Daniel Burrows wrote:
> I notice that pwsafe is linked against openssl. Is it affected by the
> recent debacle and if so, how? Do I need to regenerate all my
> randomized passwords, or somehow re-encrypt the pwsafe database?
I've looked briefly into it: The Blowfish encryption key is constructed from a SHA1 built from an initial random value, two zero bytes and the passphrase. So if an unmodified database created using a broken libssl copy is exposed to an attacker, it's more open to brute forcing attempts, but still safe-guarded by the passphrase. Fortunately the random part is renewed whenever the database is saved. By my understanding - I don't use pwsafe myself - this should happen whenever an entry is added or modified.

Please double-check that with upstream and send a finalised version to [EMAIL PROTECTED], so that we can add it to http://www.debian.org/security/key-rollover/ once confirmed.

Cheers,
Moritz
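The key construction described in the reply, modelled as an added example (not pwsafe's own code): SHA1 over the random value, two zero bytes and the passphrase, with a toy "weak PRNG" whose output space is tiny, and a save that draws a fresh random value. The random value length (8 bytes), the use of the full SHA1 digest as the key, and the weak-PRNG model are assumptions; the thread gives none of these.

```python
import hashlib
import secrets
from typing import Optional, Set, Tuple

# Assumed sizes: the thread does not give them. The random value is modelled
# as 8 bytes and the Blowfish key as the full 20-byte SHA1 digest.
RANDOM_LEN = 8


def derive_key(random_part: bytes, passphrase: bytes) -> bytes:
    """SHA1(random value || 0x00 0x00 || passphrase), as described in the reply."""
    return hashlib.sha1(random_part + b"\x00\x00" + passphrase).digest()


def weak_random(seed: int) -> bytes:
    """Constructed stand-in for a PRNG whose only entropy is a small integer
    seed: every output is fully determined by `seed`, so the value space is tiny."""
    return hashlib.sha1(seed.to_bytes(4, "big")).digest()[:RANDOM_LEN]


def weak_random_space(max_seed: int) -> Set[bytes]:
    """Every random value such a PRNG can ever emit (the attacker's candidate set)."""
    return {weak_random(s) for s in range(max_seed)}


def save_database(passphrase: bytes,
                  random_part: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Model of a save: a fresh random value is drawn (here from a CSPRNG, i.e.
    a fixed libssl) and the key is re-derived. Returns (random_part, key)."""
    if random_part is None:
        random_part = secrets.token_bytes(RANDOM_LEN)
    return random_part, derive_key(random_part, passphrase)


def random_part_recoverable(key: bytes, passphrase: bytes, max_seed: int) -> bool:
    """Can the random part be matched by trying only the weak PRNG's outputs?
    Even then the passphrase is needed to recompute the key, which is why the
    reply says the database stays safeguarded by it; a re-save with a fixed
    PRNG moves the random value outside the small candidate set entirely."""
    candidates = weak_random_space(max_seed)
    return any(derive_key(r, passphrase) == key for r in candidates)
```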