Your message dated Mon, 08 Mar 2021 19:49:12 +0000
with message-id <e1ljlso-0008oy...@fasolo.debian.org>
and subject line Bug#984709: fixed in yubikey-luks 0.5.1+29.g5df2b95-6
has caused the Debian Bug report #984709,
regarding yubikey-luks: Stop exposing challenge in process list
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
984709: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984709
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: yubikey-luks
Version: 0.5.1+29.g5df2b95-5
Severity: grave
Justification: confidential information leak
Tags: security
Hi,
Looking at the upstream yubikey-luks repository, I noticed what seems to
be an important recent fix, namely for the password (used as the yubikey
challenge) being exposed in the process list:
https://github.com/cornelinux/yubikey-luks/pull/63
This affects stable, too.
The fix from the PR seems simple enough, it just changes four LOC.
I looked at the (non-whitespace, non-documentation) diff between our
current version and HEAD, and it's not that big. Perhaps the RT would be
even be willing to ACK an update to HEAD.
Best,
Christian
--- End Message ---
--- Begin Message ---
Source: yubikey-luks
Source-Version: 0.5.1+29.g5df2b95-6
Done: Markus Frosch <lazyfro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
yubikey-luks, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 984...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Frosch <lazyfro...@debian.org> (supplier of updated yubikey-luks package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 08 Mar 2021 20:27:04 +0100
Source: yubikey-luks
Architecture: source
Version: 0.5.1+29.g5df2b95-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Authentication Maintainers <team+a...@tracker.debian.org>
Changed-By: Markus Frosch <lazyfro...@debian.org>
Closes: 984709
Changes:
yubikey-luks (0.5.1+29.g5df2b95-6) unstable; urgency=medium
.
* [4a7b14f] patch: Stop exposing challenge in process list (Closes: #984709)
Checksums-Sha1:
d35370fdd5ac2eed7f256953c3c340068c682da3 2101
yubikey-luks_0.5.1+29.g5df2b95-6.dsc
d7703b7d1b88dcb338bc0e606b517d2db29fe080 5220
yubikey-luks_0.5.1+29.g5df2b95-6.debian.tar.xz
371bbffd71c478ed225cdaa0ba55fd7a559a8f95 5755
yubikey-luks_0.5.1+29.g5df2b95-6_amd64.buildinfo
Checksums-Sha256:
5c0b1c2257767b2a5988d7da710da27a6c638ff268918c53475121413fc94f28 2101
yubikey-luks_0.5.1+29.g5df2b95-6.dsc
d5c783eb4f6190aa07304191e05203326aa135887c32eb86cbd6a1126e51a2ee 5220
yubikey-luks_0.5.1+29.g5df2b95-6.debian.tar.xz
8abc78488e7f7c0cb90af84b109965c733c308ef2356a0c1e08c4ece69ad7600 5755
yubikey-luks_0.5.1+29.g5df2b95-6_amd64.buildinfo
Files:
346d8b07af9a97db39786288bff2d6cc 2101 admin optional
yubikey-luks_0.5.1+29.g5df2b95-6.dsc
059955022de679e9d9434f5cb5da351c 5220 admin optional
yubikey-luks_0.5.1+29.g5df2b95-6.debian.tar.xz
8a0f5d7de8237a266961c1b17915f28f 5755 admin optional
yubikey-luks_0.5.1+29.g5df2b95-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEQxWm7LMPIn3zbHcE7EL4Xo3fO0sFAmBGe1AACgkQ7EL4Xo3f
O0unzA/+K/SHqr+uexoLv3/Jd3DNgeBZUjF99yUyEdzAaY9MZSKM1wjyPamrN7Ci
xWWU1pk1ovn+3I8OYYSQW8VHUuT/fW2OGdFMbe2WZy+4U8dETyMXVqManACOO28M
ixpQa0vsBm53nHG81b8MiJ+hl4ngyaHoz8jKkjZnLrCfnOAOArccyIM830E7MwDw
0IctPJxIOwdrAkPHoBp1hA65YPC/2efZmS7vA0ifaAx2WVnqKEaeV/7PT8w3pBMw
23vkjzR1myTsNRKtqUE8Sg/kLLRYd8cZnExsE/SW9T/wKdQB7iNuuvV03LFv+aMn
fYj46RHIJf4njqUwa9DNOdoOez2QSsKVKmqLFIaSR9NZYm0YKVNC1D9+hB0g3sGa
HbDpxsIExku60r8TZJoiYmgcs1ZWyIltrSqovwdnpcBZIJQS77bpVtFkGaAhaqZS
3V+Mt8WQp9LELMo+69mfjIVqJ4edFtETAgBY+Bxm3skWdPfZH4k8mFRpM7b7Jbk1
CxE2rfhUmG0J4OEKV67DdRwyn2xBbf5cbep7Va0aAfsB50aaACwx1CoINcXpKae0
N3YhR1dJzd+UTwo7KAGZZHPIeQTkR2DlfHTI2GOjbAhrF3mDQ5EVI3hEf0ZI3Vhr
OwVAL7SpTN46KWY2DuhBffQtxoc6IDZZrHdt4ST1tnTX5Vt+c1I=
=PpwL
-----END PGP SIGNATURE-----
--- End Message ---
