Package: release-notes
Severity: normal

When installing Debian from live media using the Calamares installer and 
selecting the full disk encryption feature, the disk's unlock key is stored in 
the initramfs, which is world-readable. This allows users with local filesystem 
access to gain access to the private key and gain access to the filesystem 
again in the future.

This can be worked around by adding "UMASK=0077" to 
/etc/initramfs-tools/conf.d/initramfs-permissions and running "update-initramfs 
-u". This will recreate the initramfs without world-readable permissions.

A fix for the installer is being planned and will be uploaded to 
debian-security. In the meantime users of full disk encryption should apply the 
above workaround.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931373
CVE: https://security-tracker.debian.org/tracker/CVE-2019-13179

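A check for the workaround described in the report, as an added example that is not part of the original message or of any Debian tooling: it confirms that a file in the initramfs-tools conf.d directory sets UMASK=0077 and lists any initramfs image that is still world-readable. The function names and the `initrd.img*` file pattern are assumptions of this example; the directories default to `/boot` and `/etc/initramfs-tools/conf.d` and can be overridden.

```shell
#!/bin/sh
# Added example: audit for the world-readable initramfs issue (CVE-2019-13179).
# Function names are hypothetical; they are not part of initramfs-tools.

# Print every initramfs image under directory $1 that "other" can read
# (mode bit 004). Covers images for all kernel versions found there.
world_readable_initramfs() {
    find "$1" -type f -name 'initrd.img*' -perm -004 2>/dev/null
}

# Succeed if any file in the conf.d directory $1 contains the line UMASK=0077,
# the exact setting given in the report.
umask_workaround_present() {
    grep -Eqs '^[[:space:]]*UMASK=0077[[:space:]]*$' "$1"/*
}

# Return 0 when the workaround is configured and no image is world-readable,
# 1 otherwise. $1 = boot directory, $2 = initramfs-tools conf.d directory.
audit_initramfs() {
    boot_dir=${1:-/boot}
    conf_dir=${2:-/etc/initramfs-tools/conf.d}
    status=0

    if ! umask_workaround_present "$conf_dir"; then
        echo "MISSING: UMASK=0077 not set in $conf_dir"
        status=1
    fi

    exposed=$(world_readable_initramfs "$boot_dir")
    if [ -n "$exposed" ]; then
        echo "EXPOSED: world-readable initramfs image(s):"
        echo "$exposed"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: workaround present, no world-readable initramfs"
    fi
    return "$status"
}
```

Source the file and call `audit_initramfs` after running "update-initramfs -u"; any image it still lists needs to be regenerated or have its permissions tightened.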