Package: librsync1
Version: 0.9.7-10
Severity: grave
Tags: security upstream

See https://github.com/librsync/librsync/issues/5 .

librsync uses MD4 as part of syncing; given the low strength and size of MD4, and the relative ease of computing collisions/preimages, that makes librsync unsafe to use on untrusted data, such as when running a duplicity backup.

The upstream fix involves changing the signature format to use a strong hash. The new version of librsync supports reading the old signature format, but always writes the new one. So, fixing this has some of the same implications as Berkeley DB upgrades. In particular, any applications using librsync and its data format across multiple systems will require upgrading any readers along with writers.

I'd suggest coordinating this with the reverse dependencies of librsync1.

- Josh Triplett

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.18.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages librsync1 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

librsync1 recommends no packages.

librsync1 suggests no packages.

-- no debconf information
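The reader/writer coordination problem raised in the report is easiest to manage if you can tell, before upgrading, which stored signature files are still in the MD4 format and which already use the strong-hash format that the fixed librsync writes. The following is an added example (not code from the bug report, from librsync, or from Debian) of a small inspector for librsync signature blobs. It assumes the signature layout from librsync's public header: a 4-byte big-endian magic (RS_MD4_SIG_MAGIC = 0x72730136 for the old format, RS_BLAKE2_SIG_MAGIC = 0x72730137 for the new one), followed by the block length and strong-sum length as 4-byte big-endian integers, then one entry per block consisting of a 4-byte weak checksum and `strong_sum_len` bytes of strong checksum. The sample signatures at the bottom are constructed in-line for the demonstration; their checksum bytes are placeholders, not real librsync output.

```python
import hashlib
import struct

# Magic numbers from librsync's rs_magic_number enum (librsync.h).
RS_MD4_SIG_MAGIC = 0x72730136     # "rs\x01\x36": old, MD4-based signature format
RS_BLAKE2_SIG_MAGIC = 0x72730137  # "rs\x01\x37": new, BLAKE2-based signature format
RS_DELTA_MAGIC = 0x72730236       # "rs\x02\x36": a delta stream, not a signature

# Signature header: magic, block_len, strong_sum_len; all big-endian uint32.
HEADER = struct.Struct(">III")
WEAK_SUM_LEN = 4               # the rolling checksum stored per block
MAX_STRONG_SUM_LEN = 32        # BLAKE2b-256 digest size is the upper bound


def parse_signature(data: bytes) -> dict:
    """Decode a librsync signature blob into its header fields and block list.

    Raises ValueError for anything that is not a well-formed signature, so a
    caller never silently treats a delta or a truncated file as a signature.
    """
    if len(data) < HEADER.size:
        raise ValueError("truncated signature header")
    magic, block_len, strong_len = HEADER.unpack_from(data, 0)

    if magic == RS_MD4_SIG_MAGIC:
        algorithm = "md4"
    elif magic == RS_BLAKE2_SIG_MAGIC:
        algorithm = "blake2b"
    elif magic == RS_DELTA_MAGIC:
        raise ValueError("input is a delta stream, not a signature")
    else:
        raise ValueError(f"unknown magic 0x{magic:08x}")

    if block_len == 0 or not (0 < strong_len <= MAX_STRONG_SUM_LEN):
        raise ValueError(f"implausible header: block_len={block_len}, "
                         f"strong_sum_len={strong_len}")

    entry_len = WEAK_SUM_LEN + strong_len
    body = data[HEADER.size:]
    if len(body) % entry_len:
        raise ValueError("signature body is not a whole number of block entries")

    blocks = []
    for off in range(0, len(body), entry_len):
        weak = struct.unpack_from(">I", body, off)[0]
        strong = body[off + WEAK_SUM_LEN:off + entry_len]
        blocks.append((weak, strong))

    return {"algorithm": algorithm, "block_len": block_len,
            "strong_sum_len": strong_len, "blocks": blocks}


def needs_regeneration(data: bytes) -> bool:
    """True when the signature still relies on MD4 and should be rebuilt
    with the fixed librsync once every reader has been upgraded."""
    return parse_signature(data)["algorithm"] == "md4"


def inventory(signatures: dict) -> dict:
    """Classify a mapping of name -> signature bytes into md4 / blake2b /
    unreadable buckets, which is the list you need for the coordinated upgrade."""
    report = {"md4": [], "blake2b": [], "unreadable": []}
    for name, blob in signatures.items():
        try:
            report[parse_signature(blob)["algorithm"]].append(name)
        except ValueError:
            report["unreadable"].append(name)
    return report


def build_signature(magic: int, block_len: int, strong_len: int, blocks) -> bytes:
    """Assemble a signature blob; used here only to construct test samples."""
    out = bytearray(HEADER.pack(magic, block_len, strong_len))
    for weak, strong in blocks:
        if len(strong) != strong_len:
            raise ValueError("strong sum length mismatch")
        out += struct.pack(">I", weak) + strong
    return bytes(out)


# Constructed samples: checksum bytes are placeholders, not real librsync output.
OLD_SIG = build_signature(RS_MD4_SIG_MAGIC, 2048, 8,
                          [(0x11111111, b"\xaa" * 8), (0x22222222, b"\xbb" * 8)])
NEW_SIG = build_signature(RS_BLAKE2_SIG_MAGIC, 2048, 32,
                          [(0x33333333, hashlib.blake2b(b"block-0", digest_size=32).digest())])
NOT_A_SIG = struct.pack(">I", RS_DELTA_MAGIC) + b"\x00" * 8

if __name__ == "__main__":
    print(inventory({"old.sig": OLD_SIG, "new.sig": NEW_SIG, "x.delta": NOT_A_SIG}))
```

Running the inventory over a directory of stored signatures (read each file into the mapping) gives the set of signatures that must be regenerated after every consumer has moved to the fixed library, which is the practical form of the "upgrade readers along with writers" advice above. The parser deliberately rejects delta streams and implausible header values rather than guessing, because a backup tool that quietly accepts a malformed signature is exactly the situation the report is about.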