Numerous_security_holes_in_0.6.2.mdwn 1.5 KB
Newer Older
1
[[!meta date="Mon, 04 Apr 2011 11:12:13 +0000"]]
2
[[!meta title="Numerous security holes in Tails 0.6.2"]]
3
[[!pagetemplate template="news.tmpl"]]
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

[[!tag security/fixed]]

The following security holes affect Tails 0.6.2.

We **strongly** urge you to [[upgrade to Tails 0.7|news/version_0.7]]
in case you are still using an older version.

[[!toc levels=1]]

# Incomplete "erase memory on shutdown" feature

As an [[external audit
demonstrated|security/audits/Blackhat_De-Anonymizing_Live_CDs]], the
"erase memory on shutdown" feature, as implemented in Tails 0.6.2 and
older, does not erase as much memory as it could. More specifically:

1. Parts of the memory that are still allocated at shutdown time are
   not erased and can be recovered after shutdown; this includes the
   entire in-memory filesystem (associated meta-data, content of files
   created or modified since boot).
2. Partial recovery of deleted file names and their meta-data is also
   possible.

This discovery lead to a brand new implementation of the memory
erasure feature that is shipped in Tails 0.7. As a bonus, the memory
is now also erased when the boot media is physically removed.

# Other security holes

These are Debian security announces; details can be found on the
[Debian security page](http://security.debian.org/):

  - Linux kernel (DSA-2153-1)
  - Iceweasel (DSA-2186, DSA-2200)
  - NSS (DSA-2203)
  - tiff (DSA-2210)
  - CUPS (DSA-2176)
  - Avahi (DSA-2174)
  - freetype (DSA-2155-1)
  - OpenOffice.org (DSA-2151-1)
  - D-bus (DSA-2149-1)