Hi,

On Fri, Jan 13, 2017 at 09:28:30AM +0000, David Busby wrote:
> Dear Debian Maintainers,
>
> Please note percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a
> Chosen-Plaintext attack when running xbcrypt to encrypt backups.
>
> Backup plaintext data can be retrieved in this manner without the
> original password.
>
> We have blogged about the fix for the issue here
> https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly
> and our packages are available with the fix in place.
>
> Please note the version as per
> https://packages.debian.org/search?keywords=percona-xtrabackup
> (2.2.3-2.1) is vulnerable to this attack, and I would encourage you to
> check the code changes here:
> https://github.com/percona/percona-xtrabackup/pull/266
> https://github.com/percona/percona-xtrabackup/pull/267
> (if the intent is to backport the fix rather than jump the version).
Thank you. I have added this entry to the security-tracker.

Regards,
Salvatore
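An added illustration of the defect class the advisory names, an encryption IV that is not set properly, written for this page and not taken from xbcrypt or from the linked pull requests. The page does not state which cipher mode or key derivation xbcrypt uses, so AES-256-CBC, an all-zero fixed IV for the weak variant, SHA-256 password hashing, and the two sample chunks are all assumptions made only to keep the demonstration self-contained. It shows the observable symptom (two chunks that share a plaintext header share a ciphertext prefix under the fixed IV, and do not under a per-chunk random IV) and the block-comparison check an operator can run over an existing encrypted backup set.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// keyFromPassword derives a 32-byte AES key. xbcrypt's real derivation is not
// on the page; plain SHA-256 is an assumption so the demo runs stand-alone.
func keyFromPassword(pw string) []byte {
	k := sha256.Sum256([]byte(pw))
	return k[:]
}

// pkcs7Pad and pkcs7Unpad give CBC a whole number of blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC is AES-CBC under whatever IV the caller supplies.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptFixedIV models the weak configuration (assumed all-zero IV for every
// chunk): chunks sharing a plaintext prefix end up sharing a ciphertext prefix.
func EncryptFixedIV(key, chunk []byte) ([]byte, error) {
	return encryptCBC(key, make([]byte, aes.BlockSize), chunk)
}

// EncryptRandomIV models the corrected behaviour: a fresh random IV per chunk,
// stored in front of the ciphertext so the decryptor can recover it.
func EncryptRandomIV(key, chunk []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, iv, chunk)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptRandomIV reverses EncryptRandomIV (IV is the first block).
func DecryptRandomIV(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// SharedPrefixBlocks counts the leading 16-byte blocks two ciphertexts have in
// common: the check to run over an encrypted backup set, no password needed.
func SharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// CompareLeak encrypts two constructed chunks that share a 32-byte header under
// both schemes and returns how many leading blocks each scheme lets match.
func CompareLeak() (fixedIV, randomIV int, err error) {
	key := keyFromPassword("backup-password")             // constructed
	header := []byte("percona_xtrabackup_chunk_header:") // 32 bytes, constructed
	c1 := append(append([]byte(nil), header...), "row 1: alice@example.test"...)
	c2 := append(append([]byte(nil), header...), "row 2: bob@example.test"...)

	f1, err := EncryptFixedIV(key, c1)
	if err != nil {
		return 0, 0, err
	}
	f2, err := EncryptFixedIV(key, c2)
	if err != nil {
		return 0, 0, err
	}
	r1, err := EncryptRandomIV(key, c1)
	if err != nil {
		return 0, 0, err
	}
	r2, err := EncryptRandomIV(key, c2)
	if err != nil {
		return 0, 0, err
	}
	return SharedPrefixBlocks(f1, f2), SharedPrefixBlocks(r1, r2), nil
}

func main() {
	f, r, err := CompareLeak()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fixed IV: %d shared leading blocks; random IV: %d\n", f, r)
}
```

With the fixed IV the two chunks agree on their first two ciphertext blocks, so an observer with only the encrypted backup learns that both chunks start with the same 32 bytes, which is exactly the kind of structural leak a backup encryption layer is supposed to prevent. Running SharedPrefixBlocks pairwise over chunks produced by an older xbcrypt is a quick way to confirm whether an archive was written before or after the fix was deployed.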
