On Thu, Oct 30, 2014 at 09:19:37PM +0100, Eduard Bloch wrote:
> severity 736066 important
> thanks
>
> Dear Security Team,
>
> FYI, as discussed in this bug report, I am lowering the severity of this
> bug because of not considering this a general security problem. It's
> only an issue in
severity 736066 important
thanks
Dear Security Team,
FYI, as discussed in this bug report, I am lowering the severity of this
bug because of not considering this a general security problem. It's
only an issue in specific scenarios which are sufficiently explained
now.
Regards,
Eduard.
* Eduard
Hi,
Eduard Bloch:
So, I suggest this new version. Added below for review; I consider
uploading this to Experimental and submitting for l10n in a couple of
days.
Fair enough.
--
-- Matthias Urlichs
Hello,
* Matthias Urlichs [Mon, Sep 29 2014, 07:29:44AM]:
According to a security audit by Taylor Hornby (Defuse Security), the current
implementation of Encfs is vulnerable or potentially vulnerable to multiple
attacks on the encrypted data. This especially affects use cases
Hello,
* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
(What would be the right way to do that? Lower the severity of the bug?
Add a jessie-ignore tag?)
To notify users about the potential security issue, a NEWS file could
be added, or one could add a warning to the output of the encfs
Eduard Bloch e...@gmx.de writes:
Hello,
* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
(What would be the right way to do that? Lower the severity of the bug?
Add a jessie-ignore tag?)
To notify users about the potential security issue, a NEWS file could
be added, or one could add a
Quoting Eduard Bloch (e...@gmx.de):
Template: encfs/security-information
Type: note
_Description: Encfs Security Information
Besides using an Evil Debconf Note (;-) ), is there a reason for
capitalizing every noun in the note title?
BTW, that might be a use case for the debconf error
Hi,
Christian PERRIER:
According to a security audit by Taylor Hornby (Defuse Security), the current
implementation of Encfs is vulnerable or potentially vulnerable to multiple
attacks on the encrypted data. This especially affects use cases where the
attacker has read/write access
Hi,
Michael Halcrow:
Finally, encfs has an interesting reverse crypto mode where it
presents an encrypted FUSE view over a plaintext mountpoint.
With eCryptfs, you would accomplish this by unmounting and then
reading the encrypted files directly from the lower file system.
This is not a
On Thu, Sep 11, 2014 at 04:06:06PM -0400, Harlan Lieberman-Berg wrote:
On Thu, 2014-09-11 at 19:33 +0200, Eduard Bloch wrote:
I thought Jan has just described one. For example, taking a 10 year old
CD with backups from your safe and trying to get the data back.
Another option would be to
Hi Holger,
On Thu, Sep 11, 2014 at 06:42:32PM +0200, Holger Levsen wrote:
I (probably too briefly) skimmed through the bug report, but couldn't find a
use case where an encrypted filesystem container with broken crypto could be
useful. Could you elaborate, please?
As far as I understand the
On 09/12/2014 06:46 AM, Jan Niehusmann wrote:
A common use case for disk encryption is to protect a lost or stolen
laptop. And the adversary is not some powerful agency, but a curious
person browsing through the hard disk before formatting it.
I see no reason to assume that encfs is not good
Hi,
due to bug #736066, encfs was removed from jessie.
I'd think it would be better to allow encfs into jessie for the
following reasons:
The bug report is about security issues, but these are not security
issues of the software (as in: you can somehow hack into the computer
which is running the
Hello,
* Jan Niehusmann [Thu, Sep 11 2014, 12:12:08PM]:
The bug report is about security issues, but these are not security
issues of the software (as in: you can somehow hack into the computer
which is running the software), but of the encryption algorithms used.
So it can be compared to a
Hi Eduard,
On Thursday, 11 September 2014, Eduard Bloch wrote:
In fact, that is what I considered as workaround, and even harder: add a
debconf message with priority critical telling exactly those details.
I (probably too briefly) skimmed through the bug report, but couldn't find a
use case
Hello,
* Holger Levsen [Thu, Sep 11 2014, 06:42:32PM]:
Hi Eduard,
On Thursday, 11 September 2014, Eduard Bloch wrote:
In fact, that is what I considered as workaround, and even harder: add a
debconf message with priority critical telling exactly those details.
I (probably too
On 11/09/2014 18:33, Eduard Bloch wrote:
Otherwise we should disable support for 1024b GPG keys ASAP so nobody
could use them anymore.
Please also note, that the primary author (after a period of dormancy)
is back and seems to be actively working on remediating the issues (cf.
Hi,
On Thursday, 11 September 2014, Eduard Bloch wrote:
I thought Jan has just described one. For example, taking a 10 year old
CD with backups from your safe and trying to get the data back.
seems useful indeed, thanks.
cheers,
Holger
On Thu, 2014-09-11 at 19:33 +0200, Eduard Bloch wrote:
I thought Jan has just described one. For example, taking a 10 year old
CD with backups from your safe and trying to get the data back.
Another option would be to take the same approach that TrueCrypt did
under (potentially) the same