FEDORA-2016-5c7e9b8778 created by kkofler 3 years ago for Fedora 24
stable

A security update that fixes Calamares bug CAL-405: https://calamares.io/bugs/browse/CAL-405

When installing with a LUKS-encrypted / partition, Calamares was always creating a keyfile to unlock / and storing it in the initramfs. It did that even with an unencrypted separate /boot partition. As a result, the keyfile would be stored in cleartext on the /boot partition, and it was possible to unlock the / partition without ever entering a passphrase. This completely defeated the security of LUKS.

Please note that this only affects manual partitioning. The automatic partitioning never leaves /boot unencrypted (and it is, in fact, recommended to also always encrypt /boot when doing manual partitioning).

This update fixes the dracutlukscfg module to not add the keyfile to install_items in the dracut configuration (so that dracut will not include it in the initramfs) if /boot is separate and unencrypted.
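
An added example, not code from Calamares or from this advisory: a defender-side audit that cross-checks the dracut install_items setting against the keyfiles named in crypttab and reports any keyfile that would be copied into an initramfs on a separate, unencrypted /boot. The function names, the mounts mapping and the sample paths and UUID are assumptions constructed for illustration.

```python
import re
import shlex

# Constructed sample inputs (paths and UUID are illustrative, not from the advisory).
SAMPLE_DRACUT_CONF = '''\
# written by the installer
install_items+=" /etc/crypttab /crypto_keyfile.bin "
'''
SAMPLE_CRYPTTAB = '''\
# <name> <device> <keyfile> <options>
luks-root UUID=00000000-0000-0000-0000-000000000000 /crypto_keyfile.bin luks
'''

_ASSIGN = re.compile(r"^\s*install_items\s*(\+?=)\s*(.*)$")


def dracut_install_items(conf_text):
    """Paths a dracut config asks to copy into the initramfs."""
    items = []
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line)  # commented-out lines never match
        if not m:
            continue
        op, value = m.groups()
        # The value is a shell word: drop quotes, then split the list on spaces.
        paths = [p for tok in shlex.split(value, comments=True) for p in tok.split()]
        items = paths if op == "=" else items + paths  # "=" resets, "+=" appends
    return items


def crypttab_keyfiles(crypttab_text):
    """Keyfile paths (third crypttab field), ignoring 'none' and '-'."""
    found = set()
    for line in crypttab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[2] not in ("none", "-"):
            found.add(fields[2])
    return found


def exposed_keyfiles(conf_text, crypttab_text, mounts):
    """mounts maps mount point -> True if it sits on an encrypted device.

    Returns keyfiles that would land in an initramfs on a cleartext /boot.
    """
    if mounts.get("/boot", True):  # /boot not separate, or encrypted: not exposed
        return []
    return sorted(crypttab_keyfiles(crypttab_text) & set(dracut_install_items(conf_text)))
```

A non-empty result on an installed system means the existing initramfs should be regenerated without the keyfile and the LUKS key slot that held it should be replaced.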

How to install

sudo dnf upgrade --advisory=FEDORA-2016-5c7e9b8778

This update has been submitted for testing by kkofler.

3 years ago

kkofler edited this update.

3 years ago

This update has been pushed to testing.

3 years ago
ngompa provided feedback 3 years ago
karma

This update has been submitted for stable by kkofler.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata
Type: security
Severity: medium
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
modified: 3 years ago
