security update in Fedora 24 for calamares

Status: stable 2 years ago

A security update that fixes Calamares bug CAL-405: https://calamares.io/bugs/browse/CAL-405

When installing with a LUKS-encrypted / partition, Calamares always created a keyfile to unlock / and stored it in the initramfs. It did so even when /boot was a separate, unencrypted partition. As a result, the keyfile was stored in cleartext on the /boot partition, and it was possible to unlock the / partition without ever entering a passphrase. This completely defeated the security of LUKS.

Please note that this only affects manual partitioning. The automatic partitioning never leaves /boot unencrypted (and it is, in fact, recommended to also always encrypt /boot when doing manual partitioning).

This update fixes the dracutlukscfg module so that it does not add the keyfile to install_items in the dracut configuration (and dracut therefore does not include it in the initramfs) if /boot is separate and unencrypted.
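To check an already-installed system for the condition described above, the following added example (not Calamares or Fedora code) flags key files that are both named in /etc/crypttab and listed in install_items while / is encrypted and /boot is a separate, unencrypted mount. It assumes the inputs are the text of the dracut config files, the text of /etc/crypttab, and the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`; the function names and sample values are constructed for illustration.

```python
import json
import re
import shlex

ITEMS_RE = re.compile(r'^\s*install_items\s*\+?=\s*(.*)$')

def install_items(conf_text):
    """Paths that one dracut config file asks dracut to copy into the initramfs."""
    paths = set()
    for line in conf_text.splitlines():
        m = ITEMS_RE.match(line.split('#', 1)[0])
        if m:
            for token in shlex.split(m.group(1)):  # strips the surrounding quotes
                paths.update(token.split())
    return paths

def crypttab_keyfiles(crypttab_text):
    """Key files in crypttab's third field ('none' and '-' mean passphrase)."""
    keys = set()
    for line in crypttab_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 3 and fields[2] not in ('none', '-'):
            keys.add(fields[2])
    return keys

def encrypted_mounts(lsblk_json):
    """Map mountpoint -> True if a dm-crypt ('crypt') device is at or above it."""
    result = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get('type') == 'crypt'
        if dev.get('mountpoint'):
            result[dev['mountpoint']] = under_crypt
        for child in dev.get('children', []):
            walk(child, under_crypt)
    for dev in json.loads(lsblk_json)['blockdevices']:
        walk(dev, False)
    return result

def exposed_keyfiles(dracut_confs, crypttab_text, lsblk_json):
    """crypttab key files that dracut would copy to an initramfs on a cleartext /boot."""
    mounts = encrypted_mounts(lsblk_json)
    if not mounts.get('/') or mounts.get('/boot', True):
        return set()  # / not encrypted, /boot not separate, or /boot encrypted
    listed = set().union(*(install_items(text) for text in dracut_confs))
    return listed & crypttab_keyfiles(crypttab_text)

# Constructed sample (not from a real system): encrypted /, separate plain /boot.
SAMPLE_LSBLK = '{"blockdevices":[{"name":"sda","type":"disk","children":[{"name":"sda1","type":"part","mountpoint":"/boot"},{"name":"sda2","type":"part","children":[{"name":"luks-root","type":"crypt","mountpoint":"/"}]}]}]}'
SAMPLE_CONF = 'install_items+=" /keyfile.example "'
SAMPLE_CRYPTTAB = 'luks-root UUID=0000 /keyfile.example luks'
```

A non-empty result from `exposed_keyfiles` means the listed key file is readable by anyone with access to the /boot partition.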

Comments 6

This update has been submitted for testing by kkofler.

kkofler edited this update.

This update has been pushed to testing.

This update has been submitted for stable by kkofler.

This update has been pushed to stable.

stable threshold: 3
unstable threshold: -3
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago
