Bug#984709: yubikey-luks: Stop exposing challenge in process list

2021-03-08 Thread Christian Kastner
On 08.03.21 20:26, Markus Frosch wrote:
> Thanks for reporting, haven't been following upstream for a while since I don't
> use the package actively anymore.

Admittedly, this particular information was somewhat buried.

> Due to lack of time, I'll upload a minimal patch for now. Feel free to join in
> maintaining.

Sounds good.

Best,
Christian



Bug#984709: yubikey-luks: Stop exposing challenge in process list

2021-03-08 Thread Markus Frosch
Hi Christian,

On Sun, 2021-03-07 at 15:44 +0100, Christian Kastner wrote:
> Looking at the upstream yubikey-luks repository, I noticed what seems to
> be an important recent fix, namely for the password (used as the yubikey
> challenge) being exposed in the process list:
> 
>    https://github.com/cornelinux/yubikey-luks/pull/63
> 
> This affects stable, too.
> 
> The fix from the PR seems simple enough, it just changes four LOC.
> 
> I looked at the (non-whitespace, non-documentation) diff between our
> current version and HEAD, and it's not that big. Perhaps the RT would
> even be willing to ACK an update to HEAD.

Thanks for reporting, haven't been following upstream for a while since I don't
use the package actively anymore.

Due to lack of time, I'll upload a minimal patch for now. Feel free to join in
maintaining.

Regards
Markus



Bug#984709: yubikey-luks: Stop exposing challenge in process list

2021-03-07 Thread Christian Kastner
Package: yubikey-luks
Version: 0.5.1+29.g5df2b95-5
Severity: grave
Justification: confidential information leak
Tags: security

Hi,

Looking at the upstream yubikey-luks repository, I noticed what seems to
be an important recent fix, namely for the password (used as the yubikey
challenge) being exposed in the process list:

   https://github.com/cornelinux/yubikey-luks/pull/63

This affects stable, too.

The fix from the PR seems simple enough, it just changes four LOC.

I looked at the (non-whitespace, non-documentation) diff between our
current version and HEAD, and it's not that big. Perhaps the RT would
even be willing to ACK an update to HEAD.

Best,
Christian
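The class of leak the report describes, as an added example that is not code from yubikey-luks, the Debian package or the upstream PR: a secret handed to a helper program as a command-line argument is readable by every local user through /proc/<pid>/cmdline, which is what `ps` prints, whereas a secret written to the helper's stdin never appears there. The `sh -c` stand-in below takes the place of the real challenge-response tool and performs no YubiKey operation; it only reports what its own command line looks like from /proc. The function names, the stand-in helper and the sample secret are all assumptions made for this example, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example, not yubikey-luks code. Shows why a challenge passed as argv
# leaks via /proc/<pid>/cmdline and why passing it on stdin does not.
# Assumes Linux (/proc). The "helper" is a stand-in sh -c script, not ykchalresp.

# Run the stand-in helper with the secret as an argument, the leaky pattern.
# The helper reads its own /proc/$$/cmdline and prints it with NULs as spaces,
# which is exactly what any local user sees with `ps -o args -p <pid>`.
cmdline_with_secret_in_argv() {
    sh -c 'c=$(tr "\000" " " < /proc/$$/cmdline); printf "%s\n" "$c"' helper "$1"
}

# Same helper, but the secret arrives on stdin. The helper still consumes it
# (into $chal) before reporting its command line, so it is fully usable, yet
# nothing secret is in argv.
cmdline_with_secret_on_stdin() {
    printf '%s' "$1" | sh -c 'chal=$(cat); c=$(tr "\000" " " < /proc/$$/cmdline); printf "%s\n" "$c"' helper
}

# Check: does the secret occur anywhere in the observed command line?
# Returns 0 (true) if it leaks, 1 otherwise.
secret_leaks() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample secret for the demo, not a real passphrase.
SECRET='constructed-challenge-s3cret'

leaky=$(cmdline_with_secret_in_argv "$SECRET")
safe=$(cmdline_with_secret_on_stdin "$SECRET")

if secret_leaks "$leaky" "$SECRET"; then
    echo "argv:  LEAKS -> $leaky"
else
    echo "argv:  not visible (unexpected on Linux)"
fi
if secret_leaks "$safe" "$SECRET"; then
    echo "stdin: LEAKS -> $safe"
else
    echo "stdin: secret not in /proc/<pid>/cmdline"
fi
```

Two caveats when auditing a script for this pattern: mounting /proc with `hidepid=2` hides other users' entries but is not a default and does not hide anything from root, and the argv copy exists for the whole lifetime of the helper, which for a challenge-response tool that waits for a button press can be many seconds. Reading the secret from stdin (or a file descriptor) removes the exposure rather than narrowing the window.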