------------------------------------------------------------------- Tue Mar 8 21:10:23 UTC 2022 - Dirk Müller <dmueller@suse.com> - use pam_moduledir ------------------------------------------------------------------- Thu Feb 24 12:38:24 UTC 2022 - Dirk Müller <dmueller@suse.com> - update to 0.3.3: * Correctly handle malicious mountpoint paths in the fscrypt bash completion script (CVE-2022-25328, command injection). * Validate the size, type, and owner (for login protectors) of policy and protector files (CVE-2022-25327, denial of service). * Make the fscrypt metadata directories non-world-writable by default (CVE-2022-25326, denial of service). * When running as a non-root user, ignore policy and protector files that aren't owned by the user or by root. * Also require that the metadata directories themselves and the mountpoint root directory be owned by the user or by root. * Make policy and protector files mode 0600 rather than 0644. * Make all relevant files owned by the user when root encrypts a directory with a user's login protector, not just the the login protector itself. * Make pam_fscrypt ignore system users completely. - drop 346.patch: upstream ------------------------------------------------------------------- Wed Feb 23 22:28:47 UTC 2022 - Dirk Müller <dmueller@suse.com> - refresh 346.patch with final merged state ------------------------------------------------------------------- Tue Feb 22 15:39:10 UTC 2022 - Dirk Müller <dmueller@suse.com> - add 346.patch (bsc#1195623) ------------------------------------------------------------------- Thu Feb 10 20:16:40 UTC 2022 - Dirk Müller <dmueller@suse.com> - update to 0.3.2: * Made linked protectors (e.g., login protectors used on a non-root filesystem) more reliable when a filesystem UUID changes. * Made login protectors be owned by the user when they are created as root, so that the user has permission to update them later. * Made fscrypt work when the root directory is a btrfs filesystem. * Made pam_fscrypt start warning when a user's login protector is getting de-synced due to their password being changed by root. * Support reading the key for raw key protectors from standard input. * Made fscrypt metadata remove-protector-from-policy work even if the protector is no longer accessible. * Made fscrypt stop trying to access irrelevant filesystems. * Improved the documentation. ------------------------------------------------------------------- Fri Feb 4 21:42:05 UTC 2022 - Dirk Müller <dmueller@suse.com> - spec-cleaner run ------------------------------------------------------------------- Wed Oct 20 10:18:41 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> - Update to 0.3.1 https://github.com/google/fscrypt/releases/tag/v0.3.1 ------------------------------------------------------------------- Thu Apr 1 10:42:36 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> - Update to 0.3.0 https://github.com/google/fscrypt/releases/tag/v0.3.0 ------------------------------------------------------------------- Mon Mar 29 11:32:11 UTC 2021 - Marcus Rueckert <mrueckert@suse.de> - Update to 0.2.9 https://github.com/google/fscrypt/releases/tag/v0.2.9 https://github.com/google/fscrypt/releases/tag/v0.2.8 ------------------------------------------------------------------- Tue Mar 24 23:46:58 UTC 2020 - Marcus Rueckert <mrueckert@suse.de> - initial package