[ASA-202011-17] rclone: private key recovery
foxboron at archlinux.org
Sun Nov 29 17:18:16 UTC 2020
Arch Linux Security Advisory ASA-202011-17
Date : 2020-11-19
CVE-ID : CVE-2020-28924
Package : rclone
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-1286
The package rclone before version 1.53.3-1 is vulnerable to private key
Upgrade to 1.53.3-1.
# pacman -Syu "rclone>=1.53.3-1"
The problem has been fixed upstream in version 1.53.3.
All passwords generated by rclone 1.49.0 up to 1.53.2 should be
changed. Rclone provides a password checker to find weak passwords as a
separate tool called passwordcheck.
An issue was discovered in rclone 1.49.0 up to 1.53.2. Due to the use
of a weak random number generator, the password generator has been
producing weak passwords with much less entropy than advertised. The
suggested passwords depend deterministically on the time rclone was
started. This limits the entropy of the passwords enormously. These
passwords are often used in the crypt backend for encryption of data.
It would be possible to make a dictionary of all possible passwords
with about 38 million entries per password length. This would make
decryption of secret material possible with a plausible amount of
effort. NOTE: all passwords generated by affected versions should be
A malicious user might be able to brute force the weak passwords.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security