, 27 Nov 2013 16:55:12 +1100
Stewart Smith <stewart.smith@percona.com> writes:

> Salvatore Bonaccorso <carnil@debian.org> writes:
>> On Tue, Nov 26, 2013 at 12:24:34PM +0100, Thijs Kinkhorst wrote:
>>> Upstream discovered and fixed use of a static IV in encrypting backups:
>>> "A fixed initialization vector (constant string) was used while encrypting
>>> the data. This opened the encrypted stream/data to plaintext attacks among
>>> others. Bug fixed #1185343."
>>> http://www.percona.com/doc/percona-xtrabackup/2.1/release-notes/2.1/2.1.6.html
>>> https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343
>>> 
>>> Fixed in upstream 2.1.6. Can you please ensure that this gets into Debian?
>>
>> Just a short note that a CVE was assigned now for this issue:
>> CVE-2013-6394.
>
> I'm actively working on packaging 2.1.6 and should have packages
> today/tomorrow.

I've uploaded source packages (and amd64 binaries built with sbuild
locally) up to:
https://flamingspork.com/junk/percona-xtrabackup-2.1.6-debian/

I'd appreciate any review/sponsor for getting them in.

-- 
Stewart Smith

Marked as fixed in versions percona-xtrabackup/2.1.6-2. Request was from clint@fewbar.com (Clint Byrum) to control@bugs.debian.org. (Thu, 26 Dec 2013 16:51:04 GMT) (full text, mbox, link).


Marked Bug as done Request was from clint@fewbar.com (Clint Byrum) to control@bugs.debian.org. (Thu, 26 Dec 2013 16:51:05 GMT) (full text, mbox, link).


Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 26 Dec 2013 16:51:06 GMT) (full text, mbox, link).


Message sent on to "Thijs Kinkhorst" <thijs@debian.org>:
Bug#730544. (Thu, 26 Dec 2013 16:57:09 GMT) (full text, mbox, link).


Message #31 received at 730544-submitter@bugs.debian.org (full text, mbox, reply):

From: clint@fewbar.com (Clint Byrum)
To: control@bugs.debian.org
Cc: 730544-submitter@bugs.debian.org
Subject: closing 730544
Date: Thu, 26 Dec 2013 08:47:10 -0800 (PST)
close 730544 2.1.6-2
thanks



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Jan 2014 07:30:58 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:26:09 2019; Machine Name: buxtehude
