Red Hat Bugzilla – Bug 246760
CVE-2007-3528 dar Blowfish-CBC weakness
Last modified: 2007-11-30 17:12:09 EST
"The blowfish mode in DAR before 2.3.4 uses weak Blowfish-CBC cryptography by
(1) discarding random bits by the blowfish::make_ivec function in
libdar/crypto.cpp that results in predictable and repeating IV values, and (2)
direct use of a password for keying, which makes it easier for context-dependent
attackers to decrypt files."
2.3.4 is in CVS for F-7+, FC-6 appears untreated at the moment.
Please mark the F-7 update as a security one in the updates system and add the
CVE reference to it (I have no permissions to do that).
Updated in bodhi, should roll out asap. Also updated FC-6 and Epel. This bug
should auto-close when F-7 rolls out.
dar-2.3.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.