From: "Simon L. B. Nielsen"
Organization: FreeBSD Security Team
Date: Mon, 20 Aug 2012 22:24:56 +0100
To: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: [HEADSUP] geli(4) weak master key generation on -CURRENT

Hello,

If you are not using geli(4) on -CURRENT (AKA FreeBSD 10) you can safely ignore this mail. If you are, please read on!

-CURRENT users of geli(4) should be advised that a geli(4) device may have a weak master key if the provider was created on a -CURRENT system built against source code between r238116 (Jul 4 17:54:17 2012 UTC) and r239184 (non-inclusive, Aug 10 18:43:29 2012 UTC).

One can verify whether a provider was created with weak keys by running:

    # geli dump | grep version

If the version is 7 and the system did not include this fix (r239184) when the provider was initialized, then the data has to be backed up, the underlying provider overwritten with random data, the system upgraded and the provider recreated.

Thanks to Fabian Keil for reporting the issue, Pawel Jakub Dawidek for fixing it, and Xin Li for drafting this text.

PS. This only affects FreeBSD 10 / -CURRENT, and as -CURRENT isn't supported by the FreeBSD Security Team, we are not releasing an advisory, just this heads up.

-- 
Simon L. B. Nielsen
FreeBSD Security Officer
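
The check described in the message above, written out as a triage script over several providers. This is an added example, not part of the original mail or of FreeBSD's own tooling. The function names are hypothetical, the sample dump text is constructed, and the script assumes the `Metadata on <provider>:` / `version: N` layout of `geli dump` output; the revision of the system that initialized each provider has to be supplied by the operator.

```shell
#!/bin/sh
# Triage helper for the geli(4) weak master key heads-up (added example).

# Revision window from the heads-up: r238116 inclusive, r239184 exclusive.
WEAK_FIRST=238116
FIXED_IN=239184

# Read `geli dump` output on stdin; print "<provider> <version>" per provider.
# Assumes the "Metadata on <provider>:" / "version: N" layout (see SAMPLE).
geli_versions() {
    awk '
        /^Metadata on /  { prov = $3; sub(/:$/, "", prov) }
        $1 == "version:" { print prov, $2 }
    '
}

# Return 0 if SVN revision $1 (with or without a leading "r") is in the window.
rev_in_window() {
    rev="${1#r}"
    [ "$rev" -ge "$WEAK_FIRST" ] && [ "$rev" -lt "$FIXED_IN" ]
}

# classify <metadata version> <revision of the system that initialized it>
# RECREATE = back up data, overwrite provider, upgrade system, recreate.
classify() {
    if [ "$1" -eq 7 ] && rev_in_window "$2"; then
        echo "RECREATE"
    else
        echo "OK"
    fi
}

# Constructed sample input, not captured from a real system.
SAMPLE='Metadata on da0p3:
     magic: GEOM::ELI
   version: 7
Metadata on ada1:
     magic: GEOM::ELI
   version: 6'

# Demo: both sample providers assumed initialized on a system built at r238500.
printf '%s\n' "$SAMPLE" | geli_versions | while read -r prov ver; do
    echo "$prov (version $ver): $(classify "$ver" r238500)"
done
```

On a live system, pipe the real `geli dump` output for the providers in question into `geli_versions` in place of `SAMPLE`.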