[ubuntu/focal-security] cryptsetup 2:2.2.2-3ubuntu2.4 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Feb 15 15:09:31 UTC 2022


cryptsetup (2:2.2.2-3ubuntu2.4) focal-security; urgency=medium

  * SECURITY UPDATE: decryption through LUKS2 reencryption crash recovery
    - debian/patches/CVE-2021-4122.patch: add disable-luks2 reencryption
      configure option in configure.ac, lib/luks2/luks2_keyslot.c,
      lib/luks2/luks2_reencrypt.c, lib/setup.c, tests/api-test-2.c,
      tests/luks2-reencryption-test.
    - debian/rules: Disable LUKS2 reencryption by adding new
      --disable-luks2-reencryption build option.
    - CVE-2021-4122

cryptsetup (2:2.2.2-3ubuntu2.3) focal; urgency=medium

  * Introduce retry logic for external invocations after mdadm (LP: #1879980)
    - Currently, if an encrypted rootfs is configured on top of a MD RAID1
      array and such array gets degraded (e.g., a member is removed/failed)
      the cryptsetup scripts cannot mount the rootfs, and the boot fails.
      We fix that issue here by allowing the cryptroot script to be re-run
      by initramfs-tools/local-block stage, as mdadm can activate degraded
      arrays at that stage.
      There is an initramfs-tools counter-part for this fix, but alone the
      cryptsetup portion is harmless.
    - d/cryptsetup-initramfs.install: ship the new local-bottom script.
    - d/functions: declare variables for local-top|block|bottom scripts
      (flag that local-block is running and external invocation counter.)
    - d/i/s/local-block/cryptroot: set flag that local-block is running.
    - d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
    - d/i/s/local-top/cryptroot: change the logic from just waiting 180
      seconds to waiting 5 seconds first, then allowing initramfs-tools
      to run mdadm (to activate degraded arrays) and call back at least
      30 times/seconds more.

Date: 2022-01-18 18:36:10.484754+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.2.2-3ubuntu2.4
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list