[Bug 1878115] Re: logged luks passwords

2020-05-17 Thread Tom Reynolds
Thanks for the fast fix of Subiquity. Personally, I continue to consider Ubuntu installers to be affected. To me, the ability to live upgrade Subiquity (where Internet access is available) is a nice workaround. Could we clarify which Ubuntu releases (or their installers) are (not) affected in

Re: [Bug 1878115] Re: logged luks passwords

2020-05-17 Thread Michael Hudson-Doyle
On Fri, 15 May 2020 at 21:32, Christian Sarrasin <1878...@bugs.launchpad.net> wrote:
> Just to clarify, is it correct that this issue only affects systems
> initially deployed with 20.04? On my 19.10 upgraded system, `grep -r`
> didn't reveal anything suspicious. I'm sorry if this is obvious

Re: [Bug 1878115] Re: logged luks passwords

2020-05-17 Thread Michael Hudson-Doyle
On Fri, 15 May 2020 at 20:01, Zbigniew Jędrzejewski-Szmek wrote:
> Oh, man. Once the password is written to a file on a real disk
> (/var/...), it should be considered compromised. Using shred or rm makes
> no guarantee that the bytes are removed from the device. In particular,
> it would be

[Bug 1878115] Re: logged luks passwords

2020-05-15 Thread Christian Sarrasin
Just to clarify, is it correct that this issue only affects systems initially deployed with 20.04? On my 19.10 upgraded system, `grep -r` didn't reveal anything suspicious. I'm sorry if this is obvious from the launchpad metadata (it's not to me) -- You received this bug notification because

[Bug 1878115] Re: logged luks passwords

2020-05-15 Thread Zbigniew Jędrzejewski-Szmek
Oh, man. Once the password is written to a file on a real disk (/var/...), it should be considered compromised. Using shred or rm makes no guarantee that the bytes are removed from the device. In particular, it would be fairly trivial to do something like "grep 'merged config' /dev/sda" and

[Bug 1878115] Re: logged luks passwords

2020-05-13 Thread Benjamin Schmid
@geertjohan: Many modern filesystems are using a journal, so way more reasonable seems to take the password as compromised and change it: Changing LUKS passphrase can be achieved interactively via gnome-disks or manually via commandline: cryptsetup luksChangeKey -S

[Bug 1878115] Re: logged luks passwords

2020-05-13 Thread Dimitri John Ledkov
@geertjohan => that sounds good enough. Or you might want to back up /var/log/installer and encrypt it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1878115 Title: logged luks passwords To manage

[Bug 1878115] Re: logged luks passwords

2020-05-13 Thread Geert-Johan Riemer
What would be the proper way to remove these logs when they contain a password? `shred /var/log/installer && rm -rf /var/log/installer`?

[Bug 1878115] Re: logged luks passwords

2020-05-12 Thread Dimitri John Ledkov
** Changed in: subiquity (Ubuntu) Status: Fix Committed => Fix Released

[Bug 1878115] Re: logged luks passwords

2020-05-12 Thread Alex Murray
CVE-2020-11932 has been assigned for this issue. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11932

[Bug 1878115] Re: logged luks passwords

2020-05-12 Thread Dimitri John Ledkov
curtin already accepts either plaintext or a keyfile, so only changes in subiquity needed to start using keyfile. ** Changed in: curtin (Ubuntu) Status: Confirmed => Invalid ** Description changed: + + Fix published in + latest amd64stable 20.05.2 1874

[Bug 1878115] Re: logged luks passwords

2020-05-11 Thread Michael Hudson-Doyle
I intend to fix this by passing the passphrase via a temporary file in /run/subiquity instead of in the curtin config. ** Changed in: subiquity (Ubuntu) Status: Confirmed => Triaged ** Changed in: subiquity (Ubuntu) Importance: Undecided => Critical

[Bug 1878115] Re: logged luks passwords

2020-05-11 Thread Paul Gear via ubuntu-bugs
I've confirmed on a 20.04 system recently installed from the official server ISO that the passphrase for the newly-created LUKS volume appears in the following files in /var/log/installer after install: autoinstall-user-data curtin-install-cfg.yaml curtin-install.log installer-journal.txt

[Bug 1878115] Re: logged luks passwords

2020-05-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: subiquity (Ubuntu) Status: New => Confirmed

[Bug 1878115] Re: logged luks passwords

2020-05-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: curtin (Ubuntu) Status: New => Confirmed

[Bug 1878115] Re: logged luks passwords

2020-05-11 Thread Seth Arnold
** Information type changed from Private Security to Public Security