Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package calamares-settings-debian

I realise it's 3 days before release weekend, but this upload fixes a problem that we can't really fix in a security update.

Yesterday a user discovered that their encryption key for their hard disk in a full-disk-encryption setup is world-readable on Debian-based systems using initramfs-tools. This affects Calamares users, who can now install Debian in an easy-to-use full-disk-encryption setup.

Upstream bug: https://github.com/calamares/calamares/issues/1191
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-13179

This upload updates the bootloader-config script with this additional snippet:

"""
# Set secure permissions for the initramfs,
# the initramfs is re-generated later in the installation process
# so we only set the permissions without regenerating the initramfs now:
echo "UMASK=0077" > $CHROOT/etc/initramfs-tools/conf.d/initramfs-permissions
"""

This will cause the "update-initramfs -u" that runs later in the script to write the initramfs with safe permissions.

Without this upload, users will have to write that file themselves in order to have a setup that is safe from local users (or users on the system with filesystem access). In such a case we'll note it in the release notes, but I would urge the release team to consider it if there is still any possibility.
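As an added example (not code from this upload or from calamares-settings-debian), a POSIX shell audit for the two halves of this issue: whether any initramfs image under a /boot directory is readable by group or others, and whether initramfs-tools is configured to regenerate it with UMASK=0077, plus a helper that writes the same drop-in the fixed bootloader-config writes. It assumes GNU coreutils (stat -c) and that mkinitramfs sources initramfs.conf and then conf.d/* in order, so the last UMASK assignment wins.

```shell
#!/bin/sh
# Added example: audit and repair initramfs permissions on an initramfs-tools
# system (not code from the unblock request or from calamares-settings-debian).
# Assumes GNU coreutils (stat -c) and that mkinitramfs sources initramfs.conf
# and then conf.d/* in order, so the last UMASK assignment wins.

# Return 0 if every initrd.img-* in directory $1 is readable by its owner only.
# A 0644 image built before the fix exposes the embedded LUKS keyfile.
initramfs_perms_ok() {
    dir="$1"
    status=0
    for img in "$dir"/initrd.img-*; do
        [ -e "$img" ] || continue
        perm=$(stat -c '%A' "$img")          # e.g. -rw-r--r--
        case "$perm" in
            ????------) ;;                   # no group/other bits: fine
            *) echo "exposed: $img ($perm)"; status=1 ;;
        esac
    done
    return "$status"
}

# Return 0 if initramfs-tools under root $1 (empty for /) is configured to
# build images with UMASK=0077, i.e. future update-initramfs runs are safe.
initramfs_umask_ok() {
    root="${1:-}"
    last=$(cat "$root/etc/initramfs-tools/initramfs.conf" \
               "$root"/etc/initramfs-tools/conf.d/* 2>/dev/null \
           | sed -n 's/^[[:space:]]*UMASK=\([0-7]*\).*/\1/p' | tail -n 1)
    [ "$last" = "0077" ] || [ "$last" = "077" ]
}

# Write the same drop-in the fixed bootloader-config writes, under root $1
# (an installer chroot or an already installed system). After this, running
# "update-initramfs -u" rebuilds the image with owner-only permissions.
set_initramfs_umask() {
    root="${1:-}"
    mkdir -p "$root/etc/initramfs-tools/conf.d"
    echo "UMASK=0077" > "$root/etc/initramfs-tools/conf.d/initramfs-permissions"
}
```

On an installed system, `initramfs_perms_ok /boot && initramfs_umask_ok ""` succeeding means both the current images and future rebuilds are safe; a drop-in that sorts after initramfs-permissions in conf.d can still override the umask, which is why the check takes the last assignment rather than just looking for the file.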