cryptsetup (2:2.4.3-1ubuntu1.2) jammy; urgency=medium
* Cherry-pick modern support for FIPS enabled backends. LP: #2032659
- cherry-pick v2.6.0 change to correct FIPS mode detection, and
correctly use OpenSSL backend in FIPS-compliant way, if OpenSSL is in
FIPS mode.
- cherry-pick v2.6.0 fixes to benchmark function that works with
OpenSSL in 140-3 FIPS mode.
- Enable the optional runtime FIPS codepath
-- Dimitri John Ledkov <dimitri.ledkov@canonical.com> Tue, 22 Aug 2023 18:16:42 +0100
cryptsetup (2:2.4.3-1ubuntu1.1) jammy; urgency=medium
* d/initramfs/hooks/cryptroot: Include OpenSSL legacy.so for ripemd160 and
whirlpool hash algorithms (LP: #1979159)
-- Benjamin Drung <bdrung@ubuntu.com> Thu, 04 Aug 2022 14:08:01 +0200
cryptsetup (2:2.4.3-1ubuntu1) jammy; urgency=low
* Merge from Debian unstable (LP: #1959427). Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
+ Move cryptsetup-initramfs back to cryptsetup's Recommends.
+ Do not build cryptsetup-suspend binary package on i386.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment
- Stop building the udeb on request.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 28 Jan 2022 12:14:06 -0800
cryptsetup (2:2.4.3-1) unstable; urgency=high
[ Guilhem Moulin ]
* New upstream security release 2.4.3, with fix for CVE-2021-4122:
decryption through LUKS2 reencryption crash recovery. (Closes: #1003685,
#1003686)
* Remove cryptsetup-initramfs.preinst. (Closes: #1001063)
[ Christoph Anton Mitterer ]
* d/rules: don't expand here-document.
-- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100
cryptsetup (2:2.4.2-1ubuntu4) jammy; urgency=medium
* Move cryptsetup-initramfs back to cryptsetup's Recommends (from Suggests).
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Thu, 09 Dec 2021 12:53:00 +1300
cryptsetup (2:2.4.2-1ubuntu3) jammy; urgency=medium
* Fix build on i386.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 07 Dec 2021 13:17:48 +1300
cryptsetup (2:2.4.2-1ubuntu2) jammy; urgency=medium
* Do not build new cryptsetup-suspend binary package on i386.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 07 Dec 2021 11:47:55 +1300
cryptsetup (2:2.4.2-1ubuntu1) jammy; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Recommend plymouth.
+ Depend on busybox-initramfs instead of busybox | busybox-static.
- Fix cryptroot-unlock for busybox compatibility.
- Fix warning and error when running on ZFS on root: (LP: #1830110)
- d/functions: Return an empty devno for ZFS devices as they don't have
major:minor device numbers.
- d/initramfs/hooks/cryptroot: Ignore and don't print an error message when
devices don't have a devno.
Submitted to debian upstream as bug #902449.
- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due a restrict environment in the new Bionic Builder (LP: #1891473)
tests/luks2-validation.test, tests/compat-test, tests/tcrypt-compat-test.
- Thanks Guilherme G. Piccoli.
- Stop building the udeb on request.
* Dropped change, included in Debian:
- Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Thu, 02 Dec 2021 11:58:05 +1300
cryptsetup (2:2.4.2-1) unstable; urgency=high
* New upstream bugfix release 2.4.2.
* d/control: Replace Build-Depends on removed package libsepol1-dev with
libsepol-dev. (Closes: #999815)
* blkid/un_blkid checks: Ignore large offsets when converting from sectors
to bytes.
* crypttab(5): Formatting fix.
* Refresh d/copyright.
* Refresh lintian overrides to accommodate lintian v2.112.
-- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100
cryptsetup (2:2.4.1-1) unstable; urgency=medium
[ Guilhem Moulin ]
* New upstream bugfix release 2.4.1.
* d/rules:
+ Use execute_after_dh_* from Debhelper compatibility level 13 when
relevant.
+ Skip documentation generation under nodoc profile.
+ Add new target execute_before_dh_auto_test so blhc ignores compilations
of tests/*.c.
* d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0.
* crypttab(5):
+ Improve documentation about escape sequences.
+ Document that keyscript= can also take an absolute path.
(Closes: #994219)
+ Document that keyscript's exit status is ignored.
+ Various typo fixes and manpages improvements.
* initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from
askpass inclusion. (Closes: #994486)
* d/cryptsetup-initramfs.post*: Replace `which` with `command -v`.
* Merge debian/experimental branch and bring cryptsetup-suspend to sid.
* d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any
implementation should work. (Closes: #993374)
* Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of
d/functions and d/cryptdisks-functions. The testbed requires
'isolation-machine' restriction since we need to load kernel modules and
create loop devices.
* d/gbp.conf, d/watch: Explicitly use gzip compression.
[ Christoph Anton Mitterer ]
* d/functions: Export _CRYPTTAB_* to the keyscript's environment.
[ Lukas Schwaighofer ]
* initramfs: Honor activation/auto_activation_volume_list setting.
(Closes: #993725)
[ Thorsten Glaser ]
* blkid/un_blkid checks: Honor offset= option. (Closes: #994056)
-- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200
# For older changelog entries, run 'apt-get changelog libcryptsetup12'
Generated by dwww version 1.14 on Thu Jan 23 03:23:39 CET 2025.