Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://nixos.paris/users/raito/statuses/110624012347227668">Raito Bezarius (raito@nixos.paris)'s status on Thursday, 29-Jun-2023 11:53:40 JST</a><a href="https://nixos.paris/@raito" title="raito@nixos.paris"><img src="https://gnusocial.jp/avatar/30450-48-20221119150430.webp" width="48" height="48" alt="Raito Bezarius" style="position: absolute; left: 0; top: 0;">Raito Bezarius</a></section><article><p>PSA: <a href="https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww" rel="nofollow noreferrer">https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww</a></p><p>If you installed <a href="https://nixos.paris/tags/NixOS" rel="tag">#NixOS</a> using the graphical *Calamares* installer on a non EFI system with a LUKS rootfs or have any LUKS partition which is not a rootfs.</p><p>Your LUKS encryption key has been exposed in the /boot partition, potentially unencrypted or encrypted via GRUB cryptodisk.</p><p>We consider this to be a serious vulnerability and we are disclosing it immediately as it was found in the Heads project.</p><p>We are exploring automatic remediation in <a href="https://github.com/NixOS/nixpkgs/pull/240411" rel="nofollow noreferrer">https://github.com/NixOS/nixpkgs/pull/240411</a>.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1701060#notice-3347149">In conversation</a><time datetime="2023-06-29T11:53:40+09:00" title="Thursday, 29-Jun-2023 11:53:40 JST">Thursday, 29-Jun-2023 11:53:40 JST</time> <span>from <span><a href="https://nixos.paris/@raito/110624012347227668" rel="external" title="Sent from nixos.paris via ActivityPub">nixos.paris</a></span></span><a href="https://nixos.paris/@raito/110624012347227668">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/1177210">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/NixOS/nixpkgs/pull/240411">nixos/luks: offer rekeying procedure at early boot time by RaitoBezarius · Pull Request #240411 · NixOS/nixpkgs</a></h5><div></div></header><div>Description of changes
Due to GHSA-3rvf-24q2-24ww We decided to offer rekeying procedures in NixOS based on nixos.rekey command line argument at boot in stage 1.
This is automatically enabled if we...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Raito Bezarius (raito@nixos.paris)'s status on Thursday, 29-Jun-2023 11:53:40 JST Raito Bezarius
PSA: https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww
If you installed #NixOS using the graphical *Calamares* installer on a non EFI system with a LUKS rootfs or have any LUKS partition which is not a rootfs.
Your LUKS encryption key has been exposed in the /boot partition, potentially unencrypted or encrypted via GRUB cryptodisk.
We consider this to be a serious vulnerability and we are disclosing it immediately as it was found in the Heads project.
We are exploring automatic remediation in https://github.com/NixOS/nixpkgs/pull/240411.
In conversationThursday, 29-Jun-2023 11:53:40 JST from nixos.parispermalink
Attachments
1. Untitled attachment
2. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  nixos/luks: offer rekeying procedure at early boot time by RaitoBezarius · Pull Request #240411 · NixOS/nixpkgs
  Description of changes Due to GHSA-3rvf-24q2-24ww We decided to offer rekeying procedures in NixOS based on nixos.rekey command line argument at boot in stage 1. This is automatically enabled if we...

Public

Embed Notice

HTML Code

Corresponding Notice