Source: rclone Version: 1.53.1-2 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/rclone/rclone/issues/4783 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for rclone. CVE-2020-28924[0]: | An issue was discovered in Rclone before 1.53.3. Due to the use of a | weak random number generator, the password generator has been | producing weak passwords with much less entropy than advertised. The | suggested passwords depend deterministically on the time the second | rclone was started. This limits the entropy of the passwords | enormously. These passwords are often used in the crypt backend for | encryption of data. It would be possible to make a dictionary of all | possible passwords with about 38 million entries per password length. | This would make decryption of secret material possible with a | plausible amount of effort. NOTE: all passwords generated by affected | versions should be changed. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-28924 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28924 [1] https://github.com/rclone/rclone/issues/4783 Regards, Salvatore
