From ${URL} : Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks References: https://drive.google.com/file/d/1rwYsnuhZZxmSR6Zs8rJlWW3R27XBOSJU/view https://github.com/haiwen/seafile/issues/350 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
After reading through the code thoroughly, I want to add the clarification, that the summary of the CVE is not really correct: Every encrypted library uses the same salt. (That will be fixed by upstream). For each encrypted library, PBKDF2 is used to generate the encryption key and IV from the user-supplied password for that library (and the salt). That concludes that two libraries only have the same IV, if users used the same password for them.
@maintainer(s), please cleanup!