* [ANNOUNCE] cryptsetup 2.8.5
@ 2026-04-02 14:09 Milan Broz
From: Milan Broz @ 2026-04-02 14:09 UTC (permalink / raw)
To: cryptsetup development
The cryptsetup 2.8.5 stable release is available at
https://gitlab.com/cryptsetup/cryptsetup
Please note that release packages are located on kernel.org
https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/
Feedback and bug reports are welcomed (please use the project page issue tracker).
Cryptsetup 2.8.5 Release Notes
==============================
Stable bug-fix release.
All users of cryptsetup 2.8.x must upgrade to this version.
Changes since version 2.8.4
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix FileVault (fvault2) metadata parsing.
With a specially crafted image, it is possible to cause a crash during the loading
of the FileVault-compatible disk encryption format. It is caused by the metadata block size
not being fully validated during the crypt_load() API call.
Thanks to David Pokora (Trail of Bits, in collaboration with Anthropic) for reporting
and proposing the patch.
* Fix reading FileVault image metadata from incorrect image offset.
If two subsequent crypt_load() API calls are made, the second call to load FileVault metadata
uses an incorrect offset. Subsequently, the correct FileVault metadata is not recognized.
This is caused by a missing seek to the device's beginning. No other formats are affected.
* OpenSSL backend: Increase the number of allowed threads to 64.
If there are multiple crypto contexts in use, the 8-thread limit could cause parallel Argon2
PBKDF to wait or even deadlock. This is a workaround; the real fix probably needs changes
in the OpenSSL Argon2 thread allocation.
* Fix LUKS2 reencryption lock name.
If the device is in the reencryption process, it must use the metadata lock to protect
the reencryption metadata. In some very specific situations, the lock did not contain
the proper UUID of the reencrypted device.
* Check the UUID of the resumed device to match the UUID stored in metadata.
It is possible to resume the device with an invalid context, with possible data corruption
(a different encryption key is loaded).
* Add a specific error for failed detached header allocation.
If there wasn't enough space on the filesystem, the error message was confusing.
* Fix tests not to use aes-generic kernel cipher name.
Since Linux kernel 7.0, the crypto library has been used, and the old generic alias for kernel
crypto no longer works. As it was never supposed to be used from userspace, tests were fixed
to pass even with Linux kernel 7.0.
* Fix OpenSSL crypto backend if built with LibreSSL.
LibreSSL provides some definitions that it does not actually support.
This confused the logic of the configuration scripts.
* Several compatibility fixes to the alternative Meson configuration system:
  * using pkg-config to find the popt library,
  * fix the UUID header path in the function check,
  * fix argp detection with the static argp-standalone library,
  * allow external tokens without dlvsym (with musl library),
  * propagate the crypto backend library dependency to all targets in the static build, and
  * fix the defined locking directory path.
These changes align it with Autoconf logic.
* Various code fixes based on AI-assisted reviews:
  * fix memory wiping of the larger VeraCrypt password pool,
  * remove superfluous return line in integritysetup,
  * OpenSSL crypto backend: check for maximal RAND_bytes buffer size,
  * FileVault format: use safe_alloc for key unwrapping,
  * check for strtoll() failure,
  * avoid integrity sector size overflow (when reading from disk),
  * fix device-mapper flags initialization in the error path,
  * increase buffer for keyring name in the device-mapper table to not truncate it,
  * document non-standard behavior of safe_realloc,
  * fix wrong union access for dm-integrity reload,
  * check for possible CTX_dup failure in OpenSSL crypto backend,
  * fix kernel crypto backend snprintf check,
  * fix prefix "capi:" check not to ignore colon,
  * fix device resize not to leak data on error path, and
  * fix return value in reencryption segment helper.
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 4753 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]