Your message dated Fri, 27 Nov 2020 04:04:10 +0000
with message-id <e1kiuzs-000bxs...@fasolo.debian.org>
and subject line Bug#975324: fixed in rclone 1.53.3-1
has caused the Debian Bug report #975324,
regarding rclone: CVE-2020-28924: generating weak passwords
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
975324: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975324
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rclone
Version: 1.53.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/rclone/rclone/issues/4783
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for rclone.

CVE-2020-28924[0]:
| An issue was discovered in Rclone before 1.53.3. Due to the use of a
| weak random number generator, the password generator has been
| producing weak passwords with much less entropy than advertised. The
| suggested passwords depend deterministically on the time the second
| rclone was started. This limits the entropy of the passwords
| enormously. These passwords are often used in the crypt backend for
| encryption of data. It would be possible to make a dictionary of all
| possible passwords with about 38 million entries per password length.
| This would make decryption of secret material possible with a
| plausible amount of effort. NOTE: all passwords generated by affected
| versions should be changed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28924
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28924
[1] https://github.com/rclone/rclone/issues/4783

Regards,
Salvatore

--- End Message ---
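The CVE text above describes a password generator whose output is a pure function of the second at which the process started. The program below is an added illustration of that weakness class and is not rclone's code: `weakPassword` seeds Go's non-cryptographic `math/rand` from a start-time second, `recoverSeed` builds the "dictionary" the advisory mentions by trying every second in a window and stopping at the one that reproduces an observed password, and `strongPassword` shows the correct construction using `crypto/rand` with an unbiased draw. The alphabet, password length, window and timestamps are assumptions made for this example; the dictionary size is simply the number of candidate start seconds, and the advisory's figure of about 38 million reflects the seed space of the real generator, not this model.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// alphabet is assumed for this illustration; the real generator's character
// set is not reproduced here.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakPassword models the flaw class: a deterministic PRNG seeded from a
// low-entropy value (a wall-clock second). The output has at most as much
// entropy as the seed, regardless of the requested length.
func weakPassword(seedSecond int64, length int) string {
	r := mrand.New(mrand.NewSource(seedSecond))
	b := make([]byte, length)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongPassword draws each character from the OS CSPRNG. rand.Int returns a
// uniform value in [0, n), so there is no modulo bias from the alphabet size.
func strongPassword(length int) (string, error) {
	if length <= 0 {
		return "", errors.New("length must be positive")
	}
	n := big.NewInt(int64(len(alphabet)))
	b := make([]byte, length)
	for i := range b {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// recoverSeed is the dictionary attack: every start second in
// [firstSecond, lastSecond] is tried, and the first one whose generated
// password reproduces the observed one is returned. Comparison stops at the
// first mismatching character, so wrong seeds are rejected cheaply.
func recoverSeed(observed string, firstSecond, lastSecond int64) (int64, bool) {
	for s := firstSecond; s <= lastSecond; s++ {
		r := mrand.New(mrand.NewSource(s))
		match := true
		for i := 0; i < len(observed); i++ {
			if alphabet[r.Intn(len(alphabet))] != observed[i] {
				match = false
				break
			}
		}
		if match {
			return s, true
		}
	}
	return 0, false
}

func main() {
	// Constructed example: a password "generated" by a process started at an
	// assumed time.
	start := time.Date(2020, 11, 21, 12, 0, 0, 0, time.UTC).Unix()
	pw := weakPassword(start, 22)
	fmt.Println("weak password:", pw)

	// Searching one week of start seconds around that time recovers the seed.
	seed, ok := recoverSeed(pw, start-3*24*3600, start+4*24*3600)
	fmt.Println("seed recovered:", ok, "matches start time:", seed == start)

	sp, err := strongPassword(22)
	fmt.Println("strong password:", sp, "err:", err)
}
```

The practical consequence matches the advisory's NOTE: a weak password of any length generated this way is recoverable from the start-time window alone, so rotating the password (and re-encrypting anything protected by it) is the remediation, not upgrading the generator after the fact.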
--- Begin Message ---
Source: rclone
Source-Version: 1.53.3-1
Done: Shengjing Zhu <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
rclone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 975...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated rclone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 27 Nov 2020 02:07:54 +0800
Source: rclone
Architecture: source
Version: 1.53.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 975324
Changes:
 rclone (1.53.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.53.3
     Closes: #975324 CVE-2020-28924
   * Bump debhelper-compat to 13
   * Bump Standards-Version to 4.5.1 (no changes)
   * Change devel package Section to golang
Checksums-Sha1:
 505d5d480f42efd4918333d229deb0090c169e5c 3315 rclone_1.53.3-1.dsc
 31349b13050ef4c9b6ae93872ee0ea4cdd0130ca 14714224 rclone_1.53.3.orig.tar.gz
 b77ed202c76d36d156d68c490b78bf6c84be4496 20328 rclone_1.53.3-1.debian.tar.xz
 eb456c4daec4bf4f781fcb15cf7eddc6c2d328f9 14574 rclone_1.53.3-1_amd64.buildinfo
Checksums-Sha256:
 f1badc0170c94102441512424312a2806262d63ff548d18cdf1b9a877381b67e 3315 rclone_1.53.3-1.dsc
 46fb317057ada21add1fa683a004e1ad5b2a1523c381f59b40ed1b18f2856ad0 14714224 rclone_1.53.3.orig.tar.gz
 ef67daea0e88a7ac2a09fe751fe6958a60406e1eb525f887fd8b37f61846892a 20328 rclone_1.53.3-1.debian.tar.xz
 0adaedb391843110b0c16c74fc9809b9a78096eaf0df4d1056e7527bbc0100de 14574 rclone_1.53.3-1_amd64.buildinfo
Files:
 db05b8fa916360fc648a8c897511dd69 3315 net optional rclone_1.53.3-1.dsc
 9de3e061778554095c145bbc08c55eec 14714224 net optional rclone_1.53.3.orig.tar.gz
 86e89f9b82f826864de2e389e164daf5 20328 net optional rclone_1.53.3-1.debian.tar.xz
 77886ecea8ec24a41c1d34fbaab17a11 14574 net optional rclone_1.53.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQTiXc95jUQrjt9HgU3EhUo4GOCwFgUCX7/0vxAcemhzakBkZWJp
YW4ub3JnAAoJEMSFSjgY4LAWlJsBANtVbdIWzTq/SV9ATzif0SgDQ1gWAJ9P7pyU
gDdsxDIeAQDReWUAutujRqeu0fTaegevLK/BQlznf6lqvdjFH7mgDw==
=Sfni
-----END PGP SIGNATURE-----

--- End Message ---