[pkg-cryptsetup-devel] Security issue (CVE-2021-4122) in cryptsetup 2:2.3.5-1
Guilhem Moulin
guilhem at debian.org
Thu Feb 10 08:53:16 GMT 2022
On Thu, 10 Feb 2022 at 09:15:48 +0100, Yves-Alexis Perez wrote:
> On Wed, 2022-02-09 at 13:42 +0100, Guilhem Moulin wrote:
>> Ah cool, thanks for the info and suggestion! I therefore added a
>> NEWS.Debian entry and uploaded the resulting source-only .changes to
>> security-master.
>
> Thanks, I'll take a look and process it. Before writing a DSA text, do you
> have any draft I could use (I'll take a look at the upstream advisory and add
> the bits in NEWS.Debian as well).

Unfortunately I only have the d/changelog summary, plus the NEWS entry
for the truncation issue:

    This release fixes a key truncation issue for standalone dm-integrity
    devices using HMAC integrity protection.  For existing such devices
    with extra long HMAC keys (typically >106 bytes of length, see
    https://bugs.debian.org/949336#78 for the various corner cases), one
    might need to manually truncate the key using integritysetup(8)'s
    `--integrity-key-size` option in order to properly map the device
    under 2:2.3.7-1+deb11u1 and later.

    Only standalone dm-integrity devices are affected.  dm-crypt devices,
    including those using authenticated disk encryption, are unaffected.

For CVE-2021-4122 one could summarize the upstream advisory at
https://seclists.org/oss-sec/2022/q1/34 , if you'd like an entry longer
than d/changelog.

cheers
--
Guilhem.