[ubuntu/hirsute-proposed] cryptsetup 2:2.3.4-1ubuntu1 (Accepted)
Michael Hudson-Doyle
michael.hudson at ubuntu.com
Tue Nov 10 21:08:14 UTC 2020
cryptsetup (2:2.3.4-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Depend on busybox-initramfs instead of busybox | busybox-static.
    - Fix cryptroot-unlock for busybox compatibility.
    - Fix warning and error when running on ZFS on root: (LP #1830110)
      - d/functions: Return an empty devno for ZFS devices as they don't have
        major:minor device numbers.
      - d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
        devices don't have a devno.
      Submitted to Debian upstream as bug #902449.
    - debian/patches/decrease_memlock_ulimit.patch
      Fixed FTBFS due to a restricted environment in the new Bionic Builder (LP #1891473)
      tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
      - Thanks Guilherme G. Piccoli.
    - Introduce retry logic for external invocations after mdadm (LP #1879980)
      - Currently, if an encrypted rootfs is configured on top of an MD RAID1
        array and such array gets degraded (e.g., a member is removed/failed)
        the cryptsetup scripts cannot mount the rootfs, and the boot fails.
        We fix that issue here by allowing the cryptroot script to be re-run
        by initramfs-tools/local-block stage, as mdadm can activate degraded
        arrays at that stage.
        There is an initramfs-tools counterpart for this fix, but alone the
        cryptsetup portion is harmless.
      - d/cryptsetup-initramfs.install: ship the new local-bottom script.
      - d/functions: declare variables for local-top|block|bottom scripts
        (flag that local-block is running and external invocation counter.)
      - d/i/s/local-block/cryptroot: set flag that local-block is running.
      - d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
      - d/i/s/local-top/cryptroot: change the logic from just waiting 180
        seconds to waiting 5 seconds first, then allowing initramfs-tools
        to run mdadm (to activate degraded arrays) and call back at least
        30 times/seconds more.
  * Dropped changes:
    - Included in new upstream version:
      - SECURITY UPDATE: Out-of-bounds write
        - debian/patches/CVE-2020-14382-*.patch: check segment gaps regardless of
          heap space in lib/luks2/luks2_json_metadata.c.
        - CVE-2020-14382
    - included in Debian:
      - debian/cryptsetup-bin.install:
        - Fix FTBFS due to dh_missing detecting cryptsetup.conf in debian/tmp where
          it was installed from ./scripts/cryptsetup.conf.
      - debian/rules:
        - fix FTBFS on riscv64 adding --with-tmpfilesdir to ensure all archs, even
          those without systemd, know how to ship cryptsetup.conf

cryptsetup (2:2.3.4-1) unstable; urgency=high

  * New upstream bugfix release, including fix for CVE-2020-14382:
    possible out-of-bounds memory write while validating LUKS2 data
    segments metadata on 32-bit platforms. (Closes: #969471)

cryptsetup (2:2.3.3-2) unstable; urgency=medium

  [ Helmut Grohne ]
  * d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092)

  [ Guilhem Moulin ]
  * d/rules: Build with `--with-tmpfilesdir` to force installing
    usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from
    scripts/cryptsetup.conf. This fixes FTBFS in environments containing
    systemd. (Closes: #968250)
  * Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker
    volumes. (Closes: #967853)

Date: Tue, 10 Nov 2020 10:37:25 +1300
Changed-By: Michael Hudson-Doyle <michael.hudson at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.3.4-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 10 Nov 2020 10:37:25 +1300
Source: cryptsetup
Architecture: source
Version: 2:2.3.4-1ubuntu1
Distribution: hirsute
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Michael Hudson-Doyle <michael.hudson at ubuntu.com>
Closes: 964092 967853 968250 969471
Original-Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel at alioth-lists.debian.net>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----