| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2015 09:11:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2015:204 ] librsync -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:204 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : librsync Date : April 27, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated librsync packages fix security vulnerability: librsync before 1.0.0 used a truncated MD4 strong check sum to match blocks. However, MD4 is not cryptographically strong. It's possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it's transferred using librsync/rdiff (CVE-2014-8242). The change to fix this is not backward compatible with older versions of librsync. Backward compatibility can be obtained using the new rdiff sig --hash=md4 option or through specifying the signature magic in the API, but this should not be used when either the old or new file contain untrusted data. Also, any applications that use the librsync library will need to be recompiled against the updated library. The rdiff-backup packages have been rebuilt for this reason. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242 http://advisories.mageia.org/MGASA-2015-0146.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: e9e5dbb84ff6effa94d8b37d805e4500 mbs1/x86_64/lib64rsync2-1.0.0-1.mbs1.x86_64.rpm db4b256939b54eb5919eceedf50f4192 mbs1/x86_64/lib64rsync-devel-1.0.0-1.mbs1.x86_64.rpm ffaaf1c1364528d0c18bdda8cf514c34 mbs1/x86_64/rdiff-1.0.0-1.mbs1.x86_64.rpm fd173f99aecfaa9d1d8d9af132b136b6 mbs1/x86_64/rdiff-backup-1.3.3-6.1.mbs1.x86_64.rpm 707dc6da51d7451541ce83400ee33f3a mbs1/SRPMS/librsync-1.0.0-1.mbs1.src.rpm eb91121a971f6079d3b666419e08e0db mbs1/SRPMS/rdiff-backup-1.3.3-6.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVPdL8mqjQ0CJFipgRAprPAJ4l7XA1SlpS/qCd5HNzGYLW8whXcQCgr5/s n+CANdFiuTkPt47IUCpSzlc= =1RLm -----END PGP SIGNATURE-----
Powered by blists - more mailing lists