cryptsetup (2:1.7.3-4ubuntu1) artful; urgency=low

  * New upstream release, merge from Debian unstable. Remaining
    Ubuntu changes:
    - debian/control:
      + Depend on plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter
        is the one we ship in main as part of the ubuntu-standard task.
      + Drop explicit libgcrypt20 dependency from libcryptsetup4.
  * d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat
    with recent FIPS-enabled kernels.
  * Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE.
  * Drop c99 std, as the default is now higher than that.
  * Use DEB_VERSION from dpkg/default.mk for pod2man release variable.
  * Drop upstart system jobs.
  * Add maintscript to drop removed upstart system jobs.

cryptsetup (2:1.7.3-4) unstable; urgency=high

  [ Guilhem Moulin ]
  * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
    patch. (Closes: #847620)
  * debian/copyright: Fix license mismatch (docs/examples/*
    lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are
    LGPL-2.1+ not GPL-2+). (Closes: #861802)
  * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in
    initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074)

cryptsetup (2:1.7.3-3) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/scripts/decrypt_ssl: fix script to actually output the decrypted
    key. Apparently this script has been broken since June 2008. Doesn't seem
    like anybody is using it. Thanks to g1 for spotting and reporting the
    error. (Closes: #844050)
  * debian/initramfs/cryptroot-script:
    + limit the sleep after max passphrase attempts to devices for the rootfs.
      This mitigates the negative impact in case of broken keyscripts etc.
    + add $crypttarget to each message to provide more context.
  * debian/initramfs/cryptroot-hook: fix sanity check for key files on root
    fs in get_device_opts(): detect if processed device is a root (parent)
    device even for LVM setups. (Closes: #842951)
  * debian/README.initramfs: minor fix to the decrypt_derived keyscript
    section: now that systemd is standard, 'cryptdisks_start' should be used
    instead of '/etc/init.d/cryptdisks start'.
  * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option
    that systemd doesn't support the option (yet) and mention the possible
    workaround to process the devices in question in the initramfs.

  [ Guilhem Moulin ]
  * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As
    this enables git-buildpackage >= 0.8.7 to automatically generate
    orig.tar.gz, step nr. 5 is now removed from debian/README.source.
  * debian/compat: bump debhelper compatibility version to 9.
  * debian/initramfs/cryptroot-hook:
    + fix tab damage for consistency with the rest of the code
    + better warning for deprecated settings
    + fix sanity check for key files in get_device_opts(): print a warning if
      the key file isn't on the root FS, or if the root device is not
      encrypted, even for LVM setups.
    + fix sanity check for key files in get_device_opts(): print a warning if
      the processed device is a resume device, even for LVM setups.
    + fix runtime error in get_lvm_deps() if the first argument is either
      missing or the empty string.
    + reset IFS after processing $rootopts in get_device_opts(); the missing
      linefeed in $IFS caused LVM logical volumes spanning over multiple PVs
      not to have their parent devices detected correctly.

cryptsetup (2:1.7.3-2) unstable; urgency=medium

  [ Guilhem Moulin ]
  * debian/README.Debian: update authorized_keys(5) path, incorrect since
    2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH
    server.

  [ Jonas Meurer ]
  * debian/initramfs/cryptroot-script: sleep after max passphrase attempts.
    This mitigates local brute-force attacks and addresses CVE-2016-4484.
    Thanks to Ismael Ripoll and Hector Marco for discovery and report.
    - decrease $count by one in tries loop if unlocking was successful.
    - warn and sleep for 60 seconds if the maximum allowed attempts of
      unlocking (configured with crypttab option tries, default=3) are
      reached.

cryptsetup (2:1.7.3-1) unstable; urgency=medium

  * New upstream release 1.7.3.
  * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to
    make the package build more reproducible. Introduces a new Build-Depends
    on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bug report and
    patch. (Closes: #842581)

cryptsetup (2:1.7.2-5) unstable; urgency=high

  [ Guilhem Moulin ]
  * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key,
    fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
  * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically
    verify cryptographic signatures on release tarballs.

  [ Jonas Meurer ]
  * debian/initramfs/cryptroot-hook: only source crypt-hook from
    /etc/cryptsetup-initramfs/ when present. (Closes: #841503)

cryptsetup (2:1.7.2-4) unstable; urgency=high

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-hook:
    + Fix warning printed for lvm devices backed by multiple dm-crypt nodes.
      Regression introduced in 2:1.7.2-1. Thanks to Zoltan Hidvegi for the
      patch. (Closes: #840480)
    + Don't escape all slash characters "/" in device paths of the form
      /dev/by-label/..., only the label itself. Regression introduced in
      2:1.7.2-2 as a fix for #839888.

cryptsetup (2:1.7.2-3) unstable; urgency=medium

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN,
    so the (deprecated) values set in /etc/initramfs-tools aren't overridden
    to the empty string by default. Regression introduced in 2:1.7.2-1.
    (Closes: #839994)
  * debian/README.initramfs: fixed minor typo.

cryptsetup (2:1.7.2-2) unstable; urgency=medium

  * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered
    systems with sysVinit unbootable. Thanks to Marc Haber for bug report and
    patch. (Closes: #839888)

cryptsetup (2:1.7.2-1) unstable; urgency=medium

  [ Jonas Meurer ]
  * new upstream release 1.7.2. Highlights include:
    - code now uses kernel crypto API backend according to new changes
      introduced in mainline kernel. (in 1.7.1)
    - cryptsetup now allows special "-" (standard input) keyfile handling
      even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1)
    - Support activation options for error handling modes in Linux kernel
      dm-verity module. (in 1.7.2)
  * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt
    extension, now that upstream issue #269 is fixed.
  * migrate the packaging repository from SVN to Git:
    - debian/control: Update Vcs-* fields to point to the new git repository.
    - debian/README.source: document new repository structure and release
      handling.
  * debian/README.Debian, debian/NEWS: minor typo fixes.
  * debian/rules: run pod2man --release="$(DEB_VERSION)". (Closes: #839352)

  [ Guilhem Moulin ]
  * debian/control: add self to uploaders.
  * debian/cryptdisks.functions: when iterating through the crypttab, don't
    abort after the first disk that fails to be closed. Regression introduced
    in 2:1.7.0-1 when the file is sourced under 'set -e'.
  * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't
    depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an
    encrypted disk cannot be closed. (Closes: #811456)
  * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove
    conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1.
    (Closes: #810227)
  * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/.
    Thanks, Stuart Prescott. (Closes: #827263)
  * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile
    ELF executables as PIEs.
  * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary).
  * debian/cryptsetup.lintian-overrides: Remove unused lintian override
    init.d-script-does-not-source-init-functions.
  * Use /etc/cryptsetup-initramfs/conf-hook for initramfs hook script
    configuration. For backward compatibility setting CRYPTSETUP and
    KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
    for now, but causes the hook to print a warning.
    This is done following the initramfs-tools maintainers' request (see
    #807527) that hook and boot script configuration files be stored outside
    the /etc/initramfs-tools directory. (Closes: #783393)
  * Print a warning when private key material is to be included in the
    initramfs image (i.e., if $KEYFILE_PATTERN is not empty), and the image is
    created with a permissive mode.
  * Add Indonesian debconf templates translation. Thanks, Izharul Haq, for the
    patch. (Closes: #835158)
  * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs,
    $resumedevs, etc.
  * Support unlocking devices at initramfs stage using a key file stored on
    the encrypted root FS. Note however that resume devices won't be unlocked
    this way since the resume boot script is currently run before mounting the
    root FS. (Closes: #776409)
  * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or
    device names containing non-alphanumeric characters such as "." or "-":
    + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and
    + replace `echo "$x"` by `printf '%s' "$x"` when the argument might start
      with a dash.
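The snippet below is an added example, not code from the cryptsetup packaging: it runs the old `grep "^$x\b"` lookup and the replacement `awk -vx="$x" '$1==x {print}'` lookup against a constructed crypttab to show how many lines each one matches for target names containing "." or "-", and shows `printf '%s'` preserving an argument that begins with a dash. The crypttab contents and target names are made up, and the grep behaviour assumes GNU grep's `\b`.

```shell
#!/bin/sh
# Added example, not part of the cryptsetup packaging. Shows why looking up a
# crypttab target with `grep "^$x\b"` is unsafe for names containing "." or "-"
# and how an exact awk field comparison avoids the problem.

# Constructed sample crypttab; target names and UUIDs are made up.
CRYPTTAB='sda2_crypt UUID=11111111-1111-1111-1111-111111111111 none luks
sda2_crypt-old UUID=22222222-2222-2222-2222-222222222222 none luks,noauto
sda2.crypt UUID=33333333-3333-3333-3333-333333333333 none luks
sda2Xcrypt UUID=44444444-4444-4444-4444-444444444444 none luks'

# Old lookup: the target name is interpreted as a regular expression.
# "-" counts as a word boundary, so "sda2_crypt" also matches "sda2_crypt-old";
# an unescaped "." matches any character, so "sda2.crypt" matches all four lines.
match_grep() {
    printf '%s\n' "$CRYPTTAB" | grep "^$1\b"
}

# New lookup (the change described above): awk compares the first
# whitespace-separated field to the target literally, with no regex semantics.
match_awk() {
    printf '%s\n' "$CRYPTTAB" | awk -vx="$1" '$1==x {print}'
}

# Number of crypttab lines a lookup function returns for a target.
count_matches() {
    "$1" "$2" | grep -c .
}

# echo may treat a leading dash as an option (e.g. "-n" prints nothing);
# printf '%s' writes the argument verbatim.
print_name() {
    printf '%s' "$1"
}

# Stand-alone demonstration.
for target in sda2_crypt sda2.crypt; do
    echo "grep lookup for $target matched $(count_matches match_grep "$target") line(s)"
    echo "awk  lookup for $target matched $(count_matches match_awk "$target") line(s)"
done
```

A wrong match here matters: the hook would read the device, key file and options of a different crypttab entry than the one it was asked about.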
  * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions:
    ensure slash characters "/" from device labels are escaped when
    constructing symlinks under /dev/disk/by-label.
  * debian/scripts/decrypt_gnupg:
    + Remove --no-mdc-warning to display a warning if the MDC integrity
      protection is missing.
    + Replace "GnuPG key" by "gpg-encrypted key" in messages and
      documentation.
  * debian/initramfs/cryptgnupg-hook: Add support for multiple devices
    encrypted using a gpg-encrypted key.
  * debian/README.gnupg: Indicate that not only the gpg-encrypted key for
    the root FS is copied onto the initramfs, but also the ones for all
    devices that need to be unlocked at initramfs stage.
  * debian/initramfs/cryptroot-hook: Fix bug for device label starting with
    "UUID=".

  [ Helmut Grohne ]
  * libcryptsetup-dev: move the .pc file to a multiarch location such that
    cross-pkg-config can find it. (Closes: #811545)
  * Fix FTCBFS: Use host arch compiler for askpass as well. (Closes: #811559)

 -- Andy Whitcroft <email address hidden>  Thu, 10 Aug 2017 14:07:29 +0100