-
ecryptfs-utils (108-0ubuntu1.2) wily-security; urgency=medium
* SECURITY UPDATE: Information exposure via unencrypted swap partitions. The
swap partition was not configured to use encryption when GPT partitioning
was in use on NVMe and MMC drives.
- debian/patches/set-up-encrypted-swap-on-nvme-and-mmc.patch: Properly
handle the formatting of the path to swap partitions on NVMe and MMC
drives so that they're correctly marked as not to be automatically
mounted by systemd. Based on upstream patch from Jason Gerard DeRose.
(LP: #1597154)
- debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions
that have mistakenly remained marked as auto mount. This should only
modify the swap partitions on systems that ecryptfs-setup-swap has been
used on. (LP: #1447282, LP: #1597154)
- CVE not yet assigned
-- Tyler Hicks <email address hidden> Wed, 13 Jul 2016 00:57:21 -0500
-
ecryptfs-utils (108-0ubuntu1.1) wily-security; urgency=medium
* SECURITY UPDATE: Don't allow mount.ecryptfs_private to be used to mount on
top of pseudo filesystems such as procfs
- debian/patches/CVE-2016-1572.patch: Check the filesystem type of the
mount destination against a whitelist of approved types.
- CVE-2016-1572
-- Tyler Hicks <email address hidden> Fri, 15 Jan 2016 17:48:15 -0600
-
ecryptfs-utils (108-0ubuntu1) wily; urgency=medium
[ Martin Pitt ]
* src/utils/ecryptfs-setup-swap:
- Add setup-swap-check-links.patch: When commenting out existing swap, also
take device symlinks like /dev/mapper/ubuntu--vg-swap_1 or
/dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and
manual setups. (LP: #1453738)
* src/utils/ecryptfs-setup-swap, debian/ecryptfs-utils.postinst:
- On upgrade, uncomment underlying
unencrypted swap partitions that are referred to by a device link when
crypttab and fstab have a "cryptswap*" device referring to them.
* debian/control, debian/libecryptfs0.install,
debian/libecryptfs0.links, debian/libecryptfs0.shlibs:
- Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has
actually shipped libecryptfs.so.1 since at least trusty. Add
C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until
after 16.04 LTS.
[ Tyler Hicks ]
* src/utils/mount.ecryptfs_private.c: Implement proper option parsing to
restore the -f option when unmounting and display a helpful usage message
(LP: #1454388)
* src/utils/mount.ecryptfs_private.c: Add an option, -d, to
umount.ecryptfs_private to treat the situation where the encrypted private
session counter is nonzero, after decrementing it, as a non-error
situation. No error message is printed to stderr and the exit status is 0.
* src/pam_ecryptfs/pam_ecryptfs.c: Use the new umount.ecryptfs_private '-d'
option to silence the error message that was printed to stderr when the
encrypted private session counter is nonzero after being decremented.
(LP: #1454319)
* src/utils/ecryptfs-umount-private: Return 1 if umount.ecryptfs_private
encounters an error. The ecryptfs-umount-private script was previously
returning 0 even when umount.ecryptfs_private exited upon error.
* debian/control: Fix 'Please add dh-python package to Build-Depends'
build warning
[ Dustin Kirkland ]
* debian/libecryptfs1.install, debian/libecryptfs1.links,
debian/libecryptfs1.shlibs:
- fix ftbfs, add missing files
* wily
-- Dustin Kirkland <email address hidden> Thu, 06 Aug 2015 12:46:37 -0500
-
ecryptfs-utils (107-0ubuntu3) wily; urgency=medium
* Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has
actually shipped libecryptfs.so.1 since at least trusty. Add
C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until
after 16.04 LTS.
-- Martin Pitt <email address hidden> Thu, 09 Jul 2015 12:20:47 +0200
-
ecryptfs-utils (107-0ubuntu2) wily; urgency=medium
* Add setup-swap-check-links.patch: When commenting out existing swap, also
take device symlinks like /dev/mapper/ubuntu--vg-swap_1 or
/dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and
manual setups. (LP: #1453738)
* debian/ecryptfs-utils.postinst: On upgrade, uncomment underlying
unencrypted swap partitions that are referred to by a device link when
crypttab and fstab have a "cryptswap*" device referring to them.
-- Martin Pitt <email address hidden> Thu, 09 Jul 2015 09:04:27 +0200
-
ecryptfs-utils (107-0ubuntu1.1) vivid; urgency=medium
* Add setup-swap-mark-gpt-noauto.patch: In ecryptfs-setup-swap, mark the
"fake" underlying unencrypted swap partition as no-auto. Without that, the
swap partition gets auto-activated under systemd as it cannot be told
apart from a real unencrypted swap partition.
* debian/ecryptfs-utils.postinst: Fix existing GPT installations with
cryptswap1 and an offset= for the above issue. (LP: #1447282)
-- Martin Pitt <email address hidden> Fri, 24 Apr 2015 12:15:12 +0100
-
ecryptfs-utils (107-0ubuntu1) vivid; urgency=medium
[ Dustin Kirkland ]
* scripts/release.sh:
- a few more release script improvements, build the source
package for the Ubuntu development distro
* debian/control:
- build depend on distro-info, which we use in our release script
* vivid
[ Tyler Hicks ]
* src/libecryptfs/key_management.c:
- Fix a regression when reading version 1 wrapped passphrase files. A
return code indicating success was always returned even when an error
was encountered. The impact is low since the error situation is still
caught when validating either the wrapping password's signature or the
wrapped passphrase's signature. Thanks to László Böszörményi for
catching this mistake.
- Reject empty passphrases passed into ecryptfs_wrap_passphrase()
* src/libecryptfs/main.c:
- Reject empty wrapping passphrases passed into generate_passphrase_sig()
-- Dustin Kirkland <email address hidden> Thu, 26 Mar 2015 18:02:29 -0500