vulnerabilities in LUKS
Teddy Hogeborn
teddy at recompile.se
Wed Dec 7 10:46:40 CET 2016
Teddy Hogeborn <teddy at recompile.se> writes:
> Valerio Bellizzomi <valerio at selnet.org> writes:
>
> > I believe this should be documented somehow, at least by this
> > message
>
> Some context:
[…]
> The second issue (as noted in the second link,
> <http://seclists.org/oss-sec/2016/q4/432>) is not fixed yet by the
> Debian security team, since they deem it to have a "Negligible
> security impact"
> (<https://security-tracker.debian.org/tracker/CVE-2016-4484>). The
> issue is that if a person is physically present at the console, they
> can reach a debug shell by simply inputting the wrong password for a
> little over a minute. You may or may not deem this a problem, since
> physical access is always difficult to defend against, and the debug
> shell can't access any encrypted data. The only fix, if one is
> desired, is to use the version of "cryptsetup" from Debian unstable.
> Like the first issue, this is *not* a Mandos issue and there is
> nothing which Mandos can do about this, even though Mandos users are
> very likely to be affected.
Followup: Here is a blog post by Jonas Meurer (the Debian maintainer of
the cryptsetup package) which, among other things, explains the issue in
some more detail:
https://blog.freesources.org//posts/2016/12/CVE-2016-4484/
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos