--- /dev/null
+From 793c786f470aeedf443686cff30f97acaff23a04 Mon Sep 17 00:00:00 2001
+From: Andrew Soutar <andrew@andrewsoutar.com>
+Date: Mon, 31 Jul 2017 02:19:16 -0400
+Subject: [PATCH 2/3] cryptsetup: fix infinite timeout (#6486)
+
+0004f698d causes `arg_timeout` to be infinity instead of 0 when timeout=0. The
+logic here now matches this change.
+
+Fixes #6381
+---
+ src/cryptsetup/cryptsetup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
+index 3b4c08616..08ed7e53b 100644
+--- a/src/cryptsetup/cryptsetup.c
++++ b/src/cryptsetup/cryptsetup.c
+@@ -56,7 +56,7 @@ static bool arg_tcrypt_veracrypt = false;
+ static char **arg_tcrypt_keyfiles = NULL;
+ static uint64_t arg_offset = 0;
+ static uint64_t arg_skip = 0;
+-static usec_t arg_timeout = 0;
++static usec_t arg_timeout = USEC_INFINITY;
+
+ /* Options Debian's crypttab knows we don't:
+
+@@ -670,10 +670,10 @@ int main(int argc, char *argv[]) {
+ if (arg_discards)
+ flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
+
+- if (arg_timeout > 0)
+- until = now(CLOCK_MONOTONIC) + arg_timeout;
+- else
++ if (arg_timeout == USEC_INFINITY)
+ until = 0;
++ else
++ until = now(CLOCK_MONOTONIC) + arg_timeout;
+
+ arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
+
+--
+2.14.0
+
--- /dev/null
+From 47d36aeaebc3083795de40c80e75f0fda48c3053 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 21 Jul 2017 07:51:07 -0400
+Subject: [PATCH 3/3] resolved: make sure idn2 conversions are roundtrippable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While working on the gateway→_gateway conversion, I noticed that
+libidn2 strips the leading underscore in some names.
+https://gitlab.com/libidn/libidn2/issues/30 was resolved in
+https://gitlab.com/libidn/libidn2/commit/05d753ea69e2308cd02436d0511f4b844071dc79,
+which disabled "STD3 ASCII rules" by default, i.e. disabled stripping
+of underscores. So the situation is that with previously released libidn2
+versions we would get incorrect behaviour, and once new libidn2 is released,
+we should be OK.
+
+Let's implement a simple test which checks that the name survives the
+roundtrip, and if it doesn't, skip IDN resolution. Under old libidn2 this will
+fail in more cases, and under new libidn2 in fewer, but should be the right
+thing to do also under new libidn2.
+---
+ src/shared/dns-domain.c | 29 ++++++++++++++++++++++++++---
+ src/test/test-dns-domain.c | 6 ++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
+index 12c4d65dd..139d286af 100644
+--- a/src/shared/dns-domain.c
++++ b/src/shared/dns-domain.c
+@@ -1274,15 +1274,38 @@ int dns_name_apply_idna(const char *name, char **ret) {
+
+ #if defined(HAVE_LIBIDN2)
+ int r;
++ _cleanup_free_ char *t = NULL;
+
+ assert(name);
+ assert(ret);
+
+- r = idn2_lookup_u8((uint8_t*) name, (uint8_t**) ret,
++ r = idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
+ IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL);
+- if (r == IDN2_OK)
++ log_debug("idn2_lookup_u8: %s → %s", name, t);
++ if (r == IDN2_OK) {
++ if (!startswith(name, "xn--")) {
++ _cleanup_free_ char *s = NULL;
++
++ r = idn2_to_unicode_8z8z(t, &s, 0);
++ if (r != IDN2_OK) {
++ log_debug("idn2_to_unicode_8z8z(\"%s\") failed: %d/%s",
++ t, r, idn2_strerror(r));
++ return 0;
++ }
++
++ if (!streq_ptr(name, s)) {
++ log_debug("idn2 roundtrip failed: \"%s\" → \"%s\" → \"%s\", ignoring.",
++ name, t, s);
++ return 0;
++ }
++ }
++
++ *ret = t;
++ t = NULL;
+ return 1; /* *ret has been written */
+- log_debug("idn2_lookup_u8(\"%s\") failed: %s", name, idn2_strerror(r));
++ }
++
++ log_debug("idn2_lookup_u8(\"%s\") failed: %d/%s", name, r, idn2_strerror(r));
+ if (r == IDN2_2HYPHEN)
+ /* The name has two hypens — forbidden by IDNA2008 in some cases */
+ return 0;
+diff --git a/src/test/test-dns-domain.c b/src/test/test-dns-domain.c
+index 11cf0b1f0..cbd2d1e65 100644
+--- a/src/test/test-dns-domain.c
++++ b/src/test/test-dns-domain.c
+@@ -652,6 +652,12 @@ static void test_dns_name_apply_idna(void) {
+ test_dns_name_apply_idna_one("föö.bär.", ret, "xn--f-1gaa.xn--br-via");
+ test_dns_name_apply_idna_one("xn--f-1gaa.xn--br-via", ret, "xn--f-1gaa.xn--br-via");
+
++ test_dns_name_apply_idna_one("_443._tcp.fedoraproject.org", ret2,
++ "_443._tcp.fedoraproject.org");
++ test_dns_name_apply_idna_one("_443", ret2, "_443");
++ test_dns_name_apply_idna_one("gateway", ret, "gateway");
++ test_dns_name_apply_idna_one("_gateway", ret2, "_gateway");
++
+ test_dns_name_apply_idna_one("r3---sn-ab5l6ne7.googlevideo.com", ret2,
+ ret2 ? "r3---sn-ab5l6ne7.googlevideo.com" : "");
+ }
+--
+2.14.0
+