Bug 1413007 (CVE-2016-6225)

Summary: CVE-2016-6225 percona-xtrabackup: Encryption IV not being set properly
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: d.busby, pmackinn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: percona-xtrabackup 2.3.6, percona-xtrabackup 2.4.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-27 09:41:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1413008, 1413009    
Bug Blocks:    

Description Andrej Nemec 2017-01-13 12:02:10 UTC 
Percona XtraBackup versions older than 2.3.6 or 2.4.5 suffered an issue of not properly setting the Initialization Vector (IV) for encryption. This could allow someone to carry out a Chosen-Plaintext Attack, which could recover decrypted content from the encrypted backup files without the need for a password.

External References:

https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/
Comment 1 Andrej Nemec 2017-01-13 12:03:40 UTC 
Created percona-xtrabackup tracking bugs for this issue:

Affects: epel-7 [bug 1413008]
Affects: fedora-all [bug 1413009]
Comment 2 Andrej Nemec 2017-01-13 12:08:00 UTC 
Upstream patches:

https://github.com/percona/percona-xtrabackup/pull/266 
https://github.com/percona/percona-xtrabackup/pull/267
Comment 3 Pete MacKinnon 2017-01-19 15:51:23 UTC 
In the process of updating to 2.3.6 but koji appears to be having some issues. Tried 2.4.5 but there is code pulling in new boost dependencies which is failing to compile under rawhide.