Ubuntu's Server Installer Was Mistakenly Leaking Encrypted Storage Passphrase To Its Log

Written by Michael Larabel in Ubuntu on 12 May 2020 at 10:18 AM EDT. 20 Comments
With the recently released Ubuntu 20.04 LTS, the Ubuntu Server installer exclusively uses the "Subiquity" installer that Canonical has been working on in recent years as it moves away from the classic Debian Installer. Unfortunately a security issue crept into Subiquity that has now been resolved.

Thankfully the Subiquity installer supports upgrading the installer software during the installation process, since CVE-2020-11932, deemed a critical bug, is now public. Subiquity was writing the LUKS encrypted volume passphrase to the installation log, and that log is in turn copied to the installed system's disk, not necessarily within the encrypted volume, from where the passphrase could then easily be read or leaked.
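The failure mode here is a general one: a storage plan that carries a secret is serialized into a debug log as-is, and the log then outlives the installer. The following added example (my own code, not Subiquity's or curtin's) contrasts the naive serialization with a redacting logger, and includes a defender-side check that scans a captured log for a known passphrase. The storage plan, key names and passphrase are constructed for the example; `SENSITIVE_KEYS` is an assumed list, not the installer's own.

```python
import json
import logging
import re
from typing import Any

# Key names whose values are secrets in a storage plan. Constructed for this
# example; an installer would derive this from its own schema.
SENSITIVE_KEYS = frozenset({"key", "keyfile", "passphrase", "password"})
REDACTED = "<REDACTED>"

# Constructed sample: a storage plan shaped loosely like a curtin-style
# action list, with an encrypted volume whose passphrase sits in "key".
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_CONFIG = {
    "storage": {
        "version": 1,
        "config": [
            {"id": "disk0", "type": "disk", "path": "/dev/sda", "ptable": "gpt"},
            {"id": "crypt0", "type": "dm_crypt", "volume": "disk0-part2",
             "dm_name": "dm_crypt-0", "key": SAMPLE_PASSPHRASE},
            {"id": "root-fs", "type": "format", "fstype": "ext4",
             "volume": "crypt0"},
        ],
    }
}


def naive_log_line(config: dict) -> str:
    """The leaking pattern: dump the whole plan, secrets included."""
    return "storage config: " + json.dumps(config, sort_keys=True)


def redact(obj: Any) -> Any:
    """Return a copy of a nested config with the values of secret keys masked.

    Structure and non-secret values are kept so the log stays useful for
    debugging the storage layout; only sensitive values are replaced.
    """
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_storage_config(config: dict, log: logging.Logger) -> str:
    """Hardened pattern: log the redacted plan and return the exact line logged."""
    line = "storage config: " + json.dumps(redact(config), sort_keys=True)
    log.info(line)
    return line


def log_contains_secret(log_text: str, secret: str) -> bool:
    """Defender-side check: does a captured log expose a known secret verbatim?"""
    return re.search(re.escape(secret), log_text) is not None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("installer")
    leaked = naive_log_line(SAMPLE_CONFIG)
    safe = log_storage_config(SAMPLE_CONFIG, log)
    print("naive line leaks passphrase:", log_contains_secret(leaked, SAMPLE_PASSPHRASE))
    print("redacted line leaks passphrase:", log_contains_secret(safe, SAMPLE_PASSPHRASE))
```

Redaction at the point of logging is the fix an installer needs; the `log_contains_secret` check is what an administrator can run against an already-installed system's copied installer log to find out whether a passphrase from an affected install is sitting on disk.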

For those using the Ubuntu Server installer, the issue is fixed in v20.05.2, which should be offered as an update the next time the installer is started with an active Internet connection.