Hi Christoph,

On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> Control: tags -1 buster-ignore
>
> On 22.02.19 at 23:46 Salvatore Bonaccorso wrote:
> > Source: seafile
> > Version: 6.2.11-1
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://github.com/haiwen/seafile/issues/350
> >
> > Hi,
> >
> > The following vulnerability was published for seafile.
> >
> > CVE-2013-7469[0]:
> > | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> > | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> > | it easier to conduct chosen-plaintext attacks or dictionary attacks.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> > [1] https://github.com/haiwen/seafile/issues/350
>
> This bug report is pretty late in the release cycle. Also the CVE is
> unspecific about the impact of the problem.
>
> As far as I see, the problem only affects libraries for which the user
> enabled encryption.
>
> Since the transport of the files is secured via a normal webserver with
> TLS etc., attempts to access your encrypted library can only be made
> locally on the client or the server.
>
> The cryptographic weakness should at least be documented, with the hint
> to additionally use a gpg- or zip-encrypted file in the library if the
> file data is really sensitive.
>
> So, I don't consider this bug a release-critical bug for buster. It
> cannot be fixed in the short time which is left before the release.
Yes, I think we can agree on that!

Regards,
Salvatore

Quick note on the buster-ignore tag addition: keep in mind that this is
technically only to be used/added by the release managers themselves, but
maintainers can obviously suggest it to the release managers, cf.
https://www.debian.org/Bugs/Developer#tags
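The CVE text above says a constant IV with CBC "makes it easier to conduct chosen-plaintext attacks or dictionary attacks". The added example below (written for this thread, not code from Seafile or from either poster) shows concretely what a constant IV leaks and what the fix looks like: with a fixed IV, CBC is deterministic, so two records that share a plaintext prefix produce ciphertexts that share the same leading blocks, and an observer with no key can see that they match; with a fresh random IV per encryption the ciphertexts are unrelated. It assumes AES-128-CBC with PKCS#7 padding, an all-zero IV as a constructed stand-in for "always the same IV" (the actual IV value Seafile used is not given in the report), and constructed keys and plaintexts; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad appends PKCS#7 padding so the buffer is a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts plaintext with AES-CBC under key and the caller-supplied
// IV and returns iv || ciphertext, the usual stored layout. Whether the result
// is safe depends entirely on how the caller chose iv.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(nil), iv...), ct...), nil
}

// FreshIV returns a new random IV from the OS CSPRNG. This is the mitigation:
// a different, unpredictable IV for every encryption makes CBC non-deterministic.
func FreshIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return iv, nil
}

// SharedLeadingBlocks counts how many ciphertext blocks (after the IV) two
// EncryptCBC outputs have in common before they first differ. Under a constant
// IV this equals the number of whole plaintext blocks the messages share, so
// someone holding only the ciphertexts learns that much about the plaintexts.
func SharedLeadingBlocks(c1, c2 []byte) int {
	n := 0
	for off := aes.BlockSize; off+aes.BlockSize <= len(c1) && off+aes.BlockSize <= len(c2); off += aes.BlockSize {
		if !bytes.Equal(c1[off:off+aes.BlockSize], c2[off:off+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	key := []byte("0123456789abcdef")     // constructed 128-bit key
	constIV := make([]byte, aes.BlockSize) // constructed stand-in for "always the same IV"
	// Two constructed records that share their first 32 bytes (two full blocks).
	p1 := []byte("Confidential memo to: A. Smith; salary 50000")
	p2 := []byte("Confidential memo to: A. Smith; salary 65000")

	c1, _ := EncryptCBC(key, constIV, p1)
	c2, _ := EncryptCBC(key, constIV, p2)
	fmt.Println("constant IV, shared leading blocks:", SharedLeadingBlocks(c1, c2)) // 2

	iv1, _ := FreshIV()
	iv2, _ := FreshIV()
	r1, _ := EncryptCBC(key, iv1, p1)
	r2, _ := EncryptCBC(key, iv2, p2)
	fmt.Println("fresh IVs,   shared leading blocks:", SharedLeadingBlocks(r1, r2)) // 0
}
```

The deterministic behaviour is also what makes dictionary attacks cheaper: encrypting a guessed record under the same key and IV yields a ciphertext that can be compared byte-for-byte against stored data, which a per-message random IV rules out. Note that a fresh IV only restores confidentiality; CBC without a MAC still needs authenticated encryption (or an encrypt-then-MAC construction) to resist tampering, which is a separate issue from this CVE.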