Hi Jonas, one thing I find particularly telling is that CVE-2016-4484 is still unpublished and there is only a placeholder: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 This rather strongly indicates to me that this was all about publicity and not about security at all. If they cannot even be bothered to have that CVE actually out some 20 days after making a splash at a conference and hyping it to the press, this cannot be of any importance, security-wise... Regards, Arno On Wed, Dec 07, 2016 at 12:37:04 CET, Jonas Meurer wrote: > Hi there, > > Am 15.11.2016 um 13:34 schrieb Milan Broz: > > just little bit clarification about CVE-2016-4484 > > http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html > > > > This bug is *NOT* cryptsetup/LUKS upstream bug, it is a minor problem in scripts > > unlocking an encrypted system. > > > > It allows attacker to drop to initramdisk shell (without decryption of LUKS data). > > > > The scripts are part of Debian cryptsetup package (as an addition to upstream) > > or part of dracut package (if dracut is used). > > I decided to write down my thoughts on CVE-2016-4484 and published them > in a blog post: > > https://blog.freesources.org/posts/2016/12/CVE-2016-4484/ > > Feel free to share your comments, criticism, opinion either in the blog > comments or here on the list. > > Cheers, > jonas > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
