Sicherheit: Hash-Kollision in librsync

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1430118770-14093-0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:204
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : librsync
Date : April 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated librsync packages fix security vulnerability:

librsync before 1.0.0 used a truncated MD4 strong check sum to match
blocks. However, MD4 is not cryptographically strong. It's possible
that an attacker who can control the contents of one part of a file
could use it to control other regions of the file, if it's
transferred
using librsync/rdiff (CVE-2014-8242).

The change to fix this is not backward compatible with older versions
of librsync. Backward compatibility can be obtained using the new
rdiff sig --hash=md4 option or through specifying the signature magic
in the API, but this should not be used when either the old or new
file contain untrusted data.

Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8242
http://advisories.mageia.org/MGASA-2015-0146.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
e9e5dbb84ff6effa94d8b37d805e4500
mbs1/x86_64/lib64rsync2-1.0.0-1.mbs1.x86_64.rpm
db4b256939b54eb5919eceedf50f4192
mbs1/x86_64/lib64rsync-devel-1.0.0-1.mbs1.x86_64.rpm
ffaaf1c1364528d0c18bdda8cf514c34 mbs1/x86_64/rdiff-1.0.0-1.mbs1.x86_64.rpm
fd173f99aecfaa9d1d8d9af132b136b6
mbs1/x86_64/rdiff-backup-1.3.3-6.1.mbs1.x86_64.rpm
707dc6da51d7451541ce83400ee33f3a mbs1/SRPMS/librsync-1.0.0-1.mbs1.src.rpm
eb91121a971f6079d3b666419e08e0db
mbs1/SRPMS/rdiff-backup-1.3.3-6.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVPdL8mqjQ0CJFipgRAprPAJ4l7XA1SlpS/qCd5HNzGYLW8whXcQCgr5/s
n+CANdFiuTkPt47IUCpSzlc=
=1RLm
-----END PGP SIGNATURE-----

------------=_1430118770-14093-0
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

------------=_1430118770-14093-0--