Bugzilla – Bug 1179005
VUL-0: CVE-2020-28924: rclone: weak password generation due to limited entropy
Last modified: 2021-02-10 23:18:04 UTC
CVE-2020-28924 An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28924
https://github.com/rclone/rclone/issues/4783
https://rclone.org/downloads/
All versions from 1.49 and on are affected. openSUSE 15.1 ships 1.47 and thus is not affected. openSUSE 15.2 and Factory are affected. Please apply the patch [1][2] in 15.2 and upgrade in Factory. More information at [3].
References
[1] https://github.com/rclone/rclone/commit/7985df37681f54d013816a4641da4f9b085b3aa5
[2] https://github.com/rclone/rclone/commit/f0905499e340f9e73e2552cf0c8b79cbf14ecbc4
[3] https://github.com/x0b/rcx/issues/101
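The CVE text above describes the weakness (a password generator whose output is fixed by a seed with only second resolution, so the whole keyspace is about 38 million entries per length) and the comment that follows names the upstream commits that fixed it. The following Go program is an added illustration, not rclone's own code and not taken from either commit: weakPassword models the flawed pattern with a constructed second-resolution seed, strongPassword shows the hardened form that reads from the operating system CSPRNG, and entropyBits compares the advertised entropy of a 22-character password with the entropy actually available when only the seed varies.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math"
	mrand "math/rand"
)

// weakPassword models the vulnerable pattern: a math/rand source seeded with
// a value that only changes once per second (constructed illustration, not
// rclone's code). Every caller that starts in the same second, or any party
// that can enumerate plausible start times, obtains the same password.
func weakPassword(seedSeconds int64, nBytes int) string {
	r := mrand.New(mrand.NewSource(seedSeconds))
	buf := make([]byte, nBytes)
	r.Read(buf) // (*Rand).Read never fails; output is fully determined by the seed
	return base64.RawURLEncoding.EncodeToString(buf)
}

// strongPassword is the hardened form: bytes come from crypto/rand, i.e. the
// operating system CSPRNG, so nBytes of output carry nBytes*8 bits of entropy.
func strongPassword(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// entropyBits is log2 of the number of distinct outputs a generator can emit.
func entropyBits(keyspace float64) float64 {
	return math.Log2(keyspace)
}

func main() {
	// Constructed seed: an arbitrary Unix timestamp standing in for "the second
	// rclone was started". Two runs with the same seed are indistinguishable.
	const seed int64 = 1606000000
	fmt.Println("weak  (seed N):  ", weakPassword(seed, 16))
	fmt.Println("weak  (seed N):  ", weakPassword(seed, 16))
	fmt.Println("weak  (seed N+1):", weakPassword(seed+1, 16))

	p, err := strongPassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("strong:          ", p)

	// 16 random bytes encode to 22 base64 characters; the advertised entropy is
	// 128 bits, while a dictionary of 38 million seeds covers about 25 bits.
	fmt.Printf("advertised: %.1f bits, effective with 38e6 seeds: %.1f bits\n",
		entropyBits(math.Pow(2, 128)), entropyBits(38e6))
}
```

The practical takeaway for operators is in the CVE note: a password's strength cannot be recovered after the fact, so any crypt-backend password produced by an affected version should be replaced with one from a CSPRNG-backed generator and the data re-encrypted.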
This is an autogenerated message for OBS integration: This bug (1179005) was mentioned in
https://build.opensuse.org/request/show/849567 Factory / rclone
https://build.opensuse.org/request/show/849568 15.1 / rclone
https://build.opensuse.org/request/show/849569 15.2 / rclone
openSUSE-SU-2020:2008-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1179005 CVE References: CVE-2020-28924 JIRA References: Sources used: openSUSE Leap 15.2 (src): rclone-1.53.3-lp152.2.3.1
openSUSE-SU-2020:2035-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1179005 CVE References: CVE-2020-28924 JIRA References: Sources used: openSUSE Leap 15.1 (src): rclone-1.53.3-lp151.3.6.1
openSUSE-SU-2020:2168-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1179005 CVE References: CVE-2020-28924 JIRA References: Sources used: openSUSE Backports SLE-15-SP1 (src): rclone-1.53.3-bp151.4.6.1
openSUSE-SU-2021:0272-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1179005 CVE References: CVE-2020-28924 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): rclone-1.53.3-bp152.2.4.11