On Mon, 2012-08-20 at 22:24:56 +0100, Simon L. B. Nielsen wrote: > Hello, > > If you are not using geli(4) on -CURRENT (AKA FreeBSD 10) you can safely > ignore this mail. If you are, please read on! > > -CURRENT users of geli(4) should be advised that, a geli(4) device may > have weak master key, if the provider is created on -CURRENT system > built against source code between r238116 (Jul 4 17:54:17 2012 UTC) > and r239184 (non-inclusive, Aug 10 18:43:29 2012 UTC). > > One can verify if its provider was created with weak keys by running: > > # geli dump <provider> | grep version > > If the version is 7 and the system did not include this fix (r239184) > when provider was initialized, then the data has to be backed up, > underlying provider overwritten with random data, system upgraded and > provider recreated. > > Thanks to Fabian Keil for reporting the issue, Pawel Jakub Dawidek for > fixing it, and Xin Li for drafting this text. > > PS. This only affects FreeBSD 10 / -CURRENT, and as -CURRENT isn't > supported by the FreeBSD Security Team, we are not releasing an > advisory, just this heads up. I haven't read commit mails in a very long time, but is there code in place that will issue a warning upon geli attach if version 7 is detected? While -CURRENT is not supported, there might be a lot of disks initialized with version 7 and they'll eventually be upgraded to 10.0-RELEASE (the OS, not necessarily the geli volumes). Thanks UliReceived on Tue Aug 21 2012 - 10:05:40 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:29 UTC