On 02/21/2015 09:05 PM, Frank Crawford wrote:
> Folks,
> By the looks of it, the following security change to librsync will have
> some effect on rdiff-backup:
> ====
> Changes in librsync 1.0.0 (2015-01-23)
> * SECURITY: CVE-2014-8242: librsync previously used a truncated MD4
> "strong" check sum to match blocks. However, MD4 is not
> cryptographically strong. It's possible that an attacker who can control
> the contents of one part of a file could use it to control other regions
> of the file, if it's transferred using librsync/rdiff. For example this
> might occur in a database, mailbox, or VM image containing some
> attacker-controlled data.
> To mitigate this issue, signatures will by default be computed with a
> 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad
> magic number when given these signature files.
> [SNIP]
> So, does anyone know what the effect will be on rdiff-backup?
The only sums that rdiff-backup retains are SHA1 sums, so I doubt that
whatever librsync uses internally would have any effect.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
_______________________________________________
rdiff-backup-users mailing list at rdiff-backup-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
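For readers wondering what the quoted changelog entry actually protects against, here is a toy model of the block matching it describes, added as an illustration and not code from librsync or rdiff-backup. The per-block weak and strong sums modelled here are the ones stored in librsync's signature files; they are separate from any whole-file checksums a caller keeps. Everything in it is a constructed assumption: 16-byte blocks, a plain byte-sum "weak" checksum in place of the real rolling checksum, and BLAKE2b truncated to strong_len bytes as the "strong" sum, with strong_len=2 standing in for the old truncated MD4 (real MD4 is not used) and strong_len=32 for the 256-bit BLAKE2 default. The attacker's forging step is a brute-force second-preimage search that the truncation makes cheap; real attacks on MD4 are collision-based, but the consequence on the receiver is the same: the delta reuses a basis block in place of different data, and the rebuilt file silently differs from the sender's.

```python
"""Toy model of librsync-style block matching (constructed example, not librsync code).
Assumptions: 16-byte blocks, a byte-sum weak checksum, and BLAKE2b truncated to
strong_len bytes as the strong sum (2 bytes plays 'truncated MD4', 32 bytes plays
the 256-bit BLAKE2 default from the librsync 1.0.0 changelog)."""
import hashlib
import random

BLOCK_LEN = 16

# Constructed sample blocks, each exactly BLOCK_LEN bytes.
HDR = b"MBOX HEADER v1.0"
LEGIT = b"balance=100.00; "   # legitimate record the sender adds later
TAIL = b"--END OF RECORD-"


def weak_sum(block: bytes) -> int:
    """Stand-in for the rolling checksum: a byte sum (assumption), chosen so the
    attacker can keep it constant and the demo can focus on the strong sum."""
    return sum(block) & 0xFFFF


def strong_sum(block: bytes, strong_len: int) -> bytes:
    """Strong checksum truncated to strong_len bytes, as a signature file stores it."""
    return hashlib.blake2b(block, digest_size=32).digest()[:strong_len]


def signature(basis: bytes, strong_len: int) -> dict:
    """Receiver side: weak sum -> [(strong sum, offset)] for every basis block."""
    sig = {}
    for off in range(0, len(basis) - BLOCK_LEN + 1, BLOCK_LEN):
        block = basis[off:off + BLOCK_LEN]
        sig.setdefault(weak_sum(block), []).append((strong_sum(block, strong_len), off))
    return sig


def delta(new: bytes, sig: dict, strong_len: int) -> list:
    """Sender side: slide a window over the new file. When the weak sum hits and the
    strong sum then matches a basis block, emit ('copy', offset) instead of the bytes;
    otherwise the byte joins a ('literal', bytes) run."""
    ops, lit, i = [], bytearray(), 0
    while i < len(new):
        window = new[i:i + BLOCK_LEN]
        match = None
        if len(window) == BLOCK_LEN and weak_sum(window) in sig:
            want = strong_sum(window, strong_len)
            for strong, off in sig[weak_sum(window)]:
                if strong == want:
                    match = off
                    break
        if match is None:
            lit.append(new[i])
            i += 1
            continue
        if lit:
            ops.append(("literal", bytes(lit)))
            lit = bytearray()
        ops.append(("copy", match))
        i += BLOCK_LEN
    if lit:
        ops.append(("literal", bytes(lit)))
    return ops


def patch(basis: bytes, ops: list) -> bytes:
    """Receiver side: rebuild the new file from the basis plus the delta."""
    out = bytearray()
    for kind, arg in ops:
        out += basis[arg:arg + BLOCK_LEN] if kind == "copy" else arg
    return bytes(out)


def forge_colliding_block(target: bytes, strong_len: int, seed: int = 1,
                          max_tries: int = 2_000_000):
    """Attacker: find a different block with the same weak and strong sums as target.
    Permuting the bytes keeps the byte-sum weak checksum unchanged, so only the
    truncated strong sum has to collide: about 256**strong_len trials, trivial at
    strong_len=2 and hopeless at strong_len=32."""
    rng = random.Random(seed)
    want = strong_sum(target, strong_len)
    cand = bytearray(target)
    for _ in range(max_tries):
        rng.shuffle(cand)
        block = bytes(cand)
        if block != target and strong_sum(block, strong_len) == want:
            return block
    return None


def run_demo(strong_len: int, forged: bytes):
    """The attacker's forged block already sits in the receiver's old copy (basis);
    the sender then adds the legitimate record. Returns (sender's file,
    receiver's reconstruction, delta ops)."""
    basis = HDR + forged + TAIL
    new = HDR + forged + LEGIT + TAIL
    ops = delta(new, signature(basis, strong_len), strong_len)
    return new, patch(basis, ops), ops


if __name__ == "__main__":
    forged = forge_colliding_block(LEGIT, 2)
    for strong_len in (2, 32):
        new, rebuilt, ops = run_demo(strong_len, forged)
        print(f"strong_len={strong_len}: receiver matches sender: {rebuilt == new}")
```

With the 2-byte strong sum the delta emits a copy of the attacker's basis block where the legitimate record should be, and nothing in the rsync exchange itself notices. With the 32-byte sum the same forged block no longer matches, the record is sent as a literal, and the receiver's copy equals the sender's.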