cryptsetup.lists.linux.dev archive mirror
* [ANNOUNCE] cryptsetup 2.6.1
@ 2023-02-09 16:36 Milan Broz
From: Milan Broz @ 2023-02-09 16:36 UTC (permalink / raw)
  To: cryptsetup development


The cryptsetup 2.6.1 stable release is available at

   https://gitlab.com/cryptsetup/cryptsetup

Please note that release packages are located on kernel.org

   https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/

Feedback and bug reports are welcomed.

Cryptsetup 2.6.1 Release Notes
==============================
Stable bug-fix release with minor extensions.

All users of cryptsetup 2.6.0 should upgrade to this version.

Changes since version 2.6.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* bitlk: Fixes for BitLocker-compatible on-disk metadata parser
   (found by new cryptsetup OSS-Fuzz fuzzers).
   - Fix a possible memory leak if the metadata contains more than
     one description field.
   - Harden parsing of metadata entries for key and description entries.
   - Fix broken metadata parsing that can cause a crash or out of memory.

* Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
   OpenSSL2 uses a signed integer for PBKDF2 iteration count.
   As cryptsetup uses an unsigned value, this can lead to overflow and
   a decrease in the actual iteration count.
   This situation can happen only if the user specifies
   --pbkdf-force-iterations option.
   OpenSSL3 (and other supported crypto backends) are not affected.

* Fix compilation for new ISO C standards (gcc with -std=c11 and higher).

* fvault2: Fix compilation with very old uuid.h.

* verity: Fix possible hash offset setting overflow.

* bitlk: Fix use of startup BEK key on big-endian platforms.

* Fix compilation with latest musl library.
   Recent musl no longer implements lseek64() in some configurations.
   Use lseek() as 64-bit offset is mandatory for cryptsetup.

* Do not initiate encryption (reencryption command) when the header and
   data devices are the same.
   If data device reduction is not requested, this leads to data corruption
   since LUKS metadata was written over the data device.

* Fix possible memory leak if crypt_load() fails.

* Always use passphrases with a minimal 8 chars length for benchmarking.
   Some enterprise distributions decided to set an unconditional check
   for PBKDF2 password length when running in FIPS mode.
   This questionable change led to unexpected failures during LUKS format
   and keyslot operations, where short passwords were used for
   benchmarking PBKDF2 speed.
   PBKDF2 benchmark calculations should not be affected by this change.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
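
The PBKDF2 iteration overflow described in the release notes, as an added example that is not part of the announcement and not cryptsetup or OpenSSL code: it models an unsigned iteration count handed to a signed `int` parameter, next to a caller that range-checks first. The function names and the backend loop shape are hypothetical, and the conversion result assumes a 32-bit `int` with gcc/clang behaviour.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a backend PBKDF2 entry point that takes a signed
 * int iteration count. No cryptography: it returns how many rounds a loop
 * "first round, then j = 1 .. iter-1" would execute (assumed loop shape). */
static long long backend_rounds(int iter)
{
    return iter > 1 ? (long long)iter : 1;
}

/* Unchecked caller: the unsigned count is narrowed to int at the call site.
 * Values above INT_MAX become negative with gcc/clang (modulo 2^32). */
static long long unchecked_rounds(uint32_t iterations)
{
    return backend_rounds((int)iterations);
}

/* Checked caller: reject counts the signed parameter cannot represent. */
static int checked_rounds(uint32_t iterations, long long *rounds)
{
    if (iterations == 0 || iterations > (uint32_t)INT_MAX)
        return -EINVAL;
    *rounds = backend_rounds((int)iterations);
    return 0;
}

int main(void)
{
    /* Constructed sample values for a forced iteration count. */
    const uint32_t samples[] = { 1000u, 2147483647u, 2147483648u, 3000000000u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long long r = 0;
        int rc = checked_rounds(samples[i], &r);
        printf("requested=%u unchecked_rounds=%lld checked_rc=%d\n",
               (unsigned)samples[i], unchecked_rounds(samples[i]), rc);
    }
    return 0;
}
```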
