352071 – <app-backup/tarsnap-1.0.28: Weak AES-CTR encryption

Bug 352071 - <app-backup/tarsnap-1.0.28: Weak AES-CTR encryption

Summary: <app-backup/tarsnap-1.0.28: Weak AES-CTR encryption

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.daemonology.net/blog/2011-...
Whiteboard:	~3 [noglsa]
Keywords:

Duplicates (1):	355431 (view as bug list)
Depends on:
Blocks:

Reported:	2011-01-18 22:33 UTC by Rafael Martins (RETIRED)
Modified:	2011-02-18 15:52 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rafael Martins (RETIRED) gentoo-dev

2011-01-18 22:33:02 UTC

Tarsnap versions 1.0.22 through 1.0.27 have a critical security bug, as widely spread  by Colin Perciva (see the URL for reference).

Please bump it asap.

Comment 1 Rafael Martins (RETIRED) gentoo-dev

2011-01-19 16:34:48 UTC

reassigning to security@g.o

Comment 2 Greg Kroah-Hartman (RETIRED) gentoo-dev

2011-01-19 16:37:52 UTC

Already committed in cvs.

Comment 3 Alex Legler (RETIRED) archtester

2011-02-18 15:15:49 UTC

*** Bug 355431 has been marked as a duplicate of this bug. ***

Comment 4 Alex Legler (RETIRED) archtester

2011-02-18 15:16:55 UTC

Greg, please remove older versions from the tree or give your ack on us doing so.

Comment 5 Greg Kroah-Hartman (RETIRED) gentoo-dev

2011-02-18 15:52:00 UTC

Please feel free to remove older versions of tarsnap from the portage tree, I can't get to my gentoo development machine for a few days to do this myself, sorry.