Files in etc need updating
14-Nov-2019 10:03
When installing Debian from live media using the Calamares installer (Section 2.2.13, “News from Debian Live team”) and selecting the full disk encryption feature, the disk's unlock key is stored in the initramfs, which is world readable.
This allows users with local filesystem access to read the private key and gain access to the filesystem again in the future. This will recreate the initramfs without world-readable permissions.
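An added check, not part of the release notes: the POSIX shell functions below report initramfs images in /boot whose mode grants group or world access (a disk unlock key embedded in such an image is readable by any local user) and verify that initramfs-tools is configured to generate future images with a restrictive umask. The UMASK variable read here is the one initramfs-tools honours in initramfs.conf and conf.d snippets; the function names and the directory arguments are assumptions made for this example.

```shell
#!/bin/sh
# Defensive check for the Calamares full-disk-encryption issue: initramfs
# images must not be readable by group or others. Paths default to the
# system locations but can be overridden (used by the self-test below).

# Print "<path> <mode>" for each initrd image in $1 (default /boot) that is
# readable by group or others; return 0 if any such image exists, else 1.
find_exposed_initramfs() {
    bootdir="${1:-/boot}"
    found=1
    for img in "$bootdir"/initrd.img-*; do
        [ -f "$img" ] || continue
        mode=$(stat -c '%a' "$img")          # octal mode, e.g. 644
        # 077 selects the group/other bits; any of them set means exposure
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$img" "$mode"
            found=0
        fi
    done
    return $found
}

# Return 0 if the last unquoted UMASK= line in $1/initramfs.conf or
# $1/conf.d/* (default /etc/initramfs-tools) clears every group/other bit,
# i.e. is 077 or stricter, so that regenerated images are owner-only.
initramfs_umask_restricted() {
    confdir="${1:-/etc/initramfs-tools}"
    umask_val=$(cat "$confdir"/initramfs.conf "$confdir"/conf.d/* 2>/dev/null \
        | sed -n 's/^[[:space:]]*UMASK=\([0-7]*\).*/\1/p' | tail -n 1)
    [ -n "$umask_val" ] || return 1
    [ $(( 0$umask_val & 077 )) -eq 63 ]     # 63 is octal 077
}

# Overall verdict: 0 only when no image is exposed AND a restrictive umask
# is configured (so the next update-initramfs run keeps images private).
check_initramfs_exposure() {
    rc=0
    if find_exposed_initramfs "$1"; then
        echo "group/world-readable initramfs image(s) listed above" >&2
        rc=1
    fi
    if ! initramfs_umask_restricted "$2"; then
        echo "no restrictive UMASK for initramfs-tools; set UMASK=0077 and regenerate" >&2
        rc=1
    fi
    return $rc
}
```

Run check_initramfs_exposure as root on a live system; a non-zero exit means the image or the configuration still needs attention.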
If you read this after upgrading a remote system to buster, ping the system on the network continuously as this adds entropy to the randomness pool and the system will eventually be reachable by ssh again.
See the wiki and DLange's overview of the issue for other options. To avoid the danger of your machine losing networking after the upgrade to buster, it is recommended that you migrate in advance to the new naming scheme. A kernel command-line option might also work for systems with only one network interface (of a given type).
Configurations that override these options but omit these algorithm names may cause unexpected authentication failures.
No action is required for configurations that accept the default for these options.
Information about the security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
The list of valid strings for the minimum protocol version can be found in SSL_CONF_cmd(3ssl).
If updates are warranted, they can only come via regular point releases, which may be slow in arriving.
To find the new-style names that will be used, first find the current names of the relevant interfaces:
Following various security recommendations, the default minimum TLS version has been changed from TLSv1 to TLSv1.2. The default security level for TLS connections has also been increased from level 1 to level 2.
Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.
These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types.
This distinction matters when using the RSA/SHA2 signature algorithms and their certificate counterparts.
A fix for the installer is being planned (see bug #931373) and will be uploaded to debian-security.