
Bug 126048

Summary: dev-perl/crypt-cbc: insecure initialization vector
Product: Gentoo Security
Reporter: Stefan Cornelius (RETIRED) <dercorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: perl
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0898
Whiteboard: B4 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 09:33:13 UTC
Crypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode, uses an initialization vector (IV) of 8 bytes, which results in weaker encryption when used with a cipher that requires a larger block size than 8 bytes, such as Rijndael.
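
An added example, not part of the original report and not Crypt::CBC code: a Python audit that flags stored ciphertexts written in RandomIV mode under a cipher whose block is wider than the 8-byte IV. It assumes the module's header layout (the literal `RandomIV` followed by the 8-byte IV, or `Salted__` followed by an 8-byte salt) and that the cipher name is known from application configuration; the sample bytes are constructed.

```python
# Added example: audit stored Crypt::CBC output for the short-IV condition.
# Assumed header layout: magic string followed by one 8-byte field.
RANDOMIV_MAGIC = b"RandomIV"  # legacy header, field is the IV
SALTED_MAGIC = b"Salted__"    # salted header, field is a salt (IV is derived)
FIELD_LEN = 8

# Block sizes in bytes; extend for the ciphers your application configures.
BLOCK_SIZES = {"DES": 8, "Blowfish": 8, "Rijndael": 16}


def parse_header(blob):
    """Split a ciphertext into (header kind, 8-byte field or None, body)."""
    for kind, magic in (("randomiv", RANDOMIV_MAGIC), ("salt", SALTED_MAGIC)):
        if blob.startswith(magic):
            field = blob[len(magic):len(magic) + FIELD_LEN]
            if len(field) < FIELD_LEN:
                raise ValueError("truncated %s header" % kind)
            return kind, field, blob[len(magic) + FIELD_LEN:]
    return "none", None, blob


def audit(blob, cipher):
    """Classify one ciphertext; 'short-iv' is the condition in this bug."""
    block = BLOCK_SIZES[cipher]
    try:
        kind, field, body = parse_header(blob)
    except ValueError:
        return "malformed"
    if not body or len(body) % block:
        return "malformed"      # CBC output is a whole number of blocks
    if kind != "randomiv":
        return "not-randomiv"
    # The header can only carry 8 IV bytes, whatever the cipher's block size.
    return "short-iv" if len(field) < block else "randomiv-8-byte-block"


# Constructed samples: placeholder bytes, not real ciphertext.
SAMPLES = [
    ("Rijndael", RANDOMIV_MAGIC + bytes(range(8)) + bytes(32)),
    ("Blowfish", RANDOMIV_MAGIC + bytes(range(8)) + bytes(16)),
    ("Rijndael", SALTED_MAGIC + bytes(range(8)) + bytes(32)),
    ("Rijndael", RANDOMIV_MAGIC + b"\x01\x02"),
]

if __name__ == "__main__":
    for cipher, blob in SAMPLES:
        print(cipher, audit(blob, cipher))
```

Anything reported as `short-iv` was encrypted under the condition this bug describes and is a candidate for re-encryption after the upgrade.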
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 09:34:25 UTC
Perl, please provide fixed ebuilds, thank you.
Comment 2 Michael Cummings (RETIRED) gentoo-dev 2006-03-13 11:08:19 UTC
bumped to 2.17
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 11:10:51 UTC
arches, please test and mark stable, thanks
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 12:04:56 UTC
Stable on hppa & sparc (yeah, I have an hppa box again).
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-13 12:21:34 UTC
Giving Alpha keywords for free... who else wants another one?
Comment 6 Chris White (RETIRED) gentoo-dev 2006-03-13 12:58:03 UTC
amd64 stable.
ppc stable.
Comment 7 Chris White (RETIRED) gentoo-dev 2006-03-13 13:37:52 UTC
x86 stable.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 13:39:17 UTC
ready for glsa vote. I tend to say yes - weak crypto is no funny thing.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2006-03-13 17:23:58 UTC
stable on ppc64, too
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:26:08 UTC
I vote yes.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 10:25:51 UTC
GLSA 200603-15

Thanks everybody