On Sun, Jan 31, 2021 at 09:07:07AM -0600, Mason wrote:
> Hi,
>
> Anyone know why cryptsetup isn't updated to 2.3? I asked Andrew, and it
> appears that Qubes 4.1 is using 1.7.5 cryptsetup. 2.2 cryptsetup has a
> vulnerability in it.
> https://nvd.nist.gov/vuln/detail/CVE-2020-14382#match-5995976
>
> https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
> Though, since 1.7 the default hash is SHA256 ("LUKS1 used SHA1 (since
> version 1.7.0 it uses SHA256)").
>
> Andrew suggested I post this in the mailing list.
>
> Thanks,
> Mason
I think you are wrong here - 4.1 will use Fedora 32 in dom0, and that *will* have cryptsetup-2.3.4-1.fc32 (available as a security update in 32 since Sept 2020).

Qubes 4.0, which uses Fedora 25 in dom0, does have the older version.

In any case, this will only bite, I think, if you allow an attacker to attach a crafted image to dom0 - in that case you are hosed in any case imo.
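A check a reader could run in dom0 to see which side of the fix their cryptsetup falls on, added here and not part of the thread. It assumes, from the NVD entry rather than from the messages above, that CVE-2020-14382 affects the LUKS2 header parser from 2.2.0 up to (not including) the 2.3.4 fix, and that `cryptsetup --version` prints the version as its second word; the function and output labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the qubes-users thread: classify a cryptsetup
# version against the CVE-2020-14382 affected range. Assumption (NVD, not
# the thread): the LUKS2 validation bug exists from 2.2.0 and is fixed in
# 2.3.4; releases before 2.2.0 (e.g. 1.7.x in Qubes 4.0 dom0) have no
# LUKS2 code at all, so the bug is simply absent there.

# Turn "MAJOR.MINOR.PATCH" into one comparable integer, e.g. 2.3.4 -> 2003004
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Accepts "cryptsetup 2.3.4", "cryptsetup 2.6.1 flags: ..." or the rpm
# name "cryptsetup-2.3.4-1.fc32"; prints: pre-luks2 | affected | fixed | unknown
cve_2020_14382_status() {
    # first whitespace- or hyphen-separated token that looks like N.N[.N]
    ver=$(printf '%s\n' "$1" | awk -F'[ -]' \
        '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit } }')
    [ -n "$ver" ] || { echo unknown; return 1; }
    key=$(version_key "$ver")
    if   [ "$key" -lt "$(version_key 2.2.0)" ]; then echo pre-luks2
    elif [ "$key" -lt "$(version_key 2.3.4)" ]; then echo affected
    else echo fixed
    fi
}

# Live check of the installed binary (run in dom0); succeeds unless affected.
check_installed_cryptsetup() {
    out=$(cryptsetup --version 2>/dev/null) || { echo "cryptsetup not found" >&2; return 2; }
    status=$(cve_2020_14382_status "$out")
    echo "$out: $status"
    [ "$status" != affected ]
}
```

In dom0, `check_installed_cryptsetup` prints the version and its status and exits non-zero if the build is in the affected range.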
