Package: yubikey-luks
Version: 0.5.1+29.g5df2b95-5
Severity: grave
Justification: confidential information leak
Tags: security

Hi,

Looking at the upstream yubikey-luks repository, I noticed what seems to be an important recent fix, namely for the password (used as the yubikey challenge) being exposed in the process list:

https://github.com/cornelinux/yubikey-luks/pull/63

This affects stable, too. The fix from the PR seems simple enough, it just changes four LOC.

I looked at the (non-whitespace, non-documentation) diff between our current version and HEAD, and it's not that big. Perhaps the RT would even be willing to ACK an update to HEAD.

Best,
Christian
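
The exposure reported above can be checked on Linux, where a process's arguments are readable through `/proc/<pid>/cmdline` (the data `ps` displays). The script below is an added example, not code from yubikey-luks or the linked PR: the passphrase, marker and function names are constructed, and handing the secret over on stdin is shown as one common alternative, not necessarily the PR's change.

```shell
#!/bin/sh
# Added example: is a secret visible in a child's argv? (Linux /proc required)
# SECRET and MARK are constructed at runtime; no real passphrase is involved.
SECRET="constructed-pass-$$"
MARK="demo-consumer-$$"

# Wait until PID has exec'd (its argv then carries MARK) and print its argv.
# Fractional sleep is a GNU/busybox extension.
argv_of() {
    tries=0
    while [ "$tries" -lt 50 ]; do
        args=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null) || args=
        case $args in *"$MARK"*) printf '%s\n' "$args"; return 0 ;; esac
        tries=$((tries + 1))
        sleep 0.1
    done
    return 1
}

# Exit status 0 if SECRET shows up in the argv of PID, which is then stopped.
secret_in_argv() {
    seen=$(argv_of "$1") || seen=
    kill "$1" 2>/dev/null || :
    wait "$1" 2>/dev/null || :
    case $seen in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Pattern of the reported bug: the secret is a command-line argument.
leak_when_arg() {
    sh -c 'sleep 3; :' "$MARK" "$SECRET" >/dev/null 2>&1 &
    secret_in_argv "$!"
}

# Alternative: the secret goes to the child's stdin; argv holds only MARK.
leak_when_stdin() {
    printf '%s' "$SECRET" | sh -c 'cat >/dev/null; sleep 3; :' "$MARK" >/dev/null 2>&1 &
    secret_in_argv "$!"
}

if leak_when_arg; then echo "argument: secret visible in process list"
else echo "argument: secret not visible"; fi
if leak_when_stdin; then echo "stdin: secret visible in process list"
else echo "stdin: secret not in argv"; fi
```

The same `/proc` check can be pointed at a real helper's PID while a test passphrase is being entered, to confirm that an updated package no longer places it in argv.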