[qubes-users] cryptsetup concerns


Anyone know why cryptsetup isn’t updated to 2.3? I asked Andrew, and it appears that Qubes 4.1 is using 1.7.5 cryptsetup. 2.2 cryptsetup has a vulnerability in it. https://nvd.nist.gov/vuln/detail/CVE-2020-14382#match-5995976

https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions Though, since 1.7 the default hash is SHA256 (“LUKS1 used SHA1 (since version 1.7.0 it uses SHA256)”).

Andrew suggested I post this in the mailing list.

I think you are wrong here - 4.1 will use Fedora 32 in dom0, and that
*will* have cryptsetup-2.3.4-1.fc32. (Available as security update in
32 since Sept 2020.)
Qubes 4.0 which uses Fedora 25 in dom0 does have the older version.

In any case, this will only bite, I think, if you allow an attacker
to attach a crafted image to dom0 - in that case you are hosed in any
case imo.
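A quick way to check your own dom0 for the two points raised in this thread, as an added example that is not from the thread or from the cryptsetup project: it compares the installed cryptsetup version against the 2.3.4 build named above and inspects a `luksDump` header for the legacy SHA1 hash. The sample outputs in the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the cryptsetup project): check a dom0's
# cryptsetup version against the first fixed Fedora 32 build named above (2.3.4)
# and flag a LUKS header that still uses the pre-1.7.0 default hash, SHA1.
# The sample strings below are constructed, not captured from a real system.

FIXED_VERSION="2.3.4"   # cryptsetup-2.3.4-1.fc32, per the reply above

# Map "2.3.4" (a "-1.fc32" release suffix is ignored) to a sortable integer.
# Assumes purely numeric fields; a "2.3.4rc1" style tag is not handled.
version_key() {
    v=$(printf '%s' "$1" | cut -d- -f1 | tr . ' ')
    set -- $v 0 0 0                  # pad so three fields always exist
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Succeeds when version $1 is at least version $2.
version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# Takes the output of `cryptsetup --version` (e.g. "cryptsetup 2.3.4").
cryptsetup_version_ok() {
    ver=$(printf '%s' "$1" | awk '/^cryptsetup/ { print $2 }')
    [ -n "$ver" ] && version_ge "$ver" "$FIXED_VERSION"
}

# Takes `cryptsetup luksDump` output; matches the LUKS1 "Hash spec:" line and
# the LUKS2 "AF hash:" / "Hash:" lines when they name sha1.
luks_hash_is_legacy() {
    printf '%s\n' "$1" | grep -Eiq '(hash spec|hash|af hash):[[:blank:]]*sha1[[:blank:]]*$'
}

# Constructed samples: an old (Fedora 25 era) dom0 and a Fedora 32 dom0.
SAMPLE_VERSION_OLD="cryptsetup 1.7.5"
SAMPLE_VERSION_NEW="cryptsetup 2.3.4"
SAMPLE_DUMP_LUKS1=$(printf 'Version:\t1\nCipher name:\taes\nHash spec:\tsha1\n')
SAMPLE_DUMP_LUKS2=$(printf 'Version:\t2\nKeyslots:\n\tAF hash:\tsha256\nDigests:\n\tHash:\tsha256\n')

# Stand-alone use on a real host: run the version check only when cryptsetup exists.
if command -v cryptsetup >/dev/null 2>&1; then
    if cryptsetup_version_ok "$(cryptsetup --version 2>/dev/null)"; then
        echo "cryptsetup is at least $FIXED_VERSION"
    else
        echo "cryptsetup is older than $FIXED_VERSION"
    fi
    # luksDump needs root and a device path (placeholder /dev/sdX), e.g.:
    #   luks_hash_is_legacy "$(sudo cryptsetup luksDump /dev/sdX)" && echo "header uses sha1"
fi
```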