2020-11-21

Passwords generated with previous versions of rclone might be unsafe

The latest rclone update to version 1.53.3 fixes CVE-2020-28924. From the release announcement:

Some passwords generated with rclone config may be insecure. In particular, if you used the ‘g’ generate option with rclone v1.49 - v1.53.2 then your password will be based on the second it was generated in. This means that there are a fixed number of passwords in that period, ~33 million.

We updated the rclone package to version 1.49.0, the first one affected, on August 27, 2019. The upstream project recommends using their passwordcheck utility to verify that your passwords aren’t among the ~33 million vulnerable ones. On a Void Linux system, you can obtain this utility by installing the go package and then building passwordcheck locally:

# xbps-install -S go
$ go get github.com/rclone/passwordcheck
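To illustrate the weakness the announcement describes, here is an added Go example (not rclone's own code, and not how its generator was actually written): a password generator seeded with nothing but the wall-clock second is fully reproducible from that second and can yield at most one distinct password per second of the affected period, beside a version that draws from crypto/rand and has no such limit. The character set, the constructed generation time and the helper names are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// Assumed character set; the real tool's alphabet is not described on the page.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// WeakPassword models the class of flaw in the announcement (illustrative, not
// rclone's code): the PRNG is seeded only with the generation second, so the
// password is a deterministic function of that second.
func WeakPassword(seedSecond int64, length int) string {
	r := mrand.New(mrand.NewSource(seedSecond))
	out := make([]byte, length)
	for i := range out {
		out[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(out)
}

// StrongPassword draws every character from crypto/rand, so the output does
// not depend on when it was generated.
func StrongPassword(length int) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// PasswordSpace counts the distinct weak passwords possible for generations
// between two instants: one per second, regardless of password length.
func PasswordSpace(from, to time.Time) int64 {
	return int64(to.Sub(from).Seconds()) + 1
}

func main() {
	sec := time.Date(2020, 11, 21, 12, 0, 0, 0, time.UTC).Unix() // constructed generation time
	fmt.Println(WeakPassword(sec, 20) == WeakPassword(sec, 20))  // true: reproducible from the second
	day := time.Date(2020, 11, 21, 0, 0, 0, 0, time.UTC)
	fmt.Println(PasswordSpace(day, day.Add(24*time.Hour-time.Second))) // 86400 candidates for a day
	p, err := StrongPassword(20)
	fmt.Println(p, err)
}
```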