SUSE-RU-2020:0952-1: moderate: Recommended update for cryptsetup
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Wed Apr 8 07:15:16 MDT 2020
SUSE Recommended Update: Recommended update for cryptsetup
______________________________________________________________________________
Announcement ID: SUSE-RU-2020:0952-1
Rating: moderate
References: #1165580
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for cryptsetup fixes the following issues:
- Update from version 2.0.5 to version 2.0.6 (jsc#SLE-5911, bsc#1165580):
* Fix support of larger metadata areas in LUKS2 header. This release
properly supports all specified metadata areas, as documented in LUKS2
format description (see docs/on-disk-format-luks2.pdf in archive).
Currently, only default metadata area size is used (in format or
convert). Later cryptsetup versions will allow increasing this
metadata area size.
* If AEAD (authenticated encryption) is used, cryptsetup now tries to
check if the requested AEAD algorithm with specified key size is
available in kernel crypto API. This change avoids formatting a device
that cannot be later activated. For this function, the kernel must be
compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note
that kernel user crypto API options (CONFIG_CRYPTO_USER_API and
CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.
* Fix setting of integrity no-journal flag. Now you can store this flag
to metadata using --persistent option.
* Fix cryptsetup-reencrypt to not keep temporary reencryption headers if
interrupted during initial password prompt.
* Adds early check to plain and LUKS2 formats to disallow device format
if device size is not aligned to requested sector size. Previously it
was possible, and the device was rejected to activate by kernel later.
* Fix checking of hash algorithms availability for PBKDF early.
Previously LUKS2 format allowed non-existent hash algorithm with
invalid keyslot preventing the device from activation.
* Allow Adiantum cipher construction (a non-authenticated
length-preserving fast encryption scheme), so it can be used both for
data encryption and keyslot encryption in LUKS1/2 devices. For
benchmark, use: # cryptsetup benchmark -c xchacha12,aes-adiantum #
cryptsetup benchmark -c xchacha20,aes-adiantum For LUKS format: #
cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256
<device> The support for Adiantum will be merged in Linux kernel 4.21.
For more info see the paper https://eprint.iacr.org/2018/720.
Patch Instructions:
To install this SUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-952=1
- SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-952=1
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
cryptsetup-debuginfo-2.0.6-3.3.1
cryptsetup-debugsource-2.0.6-3.3.1
libcryptsetup-devel-2.0.6-3.3.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
cryptsetup-2.0.6-3.3.1
cryptsetup-debuginfo-2.0.6-3.3.1
cryptsetup-debugsource-2.0.6-3.3.1
libcryptsetup12-2.0.6-3.3.1
libcryptsetup12-debuginfo-2.0.6-3.3.1
libcryptsetup12-hmac-2.0.6-3.3.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
libcryptsetup12-32bit-2.0.6-3.3.1
libcryptsetup12-debuginfo-32bit-2.0.6-3.3.1
libcryptsetup12-hmac-32bit-2.0.6-3.3.1
References:
https://bugzilla.suse.com/1165580
More information about the sle-updates
mailing list