Bug 126048 - dev-perl/crypt-cbc: insecure initialization vector
Summary: dev-perl/crypt-cbc: insecure initialization vector
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa] DerCorny
Depends on:
Reported: 2006-03-13 09:33 UTC by Stefan Cornelius (RETIRED)
Modified: 2006-03-24 06:04 UTC
Description Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 09:33:13 UTC
Crypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode, uses an initialization vector (IV) of 8 bytes, which results in weaker encryption when used with a cipher that requires a larger block size than 8 bytes, such as Rijndael.
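An added example, not part of the bug report or of Crypt::CBC itself: a Python audit that flags stored ciphertexts carrying the legacy RandomIV header when the cipher's block size exceeds the 8-byte IV described above. The header layout (the literal string RandomIV followed by the 8-byte IV), the block-size table and the sample blobs are assumptions of this example.

```python
"""Audit stored Crypt::CBC ciphertexts for the 8-byte RandomIV header."""

# Assumed legacy layout: b"RandomIV" + 8-byte IV + ciphertext blocks.
# Assumed salted layout: b"Salted__" + 8-byte salt + ciphertext blocks.
MAGIC_LEN = 8
IV_LEN = 8
# Block sizes in bytes for ciphers commonly paired with Crypt::CBC.
BLOCK_SIZES = {"DES": 8, "Blowfish": 8, "IDEA": 8, "Rijndael": 16}


def classify(blob: bytes) -> str:
    """Return 'randomiv', 'salt' or 'unknown' from the 8-byte magic."""
    if len(blob) < MAGIC_LEN + IV_LEN:
        return "unknown"
    return {b"RandomIV": "randomiv", b"Salted__": "salt"}.get(
        blob[:MAGIC_LEN], "unknown")


def audit(blob: bytes, cipher: str) -> dict:
    """Describe one ciphertext; 'weak' means the IV is shorter than a block."""
    block = BLOCK_SIZES[cipher]
    fmt = classify(blob)
    body = blob[MAGIC_LEN + IV_LEN:] if fmt != "unknown" else blob
    return {
        "format": fmt,
        "block_size": block,
        "weak": fmt == "randomiv" and IV_LEN < block,
        # A body that is not a whole number of blocks points to a wrong cipher guess.
        "aligned": len(body) % block == 0,
    }


def needs_reencryption(records: dict, cipher: str) -> list:
    """Names of records written in RandomIV mode with a block size over 8 bytes."""
    return sorted(n for n, b in records.items() if audit(b, cipher)["weak"])


# Constructed sample blobs (not real ciphertext): header + IV/salt + filler blocks.
SAMPLES = {
    "legacy.bin": b"RandomIV" + bytes(range(8)) + bytes(32),
    "salted.bin": b"Salted__" + bytes(range(8)) + bytes(32),
    "short.bin": b"RandomIV",
}

if __name__ == "__main__":
    for cipher in ("Blowfish", "Rijndael"):
        print(cipher, needs_reencryption(SAMPLES, cipher))
```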
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 09:34:25 UTC
Perl, please provide fixed ebuilds, thank you.
Comment 2 Michael Cummings (RETIRED) gentoo-dev 2006-03-13 11:08:19 UTC
bumped to 2.17
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 11:10:51 UTC
arches, please test and mark stable, thanks
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-13 12:04:56 UTC
Stable on hppa & sparc (yeah, I have an hppa box again).
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-13 12:21:34 UTC
Giving Alpha keywords for free... who else wants another one?
Comment 6 Chris White (RETIRED) gentoo-dev 2006-03-13 12:58:03 UTC
amd64 stable.
ppc stable.
Comment 7 Chris White (RETIRED) gentoo-dev 2006-03-13 13:37:52 UTC
x86 stable.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-13 13:39:17 UTC
Ready for GLSA vote. I tend to say yes - weak crypto is no funny thing.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2006-03-13 17:23:58 UTC
stable on ppc64, too
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:26:08 UTC
I vote yes.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 10:25:51 UTC
GLSA 200603-15

Thanks everybody