Change logs for cryptsetup source package in Groovy

  • cryptsetup (2:2.3.3-1ubuntu6) groovy; urgency=medium
    
      * Introduce retry logic for external invocations after mdadm (LP: #1879980)
        - Currently, if an encrypted rootfs is configured on top of a MD RAID1
          array and such array gets degraded (e.g., a member is removed/failed)
          the cryptsetup scripts cannot mount the rootfs, and the boot fails.
          We fix that issue here by allowing the cryptroot script to be re-run
          by initramfs-tools/local-block stage, as mdadm can activate degraded
          arrays at that stage.
          There is an initramfs-tools counterpart for this fix, but alone the
          cryptsetup portion is harmless.
        - d/cryptsetup-initramfs.install: ship the new local-bottom script.
        - d/functions: declare variables for local-top|block|bottom scripts
          (flag that local-block is running and external invocation counter.)
        - d/i/s/local-block/cryptroot: set flag that local-block is running.
        - d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
        - d/i/s/local-top/cryptroot: change the logic from just waiting 180
          seconds to waiting 5 seconds first, then allowing initramfs-tools
          to run mdadm (to activate degraded arrays) and call back at least
          30 times/seconds more.
    
     -- <email address hidden> (Guilherme G. Piccoli)  Wed, 16 Sep 2020 17:35:59 -0300
  • cryptsetup (2:2.3.3-1ubuntu5) groovy; urgency=medium
    
      * SECURITY UPDATE: Out-of-bounds write
        - debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
          heap space in lib/luks2/luks2_json_metadata.c.
        - CVE-2020-14382
      * debian/patches/decrease_memlock_ulimit.patch
        Fixed FTBFS due to a restricted environment in the new Bionic Builder (LP: #1891473)
        tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
        - Thanks Guilherme G. Piccoli.
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 09 Sep 2020 09:29:17 -0300
  • cryptsetup (2:2.3.3-1ubuntu4) groovy; urgency=medium
    
      * No change rebuild against new json-c ABI.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 28 Jul 2020 17:42:50 +0100
  • cryptsetup (2:2.3.3-1ubuntu3) groovy; urgency=medium
    
      * debian/rules:
        - fix FTBFS on riscv64 by adding --with-tmpfilesdir to ensure all archs,
          even those without systemd, know how to ship cryptsetup.conf
    
     -- Didier Roche <email address hidden>  Thu, 18 Jun 2020 11:44:50 +0200
  • cryptsetup (2:2.3.3-1ubuntu2) groovy; urgency=medium
    
      * debian/cryptsetup-bin.install:
        - Fix FTBFS due to dh_missing detecting cryptsetup.conf in debian/tmp where
          it was installed from ./scripts/cryptsetup.conf.
      * Fix warning and error when running on ZFS on root: (LP: #1830110)
        - d/functions: Return an empty devno for ZFS devices as they don't have
          major:minor device numbers.
        - d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
          devices don't have a devno.
        Submitted to debian upstream as bug #902449.
    
     -- Didier Roche <email address hidden>  Thu, 18 Jun 2020 10:12:10 +0200
  • cryptsetup (2:2.3.3-1ubuntu1) groovy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control:
          + Recommend plymouth.
          + Depend on busybox-initramfs instead of busybox | busybox-static.
        - Fix cryptroot-unlock for busybox compatibility.
    
    cryptsetup (2:2.3.3-1) unstable; urgency=medium
    
      [ Guilhem Moulin ]
      * New upstream bugfix release.
      * d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`.
      * d/control: Bump debhelper compatibility level to 13.  Remove
        debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it
        anywhere.
    
      [ Rob Pilling ]
      * d/scripts/decrypt_derived:
        + move an error message to standard error so it's not accidentally used as
          a key
        + exit with a success code when successful
    
    cryptsetup (2:2.3.2-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/control: Set 'Rules-Requires-Root: no'.
      * d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module
        when the host CPU lacks AES-NI support.  On such systems XTS needs ECB.
        This is a workaround for #883595 on kernels 4.10 and later.
        (Closes: #959423)
    
     -- Steve Langasek <email address hidden>  Tue, 09 Jun 2020 10:40:32 -0700
  • cryptsetup (2:2.3.1-1ubuntu1) groovy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control:
          + Recommend plymouth.
          + Depend on busybox-initramfs instead of busybox | busybox-static.
        - Fix cryptroot-unlock for busybox compatibility.
    
    cryptsetup (2:2.3.1-1) unstable; urgency=medium
    
      * New upstream release.
      * d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
    
    cryptsetup (2:2.3.0-1) unstable; urgency=low
    
      * New upstream release, introducing support for BitLocker-compatible
        devices (BITLK format) used in Windows systems.
        WARNING: crypttab(5) support for these devices is currently *experimental*
        and requires blkid from util-linux >=2.33 (i.e., Buster or later).  These
        devices currently have no keyword to use in the 4th field (unlike 'luks'
        or 'plain'), the device type is inferred from the signature instead.
      * crypttab(5): Make the 4th field (options) optional so we don't have to
        introduce a new keyword for each new device type.  (That field is also
        optional in the systemd implementation.)  Other fields (dm target name,
        source device, and key file) remain required.
      * Install cryptdisks_{start,stop} bash completion scripts to the right
        path/name so they are loaded automatically. This was no longer the case
        since 2:1.7.0-1.  (Closes: #949623)
      * d/*.install: Replace tabs with spaces.
      * d/cryptdisks-functions: Fix broken $FORCE_START handling.  Since
        2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
        overriding noauto/noearly.  (Closes: #933142)
      * Move some functions to d/function from the initramfs hook.
      * SysV init scripts: skip devices holding the root FS and/or /usr during the
        shutdown phase; these file systems are still mounted at this point so any
        attempt to gracefully close the underlying device(s) is bound to fail.
        (Closes: #916649, #918008)
      * Bump Standards-Version to 4.5.0 (no changes necessary).
    
     -- Steve Langasek <email address hidden>  Fri, 01 May 2020 07:07:58 -0700
  • cryptsetup (2:2.2.2-3ubuntu2) focal; urgency=medium
    
      * Depend on cryptsetup from cryptsetup-initramfs instead of the dummy
        cryptsetup-run package.  LP: #1864360.
    
     -- Steve Langasek <email address hidden>  Thu, 27 Feb 2020 00:16:14 -0600