Change logs for ecryptfs-utils source package in Xenial

  • ecryptfs-utils (111-0ubuntu1.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Information exposure via unencrypted swap partitions. The
        swap partition was not configured to use encryption when GPT partitioning
        was in use on NVMe and MMC drives.
        - debian/patches/set-up-encrypted-swap-on-nvme-and-mmc.patch: Properly
          handle the formatting of the path to swap partitions on NVMe and MMC
          drives so that they're correctly marked as not to be automatically
          mounted by systemd. Based on upstream patch from Jason Gerard DeRose.
          (LP: #1597154)
        - debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions
          that have mistakenly remained marked as auto mount. This should only
          modify the swap partitions on systems that ecryptfs-setup-swap has been
          used on. (LP: #1447282, LP: #1597154)
        - CVE not yet assigned
    
     -- Tyler Hicks <email address hidden>  Wed, 13 Jul 2016 00:36:59 -0500
  • ecryptfs-utils (111-0ubuntu1) xenial; urgency=medium
    
      * src/utils/ecryptfs-setup-private: LP: #1328689
        - fix a long-standing bug, where setting up an encrypted private,
          encrypted home, or migrating to an encrypted home did not work
          correctly over ssh sessions
        - the root cause of the bug is some complexity in the handling of
          user keyrings and session keyrings
        - the long-term solution would be to correctly use session keyrings
        - the short-term solution is to continue linking user and session
          keyrings
      * xenial
    
     -- Dustin Kirkland <email address hidden>  Fri, 26 Feb 2016 17:58:16 -0600
  • ecryptfs-utils (110-0ubuntu1) xenial; urgency=medium
    
      [ Tyler Hicks ]
      * Remove unnecessary dependencies in the Debian packaging (LP: #1548975)
        - debian/control: Remove opencryptoki from ecryptfs-utils
          Suggests and libopencryptoki-dev from libecryptfs-dev Depends as
          openCryptoki is not a dependency of eCryptfs.
        - debian/rules: Remove openCryptoki related logic since it was not being
          used and is no longer needed
        - debian/control: Remove libtspi-dev from libecryptfs-dev Depends since
          --disable-tspi is passed to the configure script
        - debian/control: Remove libpkcs11-helper1-dev from libecryptfs-dev
          Depends since --disable-pkcs11-helper is passed to the configure script
        - debian/control: Remove libgpg-error-dev and libgpgme11-dev from
          libecryptfs-dev Depends since --disable-gpg is passed to the configure
          script
        - debian/control: Remove libgcrypt11-dev from Build-Depends and
          libecryptfs-dev Depends since --enable-nss is passed to the configure
          script to use NSS instead of Libgcrypt
        - debian/control: Remove libkeyutils-dev and libpam0g-dev from
          libecryptfs-dev Depends since these are build-time dependencies and not
          run-time dependencies
    
      [ Dustin Kirkland ]
      * xenial
    
     -- Dustin Kirkland <email address hidden>  Tue, 23 Feb 2016 17:29:37 -0500
  • ecryptfs-utils (109-0ubuntu1) xenial; urgency=medium
    
      [ Maikel ]
      * doc/manpage/ecryptfs-migrate-home.8: Fix typos in man page (LP: #1518787)
    
      [ Kylie McClain ]
      * src/utils/mount.ecryptfs.c, src/utils/mount.ecryptfs_private.c: Fix build
        issues on musl libc (LP: #1514625)
    
      [ Colin Ian King ]
      * src/daemon/main.c:
        - Static analysis with Clang's scan-build shows that we can potentially
          overflow the input buffer if the input is equal to or more than the
          buffer size.  Need to guard against this by:
          1. Only reading in input_size - 1 chars
          2. Checking earlier on to see if input_size is valid to ensure that we
             read in at least 1 char
    
      [ Tyler Hicks ]
      * src/utils/mount.ecryptfs_private.c:
        - Refuse to mount over non-standard filesystems. Mounting over
          certain types of filesystems is a red flag that the user is doing
          something devious, such as mounting over the /proc/self symlink
          target with malicious content in order to confuse programs that may
          attempt to parse those files. (LP: #1530566)
    
      [ Dustin Kirkland ]
      * xenial
    
     -- Dustin Kirkland <email address hidden>  Fri, 22 Jan 2016 10:05:35 -0600
  • ecryptfs-utils (108-0ubuntu1) wily; urgency=medium
    
      [ Martin Pitt ]
      * src/utils/ecryptfs-setup-swap:
        - Add setup-swap-check-links.patch: When commenting out existing swap, also
          take device symlinks like /dev/mapper/ubuntu--vg-swap_1 or
          /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and
          manual setups. (LP: #1453738)
      * src/utils/ecryptfs-setup-swap, debian/ecryptfs-utils.postinst:
        - On upgrade, uncomment underlying
          unencrypted swap partitions that are referred to by a device link when
          crypttab and fstab have a "cryptswap*" device referring to them.
      * debian/control, debian/libecryptfs0.install,
        debian/libecryptfs0.links, debian/libecryptfs0.shlibs:
        - Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has
          actually shipped libecryptfs.so.1 since at least trusty. Add
          C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until
          after 16.04 LTS.
    
      [ Tyler Hicks ]
      * src/utils/mount.ecryptfs_private.c: Implement proper option parsing to
        restore the -f option when unmounting and display a helpful usage message
        (LP: #1454388)
      * src/utils/mount.ecryptfs_private.c: Add an option, -d, to
        umount.ecryptfs_private to treat the situation where the encrypted private
        session counter is nonzero, after decrementing it, as a non-error
        situation. No error message is printed to stderr and the exit status is 0.
      * src/pam_ecryptfs/pam_ecryptfs.c: Use the new umount.ecryptfs_private '-d'
        option to silence the error message that was printed to stderr when the
        encrypted private session counter is nonzero after being decremented.
        (LP: #1454319)
      * src/utils/ecryptfs-umount-private: Return 1 if umount.ecryptfs_private
        encounters an error. The ecryptfs-umount-private script was previously
        returning 0 even when umount.ecryptfs_private exited upon error.
      * debian/control: Fix 'Please add dh-python package to Build-Depends'
        build warning
    
      [ Dustin Kirkland ]
      * debian/libecryptfs1.install, debian/libecryptfs1.links,
        debian/libecryptfs1.shlibs:
        - fix ftbfs, add missing files
      * wily
    
     -- Dustin Kirkland <email address hidden>  Thu, 06 Aug 2015 12:46:37 -0500