[ubuntu/focal-security] cryptsetup 2:2.2.2-3ubuntu2.4 (Accepted)
marc.deslauriers at canonical.com
Tue Feb 15 15:09:31 UTC 2022
cryptsetup (2:2.2.2-3ubuntu2.4) focal-security; urgency=medium
* SECURITY UPDATE: decryption through LUKS2 reencryption crash recovery
- debian/patches/CVE-2021-4122.patch: add disable-luks2 reencryption
configure option in configure.ac, lib/luks2/luks2_keyslot.c,
lib/luks2/luks2_reencrypt.c, lib/setup.c, tests/api-test-2.c,
- debian/rules: Disable LUKS2 reencryption by adding new
--disable-luks2-reencryption build option.
cryptsetup (2:2.2.2-3ubuntu2.3) focal; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array and such array gets degraded (e.g., a member is removed/failed)
the cryptsetup scripts cannot mount the rootfs, and the boot fails.
We fix that issue here by allowing the cryptroot script to be re-run
by initramfs-tools/local-block stage, as mdadm can activate degraded
arrays at that stage.
There is an initramfs-tools counter-part for this fix, but alone the
cryptsetup portion is harmless.
- d/cryptsetup-initramfs.install: ship the new local-bottom script.
- d/functions: declare variables for local-top|block|bottom scripts
(flag that local-block is running and external invocation counter.)
- d/i/s/local-block/cryptroot: set flag that local-block is running.
- d/i/s/local-bottom/cryptroot: clean up the flag and counter files.
- d/i/s/local-top/cryptroot: change the logic from just waiting 180
seconds to waiting 5 seconds first, then allowing initramfs-tools
to run mdadm (to activate degraded arrays) and call back at least
30 times/seconds more.
Date: 2022-01-18 18:36:10.484754+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.
More information about the Focal-changes