[[!meta date="Mon Apr 4 11:12:13 2011"]]
[[!meta title="Numerous security holes in Tails 0.6.2"]]

[[!tag security/fixed]]

The following security holes affect Tails 0.6.2.

We **strongly** urge you to [[upgrade to Tails 0.7|news/version_0.7]]
in case you are still using an older version.

[[!toc levels=1]]

# Incomplete "erase memory on shutdown" feature

As an [[external audit
demonstrated|security/audits/Blackhat_De-Anonymizing_Live_CDs]], the
"erase memory on shutdown" feature, as implemented in Tails 0.6.2 and
older, does not erase as much memory as it could. More specifically:

1. Parts of the memory that are still allocated at shutdown time are
   not erased and can be recovered after shutdown; this includes the
   entire in-memory filesystem (associated meta-data, content of files
   created or modified since boot).
2. Partial recovery of deleted file names and their meta-data is also
   possible.

This discovery led to a brand new implementation of the memory
erasure feature that is shipped in Tails 0.7. As a bonus, the memory
is now also erased when the boot media is physically removed.

# Other security holes

These are Debian security announcements; details can be found on the
[Debian security page](http://security.debian.org/):

  - Linux kernel (DSA-2153-1)
  - Iceweasel (DSA-2186, DSA-2200)
  - NSS (DSA-2203)
  - tiff (DSA-2210)
  - CUPS (DSA-2176)
  - Avahi (DSA-2174)
  - freetype (DSA-2155-1)
  - OpenOffice.org (DSA-2151-1)
  - D-bus (DSA-2149-1)