OS vendors are also urged to update to Calamares 3.1.1

Jul 5, 2017 23:13 GMT  ·  By

The developers of the Calamares open-source universal installer framework have issued a security advisory warning anyone who installed their current GNU/Linux operating system with Calamares 3.1 or an earlier release of a password salt weakness in the installed system.

According to the Calamares developers, the weakness affects systems installed with every Calamares release before 3.1.1, which shipped last week with improved salting of user passwords. The weak salt does not let anyone log in by itself; it matters once an attacker has obtained the password hash (for example by reading /etc/shadow or an unencrypted disk image), because a weaker salt makes offline cracking of that hash easier, and a recovered password could then compromise the Linux-based operating system.

"Systems installed by Calamares up to and including Calamares 3.1 have a weaker password salt than they should. This weakness is important if an attacker has a way to obtain the password hash. The Calamares team believes that installed systems should be as secure as possible, and therefore considers this weakness important," reads the security advisory.

Users are advised to reset their password immediately

The Calamares developers are advising all users of GNU/Linux distributions that use their universal installer framework to reset their password on the installed system with the "passwd" command-line utility; passwd generates a fresh, stronger salt and therefore stores a stronger password hash.

Please note that only the account created during the installation process needs a new password, plus the root account if a root password was set during installation. Accounts added after the installation (with the system's own useradd and passwd tools rather than the installer) do not have this password weakness.

The security advisory explains how to verify whether a system installed with Calamares contains weakly salted password hashes. Keep in mind that every Live ISO that ships Calamares 3.1 or an earlier release will keep producing installations with this weakness until the distribution rebuilds the image.
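The advisory's own verification steps are not reproduced in this article. As an added example (not from the article or from the Calamares project), the POSIX shell script below lists, for every account in an /etc/shadow-style file that actually has a password hash, the crypt(3) scheme identifier and the length of the salt, and offers a small helper for the "root only if it has a password set" caveat above. It does not decide what counts as "weak" on its own; compare the reported salt lengths against the criterion in the advisory. The shadow lines it runs on are constructed samples with placeholder hashes, not real crypt output.

```shell
#!/bin/sh
# Added example: report crypt scheme and salt length per account from an
# /etc/shadow-style file. Not part of Calamares; sample data is constructed.

# shadow_salt_report [FILE]
# Reads FILE (or stdin) and prints "user scheme saltlen" for each account
# that has a usable hash. Empty, "!" and "*" password fields are skipped,
# as are hashes locked with a leading "!".
shadow_salt_report() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            if (substr($2, 1, 1) != "$") {
                # Traditional DES crypt: 2-character salt, no scheme prefix.
                print $1, "des", 2
                next
            }
            n = split($2, f, "$")
            # f[2] is the scheme id ("6" = SHA-512, "5" = SHA-256,
            # "y" = yescrypt), f[n] is the hash and f[n-1] is the salt;
            # a "rounds=N" or yescrypt parameter field, if any, sits in
            # between and is skipped by taking the field before the hash.
            print $1, f[2], length(f[n-1])
        }
    ' "$@"
}

# has_password USER [FILE]
# Exit status 0 if USER has a usable password hash, 1 otherwise.
# Use it to decide whether root needs a passwd reset at all.
has_password() {
    user=$1
    shift
    awk -F: -v u="$user" '
        $1 == u && $2 != "" && $2 !~ /^[!*]/ { found = 1 }
        END { exit !found }
    ' "$@"
}

# Constructed sample shadow file; the hash parts are placeholders.
sample_shadow() {
    printf '%s\n' \
        'root:$6$Ab12Cd34Ef56Gh78$placeholderhash:17352:0:99999:7:::' \
        'alice:$6$rounds=5000$Zz9Yy8Xx7Ww6Vv5U$placeholderhash:17352:0:99999:7:::' \
        'bob:$6$short$placeholderhash:17352:0:99999:7:::' \
        'daemon:*:17352:0:99999:7:::' \
        'guest:!:17352:0:99999:7:::' \
        'nopass::17352:0:99999:7:::'
}

# Demo on the constructed sample. On a real system run, as root:
#   shadow_salt_report /etc/shadow
sample_shadow | shadow_salt_report
```

The scheme identifier tells you which hash function passwd will use after the reset (it follows the system's ENCRYPT_METHOD setting); the salt length is what you compare against the advisory, and "bob" in the sample only illustrates that the script reports whatever length it finds.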

Among the distros that use the Calamares distribution-independent installer, we can mention Chakra GNU/Linux, KaOS, KDE Neon, Netrunner, OpenMandriva, Siduction, Tanglu Linux, Sabayon, GeckoLinux, Pisi Linux, Manjaro, SwagArch, BlackPanther OS, BBQLinux, and the no longer maintained Apricity OS.

Maintainers of these GNU/Linux distributions, and of any others not mentioned here that ship Calamares as their installer, are also urged to rebuild their ISO images with Calamares 3.1.1 as soon as possible so that new installations no longer carry this password weakness.