Hello community,

here is the log from the commit of package cryptsetup for openSUSE:Factory checked in at 2015-10-20 16:21:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cryptsetup (Old)
 and /work/SRC/openSUSE:Factory/.cryptsetup.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cryptsetup" Changes: -------- --- /work/SRC/openSUSE:Factory/cryptsetup/cryptsetup.changes 2015-04-21 12:02:13.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cryptsetup.new/cryptsetup.changes 2015-10-20 16:21:30.000000000 +0200 
@@ -1,0 +2,32 @@ +Tue Sep 8 20:19:34 UTC 2015 - [email protected] + +- Update to 1.6.8 + * If the null cipher (no encryption) is used, allow only empty + password for LUKS. (Previously cryptsetup accepted any password + in this case.) + The null cipher can be used only for testing and it is used + temporarily during offline encrypting not yet encrypted device + (cryptsetup-reencrypt tool). + Accepting only empty password prevents situation when someone + adds another LUKS device using the same UUID (UUID of existing + LUKS device) with faked header containing null cipher. + This could force user to use different LUKS device (with no + encryption) without noticing. + (IOW it prevents situation when attacker intentionally forces + user to boot into different system just by LUKS header + manipulation.) + Properly configured systems should have an additional integrity + protection in place here (LUKS here provides only + confidentiality) but it is better to not allow this situation + in the first place. + (For more info see QubesOS Security Bulletin QSB-019-2015.) + * Properly support stdin "-" handling for luksAddKey for both new + and old keyfile parameters. + * If encrypted device is file-backed (it uses underlying loop + device), cryptsetup resize will try to resize underlying loop + device as well. (It can be used to grow up file-backed device + in one step.) + * Cryptsetup now allows to use empty password through stdin pipe. + (Intended only for testing in scripts.) + +------------------------------------------------------------------- Old: ---- cryptsetup-1.6.7.tar.sign cryptsetup-1.6.7.tar.xz New: ---- cryptsetup-1.6.8.tar.sign cryptsetup-1.6.8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cryptsetup.spec ++++++ --- /var/tmp/diff_new_pack.Q0cV7v/_old 2015-10-20 16:21:31.000000000 +0200 +++ /var/tmp/diff_new_pack.Q0cV7v/_new 2015-10-20 16:21:31.000000000 +0200 
@@ -18,12 +18,12 @@ %define so_ver 4 Name: cryptsetup -Version: 1.6.7 +Version: 1.6.8 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.0+ Group: System/Base -Url: http://code.google.com/p/cryptsetup/ +Url: https://gitlab.com/cryptsetup/cryptsetup/ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.xz # GPG signature of the uncompressed tarball. Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.sign @@ -61,11 +61,11 @@ includes support for automatically setting up encrypted volumes at boot time via the config file %{_sysconfdir}/crypttab. -%package -n libcryptsetup4-hmac +%package -n libcryptsetup%{so_ver}-hmac Summary: Checksums for libcryptsetup4 Group: System/Base -%description -n libcryptsetup4-hmac +%description -n libcryptsetup%{so_ver}-hmac This package contains HMAC checksums for integrity checking of libcryptsetup4, used for FIPS. ++++++ cryptsetup-1.6.7.tar.xz -> cryptsetup-1.6.8.tar.xz ++++++ ++++ 27338 lines of diff (skipped)
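Review bot: The cryptsetup.changes entry (hunk `@@ -1,0 +2,32 @@`) describes a security-relevant behaviour change, the null-cipher LUKS header case, but its only identifier is "QubesOS Security Bulletin QSB-019-2015". If a bug-tracker entry or CVE exists for this, add it to the "- Update to 1.6.8" item so the fix can be found by maintenance tooling and by anyone auditing which Factory snapshot carries it. A short line at the top of the entry marking it as a security fix would also help, since it is currently the first of four equally weighted bullets.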
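Review bot: In the first cryptsetup.spec hunk (`@@ -18,12 +18,12 @@`), the context comment "# GPG signature of the uncompressed tarball." sits above Source1, and this commit swaps in cryptsetup-1.6.8.tar.sign, yet nothing in the visible lines shows that signature being checked. Because the signature covers the decompressed .tar and not the .tar.xz, a check against the compressed file will fail or be skipped; please confirm the new tarball was verified after decompression, and say so in the changes entry or do the check in the spec. Separately, Source0 and Source1 still hard-code the `v1.6` directory while the file name uses `%{version}`, so the next minor series will need a manual edit in both lines.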
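Review bot: The second cryptsetup.spec hunk (`@@ -61,11 +61,11 @@`) parameterises only the package name: `%package -n libcryptsetup%{so_ver}-hmac` and the matching `%description` line now follow `%define so_ver 4`, but "Summary: Checksums for libcryptsetup4" and the description text "libcryptsetup4, used for FIPS" still hard-code the 4. After a soname bump the HMAC subpackage would be named for the new library while describing the old one. Use `libcryptsetup%{so_ver}` in the Summary and description body as well so the whole FIPS checksum subpackage tracks one macro.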
