cryptsetup (2:2.2.2-3ubuntu2.4) focal-security; urgency=medium
* SECURITY UPDATE: decryption through LUKS2 reencryption crash recovery
- debian/patches/CVE-2021-4122.patch: add disable-luks2 reencryption
configure option in configure.ac, lib/luks2/luks2_keyslot.c,
lib/luks2/luks2_reencrypt.c, lib/setup.c, tests/api-test-2.c,
tests/luks2-reencryption-test.
- debian/rules: Disable LUKS2 reencryption by adding new
--disable-luks2-reencryption build option.
- CVE-2021-4122
-- Marc Deslauriers <email address hidden> Tue, 18 Jan 2022 12:36:47 -0500
-
cryptsetup (2:2.2.2-3ubuntu2.3) focal; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
-- <email address hidden> (Guilherme G. Piccoli) Wed, 16 Sep 2020 17:40:05 -0300
-
cryptsetup (2:2.2.2-3ubuntu2.2) focal-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds write
- debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
heap space in lib/luks2/luks2_json_metadata.c.
- CVE-2020-14382
* debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted environment in the new Bionic Builder (LP: #1891473)
tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
- Thanks Guilherme G. Piccoli.
-- <email address hidden> (Leonidas S. Barbosa) Thu, 10 Sep 2020 08:47:50 -0300
-
cryptsetup (2:2.2.2-3ubuntu2) focal; urgency=medium
* Depend on cryptsetup from cryptsetup-initramfs instead of the dummy
cryptsetup-run package. LP: #1864360.
-- Steve Langasek <email address hidden> Thu, 27 Feb 2020 00:16:14 -0600
-
cryptsetup (2:2.2.2-3ubuntu1) focal; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
cryptsetup (2:2.2.2-3) unstable; urgency=high
* initramfs hook: Workaround fix for the libgcc_s's source location.
(Closes: #950628, #939766.) See #950254 for the proper fix.
-- Matthias Klose <email address hidden> Mon, 10 Feb 2020 09:20:12 +0100
-
cryptsetup (2:2.2.2-2ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
cryptsetup (2:2.2.2-2) unstable; urgency=medium
[ Guilhem Moulin ]
* d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep,
include the IV generator found in the cipher specification when there is a
matching kernel module. On 5.4 kernels ESSIV isn't implemented in
dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be
available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'.
Closes: #948593.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
-- Steve Langasek <email address hidden> Sat, 01 Feb 2020 22:11:22 -0800
-
cryptsetup (2:2.2.2-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
cryptsetup (2:2.2.2-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/control:
+ Add 'procps' to the Build-Depends since the upstream test suite uses
free(1).
+ Bump Standards-Version to 4.4.1 (no changes necessary).
-- Steve Langasek <email address hidden> Mon, 11 Nov 2019 22:07:44 -0800
-
cryptsetup (2:2.2.1-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
cryptsetup (2:2.2.1-1) unstable; urgency=medium
* New upstream bugfix release.
* Remove d/patches, applied upstream.
-- Steve Langasek <email address hidden> Fri, 18 Oct 2019 15:14:29 -0700
-
cryptsetup (2:2.2.0-3ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
cryptsetup (2:2.2.0-3) unstable; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Steve Langasek <email address hidden> Wed, 28 Aug 2019 16:13:22 -0700