cryptsetup (2:2.0.3-2) unstable; urgency=medium

    The 'decrypt_openct' keyscript has been removed, since openct itself
    is no longer developed and was removed from Debian since Jessie.

    In order to defeat online brute-force attacks, the initramfs boot
    script sleeps for 1 second after each failed try.  On the other
    hand, it no longer sleeps for a full minute after exceeding the
    maximum number of unlocking tries.  This behavior was added in
    2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping
    to the debug shell after exceeding the maximum number of unlocking
    tries, users need to use the 'panic' boot parameter and lock down
    their boot loader & BIOS/UEFI.

    The initramfs hook nows uses /proc/mounts instead of /etc/fstab to
    detect the root device that is to be unlocked at initramfs stage.

    The 'precheck' crypttab(5) option is no longer supported.  The
    precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`;
    the script refuses to unlock non-LUKS devices (plain dm-crypt and
    tcrypt devices) containing a known filesystem (other that swap).

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 22 May 2018 01:47:21 +0200

cryptsetup (2:2.0.3-1) unstable; urgency=medium

    With this version, cryptsetup has been split into cryptsetup-run
    (init script) and cryptsetup-initramfs (initramfs integration).
    'cryptsetup' is now a transitional dummy package depending on
    cryptsetup-run and cryptsetup-initramfs.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 16 May 2018 23:39:20 +0200