Package: dar
Version: 2.3.3-1
Severity: normal

A new upstream version of dar (2.3.4) was released two weeks ago, which fixes the weakened blowfish encryption code as discovered and resolved by Dwayne C. Litzenberger.

However, there is a minor difference to the patch which is included in the current Debian version (2.3.3-1). Instead of assigning the fixed blowfish encryption mode a new cipher name (blowfish2), the archive header version has been incremented, thus preserving backwards compatibility. With dar 2.3.4, archives created with a previous version will be decrypted with the weakened blowfish cipher, while newly created archives are decrypted in fixed blowfish cipher mode.

Unfortunately, this renders all encrypted archives created with the current Debian version unreadable[1]. Thus, the package should be updated to the latest upstream version as soon as possible.

(To paraphrase: There's a new upstream version available... ;-).)

Regards,
Peter

[1] Just for reference, the script I employed to fix my dar archives.

#!/usr/bin/python
#
# Fix dar archive header version
#
# Copyright (C) 2007 Peter Colberg <[EMAIL PROTECTED]>
# Licensed under the terms of the GNU General Public License.
#
# This script overwrites the dar archive header
# version for archives encrypted with the blowfish2
# cipher in Debian's dar version 2.3.3-1, thus
# making them readable by dar 2.3.4.
#

import sys, os

for fn in sys.argv[1:]:
    # Open for writing without truncating the archive
    f = os.open(fn, os.O_WRONLY)
    # The header version is stored at offset 0x10
    os.lseek(f, 0x10, os.SEEK_SET)
    # Overwrite it in place (bytes literal, so this also runs on Python 3)
    os.write(f, b'06')
    os.close(f)
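
Added example, not part of Peter's message or of the dar project: a guarded variant of the header fix that reads the two bytes at offset 0x10 before touching them, keeps a backup copy, and verifies the write. The expected_old parameter, the ".orig" backup suffix and the assumption that the version field is always two ASCII digits are illustrative choices, not taken from dar's format documentation.

```python
import os
import shutil
import sys

VERSION_OFFSET = 0x10  # header version position, as used by the script above
NEW_VERSION = b"06"    # value the script above writes


def fix_header(path, expected_old=None, backup=True):
    """Set the header version to NEW_VERSION and return a status string.

    expected_old is a hypothetical safety parameter: when given, the file is
    only modified if its current version bytes match it exactly.
    """
    with open(path, "r+b") as f:
        f.seek(VERSION_OFFSET)
        current = f.read(len(NEW_VERSION))
        if len(current) != len(NEW_VERSION):
            return "skipped: file too short"
        if current == NEW_VERSION:
            return "unchanged: already 06"
        # Assumption: a version field is two ASCII digits; anything else
        # suggests this is not an archive of the expected layout.
        if not current.isdigit():
            return "skipped: no version digits at 0x10"
        if expected_old is not None and current != expected_old:
            return "skipped: unexpected version " + current.decode("ascii")
        if backup:
            shutil.copy2(path, path + ".orig")  # keep the untouched archive
        f.seek(VERSION_OFFSET)
        f.write(NEW_VERSION)
        f.flush()
        os.fsync(f.fileno())
        # Read back to confirm the two bytes actually changed
        f.seek(VERSION_OFFSET)
        if f.read(len(NEW_VERSION)) != NEW_VERSION:
            return "failed: verification read mismatch"
    return "patched: %s -> 06" % current.decode("ascii")


if __name__ == "__main__":
    for fn in sys.argv[1:]:
        print("%s: %s" % (fn, fix_header(fn)))
```

Running it a second time on the same archive reports "unchanged" instead of rewriting the file, and the ".orig" copy allows the original header to be restored if dar still rejects the archive.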