From: Milan Broz <gmazyland@gmail.com>
To: cryptsetup development <cryptsetup@lists.linux.dev>
Subject: [ANNOUNCE] cryptsetup 2.8.6
Date: Thu, 2 Apr 2026 19:06:55 +0200
Message-ID: <8c242227-5294-43f0-9e41-f674da091200@gmail.com>
The cryptsetup 2.8.6 stable release is available at
https://gitlab.com/cryptsetup/cryptsetup
Please note that release packages are located on kernel.org
https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/
Feedback and bug reports are welcome (please use the project page issue tracker).
Cryptsetup 2.8.6 Release Notes
==============================
Stable bug-fix release.
All users of cryptsetup 2.8.x must upgrade to this version.
Changes since version 2.8.5
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixes an autotools regression in 2.8.5 in the locking tmpfiles.d directory configuration.
Changes since version 2.8.4
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix FileVault (fvault2) metadata parsing.
With a specially crafted image, it is possible to cause a crash during the loading
of the FileVault-compatible disk encryption format. It is caused by the metadata block size
not being fully validated during the crypt_load() API call.
Thanks to David Pokora (Trail of Bits, in collaboration with Anthropic) for reporting
and proposing the patch.
* Fix reading FileVault image metadata from incorrect image offset.
If two subsequent crypt_load() API calls are made, the second call to load FileVault metadata
uses an incorrect offset. Subsequently, the correct FileVault metadata is not recognized.
This is caused by a missing seek to the device's beginning. No other formats are affected.
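As an added illustration of the two FileVault fixes above (this is not cryptsetup's code, and the header layout, size limits and status codes are constructed for the example rather than the real fvault2 layout): a loader that rewinds to the start of the image on every call, so a second load does not inherit the position left by the first, and range-checks the declared metadata block size before it drives any allocation or read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout for this example only, NOT the real fvault2 or
 * CoreStorage format: 8-byte magic followed by a little-endian 32-bit block size. */
#define HDR_MAGIC "EXAMPLE!"
#define HDR_LEN   12
#define MIN_BLOCK 512u
#define MAX_BLOCK (64u * 1024u)
enum { LOAD_OK = 0, LOAD_BAD_MAGIC = -1, LOAD_BAD_SIZE = -2, LOAD_IO = -3 };

/* Always rewinds first (a second load must not inherit the file position left by
 * the first) and range-checks the declared block size before it drives any
 * allocation or read, so a crafted size yields an error instead of a crash. */
int load_metadata(FILE *img, uint32_t *block_size)
{
    unsigned char hdr[HDR_LEN], *blk; uint32_t bs; size_t got;
    if (fseek(img, 0, SEEK_SET) != 0 || fread(hdr, 1, HDR_LEN, img) != HDR_LEN) return LOAD_IO;
    if (memcmp(hdr, HDR_MAGIC, 8) != 0) return LOAD_BAD_MAGIC;
    bs = (uint32_t)hdr[8] | (uint32_t)hdr[9] << 8 | (uint32_t)hdr[10] << 16 | (uint32_t)hdr[11] << 24;
    if (bs < MIN_BLOCK || bs > MAX_BLOCK) return LOAD_BAD_SIZE;   /* untrusted on-disk value */
    if (!(blk = malloc(bs))) return LOAD_IO;
    got = fread(blk, 1, bs, img);             /* image shorter than declared: I/O error */
    free(blk);
    if (got != bs) return LOAD_IO;
    *block_size = bs;
    return LOAD_OK;
}

/* Writes a constructed image (header + `payload` zero bytes) to a temp file and
 * loads it twice in a row; returns the first non-OK status, or LOAD_OK. */
int load_twice(uint32_t declared, size_t payload)
{
    unsigned char hdr[HDR_LEN];
    uint32_t bs = 0; int rc;
    FILE *img = tmpfile();
    if (!img) return LOAD_IO;
    memcpy(hdr, HDR_MAGIC, 8);
    for (int i = 0; i < 4; i++) hdr[8 + i] = (unsigned char)(declared >> (8 * i));
    fwrite(hdr, 1, HDR_LEN, img);
    while (payload--) fputc(0, img);
    rc = load_metadata(img, &bs);
    if (rc == LOAD_OK) rc = load_metadata(img, &bs);   /* fails without the rewind */
    fclose(img);
    return rc;
}
```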
* OpenSSL backend: Increase the number of allowed threads to 64.
If there are multiple crypto contexts in use, the 8-thread limit could cause parallel Argon2
PBKDF to wait or even deadlock. This is a workaround; the real fix probably needs changes
in the OpenSSL Argon2 thread allocation.
* Fix LUKS2 reencryption lock name.
If the device is in the reencryption process, it must use the metadata lock to protect
the reencryption metadata. In some very specific situations, the lock did not contain
the proper UUID of the reencrypted device.
* Check the UUID of the resumed device to match the UUID stored in metadata.
It is possible to resume the device with an invalid context, with possible data corruption
(a different encryption key is loaded).
* Add a specific error for failed detached header allocation.
If there wasn't enough space on the filesystem, the error message was confusing.
* Fix tests not to use aes-generic kernel cipher name.
Since Linux kernel 7.0, the crypto library has been used, and the old generic alias for kernel
crypto no longer works. As it was never supposed to be used from userspace, tests were fixed
to pass even with Linux kernel 7.0.
* Fix OpenSSL crypto backend if built with LibreSSL.
LibreSSL provides some definitions that it does not actually support.
This confused the logic of the configuration scripts.
* Several compatibility fixes to the alternative Meson configuration system:
* using pkg-config to find the popt library,
* fix the UUID header path in the function check,
* fix argp detection with the static argp-standalone library,
* allow external tokens without dlvsym (with musl library),
* propagate the crypto backend library dependency to all targets in the static build, and
* fix the defined locking directory path.
These changes align it with Autoconf logic.
* Various code fixes based on AI-assisted reviews:
* fix memory wiping of the larger Veracrypt password pool,
* remove superfluous return line in integritysetup,
* OpenSSL crypto backend: check for maximal RAND_bytes buffer size,
* FileVault format: use safe_alloc for key unwrapping,
* check for strtoll() failure,
* avoid integrity sector size overflow (when reading from disk),
* fix device-mapper flags initialization in the error path,
* increase buffer for keyring name in the device-mapper table to not truncate it,
* document non-standard behavior of safe_realloc,
* fix wrong union access for dm-integrity reload,
* check for possible CTX_dup failure in OpenSSL crypto backend,
* fix kernel crypto backend snprintf check,
* fix prefix "capi:" check not to ignore colon,
* fix device resize not to leak data on error path, and
* fix return value in reencryption segment helper.