vulnerabilities in LUKS

Valerio Bellizzomi valerio at selnet.org
Sun Nov 20 17:56:04 CET 2016


On Sun, 2016-11-20 at 16:03 +0100, Teddy Hogeborn wrote:
> Valerio Bellizzomi <valerio at selnet.org> writes:
> 
> > > > I guess mandos is affected by such
> > > >
> > > > http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
> > > >
> > > > http://seclists.org/oss-sec/2016/q4/432
> > > 
> > > No, Mandos itself is not affected.  Users of Mandos, however, are
> > > likely to be affected, since these issues affect surrounding
> > > software used by Mandos itself.  But we cannot fix these issues from
> > > Mandos.
> >
> > Users of an old installed LUKS encrypted partition are likely to be
> > affected by the first issue I listed
> 
> Yes, that is what I meant by "Users of Mandos, however, are likely to be
> affected [...]".  There is still nothing we can do about this from
> Mandos.
> 
> > > The second issue is more easily fixed by simply upgrading the
> > > initramfs-tools package to its version from Debian unstable.
> >
> > No, I'm using jessie standard repository
> 
> If you have chosen to use the standard repository and *only* the
> standard repository, you have implicitly chosen to accept the assessment
> of Debian's security team regarding the severity of security issues.  In
> this case, they have apparently not classified this bug as sufficiently
> severe to merit a security update to Debian 7 (jessie).  If you disagree
> with their assessment, you have three options:
> 
> 1. Upgrade to Debian testing or unstable, where the bug *is* fixed.
> 
> 2. Backport the fix to Debian 7 yourself.
> 
> 3. Find someone else to backport the fix for you; either find someone
>    who has done it already and is willing to share the fix with you, or
>    hire somebody to do the work necessary.
> 
> In *any* case, there is nothing we can do about any of these bugs from
> within Mandos.  You are free to use the Mandos public mailing list to
> alert other users of Mandos (especially about the CBC issue), but
> otherwise I can't see what we can do to help.
> 
> /Teddy Hogeborn
> 

I believe this should be documented somehow, at least by this message

Valerio Bellizzomi
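The practical question behind this thread is which installed volumes are the "old LUKS encrypted partition" case, i.e. which ones still use a CBC cipher mode. Below is an added check (not Mandos or cryptsetup code) that reads `cryptsetup luksDump` output and reports any CBC data cipher. The two dump texts are constructed to mimic the LUKS1 and LUKS2 output formats; the header field names are the ones cryptsetup prints, the device paths and sizes are made up.

```python
"""Flag LUKS volumes whose data area uses a CBC cipher mode, from
`cryptsetup luksDump` output.  Added example, not Mandos or cryptsetup code;
the dump texts below are constructed to mimic LUKS1 and LUKS2 output."""
import re
import sys

# Constructed sample: an old LUKS1 header, the style early Debian installs produced.
SAMPLE_LUKS1 = """\
LUKS header information for /dev/sda5

Version:       \t1
Cipher name:   \taes
Cipher mode:   \tcbc-essiv:sha256
Hash spec:     \tsha1
Payload offset:\t4096
MK bits:       \t256
"""

# Constructed sample: a LUKS2 header whose data segment uses XTS.
SAMPLE_LUKS2 = """\
LUKS header information
Version:       \t2
Epoch:         \t3
Metadata area: \t16384 [bytes]

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tlength: (whole device)
\tcipher: aes-xts-plain64
\tsector: 512 [bytes]

Keyslots:
  0: luks2
\tKey:        512 bits
\tCipher:     aes-xts-plain64
\tPBKDF:      argon2id
"""


def data_cipher_specs(dump: str) -> list:
    """Cipher specs ('aes-cbc-essiv:sha256', 'aes-xts-plain64', ...) protecting the data.
    LUKS1 prints 'Cipher name:' and 'Cipher mode:' as two lines; LUKS2 prints a lowercase
    'cipher:' line per data segment.  The capitalised 'Cipher:' inside LUKS2 keyslots
    describes key-slot wrapping, not the data, and is deliberately not matched."""
    specs, name, mode = [], None, None
    for line in dump.splitlines():
        m = re.match(r"\s*Cipher name:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Cipher mode:\s*(\S+)", line)
        if m:
            mode = m.group(1)
            continue
        m = re.match(r"\s*cipher:\s*(\S+)", line)
        if m:
            specs.append(m.group(1))
    if name and mode:
        specs.append(f"{name}-{mode}")
    return specs


def is_cbc(spec: str) -> bool:
    """True for any '<cipher>-cbc-<ivmode>' spec, whichever IV generator follows."""
    parts = spec.split("-")
    return len(parts) >= 2 and parts[1] == "cbc"


def affected(dump: str) -> list:
    """CBC specs found in the dump; an empty list means no CBC data segment."""
    return [s for s in data_cipher_specs(dump) if is_cbc(s)]


if __name__ == "__main__":
    # Usage: cryptsetup luksDump /dev/sdXN | python3 check_luks_cbc.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LUKS1
    hits = affected(text)
    print("CBC data cipher, malleable without an integrity layer: %s" % hits if hits
          else "no CBC data segment found")
```

A hit means the volume is in the class the first link describes; the only remedy is re-encrypting with another mode, since the cipher spec is fixed at format time. A non-CBC result is not a clean bill of health either: no LUKS cipher mode authenticates the data by itself, so an XTS volume can still be corrupted silently, it just cannot be steered bit-for-bit the way CBC allows.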
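The first link in the thread is about CBC malleability: with no integrity check over the ciphertext, whoever can write to the disk can XOR a chosen difference into a plaintext block by XORing it into the preceding ciphertext block, at the cost of garbling that preceding block. The script below is an added demonstration of that property, not code from Mandos, cryptsetup or the linked post. It uses a hypothetical SHA-256 Feistel toy cipher in place of AES so that it runs with the standard library alone; the CBC behaviour shown is independent of the block cipher. The "sector" content, keys and sector number are constructed.

```python
"""CBC bit-flipping as used against integrity-less CBC LUKS volumes.  Added example,
not Mandos or cryptsetup code.  The block cipher is a hypothetical SHA-256 Feistel
toy standing in for AES; the CBC property demonstrated does not depend on it."""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as with AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """8-round balanced Feistel network over one 16-byte block (toy, not secure)."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, cur), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = cur
    return b"".join(out)


def flip_plaintext_block(ciphertext: bytes, index: int, delta: bytes) -> bytes:
    """Attacker step, no key needed: XOR `delta` into plaintext block `index` by
    XORing it into ciphertext block index-1.  Block index-1 then decrypts to
    random-looking bytes; that is the price the attack pays.  Block 0 of a sector
    is chained to the IV (with ESSIV, derived from the sector number, never stored
    on disk), so it cannot be steered this way."""
    if index < 1:
        raise ValueError("plaintext block 0 is chained to the IV, not to a ciphertext block")
    c = bytearray(ciphertext)
    start = (index - 1) * BLOCK
    c[start:start + BLOCK] = xor(bytes(c[start:start + BLOCK]), delta)
    return bytes(c)


def integrity_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """What an integrity layer adds: a MAC over the ciphertext that any edit invalidates."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def demo():
    """Returns (original, tampered, tag_still_valid) for a constructed 3-block 'sector'."""
    key = hashlib.sha256(b"constructed demo key").digest()
    mac_key = hashlib.sha256(b"constructed mac key").digest()
    iv = hashlib.sha256(b"sector 42").digest()[:BLOCK]  # stands in for the sector's ESSIV
    original = b"#config file   \n" + b"allow_root=false" + b"\n# end of file \n"
    ct = cbc_encrypt(key, iv, original)
    tag = integrity_tag(mac_key, ct)
    # The attacker must know (or guess) the current plaintext of the target block,
    # which is why predictable files are the natural targets.
    delta = xor(original[16:32], b"allow_root=true ")
    tampered_ct = flip_plaintext_block(ct, 1, delta)
    tampered = cbc_decrypt(key, iv, tampered_ct)
    tag_ok = hmac.compare_digest(tag, integrity_tag(mac_key, tampered_ct))
    return original, tampered, tag_ok


if __name__ == "__main__":
    original, tampered, tag_ok = demo()
    print("before:", original)
    print("after: ", tampered)
    print("integrity tag still valid:", tag_ok)
```

Block 1 comes out exactly as the attacker chose, block 2 is untouched, and only block 0 is destroyed; on a real volume that garbled block sits in the same 512-byte sector and is what the attacker has to tolerate or hide. The HMAC at the end is not part of plain LUKS; it shows why the fix is an integrity layer rather than a different IV scheme.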



