Control: tags -1 buster-ignore

On 22.02.19 at 23:46, Salvatore Bonaccorso wrote:
> Source: seafile
> Version: 6.2.11-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/haiwen/seafile/issues/350
>
> Hi,
>
> The following vulnerability was published for seafile.
>
> CVE-2013-7469[0]:
> | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> | it easier to conduct chosen-plaintext attacks or dictionary attacks.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> [1] https://github.com/haiwen/seafile/issues/350
This bug report is pretty late in the release cycle. Also, the CVE is unspecific about the impact of the problem.

As far as I see, the problem only affects libraries for which the user enabled encryption. Since the transport of the files is secured via a normal web server with TLS etc., access to your encrypted library can only be attempted locally on the client or the server.

The cryptographic weakness should at least be documented, with the hint to additionally use a gpg- or zip-encrypted file in the library if the file data is really sensitive.

So, I don't consider this bug a release-critical bug for buster. It cannot be fixed in the short time which is left for the release.

Christoph

--
============================================================================
Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
Anselm Franz von Bentzel-Weg 12, 55128 Mainz
Phone: +49(6131)3926337
Instant-Messaging: Jabber/XMPP: mar...@jabber.uni-mainz.de
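What the quoted CVE text means in practice, as an added Go example (not seafile's code): two files that share a prefix are encrypted under one key, once with a fixed IV as reported and once with a fresh random IV, and the number of leading ciphertext blocks an observer can see are equal is counted. The key and the messages are constructed for the demo; a real client derives the key from the library password.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo key; a real client derives it from the library password.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// EncryptCBC PKCS#7-pads msg and encrypts it with AES-CBC under key and iv.
func EncryptCBC(key, iv, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// SharedLeadingBlocks counts the leading 16-byte blocks a and b have in common.
// With a fixed IV this equals the number of equal leading plaintext blocks.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// LeakedBlocks encrypts m1 and m2 and reports how many leading ciphertext blocks
// match: fixedIV=true reuses one IV (the reported weakness), fixedIV=false draws
// a fresh random IV per message (the fix), after which nothing lines up.
func LeakedBlocks(m1, m2 []byte, fixedIV bool) int {
	iv1, iv2 := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	if !fixedIV {
		rand.Read(iv1)
		rand.Read(iv2)
	}
	return SharedLeadingBlocks(EncryptCBC(demoKey, iv1, m1), EncryptCBC(demoKey, iv2, m2))
}
```

With the fixed IV, equal files encrypt to identical ciphertext and files with a common header reveal exactly how many leading blocks they share; with a random IV per file both comparisons return 0.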