vulnerabilities in LUKS
Valerio Bellizzomi
valerio at selnet.org
Sun Nov 20 17:56:04 CET 2016
On Sun, 2016-11-20 at 16:03 +0100, Teddy Hogeborn wrote:
> Valerio Bellizzomi <valerio at selnet.org> writes:
>
> > > > I guess mandos is affected by such
> > > >
> > > > http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
> > > >
> > > > http://seclists.org/oss-sec/2016/q4/432
> > >
> > > No, Mandos itself is not affected. Users of Mandos, however, are
> > > likely to be affected, since these issues affect surrounding
> > > software used by Mandos itself. But we cannot fix these issues from
> > > Mandos.
> >
> > Users of an old installed LUKS-encrypted partition are likely to be
> > affected by the first issue I listed.
>
> Yes, that is what I meant by "Users of Mandos, however, are likely to be
> affected [...]". There is still nothing we can do about this from
> Mandos.
>
> > > The second issue is more easily fixed by simply upgrading the
> > > initramfs-tools package to its version from Debian unstable.
> >
> > No, I'm using the jessie standard repository.
>
> If you have chosen to use the standard repository and *only* the
> standard repository, you have implicitly chosen to accept the assessment
> of Debian's security team regarding the severity of security issues. In
> this case, they have apparently not classified this bug as sufficiently
> severe to merit a security update to Debian 7 (jessie). If you disagree
> with their assessment, you have three options:
>
> 1. Upgrade to Debian testing or unstable, where the bug *is* fixed.
>
> 2. Backport the fix to Debian 7 yourself.
>
> 3. Find someone else to backport the fix for you; either find someone
> who has done it already and is willing to share the fix with you, or
> hire somebody to do the work necessary.
>
> In *any* case, there is nothing we can do about any of these bugs from
> within Mandos. You are free to use the Mandos public mailing list to
> alert other users of Mandos (especially about the CBC issue), but
> otherwise I can't see what we can do to help.
>
> /Teddy Hogeborn
>
I believe this should be documented somehow, at least by this message.
Valerio Bellizzomi
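The "first issue" in this thread (the CBC malleability attack) only applies to LUKS volumes whose cipher mode is CBC, which is what older cryptsetup releases chose by default when creating LUKS1 containers. The following POSIX shell check is an added example; it is not part of this message, of Mandos, or of cryptsetup. It classifies a volume from the text of `cryptsetup luksDump <device>`. The two embedded header dumps are constructed for the example, and the field layout it parses (a "Cipher mode:" line for LUKS1, a "cipher:" line under "Data segments:" for LUKS2) is assumed from cryptsetup's usual luksDump output.

```shell
#!/bin/sh
# Added example, not Mandos or cryptsetup code: decide whether a LUKS
# volume uses a CBC cipher mode (the precondition for the malleability
# attack cited in the thread) from the text of `cryptsetup luksDump`.
#
# Field layout assumed from cryptsetup's usual output:
#   LUKS1:  "Cipher mode:   	cbc-essiv:sha256"
#   LUKS2:  "	cipher: aes-xts-plain64"   (under "Data segments:")

# Print the cipher spec found in a luksDump text read from stdin.
luks_cipher_spec() {
    sed -n \
        -e 's/^Cipher mode:[[:space:]]*//p' \
        -e 's/^[[:space:]]*cipher:[[:space:]]*//p' | head -n 1
}

# Exit 0 when the spec names CBC mode (any IV generator), 1 otherwise.
luks_is_cbc() {
    case "$(luks_cipher_spec)" in
        cbc-*|*-cbc-*) return 0 ;;
        *)             return 1 ;;
    esac
}

# String-argument wrappers, convenient for scripting and for checks.
luks_cipher_spec_text() { printf '%s\n' "$1" | luks_cipher_spec; }
luks_is_cbc_text()      { printf '%s\n' "$1" | luks_is_cbc; }

# Report one device on a live system, e.g.: luks_report /dev/sda5
luks_report() {
    if cryptsetup luksDump "$1" | luks_is_cbc; then
        echo "$1: CBC mode, affected by the malleability issue"
    else
        echo "$1: not CBC"
    fi
}

# Constructed sample dumps (abridged; real output separates fields with a tab).
SAMPLE_LUKS1_CBC='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256'

SAMPLE_LUKS2_XTS='LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]'

# Classify the constructed samples; the LUKS1 one is the "old installed
# partition" case the thread is about.
for sample in "$SAMPLE_LUKS1_CBC" "$SAMPLE_LUKS2_XTS"; do
    spec=$(luks_cipher_spec_text "$sample")
    if luks_is_cbc_text "$sample"; then
        echo "$spec: CBC mode, affected"
    else
        echo "$spec: not CBC"
    fi
done
```

A "CBC mode" result cannot be fixed by editing the header: the cipher mode is a property of the encrypted data, so the volume has to be re-encrypted under another mode (for example xts-plain64) after a backup. Mandos only delivers the passphrase and has no influence on this.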