[HEADSUP] geli(4) weak master key generation on -CURRENT
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigC0A5E7BB9CE9D73AFB4E2313
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hello,
If you are not using geli(4) on -CURRENT (AKA FreeBSD 10) you can safely
ignore this mail. If you are, please read on!
-CURRENT users of geli(4) should be advised that, a geli(4) device may
have weak master key, if the provider is created on -CURRENT system
built against source code between r238116 (Jul 4 17:54:17 2012 UTC)
and r239184 (non-inclusive, Aug 10 18:43:29 2012 UTC).
One can verify if its provider was created with weak keys by running:
# geli dump <provider> | grep version
If the version is 7 and the system did not include this fix (r239184)
when provider was initialized, then the data has to be backed up,
underlying provider overwritten with random data, system upgraded and
provider recreated.
Thanks to Fabian Keil for reporting the issue, Pawel Jakub Dawidek for
fixing it, and Xin Li for drafting this text.
PS. This only affects FreeBSD 10 / -CURRENT, and as -CURRENT isn't
supported by the FreeBSD Security Team, we are not releasing an
advisory, just this heads up.
--=20
Simon L. B. Nielsen
FreeBSD Security Officer
--------------enigC0A5E7BB9CE9D73AFB4E2313
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlAyqzcACgkQFdaIBMps37LryQCfSCa1m271tv/9b1Wsr88++C2M
cNYAmweTW7GrVIy4EYtsuza/s5Jd5wKq
=N/Dw
-----END PGP SIGNATURE-----
--------------enigC0A5E7BB9CE9D73AFB4E2313--
討論串 (同標題文章)
完整討論串 (本文為第 1 之 3 篇):