FS#44157 - [ecryptfs-utils] release 105 with fix for CVE-2014-9687
Attached to Project:
Community Packages
Opened by Ingo Albrecht (indigo) - Wednesday, 11 March 2015, 21:09 GMT
Last edited by Timothy Redaelli (tredaelli) - Tuesday, 17 March 2015, 13:32 GMT
Details
Summary:
ecryptfs-utils just got an update to release 105. The update includes a fix for CVE-2014-9687 [1].

Details:
The main issue is insecure salt usage in the generation of the wrapped passphrase by ecryptfs-utils. More description is available in an issue description [2] and the fixing commit [3] [4].

For the fix to be effective, the ecryptfs passphrase needs to be rewrapped. For Arch this is a manual step _to my understanding_ (from [3] it shows that the migration/rewrapping is automatic on Ubuntu).

Since it is generally advised for ecryptfs usage to keep an offline backup of the (unwrapped) recover-passphrase, these offline backups need to be updated.

Suggestions:
For the above reasons it would be helpful IMO to have pacman notify users when ecryptfs-utils 105 hits stable. A notification could be "ecryptfs passphrase wrapping changed. Rewrap passphrases and update recover passphrases." or something.

At best it is also verified beforehand whether the rewrapping for a PAM-mount configured ecryptfs-userhome directory is indeed a manual step or automatic on next login for Arch. (I can test too but usually don't have testing enabled).

[1] http://packetstormsecurity.com/files/cve/CVE-2014-9687
[2] https://bugs.launchpad.net/ecryptfs/+bug/906550/comments/5
[3] https://code.launchpad.net/~tyhicks/ecryptfs/v2-wrapped-passphrase-files/+merge/249908
[4] http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/839
Closed by Timothy Redaelli (tredaelli)
Tuesday, 17 March 2015, 13:32 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to version 106
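
Since the task turns on whether existing wrapped passphrases have actually been rewrapped, here is an added example (not part of this task or of ecryptfs-utils) that reports which wrapped-passphrase files are still in the old format. It assumes the usual `~/.ecryptfs/wrapped-passphrase` location, and assumes that a version 2 file begins with a `:` byte followed by the byte 0x02, while a version 1 file has no header and begins with the 16 hex characters of the key signature; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify eCryptfs wrapped-passphrase files by on-disk format.
# Assumed layout (not stated on this page):
#   v2: byte 0 is ':' (0x3a), byte 1 is the version 0x02, then salt and data
#   v1: no header, file starts with 16 hex characters (the key signature)

wrapped_passphrase_format() {
    # Print v1, v2 or unknown for the file given as $1.
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    head2=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$head2" in
        3a02) echo v2 ;;
        3a*)  echo unknown ;;   # versioned header, but not version 2
        *)
            # v1 check: the first 16 bytes must exist and all be hex digits.
            len=$(dd if="$1" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
            nonhex=$(dd if="$1" bs=16 count=1 2>/dev/null |
                     tr -d '0-9a-fA-F' | wc -c | tr -d ' ')
            if [ "$len" -eq 16 ] && [ "$nonhex" -eq 0 ]; then
                echo v1
            else
                echo unknown
            fi ;;
    esac
}

scan_homes() {
    # $1: directory that contains the home directories (for example /home).
    # Prints "<format> <path>" per file found; returns 1 if any file is not
    # v2, meaning it still needs to be rewrapped.
    rc=0
    for f in "$1"/*/.ecryptfs/wrapped-passphrase; do
        [ -e "$f" ] || continue
        fmt=$(wrapped_passphrase_format "$f")
        echo "$fmt $f"
        [ "$fmt" = v2 ] || rc=1
    done
    return $rc
}
```

Run as root, `scan_homes /home` lists each user's file with its detected format and exits non-zero while any file remains unconverted.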