Your message dated Fri, 5 Jul 2019 21:38:27 +0200
with message-id <[email protected]>
and subject line Re: Bug#931428: release-notes: Mention FDE security issue when 
installing with Calamares (CVE-2019-13179)
has caused the Debian Bug report #931428,
regarding release-notes: Mention FDE security issue when installing with 
Calamares (CVE-2019-13179)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931428
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release-notes
Severity: normal

When installing Debian from live media using the Calamares installer and 
selecting the full disk encryption feature, the disk's unlock key is stored in 
the initramfs which is world readable. This allows users with local filesystem 
access to gain access to the private key and gain access to the filesystem 
again in the future.

This can be worked around by adding "UMASK=0077" to 
/etc/initramfs-tools/conf.d/initramfs-permissions and running "update-initramfs 
-u". This will recreate the initramfs without world-readable permissions.

A fix for the installer is being planned and will be uploaded to 
debian-security. In the meantime users of full disk encryption should apply the 
above workaround.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179

--- End Message ---
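As an added example (not code from the bug report, Calamares or initramfs-tools), the following POSIX shell audit checks a system for the condition the report describes: it flags any world-readable `initrd.img-*` image under /boot and verifies that the recommended `UMASK=0077` line is present in /etc/initramfs-tools/conf.d. The paths are assumed Debian defaults, the sample files used to exercise it are constructed, and the script only reports; the fix remains adding the line and running `update-initramfs -u`.

```shell
#!/bin/sh
# Added example (not from the bug report or initramfs-tools): audit for the
# CVE-2019-13179 condition. Reports world-readable initramfs images and a
# missing UMASK=0077 setting; it changes nothing on the system.

# world_readable FILE: exit 0 if the "other" class has the read bit set.
# Column 8 of the ls(1) mode string ("-rw-r--r--") is the other-read bit.
world_readable() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# umask_configured DIR: exit 0 if some file in DIR sets UMASK=0077
# (the value the workaround recommends), ignoring surrounding whitespace.
umask_configured() {
    grep -qs -E '^[[:space:]]*UMASK=0?077[[:space:]]*$' "$1"/* 2>/dev/null
}

# audit_initramfs BOOT_DIR CONF_DIR: print findings; exit 0 only when no
# image is world-readable and the UMASK setting is in place.
audit_initramfs() {
    boot="$1" conf="$2" rc=0
    for img in "$boot"/initrd.img-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        if world_readable "$img"; then
            echo "WORLD-READABLE: $img (may expose the disk unlock key)"
            rc=1
        else
            echo "ok: $img"
        fi
    done
    if umask_configured "$conf"; then
        echo "ok: UMASK=0077 set in $conf"
    else
        echo "MISSING: add UMASK=0077 to $conf/initramfs-permissions" \
             "and run 'update-initramfs -u'"
        rc=1
    fi
    return $rc
}

# Usage on a real system (assumed Debian default paths):
#   sh audit-initramfs.sh --audit /boot /etc/initramfs-tools/conf.d
case "${1:-}" in
    --audit) audit_initramfs "${2:-/boot}" "${3:-/etc/initramfs-tools/conf.d}" ;;
esac
```

Note that a clean result only means newly generated images are protected; it says nothing about whether a local user already copied the key while the old image was readable.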
--- Begin Message ---
Hi Jonathan,

On 04-07-2019 21:24, Justin B Rye wrote:
> diff --git a/en/issues.dbk b/en/issues.dbk
> index b5c1d004..8cc72d44 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -692,6 +692,33 @@ $ sudo update-initramfs -u
>      </para>
>    </section>
>  
> +  <section id="calamares-creates-readable-key">
> +    <!-- stretch to buster -->
> +    <title>
> +      Calamares installer leaves disk encryption keys readable
> +    </title>
> +    <para>
> +      When installing Debian from live media using the Calamares installer
> +      (<ulink url="&url-wiki;calamares-installer">new in buster</ulink>)
> +      and selecting the full disk encryption feature, the disk's unlock key
> +      is stored in the initramfs which is world readable. This allows users
> +      with local filesystem access to read the private key and gain access
> +      to the filesystem again in the future.
> +    </para>
> +    <para>
> +      This can be worked around by adding <literal>UMASK=0077</literal> to
> +      <filename>/etc/initramfs-tools/conf.d/initramfs-permissions</filename>
> +      and running <command>update-initramfs -u</command>. This will recreate
> +      the initramfs without world-readable permissions.
> +    </para>
> +    <para>
> +      A fix for the installer is being planned (see <ulink
> +      url="&url-bts;931373">bug #931373</ulink>) and will be uploaded to
> +      debian-security. In the meantime users of full disk encryption should
> +      apply the above workaround.
> +    </para>
> +  </section>
> +
>  </section>
>  
>  </chapter>
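Review bot: the first para names the same secret twice in different ways, "the disk's unlock key" and then "read the private key"; a LUKS key file is a symmetric key, not a private key, so "read the unlock key" would keep the wording consistent. Two further documentation points: the workaround para explains that the regenerated initramfs is no longer world-readable but not whether a key that a local user has already copied stays valid, so a sentence on whether affected users should also change the key would help readers judge their exposure; and "A fix for the installer is being planned ... and will be uploaded to debian-security" will go stale once that upload happens, so consider pointing readers to bug #931373 for the current status rather than describing the plan.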
> 
> 
> evolution.diff
> 
> diff --git a/en/issues.dbk b/en/issues.dbk
> index b5c1d004..720bdfc0 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -684,9 +684,9 @@ $ sudo update-initramfs -u
>        Users using <systemitem role="package">evolution</systemitem> as their
>        email client and connecting to a server running Exchange, Office365 or
>        Outlook using the <systemitem role="package">evolution-ews</systemitem>
> -      plugin should not upgrade to Buster without backing up data and 
> finding an
> +      plugin should not upgrade to buster without backing up data and 
> finding an
>        alternative solution beforehand, as evolution-ews has been dropped due 
> to
> -      <ulink url="&url-bts;926712">bug (#926712)</ulink> and their email
> +      <ulink url="&url-bts;926712">bug #926712</ulink> and their email
>        inboxes, calendar, contact lists and tasks will be removed and will no
>        longer be usable.
>      </para>
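Review bot: the two changes here ("Buster" to "buster" and "bug (#926712)" to "bug #926712") match the style used in the new calamares section, so this is consistent; while in this paragraph, the unchanged context line "Users using <systemitem role="package">evolution</systemitem> as their email client" could read "Users of ... as their email client" to avoid the "Users using" repetition, and "will be removed and will no longer be usable" says the same thing twice and could be trimmed to "will be removed". It would also be worth checking the rest of issues.dbk for a capitalised "Buster" so the casing is consistent across the chapter.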
> 

These are both pushed.

Thanks.

Paul



--- End Message ---
