Re: Allow encfs into jessie?
Hello,
* Eduard Bloch [Thu, Sep 11 2014, 04:55:14PM]:
> > (What would be the right way to do that? Lower the severity of the bug?
> > Add a jessie-ignore tag?)
> >
> > To notify users about the potential security issue, a NEWS file could
> > be added, or one could add a warning to the output of the encfs command.
>
> In fact, that is what I considered as workaround, and even harder: add a
> debconf message with priority critical telling exactly those details.
>
> Unless someone cries out loudly I will continue with this plan in a
> couple of days.
So, here is what I came up with. Does it sound scary enough, does it
sound generally acceptable?
Template: encfs/security-information
Type: note
_Description: Encfs Security Information
 According to a security audit by Taylor Hornby (Defuse Security), the current
 implementation of Encfs is vulnerable or potentially vulnerable to multiple
 attacks on the encrypted data. This especially affects use cases where the
 attacker has read/write access to the encrypted directory or has enough
 knowledge of the unencrypted file system contents.
 .
 In the current situation encfs should not be considered a safe home for
 sensible data. This package should be only used to retrieve information from
 previously encrypted sources, and even this action contains some risk of
 receiving compromised data.
Regards,
Eduard.