Processed: Re: Bug#923009: seafile: CVE-2013-7469
Processing control commands:

> severity -1 important
Bug #923009 [src:seafile] seafile: CVE-2013-7469
Severity set to 'important' from 'grave'
> tags -1 - buster-ignore
Bug #923009 [src:seafile] seafile: CVE-2013-7469
Removed tag(s) buster-ignore.

--
923009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#923009: seafile: CVE-2013-7469
Control: severity -1 important
Control: tags -1 - buster-ignore

Hi Christoph,

On Thu, Mar 07, 2019 at 10:16:46AM +0100, Christoph Martin wrote:
> Hi Salvatore,
>
> On 06.03.19 at 23:15, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> >
> > On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> >
> > Yes I think we can agree on that!
> >
> > So, I'd like to lower the severity to important,
>
> > Quick note on the buster-ignore tag addition, keep in mind that this
> > is technically only to be used/added by release managers themselves, but
> > maintainers can obviously suggest that to the release managers, cf.
> > https://www.debian.org/Bugs/Developer#tags
>
> Sorry for that. Is it ok to leave the tag or is a severity change to
> important better? The autoremove flag is still active.

Yes that sounds good and I'm just doing so now, and as well removing the
tag buster-ignore as raised by Ivo on IRC.

Btw, the autoremove flag should have disappeared otherwise next.

Regards,
Salvatore
Bug#923009: seafile: CVE-2013-7469
Hi Salvatore,

On 06.03.19 at 23:15, Salvatore Bonaccorso wrote:
> Hi Christoph,
>
> On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
>
> Yes I think we can agree on that!
> So, I'd like to lower the severity to important,

> Quick note on the buster-ignore tag addition, keep in mind that this
> is technically only to be used/added by release managers themselves, but
> maintainers can obviously suggest that to the release managers, cf.
> https://www.debian.org/Bugs/Developer#tags

Sorry for that. Is it ok to leave the tag or is a severity change to
important better? The autoremove flag is still active.

Christoph
Bug#923009: seafile: CVE-2013-7469
Hi Christoph,

On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> Control: tags -1 buster-ignore
>
> On 22.02.19 at 23:46, Salvatore Bonaccorso wrote:
> > Source: seafile
> > Version: 6.2.11-1
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://github.com/haiwen/seafile/issues/350
> >
> > Hi,
> >
> > The following vulnerability was published for seafile.
> >
> > CVE-2013-7469[0]:
> > | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> > | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> > | it easier to conduct chosen-plaintext attacks or dictionary attacks.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> > [1] https://github.com/haiwen/seafile/issues/350
>
> This bug report is pretty late in the release cycle. Also the CVE is
> unspecific about the impact of the problem.
>
> As far as I see the problem is only with libraries which the user
> enabled encryption for.
>
> Since the transport of the files is secured via a normal webserver with
> TLS etc., access to your encrypted library can only be attempted locally
> on the client or the server.
>
> The cryptographic weakness should at least be documented with the hint
> to additionally use a gpg or zip encrypted file in the library if the
> files' data is really sensitive.
>
> So, I don't consider this bug as a release critical bug for buster. It
> can not be fixed in the short time which is left for the release.

Yes I think we can agree on that!

Regards,
Salvatore

Quick note on the buster-ignore tag addition, keep in mind that this
is technically only to be used/added by release managers themselves, but
maintainers can obviously suggest that to the release managers, cf.
https://www.debian.org/Bugs/Developer#tags
Processed: Re: Bug#923009: seafile: CVE-2013-7469
Processing control commands:

> tags -1 buster-ignore
Bug #923009 [src:seafile] seafile: CVE-2013-7469
Added tag(s) buster-ignore.

--
923009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#923009: seafile: CVE-2013-7469
Control: tags -1 buster-ignore

On 22.02.19 at 23:46, Salvatore Bonaccorso wrote:
> Source: seafile
> Version: 6.2.11-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/haiwen/seafile/issues/350
>
> Hi,
>
> The following vulnerability was published for seafile.
>
> CVE-2013-7469[0]:
> | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> | it easier to conduct chosen-plaintext attacks or dictionary attacks.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> [1] https://github.com/haiwen/seafile/issues/350

This bug report is pretty late in the release cycle. Also the CVE is
unspecific about the impact of the problem.

As far as I see the problem is only with libraries which the user
enabled encryption for.

Since the transport of the files is secured via a normal webserver with
TLS etc., access to your encrypted library can only be attempted locally
on the client or the server.

The cryptographic weakness should at least be documented with the hint
to additionally use a gpg or zip encrypted file in the library if the
files' data is really sensitive.

So, I don't consider this bug as a release critical bug for buster. It
can not be fixed in the short time which is left for the release.

Christoph

--
Christoph Martin, Head of Unix Systems
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
Anselm Franz von Bentzel-Weg 12, 55128 Mainz
Phone: +49(6131)3926337
Instant messaging: Jabber/XMPP: mar...@jabber.uni-mainz.de
Bug#923009: seafile: CVE-2013-7469
Source: seafile
Version: 6.2.11-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/haiwen/seafile/issues/350

Hi,

The following vulnerability was published for seafile.

CVE-2013-7469[0]:
| Seafile through 6.2.11 always uses the same Initialization Vector (IV)
| with Cipher Block Chaining (CBC) Mode to encrypt private data, making
| it easier to conduct chosen-plaintext attacks or dictionary attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2013-7469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
[1] https://github.com/haiwen/seafile/issues/350

Regards,
Salvatore
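The CBC weakness the CVE text describes, shown as an added example in Go with the standard library (this is not Seafile's code, which is C, and the key, IV and messages are constructed demo values): with one IV reused for every message, two plaintexts that share their first block produce an identical first ciphertext block, which an observer without the key can see, while a fresh random IV per message removes that equality.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// Constructed demo values; none of these are Seafile's real key, IV or data.
var (
	demoKey  = []byte("0123456789abcdef")                 // AES-128 key
	fixedIV  = bytes.Repeat([]byte{0x42}, aes.BlockSize) // the reused-IV pattern of the CVE
	demoMsgA = []byte("account: alice, secret=A")         // first 16 bytes equal demoMsgB's
	demoMsgB = []byte("account: alice, secret=B")
)
// cbcEncrypt returns the AES-CBC ciphertext of plaintext (PKCS#7-padded) under key and iv.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
// equalLeadingBlocks counts the leading ciphertext blocks two ciphertexts have in common;
// a nonzero count tells an observer without the key that the plaintexts share that many blocks.
func equalLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}
// fixedIVLeak reproduces the weakness: one IV reused for every message under the same key.
func fixedIVLeak(key, p1, p2 []byte) int {
	return equalLeadingBlocks(cbcEncrypt(key, fixedIV, p1), cbcEncrypt(key, fixedIV, p2))
}
// freshIVLeak is the mitigation: an unpredictable IV per message, stored beside the ciphertext.
func freshIVLeak(key, p1, p2 []byte) int {
	ivs := make([]byte, 2*aes.BlockSize) // two independent random IVs
	rand.Read(ivs)
	return equalLeadingBlocks(cbcEncrypt(key, ivs[:aes.BlockSize], p1), cbcEncrypt(key, ivs[aes.BlockSize:], p2))
}
```

With the fixed IV, encrypting the same plaintext twice also yields byte-identical ciphertext, which is what makes dictionary-style guessing of encrypted contents practical.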