Bug 496104 - <dev-db/xtrabackup-bin-2.1.6: Information disclosure (CVE-2013-6394)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2013-12-27 00:15 UTC by GLSAMaker/CVETool Bot
Modified: 2014-05-26 11:09 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 00:15:43 UTC
CVE-2013-6394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6394):
  Percona XtraBackup before 2.1.6 uses a constant string for the
  initialization vector (IV), which makes it easier for local users to defeat
  cryptographic protection mechanisms and conduct plaintext attacks.
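
Why a constant IV weakens encrypted backups, as an added example that is not part of the original bug report or of XtraBackup's code. The page does not state the cipher mode, so this assumes a counter-style stream construction built from HMAC-SHA256 as a stand-in; the IV string, key and sample backup contents are constructed.

```python
import hashlib
import hmac
import os

CONSTANT_IV = b"constant-iv-0000"  # constructed value, not XtraBackup's actual string

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, iv || counter) blocks (assumption)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same IV decrypts."""
    return xor(data, keystream(key, iv, len(data)))

def encrypt_random_iv(key: bytes, data: bytes) -> bytes:
    """Corrected form: fresh random IV per file, stored in front of the ciphertext."""
    iv = os.urandom(16)
    return iv + encrypt(key, iv, data)

def shared_prefix_len(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def demo() -> dict:
    key = os.urandom(32)
    # Two constructed backups that share a 23-byte header.
    a = b"-- dump of table users\nalice,admin\n"
    b = b"-- dump of table users\nbob,guest!!\n"
    ca, cb = encrypt(key, CONSTANT_IV, a), encrypt(key, CONSTANT_IV, b)
    ra, rb = encrypt_random_iv(key, a)[16:], encrypt_random_iv(key, b)[16:]
    return {
        # Same key and IV: identical plaintext prefixes stay identical on disk,
        # and ciphertext XOR equals plaintext XOR without knowing the key.
        "constant_shared_prefix": shared_prefix_len(ca, cb),
        "constant_xor_leaks": xor(ca, cb) == xor(a, b),
        # Per-file random IV: neither relation holds.
        "random_shared_prefix": shared_prefix_len(ra, rb),
        "random_xor_leaks": xor(ra, rb) == xor(a, b),
    }
```
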
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2013-12-27 00:46:32 UTC
2.1.6 has been added to the tree.
Is 2.0.x affected?
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-27 01:07:37 UTC
It isn't specifically mentioned in any of the advisories, only 2.1 and 2.2. That said, probably safer to clean the older version unless there's a specific need for the 2.0 version.
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2013-12-27 14:45:01 UTC
I'd like to keep it somewhat longer. 2.0.x is for MySQL 5.4 and 5.5. 2.1.x for 5.5 and 5.6.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:54:29 UTC
(In reply to Christian Ruppert (idl0r) from comment #3)
> I'd like to keep it somewhat longer. 2.0.x is for MySQL 5.4 and 5.5. 2.1.x
> for 5.5 and 5.6.

Can we clean up 2.0.x or do you still need it for older MySQL?
Comment 5 Christian Ruppert (idl0r) gentoo-dev 2014-05-22 18:34:19 UTC
(In reply to Yury German from comment #4)
> (In reply to Christian Ruppert (idl0r) from comment #3)
> > I'd like to keep it somewhat longer. 2.0.x is for MySQL 5.4 and 5.5. 2.1.x
> > for 5.5 and 5.6.
> 
> Can we clean up 2.0.x or do you still need it for older MySQL?

It's needed for older MySQL. 2.0.x is AFAIK not affected.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-05-24 03:13:59 UTC
Thank you for the verification, since 2.0.8 is not affected.

Closing - noglsa needed since no stable version.