Hi all,
I’ve just released Subiquity 22.02.1 to stable and so this version will be offered to all users during installation.
The primary driver for this release was to provide a fix for LP: #1960162 CVE-2022-0555. Users who have used the Guided Storage option to create encrypted drives should be aware that the passphrase may have leaked into the log files. Please review the contents of /var/log/installer, particularly /var/log/installer/subiquity-server-*.log, to determine if you are affected by this. Notably, these log files are also readable by all users on the system. Affected users are strongly recommended to update the passphrases of affected systems:
    cryptsetup luksChangeKey <device>
Installs not using the Guided storage are not affected.
The affected versions of Subiquity are from version 21.04.1 and newer. This issue is fixed as of Subiquity version 22.02.1. The fix includes tightening the permissions on the log files in case of similar future information leakage.
The affected versions of Subiquity can be found in the following installation ISOs:
- Bionic live server 18.04.6
- Focal live server 20.04.3
- Hirsute live server 21.04
- Impish live server 21.10
Also note that installations performed from older ISOs may be affected, if the installer update was taken to an affected Subiquity version at install time.
This version also has several other fixes and features - please see the full release notes for further details.
Cheers,
dbungert
for the Ubuntu Server team
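
The log review recommended above can be scripted. The following is an added example, not part of the original announcement or of Subiquity. The function names are hypothetical, and the keyword pattern is an assumption because the announcement does not show what the leaked log line looks like.

```shell
#!/bin/sh
# Added example: audit an installer log directory for the two issues in the
# announcement: world-readable log files and a possibly logged passphrase.

# Print log files whose mode lets "other" users read them.
world_readable_logs() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Print subiquity-server logs that mention a passphrase-like keyword.
# ASSUMPTION: the default pattern is a guess; the page gives no log format.
logs_mentioning_secret() {
    dir=$1
    pattern=${2:-'passphrase|password'}
    for f in "$dir"/subiquity-server-*.log; do
        [ -f "$f" ] || continue
        # -l prints the file name only, so a leaked secret is never echoed.
        grep -lEi -- "$pattern" "$f" || true
    done
}

# Report both findings; returns 1 when a log needs manual review.
audit_installer_logs() {
    dir=${1:-/var/log/installer}
    readable=$(world_readable_logs "$dir")
    hits=$(logs_mentioning_secret "$dir")
    [ -n "$readable" ] && printf 'World-readable:\n%s\n' "$readable"
    [ -n "$hits" ] && printf 'Review for leaked passphrase:\n%s\n' "$hits"
    [ -z "$hits" ]
}

# Build a constructed sample directory (not real installer output).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'constructed line: passphrase=EXAMPLE\n' > "$d/subiquity-server-debug.log"
    printf 'constructed line: nothing sensitive\n' > "$d/subiquity-server-info.log"
    chmod 644 "$d/subiquity-server-debug.log"
    chmod 600 "$d/subiquity-server-info.log"
    printf '%s\n' "$d"
}
```

Run `audit_installer_logs` as root on the installed system; a keyword hit only marks a file for manual review and does not prove that the passphrase is present.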