Your message dated Mon, 14 Nov 2005 15:32:05 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#334490: fixed in cryptsetup 20050111-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Sebastian Leske <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Document use of ESSIV to avoid watermark attack
Date: Tue, 18 Oct 2005 11:39:23 +0200

Package: cryptsetup
Version: 20050111-3

Cryptsetup with the default parameters is vulnerable to a watermark attack 
(just like cryptoloop). See
http://mareichelt.de/pub/notmine/diskenc.pdf for details.

This attack can be avoided by using the IV generation mode "ESSIV", which is 
supported from Kernel 2.6.10 onwards.

This is documented in the current version of the dm-crypt README at
http://www.saout.de/misc/dm-crypt/
(search for "watermark").

A similar comment should be added to the (otherwise excellent) 
CryptoRoot.HowTo, warning users that the default parameters are vulnerable to 
the attack. I propose the following wording:

Change

# Edit /etc/crypttab and add the following line
# Replace /dev/hda4 with your backing device (lvm is ok, as is raid)
root    /dev/hda4

to

# Edit /etc/crypttab and add the following line
# Replace /dev/hda4 with your backing device (lvm is ok, as is raid)
root    /dev/hda4    none    cipher=aes-cbc-essiv:sha256
# Note: Specifying this cipher and IV generation through the "cipher=" 
# parameter mode avoids the watermark 
# attack mentioned in README.html. However, unlike the default parameters,
# it creates an encrypted partition that is incompatible with the old 
# cryptoloop implementation. If that matters to you, omit the cipher
# specification (and live with the watermark attack).

(Note: Didn't test this line, as I do not have a kernel with dm-crypt handy, 
but it should work. Maybe you can run a quick test.)
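
Added example (not part of the original report or of the cryptsetup package): a small audit of crypttab text that flags mappings which do not request ESSIV, following the report's point that the default parameters are exposed to the watermark attack. The sample entries and device names are constructed, and the "cipher-chainmode-ivmode[:ivopts]" reading of the cipher string is an assumption based on the dm-crypt naming used in the proposed line above.

```python
# Added example: flag crypttab mappings that do not request ESSIV.
# SAMPLE_CRYPTTAB is constructed; device names are placeholders.
SAMPLE_CRYPTTAB = """\
# <target> <source device> <key file> <options>
root    /dev/hda4
home    /dev/hda5    none    cipher=aes-cbc-essiv:sha256
swap    /dev/hda6    /dev/random    swap,cipher=aes-cbc-plain
"""


def parse_crypttab(text):
    """Yield (target, options) per entry; options is a dict of key -> value."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        opts = {}
        if len(fields) >= 4:          # 4th column: comma-separated options
            for item in fields[3].split(","):
                key, _, value = item.partition("=")
                opts[key] = value
        yield fields[0], opts


def essiv_finding(opts):
    """Return a reason string if the entry lacks ESSIV, else None."""
    spec = opts.get("cipher")
    if not spec:
        return "no cipher= option, default parameters in use"
    parts = spec.split("-")           # assumed: cipher-chainmode-ivmode[:ivopts]
    if len(parts) < 3:
        return f"cipher={spec} names no IV mode"
    chain, iv = parts[1], parts[2].split(":")[0]
    if chain == "cbc" and iv != "essiv":
        return f"cipher={spec} uses CBC with IV mode '{iv}'"
    return None                       # ESSIV, or a non-CBC mode (not covered here)


def audit(text):
    """List (target, reason) for every entry that should be reviewed."""
    return [(t, r) for t, o in parse_crypttab(text)
            if (r := essiv_finding(o)) is not None]


if __name__ == "__main__":
    for target, reason in audit(SAMPLE_CRYPTTAB):
        print(f"{target}: {reason}")
```
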



---------------------------------------
From: Jonas Meurer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#334490: fixed in cryptsetup 20050111-4
Date: Mon, 14 Nov 2005 15:32:05 -0800

Source: cryptsetup
Source-Version: 20050111-4

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:

cryptsetup_20050111-4.diff.gz
  to pool/main/c/cryptsetup/cryptsetup_20050111-4.diff.gz
cryptsetup_20050111-4.dsc
  to pool/main/c/cryptsetup/cryptsetup_20050111-4.dsc
cryptsetup_20050111-4_i386.deb
  to pool/main/c/cryptsetup/cryptsetup_20050111-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <[EMAIL PROTECTED]> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 14 Nov 2005 23:24:43 +0100
Source: cryptsetup
Binary: cryptsetup
Architecture: source i386
Version: 20050111-4
Distribution: unstable
Urgency: low
Maintainer: Debian Cryptsetup Team <[EMAIL PROTECTED]>
Changed-By: Jonas Meurer <[EMAIL PROTECTED]>
Description: 
 cryptsetup - configures encrypted block devices
Closes: 298944 303484 306021 310295 330370 334485 334490 335359 335604
Changes: 
 cryptsetup (20050111-4) unstable; urgency=low
 .
   * Change Maintainer field to the Debian Cryptsetup Team, add wesley and
     myself to Uploaders
   * Bump standards-version to 3.6.2.1, no changes needed
   * Document that -d option disables hashing (closes: #335604, #298944)
     Thanks to Bastian Kleineidam <[EMAIL PROTECTED]> for the patch
   * Document -r and --readonly options in the manpage (closes: #306021)
   * Split documentation of --help and --usage in manpage
   * Remove /etc/keys and /etc/crypttab on purge (closes: #330370)
   * Update README.html (closes: #334485)
   * Document how to prevent a watermark attack weakness in CryptoRoot.HowTo
     (closes: #334490)
   * Document shortness of /dev/random in CryptoSwap.HowTo (closes: #310295)
   * Fix the first line of usbcrypto.initrd, fixes half of #324353
   * Set permissions for /tmp in cryptdisks script (closes: #303484)
     Thanks to Stefan Reuter <[EMAIL PROTECTED]> for the patch
   * Added LSB initscript headers to cryptdisks script (closes: #335359)
   * renamed cryptsetup.{preinst,postinst,postrm} to preinst, postinst and
     postrm
   * Fix use of update-rc.d in postinst, cryptdisks should be stopped at
     runlevel 0 and 6, and be started at runlevel S. Instead it has been
     started in all three runlevels up to now.
Files: 
 a39fe7c2609060864ea40b70d624b461 838 admin optional cryptsetup_20050111-4.dsc
 b2f2b2cd6646936297328db2f8ccd255 23269 admin optional cryptsetup_20050111-4.diff.gz
 ade422c32985301050f5cfece49ee791 196972 admin optional cryptsetup_20050111-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDeRn4d6lUs+JfIQIRAnHXAJ9XcytK7UrbwYDTU+us6DSATjY6wgCcCtI2
cf7gO0lzbtKMfAXekmUeWAo=
=FcJr
-----END PGP SIGNATURE-----

