2023-08-22 13:30:49 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2023-08-22 17:17:28 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Mantic |
|
2023-08-22 17:17:28 |
Dimitri John Ledkov |
bug task added |
|
cryptsetup (Ubuntu Mantic) |
|
2023-08-22 17:17:28 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Lunar |
|
2023-08-22 17:17:28 |
Dimitri John Ledkov |
bug task added |
|
cryptsetup (Ubuntu Lunar) |
|
2023-08-22 17:17:28 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Jammy |
|
2023-08-22 17:17:28 |
Dimitri John Ledkov |
bug task added |
|
cryptsetup (Ubuntu Jammy) |
|
2023-08-22 17:17:33 |
Dimitri John Ledkov |
cryptsetup (Ubuntu Lunar): status |
New |
Won't Fix |
|
2023-08-22 17:19:21 |
Dimitri John Ledkov |
description |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
[ Other Info ]
* Detected during FIPS certification of Jammy |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
|
2023-08-23 01:40:39 |
Magali Lemes do Sacramento |
bug |
|
|
added subscriber Magali Lemes do Sacramento |
2023-08-26 13:51:27 |
Launchpad Janitor |
cryptsetup (Ubuntu Mantic): status |
New |
Fix Released |
|
2023-10-13 22:11:37 |
Dimitri John Ledkov |
description |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
|
2023-10-13 22:16:43 |
Dimitri John Ledkov |
description |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
|
2023-10-13 22:17:21 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-10-17 21:01:43 |
Brian Murray |
description |
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
[ Impact ]
* Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
|
2023-10-17 21:02:02 |
Brian Murray |
description |
[ Impact ]
* Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
[ Impact ]
* Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all
* It appears the fips awareness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices |
|
2023-10-17 21:06:25 |
Brian Murray |
cryptsetup (Ubuntu Jammy): status |
New |
Fix Committed |
|
2023-10-17 21:06:27 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2023-10-17 21:06:33 |
Brian Murray |
tags |
|
verification-needed verification-needed-jammy |
|
2023-10-19 12:04:10 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Ubuntu Security Team |