Description of problem:
xbcrypt in versions < 2.3.5 && < 2.4.5 does not handle the setting of the IV correctly, resulting in the produced ciphertext being vulnerable to a chosen plaintext attack.
More here: https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/

Version-Release number of selected component (if applicable):
2.3.6 && 2.4.5

How reproducible:
PoC code may be available on request, and on NDA signing.

Additional info:
Code changes here:
https://github.com/percona/percona-xtrabackup/pull/266
https://github.com/percona/percona-xtrabackup/pull/267

Affected package is here:
https://koji.fedoraproject.org/koji/packageinfo?packageID=20906
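To illustrate why a never-set IV makes block-cipher output vulnerable to a chosen plaintext attack, here is an added example (not the reporter's PoC and not xbcrypt's code); it assumes AES-CBC and an IV left all-zero purely as an illustration of the bug class, and shows the check a defender can run over produced ciphertexts: independent encryptions that share leading blocks are the symptom, a fresh IV per message is the fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// encryptCBC: AES-CBC over block-aligned plaintext; constructed helper, not xbcrypt's code.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the constructed key below is always 16 bytes
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// LeadingBlocksShared counts leading 16-byte blocks two ciphertexts have in common.
// Under a fresh IV per message this is 0; a non-zero count is the symptom of a fixed or unset IV.
func LeadingBlocksShared(c1, c2 []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(c1) && i+aes.BlockSize <= len(c2); i += aes.BlockSize {
		if !bytes.Equal(c1[i:i+aes.BlockSize], c2[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// Demo encrypts two plaintexts that share their first block, once with an IV that is never
// set (all-zero, the bug class) and once with a fresh random IV (the fix); returns both counts.
func Demo() (fixedIV, freshIV int) {
	key := bytes.Repeat([]byte{0x11}, 16)            // constructed key
	p1 := []byte("backup-header-v1backup-table-A--") // 32 bytes, constructed
	p2 := []byte("backup-header-v1backup-table-B--") // same first block as p1
	unsetIV := make([]byte, aes.BlockSize)           // never written: stays all-zero
	fixedIV = LeadingBlocksShared(encryptCBC(key, unsetIV, p1), encryptCBC(key, unsetIV, p2))
	iv := make([]byte, 2*aes.BlockSize) // two fresh IVs, one per message
	rand.Read(iv)
	freshIV = LeadingBlocksShared(encryptCBC(key, iv[:16], p1), encryptCBC(key, iv[16:], p2))
	return fixedIV, freshIV
}

func main() {
	f, r := Demo()
	println("shared leading blocks: unset IV =", f, " fresh IV =", r)
}
```

With the unset IV the first ciphertext block is identical for both messages, so an attacker who can choose plaintexts can confirm a guessed first block; with a fresh IV the count is 0.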
Hello David,

Thank you for the information. I have filed a security bug and added tracking bugs to it. Marking this as duplicate; if you need anything else, please comment in the CVE bug.

*** This bug has been marked as a duplicate of bug 1413008 ***