[Bug 852224] New: Percona XtraBackup 2.1.6 maintenance release
https://bugzilla.novell.com/show_bug.cgi?id=852224
https://bugzilla.novell.com/show_bug.cgi?id=852224#c0

           Summary: Percona XtraBackup 2.1.6 maintenance release
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 13.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Maintenance
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: Andreas.Stieger@gmx.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0

http://www.percona.com/doc/percona-xtrabackup/2.1/release-notes/2.1/2.1.6.ht...

stable upstream release

New Features

 * Percona XtraBackup now supports logs created with the new log block
   checksums option innodb_log_checksum_algorithm in Percona Server 5.6.
 * New innobackupex --force-non-empty-directories option has been
   implemented. When specified, it makes innobackupex --copy-back option or
   innobackupex --move-back option transfer files to non-empty directories.
   No existing files will be overwritten. If --copy-back or --move-back has
   to copy a file from the backup directory which already exists in the
   destination directory, it will still fail with an error.

Bugs Fixed

 * innobackupex --copy-back would fail if innodb_data_home_dir is empty.
   Bug fixed #1049291.
 * A fixed initialization vector (constant string) was used while
   encrypting the data. This opened the encrypted stream/data to plaintext
   attacks among others. Bug fixed #1185343.
 * innobackupex --version-check is now on by default. Bug fixed #1227988.
 * xtrabackup_slave_info didn't contain any GTID information, which could
   cause master_auto_position not to work properly. Bug fixed #1239670.
 * xtrabackup_56 was using CRC32 as the default checksum algorithm. This
   could cause an error if the innodb_checksum_algorithm value was changed
   to the strict_innodb value after a restore. Bug fixed #1247586.
 * The xtrabackup_56 binary didn't store the server's
   innodb_checksum_algorithm value to backup-my.cnf. This value is needed
   because it affects the on-disk data format. Bug fixed #1248065.
 * Since Version Check is enabled by default in Percona XtraBackup 2.1.6,
   the new innobackupex --no-version-check option has been introduced to
   disable it. Bug fixed #1248900.
 * Percona XtraBackup now supports absolute paths in the
   innodb_data_file_path variable. Bug fixed #382742.
 * innobackupex wasn't able to perform backups to the NFS mount in some NFS
   configurations, because it was trying to preserve file ownership. Bug
   fixed #943750.
 * Percona XtraBackup wouldn't back up the empty directory created with
   mkdir (i.e. test) outside of the server, which could lead to
   inconsistencies during the Percona XtraDB Cluster State Snapshot
   Transfer. Bug fixed #1217426.
 * If the innodb_log_arch_dir variable was specified in the Percona Server
   configuration file my.cnf, Percona XtraBackup was unable to perform the
   backup. Bug fixed #1227240.
 * Race condition in start_query_killer child code could cause the parent
   MySQL connection to close. Bug fixed #1239728.

Reproducible: Didn't try

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=852224#c

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|NEW                         |ASSIGNED
         AssignedTo|bnc-team-screening@forge.pr |Andreas.Stieger@gmx.de
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=852224#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
                 CC|                            |security-team@suse.de
       InfoProvider|                            |maintenance@opensuse.org

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> 2013-11-25 22:53:03 UTC ---
(In reply to comment #0)
> A fixed initialization vector (constant string) was used while encrypting
> the data. This opened the encrypted stream/data to plaintext attacks among
> others. Bug fixed #1185343.

https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343

Weaker than intended encryption, is this a security issue?

Maintenance request: https://build.opensuse.org/request/show/208354
https://bugzilla.novell.com/show_bug.cgi?id=852224#c2

--- Comment #2 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-11-26 00:00:19 CET ---
This is an autogenerated message for OBS integration:
This bug (852224) was mentioned in
https://build.opensuse.org/request/show/208353 Factory / xtrabackup
https://bugzilla.novell.com/show_bug.cgi?id=852224#c3

Benjamin Brunner <bbrunner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|maintenance@opensuse.org    |security-team@suse.de

--- Comment #3 from Benjamin Brunner <bbrunner@suse.com> 2013-11-26 13:22:53 CET ---
I have changed the needinfo to the security-team for clarification.
https://bugzilla.novell.com/show_bug.cgi?id=852224#c4

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
                 CC|                            |meissner@suse.com
       InfoProvider|security-team@suse.de       |
            Summary|Percona XtraBackup 2.1.6    |VUL-0: CVE-2013-6394:
                   |maintenance release         |Percona XtraBackup 2.1.6
                   |                            |maintenance release

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2013-11-27 08:16:43 UTC ---
CVE-2013-6394

discussion on oss-security ongoing if IV fix is sufficiently random.
https://bugzilla.novell.com/show_bug.cgi?id=852224#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|                           |obs:running:2311:moderate
https://bugzilla.novell.com/show_bug.cgi?id=852224#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-11-30 10:08:38 UTC ---
I suppose this is part of the fix.

+void
+xb_crypt_init_iv()
+{
+	uint seed = time(NULL);
+	srandom(seed);
+}
+
+void
+xb_crypt_create_iv(void* ivbuf, size_t ivlen)
+{
+	size_t i;
+	ulong rndval;
+
+	for (i = 0; i < ivlen; i++) {
+		if (i % 4 == 0) {
+			rndval = (ulong) random();
+		}
+		((uchar*)ivbuf)[i] = ((uchar*)&rndval)[i % 4];
+	}
+}

This still risks keystream reuse because time() is fairly coarse.

What's worse, on 64-bit big-endian architectures, it results in a constant
zero IV because RAND_MAX is not large enough to reach the upper 32 bits in
the first four bytes of the rndval variable.

-- 
Florian Weimer / Red Hat Product Security Team
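Review bot: in xb_crypt_create_iv the byte extraction `((uchar*)&rndval)[i % 4]` depends on the in-memory layout of an 8-byte `ulong` that `random()` can fill only up to RAND_MAX (2^31-1): on a big-endian LP64 host storage bytes 0..3 are the always-zero high half, so the IV is constant zero, as the comment above describes. Extract the bytes arithmetically instead, e.g. `((uchar*)ivbuf)[i] = (uchar)(rndval >> (8 * (i % 4)));`, or better drop the loop and fill ivbuf from /dev/urandom or the crypto library's own nonce generator (libgcrypt provides gcry_create_nonce()), since random() is not a cryptographic generator regardless of how its output is unpacked.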
https://bugzilla.novell.com/show_bug.cgi?id=852224#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-11-30 10:08:59 UTC ---
From: Michael Samuel <mik@miknet.net>

On 27 November 2013 05:17, Florian Weimer <fweimer@redhat.com> wrote:
> I suppose this is part of the fix.
>
> +void
> +xb_crypt_init_iv()
> +{
> +	uint seed = time(NULL);
> +	srandom(seed);
> +}
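Review bot: xb_crypt_init_iv seeds srandom() with time(NULL), which gives at most 32 bits at one-second granularity, so two backups started in the same second get identical IVs (keystream reuse under the same key), and an attacker who knows the approximate backup time can enumerate the seed and reproduce the IV, so the IV is predictable even when it does not repeat. Remove the seeding step altogether and take the IV bytes from /dev/urandom or the crypto library's nonce generator, which needs no application-side seeding.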
That's at best a 32-bit nonce, but would only repeat if srandom() had
collisions. Presumably more than 1 backup a second is rare?

Just reading data from /dev/urandom would be more robust.

On a side note, a constant IV isn't fatal so long as a unique key is used
every time. Is the key random, password derived or constant?

Regards,
  Michael
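Florian's big-endian observation (comment #5) and Michael's point about keystream reuse (comment #6), as an added C example that is not Percona's code and was not posted by anyone in this thread. It re-runs the patch's byte-extraction loop with the 8-byte variable's memory layout modelled for both byte orders, then shows on a toy keystream what a reused (key, IV) pair costs: an attacker who knows one plaintext recovers the other. The key, the two plaintexts, the stand-in constant IV and the random() outputs are all constructed for the example, and the keystream generator is a placeholder for any stream mode, not XtraBackup's actual cipher.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PT_LEN 32  /* length of the constructed sample plaintexts */

/* The patch's loop with the random() outputs supplied and the byte order of
 * the 8-byte rndval variable modelled explicitly, so the big-endian LP64
 * case can be inspected on any host. random() never exceeds RAND_MAX =
 * 2^31-1, so the upper four bytes of the variable are always zero. */
static void model_create_iv(uint8_t *iv, size_t ivlen, const uint32_t *rnd,
                            int big_endian)
{
    uint8_t rep[8] = {0};   /* in-memory representation of the 8-byte ulong */
    for (size_t i = 0; i < ivlen; i++) {
        if (i % 4 == 0)
            for (int b = 0; b < 8; b++)
                rep[b] = (uint8_t)((uint64_t) rnd[i / 4]
                                   >> (big_endian ? 8 * (7 - b) : 8 * b));
        iv[i] = rep[i % 4];   /* patch reads storage bytes 0..3 only */
    }
}

/* Constructed random() outputs; any values below 2^31 behave the same. */
static const uint32_t SAMPLE_RND[4] = {0x7fffffffu, 0x12345678u, 1u, 0xabcdefu};

/* 1 if the modelled 16-byte IV comes out all zero for the given byte order. */
int iv_is_zero_on(int big_endian)
{
    uint8_t iv[16];
    model_create_iv(iv, sizeof iv, SAMPLE_RND, big_endian);
    for (size_t i = 0; i < sizeof iv; i++)
        if (iv[i]) return 0;
    return 1;
}

/* Toy keystream, NOT a cipher: it only models that in a stream mode the
 * keystream is a deterministic function of (key, IV). */
static void toy_keystream(const uint8_t key[16], const uint8_t iv[16],
                          uint8_t *out, size_t n)
{
    uint64_t s = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 16; i++) s = (s ^ key[i]) * 0x100000001B3ULL;
    for (int i = 0; i < 16; i++) s = (s ^ iv[i]) * 0x100000001B3ULL;
    if (s == 0) s = 1;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;   /* xorshift64 step */
        out[i] = (uint8_t)(s >> 24);
    }
}

/* Constructed key, plaintexts and a stand-in for the constant IV string. */
static const uint8_t KEY[16] = "constructed-key", FIXED_IV[16] = "xtrabackup_iv!!";
static const uint8_t P1[PT_LEN] = "backup_type = full-backuped    ";
static const uint8_t P2[PT_LEN] = "innodb_checksum_algorithm=crc32";

static void xor_encrypt(const uint8_t iv[16], const uint8_t *pt, uint8_t *ct)
{
    uint8_t ks[PT_LEN];
    toy_keystream(KEY, iv, ks, PT_LEN);
    for (size_t i = 0; i < PT_LEN; i++) ct[i] = pt[i] ^ ks[i];
}

/* Known-plaintext attack: an attacker holding both ciphertexts and P1 (say,
 * a predictable file header) computes c1 ^ c2 ^ P1. With the (key, IV) pair
 * reused the keystreams cancel and every byte of P2 comes out; with a fresh
 * IV they do not. Returns the number of correctly recovered P2 bytes. */
size_t p2_bytes_recovered(int reuse_iv)
{
    uint8_t iv2[16], c1[PT_LEN], c2[PT_LEN];
    size_t ok = 0;
    memcpy(iv2, FIXED_IV, 16);
    if (!reuse_iv) iv2[15] ^= 1;          /* any differing IV will do */
    xor_encrypt(FIXED_IV, P1, c1);
    xor_encrypt(iv2, P2, c2);
    for (size_t i = 0; i < PT_LEN; i++)
        if ((c1[i] ^ c2[i] ^ P1[i]) == P2[i]) ok++;
    return ok;
}

int main(void)
{
    printf("all-zero IV: big-endian LP64 %d, little-endian %d\n",
           iv_is_zero_on(1), iv_is_zero_on(0));
    printf("P2 bytes recovered from known P1: IV reused %zu of %d, fresh IV %zu of %d\n",
           p2_bytes_recovered(1), PT_LEN, p2_bytes_recovered(0), PT_LEN);
    return 0;
}
```

The big-endian result does not depend on the random() values at all, which is why the patch's IV is a constant there; the fresh-IV case is the property any replacement must restore, and it holds only if the IV is both unpredictable and never repeated under the same key.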
https://bugzilla.novell.com/show_bug.cgi?id=852224#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2013-6394
https://bugzilla.novell.com/show_bug.cgi?id=852224#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|obs:running:2311:moderate  |
https://bugzilla.novell.com/show_bug.cgi?id=852224#c7

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> 2013-12-12 17:05:51 UTC ---
openSUSE-SU-2013:1864-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 852224
CVE References: CVE-2013-6394
Sources used:
openSUSE 13.1 (src):    xtrabackup-2.1.6-5.1
https://bugzilla.novell.com/show_bug.cgi?id=852224#c8

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |FIXED

--- Comment #8 from Andreas Stieger <Andreas.Stieger@gmx.de> 2013-12-27 21:27:27 UTC ---
update released
https://bugzilla.novell.com/show_bug.cgi?id=852224#c9

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |RESOLVED

--- Comment #9 from Andreas Stieger <Andreas.Stieger@gmx.de> 2014-01-25 23:32:23 UTC ---
2.1.7 has a follow-up on the IV:

Percona XtraBackup now uses libgcrypt built-in randomization functions for
setting the Initialization Vector.

http://www.mysqlperformanceblog.com/2014/01/24/percona-xtrabackup-2-1-7-now-...
https://bugs.launchpad.net/percona-xtrabackup/+bug/1255300

Tracking in #860488
https://bugzilla.novell.com/show_bug.cgi?id=852224#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|                           |obs:running:2531:moderate
https://bugzilla.novell.com/show_bug.cgi?id=852224#c10

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> 2014-02-18 09:04:46 UTC ---
openSUSE-SU-2014:0245-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 852224,860488
CVE References: CVE-2013-6394
Sources used:
openSUSE 13.1 (src):    xtrabackup-2.1.7-9.1
http://bugzilla.novell.com/show_bug.cgi?id=852224

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|obs:running:2531:moderate   |
participants (1): bugzilla_noreply@novell.com