Merge ~ahasenack/ubuntu/+source/strongswan:cosmic-strongswan-merge-5.6.3-1 into ubuntu/+source/strongswan:debian/sid
| Status: | Merged |
|---|---|
| Approved by: | Christian Ehrhardt |
| Approved revision: | 914d0606e00afd407437ea850454beba437a0ea2 |
| Merge reported by: | Andreas Hasenack |
| Merged at revision: | 914d0606e00afd407437ea850454beba437a0ea2 |
| Proposed branch: | ~ahasenack/ubuntu/+source/strongswan:cosmic-strongswan-merge-5.6.3-1 |
| Merge into: | ubuntu/+source/strongswan:debian/sid |
| Diff against target: | 2138 lines (+1596/-92), 19 files modified |
| Related bugs: | |

Files modified:
- debian/changelog (+1216/-0)
- debian/control (+122/-6)
- debian/ipsec.secrets.proto (+0/-3)
- debian/libcharon-extra-plugins.install (+64/-12)
- debian/libcharon-standard-plugins.install (+19/-0)
- debian/libstrongswan-extra-plugins.install (+58/-0)
- debian/libstrongswan.install (+11/-6)
- debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
- debian/patches/series (+1/-0)
- debian/rules (+50/-6)
- debian/strongswan-starter.install (+4/-0)
- debian/strongswan-starter.postinst (+0/-57)
- debian/strongswan-tnc-base.install (+16/-0)
- debian/strongswan-tnc-client.install (+5/-0)
- debian/strongswan-tnc-ifmap.install (+3/-0)
- debian/strongswan-tnc-pdp.install (+3/-0)
- debian/strongswan-tnc-server.install (+10/-0)
- debian/usr.lib.ipsec.charon (+1/-1)
- debian/usr.sbin.charon-systemd (+2/-1)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Canonical Server packageset reviewers | | | Pending |

Review via email: mp+353642@code.launchpad.net
Commit message
Description of the change
Merge with Debian's 5.6.3, fixing CVE-2018-10811 and CVE-2018-5388, dropping one bit of delta that Christian submitted, acquiring another bit of delta.
https:/
Bileto ticket: https:/
The DEP8 failure in neutron-vpnaas is because python3-paramiko (2.0.0-1ubuntu1) is not installable. If you look in the architectures where the test passed, there we have paramiko 2.4.1-0ubuntu1 which is fixed.
paramiko's own dep8 tests seem to be having trouble in migration at the moment (http://
qa regression test run with old and new strongswan:
old: gw1 (https:/
Then dist-upgrade was run with the bileto ppa enabled (ppa:ci-
new: gw1 (https:/
Andreas Hasenack (ahasenack) wrote:
Christian Ehrhardt (paelzer) wrote:
- Deconstruct and Logical is good
- Changelogs are mostly good
- old changes are retained correctly (All 100% identical, you just updated the commit messages)
- as discussed, the tests look good as well; thanks for doing that two-system test that I linked you
I only must ask to fixup the changelog in one place - the mentioning of 1784023.
That is
a) not added on the merge but in 5.6.2-2ubuntu2 (currently in Added changes)
b) please break the LP: #1784023 string so that tools will not try to close the bug again
Please fix this little thing in the changelog, then I think we can upload.
- bb919ae... by Andreas Hasenack: merge-changelogs
- 1c941f6... by Andreas Hasenack: reconstruct-changelog
- bcb24b5... by Andreas Hasenack: update-maintainer
- 914d060... by Andreas Hasenack: Cleanup d/changelog (removed signed-off lines)
Christian Ehrhardt (paelzer) wrote:
Thanks for the fixup, looks good now.
Christian Ehrhardt (paelzer) wrote:
To ssh://git.
* [new tag] upload/
Andreas Hasenack (ahasenack) wrote:
Uploaded, thanks
Andreas Hasenack (ahasenack) wrote:
Here is my MP to fix the paramiko dep8 failures: https:/
Christian Ehrhardt (paelzer) wrote:
Jamie also accepted the related qa-regression-test change today.
So overall all should fit together :-)
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 6270ae7..3be3a4a 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,58 @@ | |||
6 | 1 | strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Merge with Debian unstable. Remaining changes: | ||
9 | 4 | - Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
10 | 5 | - Clean up d/strongswan-starter.postinst: Removed entire section on | ||
11 | 6 | opportunistic encryption disabling - this was never in strongSwan and | ||
12 | 7 | won't be see upstream issue #2160. | ||
13 | 8 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
14 | 9 | debconf-managed config.) | ||
15 | 10 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
16 | 11 | used for debconf-managed include of private key). | ||
17 | 12 | - Mass enablement of extra plugins and features to allow a user to use | ||
18 | 13 | strongswan for a variety of extra use cases without having to rebuild. | ||
19 | 14 | + d/control: Add required additional build-deps | ||
20 | 15 | + d/control: Mention addtionally enabled plugins | ||
21 | 16 | + d/rules: Enable features at configure stage | ||
22 | 17 | + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
23 | 18 | + d/libstrongswan.install: Add plugins (so, conf) | ||
24 | 19 | - d/strongswan-starter.install: Install pool feature, which is useful since | ||
25 | 20 | we have attr-sql plugin enabled as well using it. | ||
26 | 21 | - Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
27 | 22 | via this userspace implementation (please do note that this is still | ||
28 | 23 | considered experimental by upstream). | ||
29 | 24 | + d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
30 | 25 | + d/control: List kernel-libipsec plugin at extra plugins description | ||
31 | 26 | + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
32 | 27 | upstream recommends to not load kernel-libipsec by default. | ||
33 | 28 | - Relocate tnc plugin | ||
34 | 29 | + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
35 | 30 | + Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
36 | 31 | - d/libstrongswan.install: Reorder conf and .so alphabetically | ||
37 | 32 | - d/libstrongswan.install: Add kernel-netlink configuration files | ||
38 | 33 | - Complete the disabling of libfast; This was partially accepted in Debian, | ||
39 | 34 | it is no more packaging medcli and medsrv, but still builds and | ||
40 | 35 | mentions it. | ||
41 | 36 | + d/rules: Add --disable-fast to avoid build time and dependencies | ||
42 | 37 | + d/control: Remove medcli, medsrv from package description | ||
43 | 38 | - d/control: Mention mgf1 plugin which is in libstrongswan now | ||
44 | 39 | - Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
45 | 40 | libstrongswan-extra-plugins (no deps from default plugins). | ||
46 | 41 | - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
47 | 42 | plugins for the most common use cases from extra-plugins into a new | ||
48 | 43 | standard-plugins package. This will allow those use cases without pulling | ||
49 | 44 | in too much more plugins (a bit like the tnc package). Recommend that | ||
50 | 45 | package from strongswan-libcharon. | ||
51 | 46 | - d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
52 | 47 | attr-sql plugins (LP #1766240) | ||
53 | 48 | - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for | ||
54 | 49 | usr-merge, thanks to Christian Ehrhardt. LP #1784023 | ||
55 | 50 | * Dropped: | ||
56 | 51 | - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) | ||
57 | 52 | [Fixed in 5.6.3-1] | ||
58 | 53 | |||
59 | 54 | -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 | ||
60 | 55 | |||
61 | 1 | strongswan (5.6.3-1) unstable; urgency=medium | 56 | strongswan (5.6.3-1) unstable; urgency=medium |
62 | 2 | 57 | ||
63 | 3 | * New upstream version 5.6.2 | 58 | * New upstream version 5.6.2 |
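Review bot: In the new 5.6.3-1ubuntu1 entry, the Dropped item still carries an intact closing tag, "(LP: #1765652)", while the two Remaining items were defused to "LP #1766240" and "LP #1784023". The concern raised in the review for 1784023 (tools trying to close the bug again) applies to this line for the same reason, so break that string the same way. In the same entry, "d/usr/sbin/charon-systemd" and "d/libbstrongswan-extra-plugins.install" do not match the file names in the diff summary (debian/usr.sbin.charon-systemd, debian/libstrongswan-extra-plugins.install); as this is the one entry written fresh for the merge, it is the place to correct them.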
64 | @@ -13,6 +68,78 @@ strongswan (5.6.3-1) unstable; urgency=medium | |||
65 | 13 | 68 | ||
66 | 14 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 | 69 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
67 | 15 | 70 | ||
68 | 71 | strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium | ||
69 | 72 | |||
70 | 73 | * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 | ||
71 | 74 | |||
72 | 75 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 | ||
73 | 76 | |||
74 | 77 | strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium | ||
75 | 78 | |||
76 | 79 | * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. | ||
77 | 80 | Remaining changes: | ||
78 | 81 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
79 | 82 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
80 | 83 | opportunistic encryption disabling - this was never in strongSwan and | ||
81 | 84 | won't be see upstream issue #2160. | ||
82 | 85 | + d/rules: Removed patching ipsec.conf on build (not using the | ||
83 | 86 | debconf-managed config.) | ||
84 | 87 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
85 | 88 | used for debconf-managed include of private key). | ||
86 | 89 | + Mass enablement of extra plugins and features to allow a user to use | ||
87 | 90 | strongswan for a variety of extra use cases without having to rebuild. | ||
88 | 91 | - d/control: Add required additional build-deps | ||
89 | 92 | - d/control: Mention addtionally enabled plugins | ||
90 | 93 | - d/rules: Enable features at configure stage | ||
91 | 94 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
92 | 95 | - d/libstrongswan.install: Add plugins (so, conf) | ||
93 | 96 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
94 | 97 | we have attr-sql plugin enabled as well using it. | ||
95 | 98 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
96 | 99 | via this userspace implementation (please do note that this is still | ||
97 | 100 | considered experimental by upstream). | ||
98 | 101 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
99 | 102 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
100 | 103 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
101 | 104 | upstream recommends to not load kernel-libipsec by default. | ||
102 | 105 | + Relocate tnc plugin | ||
103 | 106 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
104 | 107 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
105 | 108 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
106 | 109 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
107 | 110 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
108 | 111 | it is no more packaging medcli and medsrv, but still builds and | ||
109 | 112 | mentions it. | ||
110 | 113 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
111 | 114 | - d/control: Remove medcli, medsrv from package description | ||
112 | 115 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
113 | 116 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
114 | 117 | libstrongswan-extra-plugins (no deps from default plugins). | ||
115 | 118 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
116 | 119 | plugins for the most common use cases from extra-plugins into a new | ||
117 | 120 | standard-plugins package. This will allow those use cases without pulling | ||
118 | 121 | in too much more plugins (a bit like the tnc package). Recommend that | ||
119 | 122 | package from strongswan-libcharon. | ||
120 | 123 | * Dropped Changes (no more needed after 18.04) | ||
121 | 124 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
122 | 125 | missed that, droppable after 18.04) | ||
123 | 126 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
124 | 127 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
125 | 128 | (droppable >18.04). | ||
126 | 129 | + d/control: add breaks/replace from libstrongswan to | ||
127 | 130 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
128 | 131 | (droppable >18.04). | ||
129 | 132 | + d/control: bump breaks/replaces for the move of the updown plugin | ||
130 | 133 | (Missed Changelog entry on last merge) | ||
131 | 134 | + d/control: fix dependencies of strongswan-libcharon due to the move | ||
132 | 135 | the updown plugin (droppable >18.04). | ||
133 | 136 | * Added Changes: | ||
134 | 137 | + d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
135 | 138 | attr-sql plugins (LP: #1766240) | ||
136 | 139 | + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) | ||
137 | 140 | |||
138 | 141 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 | ||
139 | 142 | |||
140 | 16 | strongswan (5.6.2-2) unstable; urgency=medium | 143 | strongswan (5.6.2-2) unstable; urgency=medium |
141 | 17 | 144 | ||
142 | 18 | * charon-nm: Fix building list of DNS/MDNS servers with libnm | 145 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
143 | @@ -23,6 +150,74 @@ strongswan (5.6.2-2) unstable; urgency=medium | |||
144 | 23 | 150 | ||
145 | 24 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 | 151 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
146 | 25 | 152 | ||
147 | 153 | strongswan (5.6.2-1ubuntu2) bionic; urgency=medium | ||
148 | 154 | |||
149 | 155 | * d/control: fix dependencies of strongswan-libcharon due to the move | ||
150 | 156 | the updown plugin. | ||
151 | 157 | |||
152 | 158 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 | ||
153 | 159 | |||
154 | 160 | strongswan (5.6.2-1ubuntu1) bionic; urgency=medium | ||
155 | 161 | |||
156 | 162 | * Merge with Debian unstable (LP: #1753018). Remaining changes: | ||
157 | 163 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
158 | 164 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
159 | 165 | opportunistic encryption disabling - this was never in strongSwan and | ||
160 | 166 | won't be see upstream issue #2160. | ||
161 | 167 | + Ubuntu is not using the debconf triggered private key generation | ||
162 | 168 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
163 | 169 | debconf-managed config.) | ||
164 | 170 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
165 | 171 | used for debconf-managed include of private key). | ||
166 | 172 | + Mass enablement of extra plugins and features to allow a user to use | ||
167 | 173 | strongswan for a variety of extra use cases without having to rebuild. | ||
168 | 174 | - d/control: Add required additional build-deps | ||
169 | 175 | - d/control: Mention addtionally enabled plugins | ||
170 | 176 | - d/rules: Enable features at configure stage | ||
171 | 177 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
172 | 178 | - d/libstrongswan.install: Add plugins (so, conf) | ||
173 | 179 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
174 | 180 | we have attr-sql plugin enabled as well using it. | ||
175 | 181 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
176 | 182 | via this userspace implementation (please do note that this is still | ||
177 | 183 | considered experimental by upstream). | ||
178 | 184 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
179 | 185 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
180 | 186 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
181 | 187 | upstream recommends to not load kernel-libipsec by default. | ||
182 | 188 | + Relocate tnc plugin | ||
183 | 189 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
184 | 190 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
185 | 191 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
186 | 192 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
187 | 193 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
188 | 194 | it is no more packaging medcli and medsrv, but still builds and | ||
189 | 195 | mentions it. | ||
190 | 196 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
191 | 197 | - d/control: Remove medcli, medsrv from package description | ||
192 | 198 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
193 | 199 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
194 | 200 | libstrongswan-extra-plugins (no deps from default plugins). | ||
195 | 201 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
196 | 202 | missed that, droppable after 18.04) | ||
197 | 203 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
198 | 204 | plugins for the most common use cases from extra-plugins into a new | ||
199 | 205 | standard-plugins package. This will allow those use cases without pulling | ||
200 | 206 | in too much more plugins (a bit like the tnc package). Recommend that | ||
201 | 207 | package from strongswan-libcharon. | ||
202 | 208 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
203 | 209 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
204 | 210 | (droppable >18.04). | ||
205 | 211 | + d/control: add breaks/replace from libstrongswan to | ||
206 | 212 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
207 | 213 | (droppable >18.04). | ||
208 | 214 | * Added Changes: | ||
209 | 215 | + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- | ||
210 | 216 | starter as we followed Debian to move the updown plugin but need to | ||
211 | 217 | match Ubuntu versions (Droppable >18.04). | ||
212 | 218 | |||
213 | 219 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 | ||
214 | 220 | |||
215 | 26 | strongswan (5.6.2-1) unstable; urgency=medium | 221 | strongswan (5.6.2-1) unstable; urgency=medium |
216 | 27 | 222 | ||
217 | 28 | * d/NEWS: add information about disabled algorithms (closes: #883072) | 223 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
218 | @@ -45,6 +240,129 @@ strongswan (5.6.1-3) unstable; urgency=medium | |||
219 | 45 | 240 | ||
220 | 46 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 | 241 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
221 | 47 | 242 | ||
222 | 243 | strongswan (5.6.1-2ubuntu4) bionic; urgency=medium | ||
223 | 244 | |||
224 | 245 | * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature | ||
225 | 246 | - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm | ||
226 | 247 | identifier without parameters in | ||
227 | 248 | src/libstrongswan/credentials/keys/signature_params.c. | ||
228 | 249 | - CVE-2018-6459 | ||
229 | 250 | |||
230 | 251 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 | ||
231 | 252 | |||
232 | 253 | strongswan (5.6.1-2ubuntu3) bionic; urgency=medium | ||
233 | 254 | |||
234 | 255 | * No-change rebuild against libcurl4 | ||
235 | 256 | |||
236 | 257 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 | ||
237 | 258 | |||
238 | 259 | strongswan (5.6.1-2ubuntu2) bionic; urgency=high | ||
239 | 260 | |||
240 | 261 | * No change rebuild against openssl1.1. | ||
241 | 262 | |||
242 | 263 | -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 | ||
243 | 264 | |||
244 | 265 | strongswan (5.6.1-2ubuntu1) bionic; urgency=medium | ||
245 | 266 | |||
246 | 267 | * Merge with Debian unstable (LP: #1717343). | ||
247 | 268 | Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: | ||
248 | 269 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
249 | 270 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
250 | 271 | opportunistic encryption disabling - this was never in strongSwan and | ||
251 | 272 | won't be see upstream issue #2160. | ||
252 | 273 | + Ubuntu is not using the debconf triggered private key generation | ||
253 | 274 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
254 | 275 | debconf-managed config.) | ||
255 | 276 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
256 | 277 | used for debconf-managed include of private key). | ||
257 | 278 | + Mass enablement of extra plugins and features to allow a user to use | ||
258 | 279 | strongswan for a variety of extra use cases without having to rebuild. | ||
259 | 280 | - d/control: Add required additional build-deps | ||
260 | 281 | - d/control: Mention addtionally enabled plugins | ||
261 | 282 | - d/rules: Enable features at configure stage | ||
262 | 283 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
263 | 284 | - d/libstrongswan.install: Add plugins (so, conf) | ||
264 | 285 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
265 | 286 | we have attr-sql plugin enabled as well using it. | ||
266 | 287 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
267 | 288 | via this userspace implementation (please do note that this is still | ||
268 | 289 | considered experimental by upstream). | ||
269 | 290 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
270 | 291 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
271 | 292 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
272 | 293 | upstream recommends to not load kernel-libipsec by default. | ||
273 | 294 | + Relocate tnc plugin | ||
274 | 295 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
275 | 296 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
276 | 297 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
277 | 298 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
278 | 299 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
279 | 300 | it is no more packaging medcli and medsrv, but still builds and | ||
280 | 301 | mentions it. | ||
281 | 302 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
282 | 303 | - d/control: Remove medcli, medsrv from package description | ||
283 | 304 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
284 | 305 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
285 | 306 | libstrongswan-extra-plugins (no deps from default plugins). | ||
286 | 307 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
287 | 308 | missed that, droppable after 18.04) | ||
288 | 309 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
289 | 310 | plugins for the most common use cases from extra-plugins into a new | ||
290 | 311 | standard-plugins package. This will allow those use cases without pulling | ||
291 | 312 | in too much more plugins (a bit like the tnc package). Recommend that | ||
292 | 313 | package from strongswan-libcharon. | ||
293 | 314 | * Added changes: | ||
294 | 315 | + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed | ||
295 | 316 | in 5.6 | ||
296 | 317 | + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed | ||
297 | 318 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
298 | 319 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
299 | 320 | (droppable >18.04). | ||
300 | 321 | - d/control: add breaks/replace from libstrongswan to | ||
301 | 322 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
302 | 323 | (droppable >18.04). | ||
303 | 324 | * Dropped changes: | ||
304 | 325 | + Update init/service handling (debian default matches Ubuntu past now) | ||
305 | 326 | Dropping this fixes (LP: #1734886) | ||
306 | 327 | - d/rules: Change init/systemd program name to strongswan | ||
307 | 328 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
308 | 329 | patching upstream | ||
309 | 330 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
310 | 331 | linking to upstream | ||
311 | 332 | + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call | ||
312 | 333 | (this is a never failing no-op for us, no need for Delta). | ||
313 | 334 | + d/strongswan-starter.prerm: Stop strongswan service on package removal | ||
314 | 335 | (ipsec now maps to strongswan service, so this works as-is). | ||
315 | 336 | + Clean up d/strongswan-starter.postinst: rename service ipsec to | ||
316 | 337 | strongswan (ipsec now maps to strongswan service, so this works as-is) | ||
317 | 338 | + Clean up d/strongswan-starter.postinst: daemon enable/disable (the | ||
318 | 339 | whole section is disabled, so no need for delta) | ||
319 | 340 | + (is upstream) CVE-2017-11185 patches | ||
320 | 341 | + (is upstream) FTBFS upstream fix for changed include files | ||
321 | 342 | + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under | ||
322 | 343 | QEMU/KVM autopkgtest the bliss test takes longer than the default | ||
323 | 344 | + (in Debian) add now built (since 5.5.1) mgf1 plugin to | ||
324 | 345 | libstrongswan-extra-plugins. | ||
325 | 346 | + (in Debian) d/strongswan-starter.install: install stroke apparmor profile | ||
326 | 347 | + (this was enabled as part of the former delta, squash changes to no-up) | ||
327 | 348 | d/rules: Disable duplicheck. | ||
328 | 349 | + (not needed) Relocate plugins test-vectors from extra-plugins to | ||
329 | 350 | libstrongswan | ||
330 | 351 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
331 | 352 | - d/libstrongswan.install: Add plugins/confiles | ||
332 | 353 | - d/control: move package descriptions and add required breaks/replaces | ||
333 | 354 | + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan | ||
334 | 355 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
335 | 356 | - d/libstrongswan.install: Add plugins/confiles | ||
336 | 357 | - d/control: move package descriptions and add required breaks/replaces | ||
337 | 358 | + (while using it requires special kernel, it does not hurt to be | ||
338 | 359 | available in the package) Remove ha plugin | ||
339 | 360 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
340 | 361 | - d/rules: Do not enable ha plugin | ||
341 | 362 | - d/control: Drop listing the ha plugin in the package description | ||
342 | 363 | |||
343 | 364 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 | ||
344 | 365 | |||
345 | 48 | strongswan (5.6.1-2) unstable; urgency=medium | 366 | strongswan (5.6.1-2) unstable; urgency=medium |
346 | 49 | 367 | ||
347 | 50 | * move counters plugin from -starter to -libcharon. closes: #882431 | 368 | * move counters plugin from -starter to -libcharon. closes: #882431 |
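Review bot: The 5.6.1-2ubuntu4 entry adds debian/patches/CVE-2018-6459.patch, but none of the later Ubuntu entries visible in this diff (5.6.2-1ubuntu1, 5.6.2-1ubuntu2, 5.6.2-2ubuntu1, 5.6.3-1ubuntu1) lists it under Remaining or Dropped, and the diff summary shows debian/patches/series gaining a single line. The historical entries should stay as uploaded, but the review should confirm that the fix in src/libstrongswan/credentials/keys/signature_params.c is contained in the merged source, so the security patch is known to have been superseded rather than lost. The 5.6.1-2ubuntu1 entry in this same hunk shows the pattern to follow: it records "(is upstream) CVE-2017-11185 patches" under Dropped changes.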
348 | @@ -131,6 +449,213 @@ strongswan (5.5.2-1) experimental; urgency=medium | |||
349 | 131 | 449 | ||
350 | 132 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 | 450 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
351 | 133 | 451 | ||
352 | 452 | strongswan (5.5.1-4ubuntu3) bionic; urgency=medium | ||
353 | 453 | |||
354 | 454 | * Fix Artful FTBFS due to newer glibc (LP: #1724859) | ||
355 | 455 | - d/p/utils-Include-stdint.h.patch: upstream fix for changed include | ||
356 | 456 | files. | ||
357 | 457 | |||
358 | 458 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 | ||
359 | 459 | |||
360 | 460 | strongswan (5.5.1-4ubuntu2) artful; urgency=medium | ||
361 | 461 | |||
362 | 462 | * SECURITY UPDATE: Fix RSA signature verification | ||
363 | 463 | - debian/patches/CVE-2017-11185.patch: does some | ||
364 | 464 | verifications in order to avoid null-point dereference | ||
365 | 465 | in src/libstrongswan/gmp/gmp_rsa_public_key.c | ||
366 | 466 | - CVE-2017-11185 | ||
367 | 467 | |||
368 | 468 | -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 | ||
369 | 469 | |||
370 | 470 | strongswan (5.5.1-4ubuntu1) artful; urgency=medium | ||
371 | 471 | |||
372 | 472 | * Merge from Debian to pick up latest security changes (CVE-2017-9022, | ||
373 | 473 | CVE-2017-9023). | ||
374 | 474 | * Remaining Changes: | ||
375 | 475 | + Update init/service handling | ||
376 | 476 | - d/rules: Change init/systemd program name to strongswan | ||
377 | 477 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
378 | 478 | patching upstream | ||
379 | 479 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
380 | 480 | linking to upstream | ||
381 | 481 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
382 | 482 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
383 | 483 | removal (as opposed to using the old init.d script). | ||
384 | 484 | + Clean up d/strongswan-starter.postinst: | ||
385 | 485 | - Removed section about runlevel changes | ||
386 | 486 | - Adapted service restart section for Upstart (kept to be Trusty | ||
387 | 487 | backportable). | ||
388 | 488 | - Remove old symlinks to init.d files is necessary. | ||
389 | 489 | - Removed further out-dated code | ||
390 | 490 | - Removed entire section on opportunistic encryption - this was never in | ||
391 | 491 | strongSwan. | ||
392 | 492 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
393 | 493 | + Mass enablement of extra plugins and features to allow a user to use | ||
394 | 494 | strongswan for a variety of use cases without having to rebuild. | ||
395 | 495 | - d/control: Add required additional build-deps | ||
396 | 496 | - d/rules: Enable features at configure stage | ||
397 | 497 | - d/control: Mention addtionally enabled plugins | ||
398 | 498 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
399 | 499 | - d/libstrongswan.install: Add plugins (so, conf) | ||
400 | 500 | + d/rules: Disable duplicheck as per | ||
401 | 501 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
402 | 502 | + Remove ha plugin (requires special kernel) | ||
403 | 503 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
404 | 504 | - d/rules: Do not enable ha plugin | ||
405 | 505 | - d/control: Drop listing the ha plugin in the package description | ||
406 | 506 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
407 | 507 | via this userspace implementation (please do note that this is still | ||
408 | 508 | considered experimental by upstream). | ||
409 | 509 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
410 | 510 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
411 | 511 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
412 | 512 | upstream recommends to not load kernel-libipsec by default. | ||
413 | 513 | + Relocate tnc plugin | ||
414 | 514 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
415 | 515 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
416 | 516 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
417 | 517 | having attr-sql plugin that is enabled now. | ||
418 | 518 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
419 | 519 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
420 | 520 | - d/libstrongswan.install: Add plugins/confiles | ||
421 | 521 | - d/control: move package descriptions and add required breaks/replaces | ||
422 | 522 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
423 | 523 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
424 | 524 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
425 | 525 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
426 | 526 | autopkgtest the bliss test takes longer than the default (Upstream in | ||
427 | 527 | 5.5.2 via issue 2204) | ||
428 | 528 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
429 | 529 | it is no more packaging medcli and medsrv, but still builds and | ||
430 | 530 | mentions it. | ||
431 | 531 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
432 | 532 | - d/control: Remove medcli, medsrv from package description | ||
433 | 533 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
434 | 534 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
435 | 535 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
436 | 536 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
437 | 537 | libstrongswan-extra-plugins. | ||
438 | 538 | + Add missing mention of md4 plugin in d/control | ||
439 | 539 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
440 | 540 | missed that) | ||
441 | 541 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
442 | 542 | plugins for the most common use cases from extra-plugins into a new | ||
443 | 543 | standard-plugins package. This will allow those use cases without pulling | ||
444 | 544 | in too much more plugins (a bit like the tnc package). Recommend that | ||
445 | 545 | package from strongswan-libcharon. | ||
446 | 546 | |||
447 | 547 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 | ||
448 | 548 | |||
449 | 549 | strongswan (5.5.1-3ubuntu1) artful; urgency=medium | ||
450 | 550 | |||
451 | 551 | * Merge from Debian to pick up latest changes. Among others this includes: | ||
452 | 552 | - a lot of the Delta we upstreamed to Debian (more discussions are ongoing | ||
453 | 553 | but likely have to wait until Debian stretch was released) | ||
454 | 554 | - enabling mediation support (LP: #1657413) | ||
455 | 555 | * Remaining Changes: | ||
456 | 556 | + Update init/service handling | ||
457 | 557 | - d/rules: Change init/systemd program name to strongswan | ||
458 | 558 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
459 | 559 | patching upstream | ||
460 | 560 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
461 | 561 | linking to upstream | ||
462 | 562 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
463 | 563 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
464 | 564 | removal (as opposed to using the old init.d script). | ||
465 | 565 | + Clean up d/strongswan-starter.postinst: | ||
466 | 566 | - Removed section about runlevel changes | ||
467 | 567 | - Adapted service restart section for Upstart (kept to be Trusty | ||
468 | 568 | backportable). | ||
469 | 569 | - Remove old symlinks to init.d files is necessary. | ||
470 | 570 | - Removed further out-dated code | ||
471 | 571 | - Removed entire section on opportunistic encryption - this was never in | ||
472 | 572 | strongSwan. | ||
473 | 573 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
474 | 574 | + Mass enablement of extra plugins and features to allow a user to use | ||
475 | 575 | strongswan for a variety of use cases without having to rebuild. | ||
476 | 576 | - d/control: Add required additional build-deps | ||
477 | 577 | - d/rules: Enable features at configure stage | ||
478 | 578 | - d/control: Mention addtionally enabled plugins | ||
479 | 579 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
480 | 580 | - d/libstrongswan.install: Add plugins (so, conf) | ||
481 | 581 | + d/rules: Disable duplicheck as per | ||
482 | 582 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
483 | 583 | + Remove ha plugin (requires special kernel) | ||
484 | 584 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
485 | 585 | - d/rules: Do not enable ha plugin | ||
486 | 586 | - d/control: Drop listing the ha plugin in the package description | ||
487 | 587 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
488 | 588 | via this userspace implementation (please do note that this is still | ||
489 | 589 | considered experimental by upstream). | ||
490 | 590 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
491 | 591 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
492 | 592 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
493 | 593 | upstream recommends to not load kernel-libipsec by default. | ||
494 | 594 | + Relocate tnc plugin | ||
495 | 595 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
496 | 596 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
497 | 597 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
498 | 598 | having attr-sql plugin that is enabled now. | ||
499 | 599 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
500 | 600 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
501 | 601 | - d/libstrongswan.install: Add plugins/confiles | ||
502 | 602 | - d/control: move package descriptions and add required breaks/replaces | ||
503 | 603 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
504 | 604 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
505 | 605 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
506 | 606 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
507 | 607 | autopkgtest the bliss test takes longer than the default (Upstream in | ||
508 | 608 | 5.5.2 via issue 2204) | ||
509 | 609 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
510 | 610 | it is no more packaging medcli and medsrv, but still builds and | ||
511 | 611 | mentions it. | ||
512 | 612 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
513 | 613 | - d/control: Remove medcli, medsrv from package description | ||
514 | 614 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
515 | 615 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
516 | 616 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
517 | 617 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
518 | 618 | libstrongswan-extra-plugins. | ||
519 | 619 | + Add missing mention of md4 plugin in d/control | ||
520 | 620 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
521 | 621 | missed that) | ||
522 | 622 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
523 | 623 | plugins for the most common use cases from extra-plugins into a new | ||
524 | 624 | standard-plugins package. This will allow those use cases without pulling | ||
525 | 625 | in too much more plugins (a bit like the tnc package). Recommend that | ||
526 | 626 | package from strongswan-libcharon. | ||
527 | 627 | * Dropped Changes: | ||
528 | 628 | + Add and install apparmor profiles (in Debian) | ||
529 | 629 | - d/rules: Install AppArmor profiles | ||
530 | 630 | - d/control: Add dh-apparmor build-dep | ||
531 | 631 | - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles | ||
532 | 632 | for charon, lookip and stroke | ||
533 | 633 | - d/libcharon-extra-plugins.install: Install profile for lookip | ||
534 | 634 | - d/strongswan-charon.install: Install profile for charon | ||
535 | 635 | - d/strongswan-starter.install: Install profile for stroke | ||
536 | 636 | - Fix strongswan ipsec status issue with apparmor | ||
537 | 637 | - Fix Dep8 tests for the now extra strongswan-pki package for pki | ||
538 | 638 | - Fix Dep8 tests for the now extra strongswan-scepclient package | ||
539 | 639 | + d/rules: Sorted and only one enable option per configure line (in | ||
540 | 640 | Debian) | ||
541 | 641 | + Add updated logcheck rules (in Debian) | ||
542 | 642 | - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files | ||
543 | 643 | - debian/strongswan.logcheck: Add updated logcheck rules | ||
544 | 644 | + Add updated DEP8 tests (in Debian) | ||
545 | 645 | - d/tests/*: Add DEP8 tests | ||
546 | 646 | - d/control: Enable autotestpkg | ||
547 | 647 | + d/rules: do not strip for library integrity checking (After Discussion | ||
548 | 648 | with Debian this isn't acceptable there, but at the same time it turned | ||
549 | 649 | out the real use-case of this never uses this lib but instead third | ||
550 | 650 | party checks of checksums for e.g. FIPS cert; so drop the Delta) | ||
551 | 651 | - Use override_dh_strip to to avoid overwriting user build flags. | ||
552 | 652 | - Add missing mention of libchecksum integrity test in d/control | ||
553 | 653 | + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths | ||
554 | 654 | in tests to avoid issues in low entropy environments. (Debian has | ||
555 | 655 | disabled !x86 tests for the same reason, one solution is enough) | ||
556 | 656 | |||
557 | 657 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 | ||
558 | 658 | |||
559 | 134 | strongswan (5.5.1-3) unstable; urgency=medium | 659 | strongswan (5.5.1-3) unstable; urgency=medium |
560 | 135 | 660 | ||
561 | 136 | [ Christian Ehrhardt ] | 661 | [ Christian Ehrhardt ] |
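Review bot: the "Dropped Changes" list of the 5.5.1-3ubuntu1 entry drops the d/rules "do not strip for library integrity checking" delta and the d/control mention of the libchecksum integrity test, but it does not say whether libchecksum itself is still installed. The delta existed because stripping interferes with that check, so if the library is still shipped the entry should say that the built-in integrity test is no longer supported on these binaries; otherwise someone who enables it may read the failure as tampering. Smaller point in the same entry: "d/libbstrongswan-extra-plugins.install" (doubled b) under Remaining Changes does not match the "d/libstrongswan-extra-plugins.install" used a few items later, so a grep for the file name misses it; avoid copying that spelling into new entries.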
562 | @@ -164,6 +689,136 @@ strongswan (5.5.1-2) unstable; urgency=medium | |||
563 | 164 | 689 | ||
564 | 165 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 | 690 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
565 | 166 | 691 | ||
566 | 692 | strongswan (5.5.1-1ubuntu2) zesty; urgency=medium | ||
567 | 693 | |||
568 | 694 | * Update Maintainers which was missed while merging 5.5.1-1. | ||
569 | 695 | |||
570 | 696 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 | ||
571 | 697 | |||
572 | 698 | strongswan (5.5.1-1ubuntu1) zesty; urgency=medium | ||
573 | 699 | |||
574 | 700 | * Merge from Debian (complex delta, discussions and broken out changes can be | ||
575 | 701 | found in the merge proposal linked from the merge bug LP: #1631198) | ||
576 | 702 | * Remaining Changes: | ||
577 | 703 | + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity | ||
578 | 704 | checking. | ||
579 | 705 | + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths | ||
580 | 706 | in tests to avoid issues in low entropy environments. | ||
581 | 707 | + Update init/service handling | ||
582 | 708 | - d/rules: Change init/systemd program name to strongswan | ||
583 | 709 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
584 | 710 | patching upstream | ||
585 | 711 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
586 | 712 | linking to upstream | ||
587 | 713 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
588 | 714 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
589 | 715 | removal (as opposed to using the old init.d script). | ||
590 | 716 | + Clean up d/strongswan-starter.postinst: | ||
591 | 717 | - Removed section about runlevel changes | ||
592 | 718 | - Adapted service restart section for Upstart (kept to be Trusty | ||
593 | 719 | backportable). | ||
594 | 720 | - Remove old symlinks to init.d files is necessary. | ||
595 | 721 | - Removed further out-dated code | ||
596 | 722 | - Removed entire section on opportunistic encryption - this was never in | ||
597 | 723 | strongSwan. | ||
598 | 724 | + Add and install apparmor profiles | ||
599 | 725 | - d/rules: Install AppArmor profiles | ||
600 | 726 | - d/control: Add dh-apparmor build-dep | ||
601 | 727 | - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles | ||
602 | 728 | for charon, lookip and stroke | ||
603 | 729 | - d/libcharon-extra-plugins.install: Install profile for lookip | ||
604 | 730 | - d/strongswan-charon.install: Install profile for charon | ||
605 | 731 | - d/strongswan-starter.install: Install profile for stroke | ||
606 | 732 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
607 | 733 | + d/rules: Sorted and only one enable option per configure line | ||
608 | 734 | + Mass enablement of extra plugins and features to allow a user to use | ||
609 | 735 | strongswan for a variety of use cases without having to rebuild. | ||
610 | 736 | - d/control: Add required additional build-deps | ||
611 | 737 | - d/rules: Enable features at configure stage | ||
612 | 738 | - d/control: Mention addtionally enabled plugins | ||
613 | 739 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
614 | 740 | - d/libstrongswan.install: Add plugins (so, conf) | ||
615 | 741 | + d/rules: Disable duplicheck as per | ||
616 | 742 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
617 | 743 | + Remove ha plugin (requires special kernel) | ||
618 | 744 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
619 | 745 | - d/rules: Do not enable ha plugin | ||
620 | 746 | - d/control: Drop listing the ha plugin in the package description | ||
621 | 747 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
622 | 748 | via this userspace implementation (please do note that this is still | ||
623 | 749 | considered experimental by upstream). | ||
624 | 750 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
625 | 751 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
626 | 752 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
627 | 753 | upstream recommends to not load kernel-libipsec by default. | ||
628 | 754 | + Relocate tnc plugin | ||
629 | 755 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
630 | 756 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
631 | 757 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
632 | 758 | having attr-sql plugin that is enabled now. | ||
633 | 759 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
634 | 760 | - d/libstrongswan-extra-plugins.install: Remove plugins | ||
635 | 761 | - d/libstrongswan.install: Add plugins | ||
636 | 762 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
637 | 763 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
638 | 764 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
639 | 765 | + Add updated logcheck rules | ||
640 | 766 | - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files | ||
641 | 767 | - debian/strongswan.logcheck: Add updated logcheck rules | ||
642 | 768 | + Add updated DEP8 tests | ||
643 | 769 | - d/tests/*: Add DEP8 tests | ||
644 | 770 | - d/control: Enable autotestpkg | ||
645 | 771 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
646 | 772 | autopkgtest the bliss test takes longer than the default | ||
647 | 773 | + Complete the disabling of libfast | ||
648 | 774 | - Note: This was partially accepted in Debian, it is no more | ||
649 | 775 | packaging medcli and medsrv, but still builds and mentions it | ||
650 | 776 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
651 | 777 | - d/control: Remove medcli, medsrv from package description | ||
652 | 778 | * Dropped Changes: | ||
653 | 779 | + Adding build-dep to iptables-dev (no change, was only in Changelog) | ||
654 | 780 | + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) | ||
655 | 781 | + Adding strongswan-plugin-* virtual packages for dist-upgrade (no | ||
656 | 782 | upgrade path left needing them) | ||
657 | 783 | + Most of "disabling libfast" (Debian dropped it from package content) | ||
658 | 784 | + Transition for ipsec service (no upgrade path left) | ||
659 | 785 | + Reverted part of the cleanup to d/strongswan-starter.postinst as using | ||
660 | 786 | service should rather use invoke-rc.d (so it is a partial revert of our | ||
661 | 787 | delta) | ||
662 | 788 | + Transition handling (breaks/replaces) from per-plugin packages to the | ||
663 | 789 | three grouped plugin packages (no upgrade path left) | ||
664 | 790 | + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" | ||
665 | 791 | it is effectively a no-op still, so not worth the delta) | ||
666 | 792 | + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise | ||
667 | 793 | (no more needed) | ||
668 | 794 | + d/rules: Remove configure option --enable-unit-test (unit tests run by | ||
669 | 795 | default) | ||
670 | 796 | * Added Changes: | ||
671 | 797 | + Fix strongswan ipsec status issue with apparmor (LP: #1587886) | ||
672 | 798 | + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup | ||
673 | 799 | the relocation of the ccm plugin which missed to move the conffiles. | ||
674 | 800 | + Complete move of test-vectors (was missing in d/control) | ||
675 | 801 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
676 | 802 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
677 | 803 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
678 | 804 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
679 | 805 | libstrongswan-extra-plugins. | ||
680 | 806 | + Add missing mention of md4 plugin in d/control | ||
681 | 807 | + Add missing mention of libchecksum integrity test in d/control | ||
682 | 808 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
683 | 809 | missed that) | ||
684 | 810 | + Use override_dh_strip to to fix library integrity checking instead of | ||
685 | 811 | DEB_BUILD_OPTION to avoid overwriting user build flags. | ||
686 | 812 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
687 | 813 | plugins for the most common use cases from extra-plugins into a new | ||
688 | 814 | standard-plugins package. This will allow those use cases without pulling | ||
689 | 815 | in too much more plugins (a bit like the tnc package). Recommend that | ||
690 | 816 | package from strongswan-libcharon (LP: #1640826). | ||
691 | 817 | + Fix Dep8 tests for the now extra strongswan-pki package for pki | ||
692 | 818 | + Fix Dep8 tests for the now extra strongswan-scepclient package | ||
693 | 819 | |||
694 | 820 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 | ||
695 | 821 | |||
696 | 167 | strongswan (5.5.1-1) unstable; urgency=medium | 822 | strongswan (5.5.1-1) unstable; urgency=medium |
697 | 168 | 823 | ||
698 | 169 | * New upstream bugfix release. | 824 | * New upstream bugfix release. |
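Review bot: the 5.5.1-1ubuntu1 entry describes two mutually exclusive strip mechanisms as current. Remaining Changes lists "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while Added Changes says override_dh_strip is used "instead of DEB_BUILD_OPTION to avoid overwriting user build flags". Only one of these can describe d/rules at that version. Anyone auditing how the integrity-checked libraries were built needs to know which, so later summaries of this delta should cite only override_dh_strip, and the "to to" and "DEB_BUILD_OPTION" wording should not be propagated.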
699 | @@ -280,6 +935,177 @@ strongswan (5.3.5-2) unstable; urgency=medium | |||
700 | 280 | 935 | ||
701 | 281 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 | 936 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
702 | 282 | 937 | ||
703 | 938 | strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium | ||
704 | 939 | |||
705 | 940 | * Build-depend on libjson-c-dev instead of libjson0-dev. | ||
706 | 941 | * Rebuild against libjson-c3. | ||
707 | 942 | |||
708 | 943 | -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 | ||
709 | 944 | |||
710 | 945 | strongswan (5.3.5-1ubuntu3) xenial; urgency=medium | ||
711 | 946 | |||
712 | 947 | * Rebuild against libmysqlclient20. | ||
713 | 948 | |||
714 | 949 | -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 | ||
715 | 950 | |||
716 | 951 | strongswan (5.3.5-1ubuntu2) xenial; urgency=medium | ||
717 | 952 | |||
718 | 953 | * debian/tests/plugins: rdrand may or may not be loaded, depending on the | ||
719 | 954 | cpu features. | ||
720 | 955 | |||
721 | 956 | -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 | ||
722 | 957 | |||
723 | 958 | strongswan (5.3.5-1ubuntu1) xenial; urgency=medium | ||
724 | 959 | |||
725 | 960 | * debian/{rules,control,libstrongswan-extra-plugins.install} | ||
726 | 961 | Enable bliss plugin | ||
727 | 962 | * debian/{rules,control,libstrongswan-extra-plugins.install} | ||
728 | 963 | Enable chapoly plugin | ||
729 | 964 | * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch | ||
730 | 965 | Upstream suggests to not load this plugin by default as it has | ||
731 | 966 | some limitations. | ||
732 | 967 | https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec | ||
733 | 968 | * debian/patches/increase-bliss-test-timeout.patch | ||
734 | 969 | Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default | ||
735 | 970 | * Update Apparmor profiles | ||
736 | 971 | - usr.lib.ipsec.charon | ||
737 | 972 | - add capability audit_write for xauth-pam (LP: #1470277) | ||
738 | 973 | - add capability dac_override (needed by agent plugin) | ||
739 | 974 | - allow priv dropping (LP: #1333655) | ||
740 | 975 | - allow caching CRLs (LP: #1505222) | ||
741 | 976 | - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) | ||
742 | 977 | - usr.lib.ipsec.stroke | ||
743 | 978 | - allow priv dropping (LP: #1333655) | ||
744 | 979 | - add local include | ||
745 | 980 | - usr.lib.ipsec.lookip | ||
746 | 981 | - add local include | ||
747 | 982 | * Merge from Debian, which includes fixes for all previous CVEs | ||
748 | 983 | Fixes (LP: #1330504, #1451091, #1448870, #1470277) | ||
749 | 984 | Remaining changes: | ||
750 | 985 | * debian/control | ||
751 | 986 | - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise | ||
752 | 987 | - Update Maintainer for Ubuntu | ||
753 | 988 | - Add build-deps | ||
754 | 989 | - dh-apparmor | ||
755 | 990 | - iptables-dev | ||
756 | 991 | - libjson0-dev | ||
757 | 992 | - libldns-dev | ||
758 | 993 | - libmysqlclient-dev | ||
759 | 994 | - libpcsclite-dev | ||
760 | 995 | - libsoup2.4-dev | ||
761 | 996 | - libtspi-dev | ||
762 | 997 | - libunbound-dev | ||
763 | 998 | - Drop build-deps | ||
764 | 999 | - libfcgi-dev | ||
765 | 1000 | - clearsilver-dev | ||
766 | 1001 | - Create virtual packages for all strongswan-plugin-* for dist-upgrade | ||
767 | 1002 | - Set XS-Testsuite: autopkgtest | ||
768 | 1003 | * debian/rules: | ||
769 | 1004 | - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. | ||
770 | 1005 | - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in | ||
771 | 1006 | tests. | ||
772 | 1007 | - Change init/systemd program name to strongswan | ||
773 | 1008 | - Install AppArmor profiles | ||
774 | 1009 | - Removed pieces on 'patching ipsec.conf' on build. | ||
775 | 1010 | - Enablement of features per Ubuntu current config suggested from | ||
776 | 1011 | upstream recommendation | ||
777 | 1012 | - Unpack and sort enabled features to one-per-line | ||
778 | 1013 | - Disable duplicheck as per | ||
779 | 1014 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
780 | 1015 | - Disable libfast (--disable-fast): | ||
781 | 1016 | Requires dropping medsrv, medcli plugins which depend on libfast | ||
782 | 1017 | - Add configure options | ||
783 | 1018 | --with-tss=trousers | ||
784 | 1019 | - Remove configure options: | ||
785 | 1020 | --enable-ha (requires special kernel) | ||
786 | 1021 | --enable-unit-test (unit tests run by default) | ||
787 | 1022 | - Drop logcheck install | ||
788 | 1023 | * debian/tests/* | ||
789 | 1024 | - Add DEP8 test for strongswan service and plugins | ||
790 | 1025 | * debian/strongswan-starter.strongswan.service | ||
791 | 1026 | - Add new systemd file instead of patching upstream | ||
792 | 1027 | * debian/strongswan-starter.links | ||
793 | 1028 | - removed, use Ubuntu systemd file instead of linking to upstream | ||
794 | 1029 | * debian/usr.lib.ipsec.{charon, lookip, stroke} | ||
795 | 1030 | - added AppArmor profiles for charon, lookip and stroke | ||
796 | 1031 | * debian/libcharon-extra-plugins.install | ||
797 | 1032 | - Add plugins | ||
798 | 1033 | - kernel-libipsec.{so, lib, conf, apparmor} | ||
799 | 1034 | - Remove plugins | ||
800 | 1035 | - libstrongswan-ha.so | ||
801 | 1036 | - Relocate plugins | ||
802 | 1037 | - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) | ||
803 | 1038 | * debian/libstrongswan-extra-plugins.install | ||
804 | 1039 | - Add plugins (so, lib, conf) | ||
805 | 1040 | - acert | ||
806 | 1041 | - attr-sql | ||
807 | 1042 | - coupling | ||
808 | 1043 | - dnscert | ||
809 | 1044 | - fips-prf | ||
810 | 1045 | - gmp | ||
811 | 1046 | - ipseckey | ||
812 | 1047 | - load-tester | ||
813 | 1048 | - mysql | ||
814 | 1049 | - ntru | ||
815 | 1050 | - radattr | ||
816 | 1051 | - soup | ||
817 | 1052 | - sqlite | ||
818 | 1053 | - sql | ||
819 | 1054 | - systime-fix | ||
820 | 1055 | - unbound | ||
821 | 1056 | - whitelist | ||
822 | 1057 | - Relocate plugins (so, lib, conf) | ||
823 | 1058 | - ccm (libstrongswan.install) | ||
824 | 1059 | - test-vectors (libstrongswan.install) | ||
825 | 1060 | * debian/libstrongswan.install | ||
826 | 1061 | - Sort sections | ||
827 | 1062 | - Add plugins (so, lib, conf) | ||
828 | 1063 | - libchecksum | ||
829 | 1064 | - ccm | ||
830 | 1065 | - eap-identity | ||
831 | 1066 | - md4 | ||
832 | 1067 | - test-vectors | ||
833 | 1068 | * debian/strongswan-charon.install | ||
834 | 1069 | - Add AppArmor profile for charon | ||
835 | 1070 | * debian/strongswan-starter.install | ||
836 | 1071 | - Add tools, manpages, conf | ||
837 | 1072 | - openac | ||
838 | 1073 | - pool | ||
839 | 1074 | - _updown_espmark | ||
840 | 1075 | - Add AppArmor profile for stroke | ||
841 | 1076 | * debian/strongswan-tnc-base.install | ||
842 | 1077 | - Add new subpackage for TNC | ||
843 | 1078 | - remove non-existent (dropped in 5.2.1) libpts library files | ||
844 | 1079 | * debian/strongswan-tnc-client.install | ||
845 | 1080 | - Add new subpackage for TNC | ||
846 | 1081 | * debian/strongswan-tnc-ifmap.install | ||
847 | 1082 | - Add new subpackage for TNC | ||
848 | 1083 | * debian/strongswan-tnc-pdp.install | ||
849 | 1084 | - Add new subpackage for TNC | ||
850 | 1085 | * debian/strongswan-tnc-server.install | ||
851 | 1086 | - Add new subpackage for TNC | ||
852 | 1087 | * debian/strongswan-starter.postinit: | ||
853 | 1088 | - Removed section about runlevel changes, it's almost 2014. | ||
854 | 1089 | - Adapted service restart section for Upstart. | ||
855 | 1090 | - Remove old symlinks to init.d files is necessary. | ||
856 | 1091 | * debian/strongswan-starter.dirs: Don't touch /etc/init.d. | ||
857 | 1092 | * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
858 | 1093 | * debian/strongswan-starter.prerm: Stop strongswan service on package | ||
859 | 1094 | removal (as opposed to using the old init.d script). | ||
860 | 1095 | * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck | ||
861 | 1096 | - logcheck patterns updated to be helpful | ||
862 | 1097 | * debian/strongswan-starter.postinst: Removed further out-dated code and | ||
863 | 1098 | entire section on opportunistic encryption - this was never in strongSwan. | ||
864 | 1099 | * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
865 | 1100 | Drop changes: | ||
866 | 1101 | * debian/control | ||
867 | 1102 | - Per-plugin package breakup: Reducing packaging delta from Debian | ||
868 | 1103 | - Don't build dhcp, farp subpackages: Reduce packging delta from Debian | ||
869 | 1104 | * debian/watch: Already exists in Debian merge | ||
870 | 1105 | * debian/upstream/signing-key.asc: Upstream has newer version. | ||
871 | 1106 | |||
872 | 1107 | -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 | ||
873 | 1108 | |||
874 | 283 | strongswan (5.3.5-1) unstable; urgency=medium | 1109 | strongswan (5.3.5-1) unstable; urgency=medium |
875 | 284 | 1110 | ||
876 | 285 | * New upstream bugfix release. | 1111 | * New upstream bugfix release. |
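Review bot: the AppArmor changes for usr.lib.ipsec.charon in the 5.3.5-1ubuntu1 entry grant "capability dac_override (needed by agent plugin)" and "rw access to /dev/net/tun for kernel-libipsec" in the main profile, yet the same entry adds dont-load-kernel-libipsec-plugin-by-default.patch because upstream suggests not loading that plugin by default. That leaves every charon instance confined with permissions that only opt-in plugins need. The entry lists "add local include" for stroke and lookip but not for charon; adding one there and moving the /dev/net/tun rule (and, if possible, dac_override) into a documented local override would keep the default profile at least privilege. Also, "debian/strongswan-starter.postinit:" further down looks like a slip for the postinst file named a few lines later.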
877 | @@ -552,6 +1378,210 @@ strongswan (5.1.2-1) unstable; urgency=medium | |||
878 | 552 | 1378 | ||
879 | 553 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 | 1379 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
880 | 554 | 1380 | ||
881 | 1381 | strongswan (5.1.2-0ubuntu8) xenial; urgency=medium | ||
882 | 1382 | |||
883 | 1383 | * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) | ||
884 | 1384 | |||
885 | 1385 | -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 | ||
886 | 1386 | |||
887 | 1387 | strongswan (5.1.2-0ubuntu7) xenial; urgency=medium | ||
888 | 1388 | |||
889 | 1389 | * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin | ||
890 | 1390 | - debian/patches/CVE-2015-8023.patch: only succeed authentication if | ||
891 | 1391 | MSK was established in | ||
892 | 1392 | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. | ||
893 | 1393 | - CVE-2015-8023 | ||
894 | 1394 | * debian/patches/disable_ntru_test.patch: disable test causing FTBFS | ||
895 | 1395 | until regression is properly investigated. | ||
896 | 1396 | |||
897 | 1397 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 | ||
898 | 1398 | |||
899 | 1399 | strongswan (5.1.2-0ubuntu6) wily; urgency=medium | ||
900 | 1400 | |||
901 | 1401 | * SECURITY UPDATE: user credential disclosure to rogue servers | ||
902 | 1402 | - debian/patches/CVE-2015-4171.patch: enforce remote authentication | ||
903 | 1403 | config before proceeding with own authentication in | ||
904 | 1404 | src/libcharon/sa/ikev2/tasks/ike_auth.c. | ||
905 | 1405 | - CVE-2015-4171 | ||
906 | 1406 | * debian/rules: don't FTBFS from unused service file | ||
907 | 1407 | |||
908 | 1408 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 | ||
909 | 1409 | |||
910 | 1410 | strongswan (5.1.2-0ubuntu5) vivid; urgency=medium | ||
911 | 1411 | |||
912 | 1412 | * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. | ||
913 | 1413 | |||
914 | 1414 | -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 | ||
915 | 1415 | |||
916 | 1416 | strongswan (5.1.2-0ubuntu4) vivid; urgency=medium | ||
917 | 1417 | |||
918 | 1418 | * SECURITY UPDATE: denial of service via DH group 1025 | ||
919 | 1419 | - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of | ||
920 | 1420 | IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, | ||
921 | 1421 | src/libstrongswan/crypto/diffie_hellman.h. | ||
922 | 1422 | - CVE-2014-9221 | ||
923 | 1423 | |||
924 | 1424 | -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 | ||
925 | 1425 | |||
926 | 1426 | strongswan (5.1.2-0ubuntu3) utopic; urgency=low | ||
927 | 1427 | |||
928 | 1428 | * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix | ||
929 | 1429 | build. | ||
930 | 1430 | |||
931 | 1431 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 | ||
932 | 1432 | |||
933 | 1433 | strongswan (5.1.2-0ubuntu2) trusty; urgency=medium | ||
934 | 1434 | |||
935 | 1435 | * SECURITY UPDATE: remote authentication bypass | ||
936 | 1436 | - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange | ||
937 | 1437 | on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. | ||
938 | 1438 | - CVE-2014-2338 | ||
939 | 1439 | |||
940 | 1440 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 | ||
941 | 1441 | |||
942 | 1442 | strongswan (5.1.2-0ubuntu1) trusty; urgency=low | ||
943 | 1443 | |||
944 | 1444 | * New upstream release. | ||
945 | 1445 | |||
946 | 1446 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 | ||
947 | 1447 | |||
948 | 1448 | strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low | ||
949 | 1449 | |||
950 | 1450 | * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
951 | 1451 | * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. | ||
952 | 1452 | |||
953 | 1453 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 | ||
954 | 1454 | |||
955 | 1455 | strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low | ||
956 | 1456 | |||
957 | 1457 | * New upstream release candidate. | ||
958 | 1458 | |||
959 | 1459 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 | ||
960 | 1460 | |||
961 | 1461 | strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium | ||
962 | 1462 | |||
963 | 1463 | * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct | ||
964 | 1464 | packages. | ||
965 | 1465 | * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. | ||
966 | 1466 | |||
967 | 1467 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 | ||
968 | 1468 | |||
969 | 1469 | strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low | ||
970 | 1470 | |||
971 | 1471 | * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. | ||
972 | 1472 | |||
973 | 1473 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 | ||
974 | 1474 | |||
975 | 1475 | strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low | ||
976 | 1476 | |||
977 | 1477 | * debian/libstrongswan.install: Moved rdrand plugin configuration to rules | ||
978 | 1478 | as it's only useful on amd64. | ||
979 | 1479 | * debian/watch: Added opts=pgpsigurlmangle option. | ||
980 | 1480 | * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. | ||
981 | 1481 | |||
982 | 1482 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 | ||
983 | 1483 | |||
984 | 1484 | strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium | ||
985 | 1485 | |||
986 | 1486 | * New upstream release candidate. | ||
987 | 1487 | * debian/*.install - include new configuration files for plugins in | ||
988 | 1488 | appropiate packages. | ||
989 | 1489 | |||
990 | 1490 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 | ||
991 | 1491 | |||
992 | 1492 | strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low | ||
993 | 1493 | |||
994 | 1494 | * debian/control: | ||
995 | 1495 | - Added Breaks/Replaces for all library files which have been moved | ||
996 | 1496 | about (LP: #1278176). | ||
997 | 1497 | - Removed build-dependency on check and added one on dh-apparmor. | ||
998 | 1498 | * debian/strongswan-starter.postinst: Removed further out-dated code and | ||
999 | 1499 | entire section on opportunistic encryption - this was never in strongSwan. | ||
1000 | 1500 | * debian/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
1001 | 1501 | |||
1002 | 1502 | -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 | ||
1003 | 1503 | |||
1004 | 1504 | strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low | ||
1005 | 1505 | |||
1006 | 1506 | * debian/control: Fixed references to plugin-fips-prf. | ||
1007 | 1507 | |||
1008 | 1508 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 | ||
1009 | 1509 | |||
1010 | 1510 | strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low | ||
1011 | 1511 | |||
1012 | 1512 | * Upstream Git snapshot for build fixes with regards to entropy. | ||
1013 | 1513 | * debian/rules: | ||
1014 | 1514 | - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. | ||
1015 | 1515 | - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in | ||
1016 | 1516 | tests. | ||
1017 | 1517 | |||
1018 | 1518 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 | ||
1019 | 1519 | |||
1020 | 1520 | strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low | ||
1021 | 1521 | |||
1022 | 1522 | * New upstream developer release. | ||
1023 | 1523 | * Made changes to packaging per upstream suggestions. | ||
1024 | 1524 | - Dropped medcli and medsrv packages - not recommended by upstream at this | ||
1025 | 1525 | time. | ||
1026 | 1526 | - Dropped ha plugin - needs special kernel. | ||
1027 | 1527 | - Improved all package descriptions in general. | ||
1028 | 1528 | - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. | ||
1029 | 1529 | - Removed debian/*logcheck* files - not relevant to strongSwan. | ||
1030 | 1530 | - Split dhcp and farp packages into sub-packages. | ||
1031 | 1531 | - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. | ||
1032 | 1532 | - Changes to TNC-related packages. | ||
1033 | 1533 | * Created AppArmor profiles for lookip and stroke. | ||
1034 | 1534 | |||
1035 | 1535 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 | ||
1036 | 1536 | |||
1037 | 1537 | strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low | ||
1038 | 1538 | |||
1039 | 1539 | * libstrongswan.install: Removed lingering unit-tester.so reference. | ||
1040 | 1540 | |||
1041 | 1541 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 | ||
1042 | 1542 | |||
1043 | 1543 | strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low | ||
1044 | 1544 | |||
1045 | 1545 | * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. | ||
1046 | 1546 | Incorporates upstream fixes for: | ||
1047 | 1547 | - Integrity testing. | ||
1048 | 1548 | - Unit test failures on little endian systems. | ||
1049 | 1549 | * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed | ||
1050 | 1550 | upstream. | ||
1051 | 1551 | * debian/rules: | ||
1052 | 1552 | - Stop using CK_TIMEOUT_MULTIPLIER. | ||
1053 | 1553 | - Stop enabling the test suite only on non-powerpc arches (it runs | ||
1054 | 1554 | anyway). | ||
1055 | 1555 | |||
1056 | 1556 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 | ||
1057 | 1557 | |||
1058 | 1558 | strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low | ||
1059 | 1559 | |||
1060 | 1560 | * debian/control: Reinstate missing comma in dependencies. | ||
1061 | 1561 | |||
1062 | 1562 | -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 | ||
1063 | 1563 | |||
1064 | 1564 | strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low | ||
1065 | 1565 | |||
1066 | 1566 | * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue | ||
1067 | 1567 | where test for >2038 tests on 32-bit platforms is broken. | ||
1068 | 1568 | - Reported upstream: https://wiki.strongswan.org/issues/477 | ||
1069 | 1569 | * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. | ||
1070 | 1570 | |||
1071 | 1571 | -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 | ||
1072 | 1572 | |||
1073 | 1573 | strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low | ||
1074 | 1574 | |||
1075 | 1575 | * New upstream developer release. | ||
1076 | 1576 | * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, | ||
1077 | 1577 | and --enable-unity. | ||
1078 | 1578 | * debian/control: | ||
1079 | 1579 | - New plugin packages created for the above | ||
1080 | 1580 | - Split fips-prf into its own package. | ||
1081 | 1581 | - Added build-dependency on libsoup2.4-dev. | ||
1082 | 1582 | |||
1083 | 1583 | -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 | ||
1084 | 1584 | |||
1085 | 555 | strongswan (5.1.1-3) unstable; urgency=low | 1585 | strongswan (5.1.1-3) unstable; urgency=low |
1086 | 556 | 1586 | ||
1087 | 557 | * Upload to unstable. | 1587 | * Upload to unstable. |
1088 | @@ -643,6 +1673,192 @@ strongswan (5.1.1-1) unstable; urgency=low | |||
1089 | 643 | 1673 | ||
1090 | 644 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 | 1674 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1091 | 645 | 1675 | ||
1092 | 1676 | strongswan (5.1.1-0ubuntu17) trusty; urgency=low | ||
1093 | 1677 | |||
1094 | 1678 | * debian/control: | ||
1095 | 1679 | - Make strongswan-ike depend on iproute2. | ||
1096 | 1680 | - Added xauth plugin dependency on strongswan-plugin-eap-gtc. | ||
1097 | 1681 | - Created strongswan-libfast package. | ||
1098 | 1682 | |||
1099 | 1683 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 | ||
1100 | 1684 | |||
1101 | 1685 | strongswan (5.1.1-0ubuntu16) trusty; urgency=low | ||
1102 | 1686 | |||
1103 | 1687 | * debian/control: | ||
1104 | 1688 | - Further splitting of plugins into subpackages (such as all EAP plugins | ||
1105 | 1689 | to their own packages). | ||
1106 | 1690 | - Added libpcsclite-dev to build-dependencies. | ||
1107 | 1691 | * debian/rules: | ||
1108 | 1692 | - Sort configure options in alphabetical order. | ||
1109 | 1693 | - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, | ||
1110 | 1694 | --enable-eap-sim-file, --enable-eap-sim-pcsc, | ||
1111 | 1695 | --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and | ||
1112 | 1696 | --enable-eap-simaka-sql. | ||
1113 | 1697 | - Don't exclude medsrv from install. | ||
1114 | 1698 | * Moved eap-identity.so to libstrongswan package as it's used by all the | ||
1115 | 1699 | other EAP plugins. | ||
1116 | 1700 | |||
1117 | 1701 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 | ||
1118 | 1702 | |||
1119 | 1703 | strongswan (5.1.1-0ubuntu15) trusty; urgency=low | ||
1120 | 1704 | |||
1121 | 1705 | * debian/control: | ||
1122 | 1706 | - Split plugins from libstrongswan package into modular subpackages. | ||
1123 | 1707 | - Added libmysqlclient-dev to build-dependencies. | ||
1124 | 1708 | - strongswan-ike: Set to depend on either strongswan-plugins-openssl or | ||
1125 | 1709 | strongswan-plugins-gcrypt. | ||
1126 | 1710 | - strongswan-ike: All other plugins added to Suggests. | ||
1127 | 1711 | - Created two new TNC packages: strongswan-tnc-ifmap and | ||
1128 | 1712 | strongswan-tnc-pdp and added to tnc-imcvs Suggests. | ||
1129 | 1713 | * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, | ||
1130 | 1714 | --enable-error-notify, --enable-mysql, --enable-load-tester, | ||
1131 | 1715 | --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. | ||
1132 | 1716 | * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. | ||
1133 | 1717 | |||
1134 | 1718 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 | ||
1135 | 1719 | |||
1136 | 1720 | strongswan (5.1.1-0ubuntu14) trusty; urgency=low | ||
1137 | 1721 | |||
1138 | 1722 | * debian/rules: | ||
1139 | 1723 | - CK_TIMEOUT_MULTIPLIER back down to 6. | ||
1140 | 1724 | - Disable unit tests on powerpc. | ||
1141 | 1725 | |||
1142 | 1726 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 | ||
1143 | 1727 | |||
1144 | 1728 | strongswan (5.1.1-0ubuntu13) trusty; urgency=low | ||
1145 | 1729 | |||
1146 | 1730 | * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. | ||
1147 | 1731 | |||
1148 | 1732 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 | ||
1149 | 1733 | |||
1150 | 1734 | strongswan (5.1.1-0ubuntu12) trusty; urgency=low | ||
1151 | 1735 | |||
1152 | 1736 | * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and | ||
1153 | 1737 | armhf. | ||
1154 | 1738 | |||
1155 | 1739 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 | ||
1156 | 1740 | |||
1157 | 1741 | strongswan (5.1.1-0ubuntu11) trusty; urgency=low | ||
1158 | 1742 | |||
1159 | 1743 | * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on | ||
1160 | 1744 | one extra arch. | ||
1161 | 1745 | * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. | ||
1162 | 1746 | |||
1163 | 1747 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 | ||
1164 | 1748 | |||
1165 | 1749 | strongswan (5.1.1-0ubuntu10) trusty; urgency=low | ||
1166 | 1750 | |||
1167 | 1751 | * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - | ||
1168 | 1752 | - Increases RSA key generate test timeout to 30 seconds so that it doesn't | ||
1169 | 1753 | fail on armhf, arm64, and powerppc. | ||
1170 | 1754 | * Contrary to what the last changelog entry says, we are still running | ||
1171 | 1755 | strongswan as root (with AppArmor protection). | ||
1172 | 1756 | |||
1173 | 1757 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 | ||
1174 | 1758 | |||
1175 | 1759 | strongswan (5.1.1-0ubuntu9) trusty; urgency=low | ||
1176 | 1760 | |||
1177 | 1761 | * debian/rules: Added to configure options: | ||
1178 | 1762 | - --enable-tnc-ifmap: enable TNC IF-MAP module. | ||
1179 | 1763 | - --enable-duplicheck: enable duplicheck plugin. | ||
1180 | 1764 | - --enable-imv-swid, --enable-imc-swid: Added. | ||
1181 | 1765 | - Run strongswan as it's own user. | ||
1182 | 1766 | * debian/strongswan-starter.install: Install duplicheck. | ||
1183 | 1767 | * debian/strongswan-tnc-imcvs.install: Install swidtags. | ||
1184 | 1768 | |||
1185 | 1769 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 | ||
1186 | 1770 | |||
1187 | 1771 | strongswan (5.1.1-0ubuntu8) trusty; urgency=low | ||
1188 | 1772 | |||
1189 | 1773 | * debian/rules: Added to configure options: | ||
1190 | 1774 | - --enable-unit-tests: check unit testing on build. | ||
1191 | 1775 | - --enable-unbound: for validating DNS lookups. | ||
1192 | 1776 | - --enable-dnscert: for DNSCERT peer authentication. | ||
1193 | 1777 | - --enable-ipseckey: for IPSEC key authentication. | ||
1194 | 1778 | - --enable-lookip: for LookIP functionality. | ||
1195 | 1779 | - --enable-coupling: certificate coupling functionality. | ||
1196 | 1780 | * debian/control: Added check, libldns-dev, libunbound-dev to | ||
1197 | 1781 | build-dependencies. | ||
1198 | 1782 | * debian/libstrongswan.install: Install new plugin .so's. | ||
1199 | 1783 | * debian/strongswan-starter.install: Added lookip. | ||
1200 | 1784 | |||
1201 | 1785 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 | ||
1202 | 1786 | |||
1203 | 1787 | strongswan (5.1.1-0ubuntu7) trusty; urgency=low | ||
1204 | 1788 | |||
1205 | 1789 | * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent | ||
1206 | 1790 | the former from depending on the latter). | ||
1207 | 1791 | |||
1208 | 1792 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 | ||
1209 | 1793 | |||
1210 | 1794 | strongswan (5.1.1-0ubuntu6) trusty; urgency=low | ||
1211 | 1795 | |||
1212 | 1796 | * debian/strongswan-starter.prerm: Stop strongswan service on package | ||
1213 | 1797 | removal (as opposed to using the old init.d script). | ||
1214 | 1798 | |||
1215 | 1799 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 | ||
1216 | 1800 | |||
1217 | 1801 | strongswan (5.1.1-0ubuntu5) trusty; urgency=low | ||
1218 | 1802 | |||
1219 | 1803 | * debian/rules: | ||
1220 | 1804 | - CONFIGUREARGS: Merged Debian and RPM options. | ||
1221 | 1805 | - Brings in TNC functionality. | ||
1222 | 1806 | * debian/control: | ||
1223 | 1807 | - Added build-dependency on libtspi-dev. | ||
1224 | 1808 | - Created strongswan-tnc-imcvs binary package for TNC components. | ||
1225 | 1809 | - Added strongswan-tnc-imcvs to libstrongswan's Suggests. | ||
1226 | 1810 | * debian/libstrongswan.install: | ||
1227 | 1811 | - Included newly built MD4 and SQLite libraries. | ||
1228 | 1812 | - Removed 'tnc' references (moved to TNC package). | ||
1229 | 1813 | * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and | ||
1230 | 1814 | binaries. | ||
1231 | 1815 | * debian/usr.lib.ipsec.charon: Allow access to TNC modules. | ||
1232 | 1816 | |||
1233 | 1817 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 | ||
1234 | 1818 | |||
1235 | 1819 | strongswan (5.1.1-0ubuntu4) trusty; urgency=low | ||
1236 | 1820 | |||
1237 | 1821 | * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. | ||
1238 | 1822 | * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
1239 | 1823 | * debian/control: strongswan-ike - Stop depending on ipsec-tools. | ||
1240 | 1824 | |||
1241 | 1825 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 | ||
1242 | 1826 | |||
1243 | 1827 | strongswan (5.1.1-0ubuntu3) trusty; urgency=low | ||
1244 | 1828 | |||
1245 | 1829 | * strongswan-starter.strongswan.upstart - Only start strongSwan when a | ||
1246 | 1830 | network connection is available. | ||
1247 | 1831 | * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to | ||
1248 | 1832 | 1.16.1 - to make precise backporting easier. | ||
1249 | 1833 | |||
1250 | 1834 | -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 | ||
1251 | 1835 | |||
1252 | 1836 | strongswan (5.1.1-0ubuntu2) trusty; urgency=low | ||
1253 | 1837 | |||
1254 | 1838 | * strongswan-starter.strongswan.upstart - Created Upstart job for | ||
1255 | 1839 | strongSwan. | ||
1256 | 1840 | * debian/rules: Set dh_installinit to install above file. | ||
1257 | 1841 | * debian/strongswan-starter.postinit: | ||
1258 | 1842 | - Removed section about runlevel changes, it's almost 2014. | ||
1259 | 1843 | - Adapted service restart section for Upstart. | ||
1260 | 1844 | - Remove old symlinks to init.d files is necessary. | ||
1261 | 1845 | * debian/strongswan-starter.dirs: Don't touch /etc/init.d. | ||
1262 | 1846 | |||
1263 | 1847 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 | ||
1264 | 1848 | |||
1265 | 1849 | strongswan (5.1.1-0ubuntu1) trusty; urgency=low | ||
1266 | 1850 | |||
1267 | 1851 | * New upstream release. | ||
1268 | 1852 | * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. | ||
1269 | 1853 | * debian/control: Updated Standards-Version to 3.9.5 and applied | ||
1270 | 1854 | XSBC-Original-Maintainer policy. | ||
1271 | 1855 | * strongswan-starter.install: | ||
1272 | 1856 | - pki tool is now in /usr/bin. | ||
1273 | 1857 | - Install pt-tls-client. | ||
1274 | 1858 | - Install manpages (LP: #1206263). | ||
1275 | 1859 | |||
1276 | 1860 | -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 | ||
1277 | 1861 | |||
1278 | 646 | strongswan (5.1.0-3) unstable; urgency=high | 1862 | strongswan (5.1.0-3) unstable; urgency=high |
1279 | 647 | 1863 | ||
1280 | 648 | * urgency=high for the security fixes. | 1864 | * urgency=high for the security fixes. |
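Review bot: the 5.1.1-0ubuntu9 entry records "Run strongswan as it's own user" and 5.1.1-0ubuntu10 retracts it ("we are still running strongswan as root (with AppArmor protection)"). These are historical entries and should stay verbatim, but the remaining-changes summary for this merge should state outright that the daemon runs as root confined by AppArmor. A reader who stops at the 0ubuntu9 line will otherwise assume privilege separation that is not there, and it makes the AppArmor profile changes in this merge the part to check most carefully.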
1281 | diff --git a/debian/control b/debian/control | |||
1282 | index 4f12140..5792e50 100644 | |||
1283 | --- a/debian/control | |||
1284 | +++ b/debian/control | |||
1285 | @@ -1,7 +1,8 @@ | |||
1286 | 1 | Source: strongswan | 1 | Source: strongswan |
1287 | 2 | Section: net | 2 | Section: net |
1288 | 3 | Priority: optional | 3 | Priority: optional |
1290 | 4 | Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1291 | 5 | XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> | ||
1292 | 5 | Uploaders: Rene Mayrhofer <rmayr@debian.org>, | 6 | Uploaders: Rene Mayrhofer <rmayr@debian.org>, |
1293 | 6 | Yves-Alexis Perez <corsac@debian.org> | 7 | Yves-Alexis Perez <corsac@debian.org> |
1294 | 7 | Standards-Version: 4.1.2 | 8 | Standards-Version: 4.1.2 |
1295 | @@ -19,14 +20,21 @@ Build-Depends: bison, | |||
1296 | 19 | libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, | 20 | libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, |
1297 | 20 | libgcrypt20-dev | libgcrypt11-dev, | 21 | libgcrypt20-dev | libgcrypt11-dev, |
1298 | 21 | libgmp3-dev, | 22 | libgmp3-dev, |
1299 | 23 | libjson-c-dev, | ||
1300 | 22 | libkrb5-dev, | 24 | libkrb5-dev, |
1301 | 23 | libldap2-dev, | 25 | libldap2-dev, |
1302 | 26 | libldns-dev, | ||
1303 | 27 | libmysqlclient-dev, | ||
1304 | 24 | libnm-dev [linux-any], | 28 | libnm-dev [linux-any], |
1305 | 25 | libpam0g-dev, | 29 | libpam0g-dev, |
1306 | 30 | libpcsclite-dev, | ||
1307 | 31 | libsoup2.4-dev, | ||
1308 | 26 | libsqlite3-dev, | 32 | libsqlite3-dev, |
1309 | 27 | libssl-dev (>= 0.9.8), | 33 | libssl-dev (>= 0.9.8), |
1310 | 28 | libsystemd-dev [linux-any], | 34 | libsystemd-dev [linux-any], |
1311 | 29 | libtool, | 35 | libtool, |
1312 | 36 | libtspi-dev, | ||
1313 | 37 | libunbound-dev, | ||
1314 | 30 | libxml2-dev, | 38 | libxml2-dev, |
1315 | 31 | pkg-config, | 39 | pkg-config, |
1316 | 32 | po-debconf, | 40 | po-debconf, |
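Review bot: libmysqlclient-dev at new line 27 names one MySQL client implementation directly; Debian-derived packaging normally build-depends on default-libmysqlclient-dev so that the archive's chosen client library is used. Separately, of the seven added build dependencies, libjson-c-dev (new line 23) is the only one with no matching "Added ... to build-dependencies" entry in the changelog lines shown in this part of the diff, so name the plugin that needs it in the remaining-changes list to make a later drop easy to reason about.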
1317 | @@ -68,7 +76,9 @@ Description: strongSwan utility and crypto library | |||
1318 | 68 | - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) | 76 | - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) |
1319 | 69 | - gmp (RSA/DH crypto backend based on libgmp) | 77 | - gmp (RSA/DH crypto backend based on libgmp) |
1320 | 70 | - hmac (HMAC wrapper using various hashers) | 78 | - hmac (HMAC wrapper using various hashers) |
1321 | 79 | - md4 (MD4 hasher software implementation) | ||
1322 | 71 | - md5 (MD5 hasher software implementation) | 80 | - md5 (MD5 hasher software implementation) |
1323 | 81 | - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512) | ||
1324 | 72 | - nonce (Default nonce generation plugin) | 82 | - nonce (Default nonce generation plugin) |
1325 | 73 | - pem (PEM encoding/decoding routines) | 83 | - pem (PEM encoding/decoding routines) |
1326 | 74 | - pgp (PGP encoding/decoding routines) | 84 | - pgp (PGP encoding/decoding routines) |
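Review bot: md4 is added to the base library's plugin list at new line 79 with no hint of why a broken hash belongs in the default install. The only consumer visible in this diff is eap-mschapv2 ("using passwords/NT hashes") in libcharon-standard-plugins, so say that in the description or the changelog so nobody mistakes it for a general-purpose hasher. The mgf1 line at new line 81 also reads awkwardly ("based on the SHA-1, SHA-256 and SHA-512"); drop "the" or end it with "hash functions".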
1327 | @@ -131,22 +141,57 @@ Description: strongSwan utility and crypto library (extra plugins) | |||
1328 | 131 | cryptographic library. | 141 | cryptographic library. |
1329 | 132 | . | 142 | . |
1330 | 133 | Included plugins are: | 143 | Included plugins are: |
1331 | 144 | - acert (Support of X.509 attribute certificates (since 5.1.3)) | ||
1332 | 134 | - af-alg [linux] (AF_ALG Linux crypto API interface, provides | 145 | - af-alg [linux] (AF_ALG Linux crypto API interface, provides |
1333 | 135 | ciphers/hashers/hmac/xcbc) | 146 | ciphers/hashers/hmac/xcbc) |
1334 | 147 | - attr-sql (provide IKE attributes read from a database to peers) | ||
1335 | 148 | - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer | ||
1336 | 149 | signature scheme) | ||
1337 | 136 | - ccm (CCM cipher mode wrapper) | 150 | - ccm (CCM cipher mode wrapper) |
1338 | 151 | - chapoly (ChaCha20/Poly1305 AEAD implementation) | ||
1339 | 137 | - cmac (CMAC cipher mode wrapper) | 152 | - cmac (CMAC cipher mode wrapper) |
1340 | 138 | - ctr (CTR cipher mode wrapper) | 153 | - ctr (CTR cipher mode wrapper) |
1341 | 154 | - coupling (Permanent peer certificate coupling) | ||
1342 | 139 | - curl (libcurl based HTTP/FTP fetcher) | 155 | - curl (libcurl based HTTP/FTP fetcher) |
1343 | 140 | - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and | 156 | - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and |
1344 | 141 | support for the Ed25519 digital signature algorithm for IKEv2) | 157 | support for the Ed25519 digital signature algorithm for IKEv2) |
1345 | 158 | - dnscert (authentication via CERT RRs protected by DNSSEC) | ||
1346 | 142 | - gcrypt (Crypto backend based on libgcrypt, provides | 159 | - gcrypt (Crypto backend based on libgcrypt, provides |
1347 | 143 | RSA/DH/ciphers/hashers/rng) | 160 | RSA/DH/ciphers/hashers/rng) |
1348 | 161 | - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC) | ||
1349 | 144 | - ldap (LDAP fetching plugin based on libldap) | 162 | - ldap (LDAP fetching plugin based on libldap) |
1350 | 163 | - load-tester (perform IKE load tests against self or gateway) | ||
1351 | 164 | - mysql (database backend) | ||
1352 | 165 | - ntru (key exchanged based on post-quantum computer NTRU) | ||
1353 | 166 | - nttfft (Number Theoretic Transform via the FFT algorithm) | ||
1354 | 145 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) | 167 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1355 | 146 | - pkcs11 (PKCS#11 smartcard backend) | 168 | - pkcs11 (PKCS#11 smartcard backend) |
1356 | 169 | - radattr (inject and process custom RADIUS attributes as IKEv2 client) | ||
1357 | 170 | - sql (SQL configuration and creds engine) | ||
1358 | 171 | - sqlite (SQLite database backend) | ||
1359 | 172 | - soup (libsoup based HTTP fetcher) | ||
1360 | 173 | - tpmtss (TPM 1.2 and TPM 2.0 Trusted Platform Modules) | ||
1361 | 147 | - rdrand (High quality / high performance random source using the Intel | 174 | - rdrand (High quality / high performance random source using the Intel |
1362 | 148 | rdrand instruction found on Ivy Bridge processors) | 175 | rdrand instruction found on Ivy Bridge processors) |
1363 | 149 | - test-vectors (Set of test vectors for various algorithms) | 176 | - test-vectors (Set of test vectors for various algorithms) |
1364 | 177 | - unbound (DNSSEC enabled resolver using libunbound) | ||
1365 | 178 | - whitelist (peer verification against a whitelist) | ||
1366 | 179 | |||
1367 | 180 | Package: libcharon-standard-plugins | ||
1368 | 181 | Architecture: any | ||
1369 | 182 | Depends: libstrongswan (= ${binary:Version}), | ||
1370 | 183 | ${misc:Depends}, | ||
1371 | 184 | ${shlibs:Depends} | ||
1372 | 185 | Breaks: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) | ||
1373 | 186 | Replaces: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) | ||
1374 | 187 | Description: strongSwan charon library (standard plugins) | ||
1375 | 188 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1376 | 189 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1377 | 190 | . | ||
1378 | 191 | This package provides standard plugins for the charon library: | ||
1379 | 192 | - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) | ||
1380 | 193 | - xauth-generic (Generic XAuth backend that provides passwords from | ||
1381 | 194 | ipsec.secrets and other credential sets) | ||
1382 | 150 | 195 | ||
1383 | 151 | Package: libcharon-extra-plugins | 196 | Package: libcharon-extra-plugins |
1384 | 152 | Architecture: any | 197 | Architecture: any |
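Review bot: load-tester (new line 163, "perform IKE load tests against self or gateway") is a test tool added to the same package as production plugins such as curve25519 and pkcs11, so every host that installs the extra-plugins library package for one of those gets it as well. Confirm it is not loaded by default, or split it into its own package. Smaller points in the same list: "key exchanged" at new line 165 should read "key exchange", and coupling, soup and tpmtss are inserted out of alphabetical order.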
1385 | @@ -162,13 +207,13 @@ Description: strongSwan charon library (extra plugins) | |||
1386 | 162 | This package provides extra plugins for the charon library: | 207 | This package provides extra plugins for the charon library: |
1387 | 163 | - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509 | 208 | - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509 |
1388 | 164 | certificates) | 209 | certificates) |
1389 | 210 | - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server) | ||
1390 | 165 | - certexpire (Export expiration dates of used certificates) | 211 | - certexpire (Export expiration dates of used certificates) |
1391 | 166 | - eap-aka (Generic EAP-AKA protocol handler using different backends) | 212 | - eap-aka (Generic EAP-AKA protocol handler using different backends) |
1392 | 167 | - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends) | 213 | - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends) |
1393 | 168 | - eap-identity (EAP-Identity identity exchange algorithm, to use with other | 214 | - eap-identity (EAP-Identity identity exchange algorithm, to use with other |
1394 | 169 | EAP protocols) | 215 | EAP protocols) |
1395 | 170 | - eap-md5 (EAP-MD5 protocol handler using passwords) | 216 | - eap-md5 (EAP-MD5 protocol handler using passwords) |
1396 | 171 | - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) | ||
1397 | 172 | - eap-radius (EAP server proxy plugin forwarding EAP conversations to a | 217 | - eap-radius (EAP server proxy plugin forwarding EAP conversations to a |
1398 | 173 | RADIUS server) | 218 | RADIUS server) |
1399 | 174 | - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in | 219 | - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in |
1400 | @@ -176,17 +221,25 @@ Description: strongSwan charon library (extra plugins) | |||
1401 | 176 | - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel) | 221 | - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel) |
1402 | 177 | - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely) | 222 | - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely) |
1403 | 178 | - error-notify (Notification about errors via UNIX socket) | 223 | - error-notify (Notification about errors via UNIX socket) |
1404 | 224 | - farp (fake ARP responses for requests to virtual IP address) | ||
1405 | 179 | - ha (High-Availability clustering) | 225 | - ha (High-Availability clustering) |
1406 | 226 | - kernel-libipsec (Userspace IPsec Backend with TUN devices) | ||
1407 | 180 | - led (Let Linux LED subsystem LEDs blink on IKE activity) | 227 | - led (Let Linux LED subsystem LEDs blink on IKE activity) |
1408 | 181 | - lookip (Virtual IP lookup facility using a UNIX socket) | 228 | - lookip (Virtual IP lookup facility using a UNIX socket) |
1409 | 182 | - medcli (Web interface based mediation client interface) | ||
1410 | 183 | - medsrv (Web interface based mediation server interface) | ||
1411 | 184 | - tnc (Trusted Network Connect) | 229 | - tnc (Trusted Network Connect) |
1412 | 185 | - unity (Cisco Unity extensions for IKEv1) | 230 | - unity (Cisco Unity extensions for IKEv1) |
1413 | 186 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) | 231 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) |
1414 | 187 | - xauth-generic (Generic XAuth backend that provides passwords from | ||
1415 | 188 | ipsec.secrets and other credential sets) | ||
1416 | 189 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) | 232 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) |
1417 | 233 | - eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software) | ||
1418 | 234 | - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1)) | ||
1419 | 235 | - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) | ||
1420 | 236 | - eap-sim (Generic EAP-SIM protocol handler using different backends) | ||
1421 | 237 | - eap-sim-file (EAP-SIM backend reading triplets from a file) | ||
1422 | 238 | - eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader) | ||
1423 | 239 | - eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database) | ||
1424 | 240 | - eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database) | ||
1425 | 241 | - eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database) | ||
1426 | 242 | - xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3)) | ||
1427 | 190 | 243 | ||
1428 | 191 | Package: strongswan-starter | 244 | Package: strongswan-starter |
1429 | 192 | Architecture: any | 245 | Architecture: any |
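Review bot: The new `kernel-libipsec` entry at new line 226 does not say that the plugin ships disabled, although this same diff adds debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch to switch it to `load = no`. A short "(not loaded by default)" on that entry would keep the description in line with the packaged behaviour. The same applies in spirit to `xauth-noauth` at new line 242: the description is the only place a user learns that this backend performs no authentication, so it is worth keeping that wording prominent. The `eap-dynamic` entry at new line 234 is also far longer than the wrapped entries around it and should be folded onto a continuation line like the old `xauth-generic` entry was.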
1430 | @@ -212,6 +265,7 @@ Depends: libstrongswan (= ${binary:Version}), | |||
1431 | 212 | ${shlibs:Depends} | 265 | ${shlibs:Depends} |
1432 | 213 | Breaks: strongswan-starter (<= 5.6.1-2) | 266 | Breaks: strongswan-starter (<= 5.6.1-2) |
1433 | 214 | Replaces: strongswan-starter (<= 5.6.1-2) | 267 | Replaces: strongswan-starter (<= 5.6.1-2) |
1434 | 268 | Recommends: libcharon-standard-plugins | ||
1435 | 215 | Suggests: libcharon-extra-plugins | 269 | Suggests: libcharon-extra-plugins |
1436 | 216 | Description: strongSwan charon library | 270 | Description: strongSwan charon library |
1437 | 217 | The strongSwan VPN suite uses the native IPsec stack in the standard | 271 | The strongSwan VPN suite uses the native IPsec stack in the standard |
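Review bot: `Recommends: libcharon-standard-plugins` at new line 268 is a soft dependency, so an install with recommends disabled gets the charon library without eap-mschapv2 and xauth-generic, which the comments in debian/libcharon-standard-plugins.install describe as required on the client side for common IKEv2 and IKEv1/XAUTH setups. That is a reasonable choice for minimal server installs, but the stanza's Description (unchanged context here) gives no hint of it; consider one sentence there, or in the changelog entry, naming the package that carries those two plugins.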
1438 | @@ -255,6 +309,68 @@ Description: strongSwan plugin to interact with NetworkManager | |||
1439 | 255 | in conjunction with the network-manager-strongswan package, providing | 309 | in conjunction with the network-manager-strongswan package, providing |
1440 | 256 | a simple graphical frontend to configure IPsec based VPNs. | 310 | a simple graphical frontend to configure IPsec based VPNs. |
1441 | 257 | 311 | ||
1442 | 312 | Package: strongswan-tnc-ifmap | ||
1443 | 313 | Architecture: any | ||
1444 | 314 | Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) | ||
1445 | 315 | Description: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client | ||
1446 | 316 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1447 | 317 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1448 | 318 | . | ||
1449 | 319 | This package provides Trusted Network Connect's (TNC) IF-MAP 2.0 client. | ||
1450 | 320 | |||
1451 | 321 | Package: strongswan-tnc-base | ||
1452 | 322 | Architecture: any | ||
1453 | 323 | Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) | ||
1454 | 324 | Suggests: strongswan-tnc-ifmap, strongswan-tnc-pdp | ||
1455 | 325 | Description: strongSwan Trusted Network Connect's (TNC) - base files | ||
1456 | 326 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1457 | 327 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1458 | 328 | . | ||
1459 | 329 | This package provides the base files for strongSwan's Trusted Network | ||
1460 | 330 | Connect's (TNC) functionality. | ||
1461 | 331 | . | ||
1462 | 332 | strongSwan's IMC/IMV dynamic libraries can be used by any third party TNC | ||
1463 | 333 | client/server implementation possessing a standard IF-IMC/IMV interface. | ||
1464 | 334 | |||
1465 | 335 | Package: strongswan-tnc-client | ||
1466 | 336 | Architecture: any | ||
1467 | 337 | Depends: ${shlibs:Depends}, ${misc:Depends}, | ||
1468 | 338 | libstrongswan (= ${binary:Version}), strongswan-tnc-base (= ${binary:Version}) | ||
1469 | 339 | Suggests: libcharon-extra-plugins | ||
1470 | 340 | Description: strongSwan Trusted Network Connect's (TNC) - client files | ||
1471 | 341 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1472 | 342 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1473 | 343 | . | ||
1474 | 344 | This package provides the client functionality for strongSwan's Trusted Network | ||
1475 | 345 | Connect's (TNC) features. | ||
1476 | 346 | . | ||
1477 | 347 | It includes the OS, scanner, test, SWID, and attestation IMCs. | ||
1478 | 348 | |||
1479 | 349 | Package: strongswan-tnc-server | ||
1480 | 350 | Architecture: any | ||
1481 | 351 | Depends: ${shlibs:Depends}, ${misc:Depends}, | ||
1482 | 352 | libstrongswan (= ${binary:Version}), | ||
1483 | 353 | strongswan-tnc-base (= ${binary:Version}), | ||
1484 | 354 | libstrongswan-extra-plugins (= ${binary:Version}) | ||
1485 | 355 | Description: strongSwan Trusted Network Connect's (TNC) - server files | ||
1486 | 356 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1487 | 357 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1488 | 358 | . | ||
1489 | 359 | This package provides the server functionality for strongSwan's Trusted Network | ||
1490 | 360 | Connect's (TNC) features. | ||
1491 | 361 | |||
1492 | 362 | Package: strongswan-tnc-pdp | ||
1493 | 363 | Architecture: any | ||
1494 | 364 | Depends: ${shlibs:Depends}, ${misc:Depends}, | ||
1495 | 365 | libstrongswan (= ${binary:Version}), | ||
1496 | 366 | strongswan-tnc-server (= ${binary:Version}) | ||
1497 | 367 | Description: strongSwan plugin for Trusted Network Connect's (TNC) PDP | ||
1498 | 368 | The strongSwan VPN suite uses the native IPsec stack in the standard | ||
1499 | 369 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. | ||
1500 | 370 | . | ||
1501 | 371 | This package provides Trusted Network Connect's (TNC) Policy Decision Point | ||
1502 | 372 | (PDP) with RADIUS server interface. | ||
1503 | 373 | |||
1504 | 258 | Package: charon-cmd | 374 | Package: charon-cmd |
1505 | 259 | Architecture: any | 375 | Architecture: any |
1506 | 260 | Depends: libstrongswan (= ${binary:Version}), | 376 | Depends: libstrongswan (= ${binary:Version}), |
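Review bot: None of the five new strongswan-tnc-* stanzas (new lines 312-372) declares Breaks/Replaces, yet `libstrongswan-tnc-tnccs.so`, its config files and `libtnccs.so*` are removed from debian/libcharon-extra-plugins.install in this same diff. If any release users can upgrade from shipped those files in libcharon-extra-plugins, the package that takes them over needs a versioned Breaks/Replaces against it, in the same style as the `Breaks: strongswan-starter (<= 5.6.1-2)` pair earlier in this file; if no such release exists, say so in the changelog. Separately, strongswan-tnc-client only Suggests libcharon-extra-plugins, which is where `libstrongswan-eap-tnc.so` stays according to the .install change, so please confirm the client is usable without it or raise the relationship to Recommends.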
1507 | diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto | |||
1508 | index dfa6dde..309e3fc 100644 | |||
1509 | --- a/debian/ipsec.secrets.proto | |||
1510 | +++ b/debian/ipsec.secrets.proto | |||
1511 | @@ -3,6 +3,3 @@ | |||
1512 | 3 | # RSA private key for this host, authenticating it to any other host | 3 | # RSA private key for this host, authenticating it to any other host |
1513 | 4 | # which knows the public part. | 4 | # which knows the public part. |
1514 | 5 | 5 | ||
1515 | 6 | # this file is managed with debconf and will contain the automatically created private key | ||
1516 | 7 | include /var/lib/strongswan/ipsec.secrets.inc | ||
1517 | 8 | |||
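Review bot: Removing the `include /var/lib/strongswan/ipsec.secrets.inc` line (old lines 6-7) leaves the header comment about the host's RSA private key describing a prototype file that now carries neither key material nor a pointer to it. Either add a one-line comment telling the administrator that secrets must be added by hand, or adjust the header. The changelog should also state what happens on systems whose existing secrets file still contains that include, since the debconf-managed file it points to is no longer referenced from here.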
1518 | diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install | |||
1519 | index 1b0cbca..cb539ec 100644 | |||
1520 | --- a/debian/libcharon-extra-plugins.install | |||
1521 | +++ b/debian/libcharon-extra-plugins.install | |||
1522 | @@ -1,50 +1,102 @@ | |||
1523 | 1 | # libcharon plugins | 1 | # libcharon plugins |
1524 | 2 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so | 2 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so |
1525 | 3 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so | 3 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so |
1527 | 4 | usr/lib/ipsec/plugins/libstrongswan-eap*.so | 4 | usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so |
1528 | 5 | usr/lib/ipsec/plugins/libstrongswan-eap-aka.so | ||
1529 | 6 | usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so | ||
1530 | 7 | usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so | ||
1531 | 8 | usr/lib/ipsec/plugins/libstrongswan-eap-identity.so | ||
1532 | 9 | usr/lib/ipsec/plugins/libstrongswan-eap-md5.so | ||
1533 | 10 | usr/lib/ipsec/plugins/libstrongswan-eap-peap.so | ||
1534 | 11 | usr/lib/ipsec/plugins/libstrongswan-eap-radius.so | ||
1535 | 12 | usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so | ||
1536 | 13 | usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so | ||
1537 | 14 | usr/lib/ipsec/plugins/libstrongswan-eap-sim.so | ||
1538 | 15 | usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so | ||
1539 | 16 | usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so | ||
1540 | 17 | usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so | ||
1541 | 18 | usr/lib/ipsec/plugins/libstrongswan-eap-tls.so | ||
1542 | 19 | usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so | ||
1543 | 20 | usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so | ||
1544 | 5 | usr/lib/ipsec/plugins/libstrongswan-error-notify.so | 21 | usr/lib/ipsec/plugins/libstrongswan-error-notify.so |
1545 | 6 | usr/lib/ipsec/plugins/libstrongswan-ha.so | 22 | usr/lib/ipsec/plugins/libstrongswan-ha.so |
1546 | 23 | usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so | ||
1547 | 7 | usr/lib/ipsec/plugins/libstrongswan-led.so | 24 | usr/lib/ipsec/plugins/libstrongswan-led.so |
1548 | 8 | usr/lib/ipsec/plugins/libstrongswan-lookip.so | 25 | usr/lib/ipsec/plugins/libstrongswan-lookip.so |
1549 | 9 | #usr/lib/ipsec/plugins/libstrongswan-medsrv.so | 26 | #usr/lib/ipsec/plugins/libstrongswan-medsrv.so |
1550 | 10 | #usr/lib/ipsec/plugins/libstrongswan-medcli.so | 27 | #usr/lib/ipsec/plugins/libstrongswan-medcli.so |
1551 | 11 | usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so | ||
1552 | 12 | usr/lib/ipsec/plugins/libstrongswan-unity.so | 28 | usr/lib/ipsec/plugins/libstrongswan-unity.so |
1554 | 13 | usr/lib/ipsec/plugins/libstrongswan-xauth-*.so | 29 | usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so |
1555 | 30 | usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so | ||
1556 | 31 | usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so | ||
1557 | 14 | # standard configuration files | 32 | # standard configuration files |
1558 | 15 | usr/share/strongswan/templates/config/plugins/addrblock.conf | 33 | usr/share/strongswan/templates/config/plugins/addrblock.conf |
1559 | 16 | usr/share/strongswan/templates/config/plugins/certexpire.conf | 34 | usr/share/strongswan/templates/config/plugins/certexpire.conf |
1561 | 17 | usr/share/strongswan/templates/config/plugins/eap-*.conf | 35 | usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf |
1562 | 36 | usr/share/strongswan/templates/config/plugins/eap-aka.conf | ||
1563 | 37 | usr/share/strongswan/templates/config/plugins/eap-dynamic.conf | ||
1564 | 38 | usr/share/strongswan/templates/config/plugins/eap-gtc.conf | ||
1565 | 39 | usr/share/strongswan/templates/config/plugins/eap-identity.conf | ||
1566 | 40 | usr/share/strongswan/templates/config/plugins/eap-md5.conf | ||
1567 | 41 | usr/share/strongswan/templates/config/plugins/eap-peap.conf | ||
1568 | 42 | usr/share/strongswan/templates/config/plugins/eap-radius.conf | ||
1569 | 43 | usr/share/strongswan/templates/config/plugins/eap-sim-file.conf | ||
1570 | 44 | usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf | ||
1571 | 45 | usr/share/strongswan/templates/config/plugins/eap-sim.conf | ||
1572 | 46 | usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf | ||
1573 | 47 | usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf | ||
1574 | 48 | usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf | ||
1575 | 49 | usr/share/strongswan/templates/config/plugins/eap-tls.conf | ||
1576 | 50 | usr/share/strongswan/templates/config/plugins/eap-tnc.conf | ||
1577 | 51 | usr/share/strongswan/templates/config/plugins/eap-ttls.conf | ||
1578 | 18 | usr/share/strongswan/templates/config/plugins/error-notify.conf | 52 | usr/share/strongswan/templates/config/plugins/error-notify.conf |
1579 | 19 | usr/share/strongswan/templates/config/plugins/ha.conf | 53 | usr/share/strongswan/templates/config/plugins/ha.conf |
1580 | 54 | usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf | ||
1581 | 20 | usr/share/strongswan/templates/config/plugins/led.conf | 55 | usr/share/strongswan/templates/config/plugins/led.conf |
1582 | 21 | usr/share/strongswan/templates/config/plugins/lookip.conf | 56 | usr/share/strongswan/templates/config/plugins/lookip.conf |
1583 | 22 | #usr/share/strongswan/templates/config/plugins/medsrv.conf | 57 | #usr/share/strongswan/templates/config/plugins/medsrv.conf |
1584 | 23 | #usr/share/strongswan/templates/config/plugins/medcli.conf | 58 | #usr/share/strongswan/templates/config/plugins/medcli.conf |
1585 | 24 | usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf | ||
1586 | 25 | usr/share/strongswan/templates/config/plugins/unity.conf | 59 | usr/share/strongswan/templates/config/plugins/unity.conf |
1590 | 26 | usr/share/strongswan/templates/config/plugins/xauth-*.conf | 60 | usr/share/strongswan/templates/config/plugins/xauth-eap.conf |
1591 | 27 | usr/share/strongswan/templates/config/strongswan.d/tnc.conf | 61 | usr/share/strongswan/templates/config/plugins/xauth-noauth.conf |
1592 | 28 | etc/strongswan.d/tnc.conf | 62 | usr/share/strongswan/templates/config/plugins/xauth-pam.conf |
1593 | 29 | etc/strongswan.d/charon/addrblock.conf | 63 | etc/strongswan.d/charon/addrblock.conf |
1594 | 30 | etc/strongswan.d/charon/certexpire.conf | 64 | etc/strongswan.d/charon/certexpire.conf |
1596 | 31 | etc/strongswan.d/charon/eap-*.conf | 65 | etc/strongswan.d/charon/eap-aka-3gpp2.conf |
1597 | 66 | etc/strongswan.d/charon/eap-aka.conf | ||
1598 | 67 | etc/strongswan.d/charon/eap-dynamic.conf | ||
1599 | 68 | etc/strongswan.d/charon/eap-gtc.conf | ||
1600 | 69 | etc/strongswan.d/charon/eap-identity.conf | ||
1601 | 70 | etc/strongswan.d/charon/eap-md5.conf | ||
1602 | 71 | etc/strongswan.d/charon/eap-peap.conf | ||
1603 | 72 | etc/strongswan.d/charon/eap-radius.conf | ||
1604 | 73 | etc/strongswan.d/charon/eap-sim-file.conf | ||
1605 | 74 | etc/strongswan.d/charon/eap-sim-pcsc.conf | ||
1606 | 75 | etc/strongswan.d/charon/eap-sim.conf | ||
1607 | 76 | etc/strongswan.d/charon/eap-simaka-pseudonym.conf | ||
1608 | 77 | etc/strongswan.d/charon/eap-simaka-reauth.conf | ||
1609 | 78 | etc/strongswan.d/charon/eap-simaka-sql.conf | ||
1610 | 79 | etc/strongswan.d/charon/eap-tls.conf | ||
1611 | 80 | etc/strongswan.d/charon/eap-tnc.conf | ||
1612 | 81 | etc/strongswan.d/charon/eap-ttls.conf | ||
1613 | 32 | etc/strongswan.d/charon/error-notify.conf | 82 | etc/strongswan.d/charon/error-notify.conf |
1614 | 33 | etc/strongswan.d/charon/ha.conf | 83 | etc/strongswan.d/charon/ha.conf |
1615 | 84 | etc/strongswan.d/charon/kernel-libipsec.conf | ||
1616 | 34 | etc/strongswan.d/charon/led.conf | 85 | etc/strongswan.d/charon/led.conf |
1617 | 35 | etc/strongswan.d/charon/lookip.conf | 86 | etc/strongswan.d/charon/lookip.conf |
1618 | 36 | #etc/strongswan.d/charon/medsrv.conf | 87 | #etc/strongswan.d/charon/medsrv.conf |
1619 | 37 | #etc/strongswan.d/charon/medcli.conf | 88 | #etc/strongswan.d/charon/medcli.conf |
1620 | 38 | etc/strongswan.d/charon/tnc-tnccs.conf | ||
1621 | 39 | etc/strongswan.d/charon/unity.conf | 89 | etc/strongswan.d/charon/unity.conf |
1623 | 40 | etc/strongswan.d/charon/xauth-*.conf | 90 | etc/strongswan.d/charon/xauth-eap.conf |
1624 | 91 | etc/strongswan.d/charon/xauth-noauth.conf | ||
1625 | 92 | etc/strongswan.d/charon/xauth-pam.conf | ||
1626 | 41 | debian/usr.lib.ipsec.lookip /etc/apparmor.d/ | 93 | debian/usr.lib.ipsec.lookip /etc/apparmor.d/ |
1627 | 42 | # support libs | 94 | # support libs |
1628 | 43 | #usr/lib/ipsec/libfast.so* | 95 | #usr/lib/ipsec/libfast.so* |
1629 | 96 | usr/lib/ipsec/libipsec.so* | ||
1630 | 44 | usr/lib/ipsec/libpttls.so* | 97 | usr/lib/ipsec/libpttls.so* |
1631 | 45 | usr/lib/ipsec/libradius.so* | 98 | usr/lib/ipsec/libradius.so* |
1632 | 46 | usr/lib/ipsec/libsimaka.so* | 99 | usr/lib/ipsec/libsimaka.so* |
1633 | 47 | usr/lib/ipsec/libtnccs.so* | ||
1634 | 48 | usr/lib/ipsec/libtls.so* | 100 | usr/lib/ipsec/libtls.so* |
1635 | 49 | # binaries | 101 | # binaries |
1636 | 50 | usr/bin/pt-tls-client | 102 | usr/bin/pt-tls-client |
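Review bot: Replacing the `libstrongswan-eap*.so`, `libstrongswan-xauth-*.so`, `eap-*.conf` and `xauth-*.conf` globs with explicit names means a plugin added by a future upstream release is silently left out of the package unless someone edits three lists here. The split itself makes sense, since it keeps eap-mschapv2 and xauth-generic out of this package, but the build should then fail on built-but-uninstalled files (for example via `dh_missing --fail-missing`) so the lists cannot drift. Also note that `libstrongswan-xauth-noauth.so` is now named explicitly at new line 30; given that it performs no authentication, a comment next to it explaining why it is shipped would help later reviewers.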
1637 | diff --git a/debian/libcharon-standard-plugins.install b/debian/libcharon-standard-plugins.install | |||
1638 | 51 | new file mode 100644 | 103 | new file mode 100644 |
1639 | index 0000000..25e580c | |||
1640 | --- /dev/null | |||
1641 | +++ b/debian/libcharon-standard-plugins.install | |||
1642 | @@ -0,0 +1,19 @@ | |||
1643 | 1 | # most commonly used libcharon plugins | ||
1644 | 2 | # 1) eap-mschapv2 is required on the client side to connect to VPN | ||
1645 | 3 | # concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2. | ||
1646 | 4 | # In such scenario, the VPN concentrator identifies itself with a public | ||
1647 | 5 | # key and asks the client to authenticate with MSCHAPv2. | ||
1648 | 6 | # 2) xauth-generic is required on the client side to connect to VPN | ||
1649 | 7 | # concentrators configured for Android and older OSX/iOS using IKEv1 and | ||
1650 | 8 | # XAUTH. In such scenario, the VPN concentrator identifies itself with a | ||
1651 | 9 | # public key or a shared secret and asks the client to authenticate with a | ||
1652 | 10 | # XAUTH password. | ||
1653 | 11 | # plugins | ||
1654 | 12 | usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so | ||
1655 | 13 | usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so | ||
1656 | 14 | # config templates | ||
1657 | 15 | usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf | ||
1658 | 16 | usr/share/strongswan/templates/config/plugins/xauth-generic.conf | ||
1659 | 17 | # configuration files | ||
1660 | 18 | etc/strongswan.d/charon/eap-mschapv2.conf | ||
1661 | 19 | etc/strongswan.d/charon/xauth-generic.conf | ||
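Review bot: The header comment (new lines 1-10) explains why eap-mschapv2 and xauth-generic are split out, but not that eap-mschapv2 needs an MD4 implementation for the NT password hash, which is presumably why `libstrongswan-md4.so` moves into debian/libstrongswan.install in this same diff. Please add that dependency to the comment so that nobody later drops md4 from the base package as a weak-hash cleanup and breaks this plugin. Minor wording: "In such scenario" should read "In such a scenario" (twice) and "a XAUTH password" should read "an XAUTH password".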
1662 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install | |||
1663 | index cfa5978..4cd01d4 100644 | |||
1664 | --- a/debian/libstrongswan-extra-plugins.install | |||
1665 | +++ b/debian/libstrongswan-extra-plugins.install | |||
1666 | @@ -1,37 +1,95 @@ | |||
1667 | 1 | # Tool for TPM PCR extension | 1 | # Tool for TPM PCR extension |
1668 | 2 | usr/bin/tpm_extendpcr | 2 | usr/bin/tpm_extendpcr |
1669 | 3 | # libstrongswan plugins | 3 | # libstrongswan plugins |
1670 | 4 | usr/lib/ipsec/plugins/libstrongswan-acert.so | ||
1671 | 5 | usr/lib/ipsec/plugins/libstrongswan-attr-sql.so | ||
1672 | 6 | usr/lib/ipsec/plugins/libstrongswan-bliss.so | ||
1673 | 4 | usr/lib/ipsec/plugins/libstrongswan-ccm.so | 7 | usr/lib/ipsec/plugins/libstrongswan-ccm.so |
1674 | 8 | usr/lib/ipsec/plugins/libstrongswan-chapoly.so | ||
1675 | 5 | usr/lib/ipsec/plugins/libstrongswan-cmac.so | 9 | usr/lib/ipsec/plugins/libstrongswan-cmac.so |
1676 | 10 | usr/lib/ipsec/plugins/libstrongswan-coupling.so | ||
1677 | 6 | usr/lib/ipsec/plugins/libstrongswan-ctr.so | 11 | usr/lib/ipsec/plugins/libstrongswan-ctr.so |
1678 | 7 | usr/lib/ipsec/plugins/libstrongswan-curl.so | 12 | usr/lib/ipsec/plugins/libstrongswan-curl.so |
1679 | 8 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so | 13 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1680 | 14 | usr/lib/ipsec/plugins/libstrongswan-dnscert.so | ||
1681 | 9 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so | 15 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1682 | 16 | usr/lib/ipsec/plugins/libstrongswan-ipseckey.so | ||
1683 | 10 | usr/lib/ipsec/plugins/libstrongswan-ldap.so | 17 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1684 | 18 | usr/lib/ipsec/plugins/libstrongswan-load-tester.so | ||
1685 | 19 | usr/lib/ipsec/plugins/libstrongswan-mysql.so | ||
1686 | 20 | usr/lib/ipsec/plugins/libstrongswan-ntru.so | ||
1687 | 11 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so | 21 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1688 | 22 | usr/lib/ipsec/plugins/libstrongswan-radattr.so | ||
1689 | 23 | usr/lib/ipsec/plugins/libstrongswan-soup.so | ||
1690 | 24 | usr/lib/ipsec/plugins/libstrongswan-sqlite.so | ||
1691 | 25 | usr/lib/ipsec/plugins/libstrongswan-sql.so | ||
1692 | 26 | usr/lib/ipsec/plugins/libstrongswan-systime-fix.so | ||
1693 | 12 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so | 27 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
1694 | 13 | usr/lib/ipsec/plugins/libstrongswan-tpm.so | 28 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
1695 | 29 | usr/lib/ipsec/plugins/libstrongswan-unbound.so | ||
1696 | 30 | usr/lib/ipsec/plugins/libstrongswan-whitelist.so | ||
1697 | 14 | # default configuration files | 31 | # default configuration files |
1698 | 32 | usr/share/strongswan/templates/config/plugins/acert.conf | ||
1699 | 33 | usr/share/strongswan/templates/config/plugins/attr-sql.conf | ||
1700 | 34 | usr/share/strongswan/templates/config/plugins/bliss.conf | ||
1701 | 15 | usr/share/strongswan/templates/config/plugins/ccm.conf | 35 | usr/share/strongswan/templates/config/plugins/ccm.conf |
1702 | 36 | usr/share/strongswan/templates/config/plugins/chapoly.conf | ||
1703 | 16 | usr/share/strongswan/templates/config/plugins/cmac.conf | 37 | usr/share/strongswan/templates/config/plugins/cmac.conf |
1704 | 38 | usr/share/strongswan/templates/config/plugins/coupling.conf | ||
1705 | 17 | usr/share/strongswan/templates/config/plugins/ctr.conf | 39 | usr/share/strongswan/templates/config/plugins/ctr.conf |
1706 | 18 | usr/share/strongswan/templates/config/plugins/curl.conf | 40 | usr/share/strongswan/templates/config/plugins/curl.conf |
1707 | 19 | usr/share/strongswan/templates/config/plugins/curve25519.conf | 41 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
1708 | 42 | usr/share/strongswan/templates/config/plugins/dnscert.conf | ||
1709 | 20 | usr/share/strongswan/templates/config/plugins/gcrypt.conf | 43 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
1710 | 44 | usr/share/strongswan/templates/config/plugins/ipseckey.conf | ||
1711 | 21 | usr/share/strongswan/templates/config/plugins/ldap.conf | 45 | usr/share/strongswan/templates/config/plugins/ldap.conf |
1712 | 46 | usr/share/strongswan/templates/config/plugins/load-tester.conf | ||
1713 | 47 | usr/share/strongswan/templates/config/plugins/mysql.conf | ||
1714 | 48 | usr/share/strongswan/templates/config/plugins/ntru.conf | ||
1715 | 22 | usr/share/strongswan/templates/config/plugins/pkcs11.conf | 49 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
1716 | 50 | usr/share/strongswan/templates/config/plugins/radattr.conf | ||
1717 | 51 | usr/share/strongswan/templates/config/plugins/soup.conf | ||
1718 | 52 | usr/share/strongswan/templates/config/plugins/sql.conf | ||
1719 | 53 | usr/share/strongswan/templates/config/plugins/sqlite.conf | ||
1720 | 54 | usr/share/strongswan/templates/config/plugins/systime-fix.conf | ||
1721 | 23 | usr/share/strongswan/templates/config/plugins/test-vectors.conf | 55 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
1722 | 24 | usr/share/strongswan/templates/config/plugins/tpm.conf | 56 | usr/share/strongswan/templates/config/plugins/tpm.conf |
1723 | 57 | usr/share/strongswan/templates/config/plugins/unbound.conf | ||
1724 | 58 | usr/share/strongswan/templates/config/plugins/whitelist.conf | ||
1725 | 59 | usr/share/strongswan/templates/database/sql/mysql.sql | ||
1726 | 60 | usr/share/strongswan/templates/database/sql/sqlite.sql | ||
1727 | 61 | etc/strongswan.d/charon/acert.conf | ||
1728 | 62 | etc/strongswan.d/charon/attr-sql.conf | ||
1729 | 63 | etc/strongswan.d/charon/bliss.conf | ||
1730 | 25 | etc/strongswan.d/charon/ccm.conf | 64 | etc/strongswan.d/charon/ccm.conf |
1731 | 65 | etc/strongswan.d/charon/chapoly.conf | ||
1732 | 26 | etc/strongswan.d/charon/cmac.conf | 66 | etc/strongswan.d/charon/cmac.conf |
1733 | 67 | etc/strongswan.d/charon/coupling.conf | ||
1734 | 27 | etc/strongswan.d/charon/ctr.conf | 68 | etc/strongswan.d/charon/ctr.conf |
1735 | 28 | etc/strongswan.d/charon/curl.conf | 69 | etc/strongswan.d/charon/curl.conf |
1736 | 29 | etc/strongswan.d/charon/curve25519.conf | 70 | etc/strongswan.d/charon/curve25519.conf |
1737 | 71 | etc/strongswan.d/charon/dnscert.conf | ||
1738 | 30 | etc/strongswan.d/charon/gcrypt.conf | 72 | etc/strongswan.d/charon/gcrypt.conf |
1739 | 73 | etc/strongswan.d/charon/ipseckey.conf | ||
1740 | 31 | etc/strongswan.d/charon/ldap.conf | 74 | etc/strongswan.d/charon/ldap.conf |
1741 | 75 | etc/strongswan.d/charon/load-tester.conf | ||
1742 | 76 | etc/strongswan.d/charon/mysql.conf | ||
1743 | 77 | etc/strongswan.d/charon/ntru.conf | ||
1744 | 32 | etc/strongswan.d/charon/pkcs11.conf | 78 | etc/strongswan.d/charon/pkcs11.conf |
1745 | 79 | etc/strongswan.d/charon/radattr.conf | ||
1746 | 80 | etc/strongswan.d/charon/soup.conf | ||
1747 | 81 | etc/strongswan.d/charon/sql.conf | ||
1748 | 82 | etc/strongswan.d/charon/sqlite.conf | ||
1749 | 83 | etc/strongswan.d/charon/systime-fix.conf | ||
1750 | 33 | etc/strongswan.d/charon/test-vectors.conf | 84 | etc/strongswan.d/charon/test-vectors.conf |
1751 | 34 | etc/strongswan.d/charon/tpm.conf | 85 | etc/strongswan.d/charon/tpm.conf |
1752 | 35 | # TPM libs | 86 | # TPM libs |
1753 | 36 | usr/lib/ipsec/libtpmtss.so.* | 87 | usr/lib/ipsec/libtpmtss.so.* |
1754 | 37 | usr/lib/ipsec/libtpmtss.so | 88 | usr/lib/ipsec/libtpmtss.so |
1755 | 89 | etc/strongswan.d/charon/unbound.conf | ||
1756 | 90 | etc/strongswan.d/charon/whitelist.conf | ||
1757 | 91 | usr/lib/ipsec/load-tester | ||
1758 | 92 | usr/lib/ipsec/whitelist | ||
1759 | 93 | # support libs | ||
1760 | 94 | usr/lib/ipsec/libtpmtss.so* | ||
1761 | 95 | usr/lib/ipsec/libnttfft.so* | ||
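Review bot: `usr/lib/ipsec/libtpmtss.so*` at new line 94 duplicates what `usr/lib/ipsec/libtpmtss.so.*` and `usr/lib/ipsec/libtpmtss.so` already install at new lines 87-88, so one of the two forms should go. The `unbound.conf` and `whitelist.conf` entries at new lines 89-90 also ended up under the "# TPM libs" comment instead of with the other etc/strongswan.d/charon files, which looks like a merge leftover. While tidying, consider whether `load-tester` (plugin, config and the `usr/lib/ipsec/load-tester` helper) belongs in a package installed on production hosts, or at least note in the package description that it is a test tool.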
1762 | diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install | |||
1763 | index 072ff7e..5d458bb 100644 | |||
1764 | --- a/debian/libstrongswan.install | |||
1765 | +++ b/debian/libstrongswan.install | |||
1766 | @@ -6,15 +6,16 @@ usr/lib/ipsec/plugins/libstrongswan-dnskey.so | |||
1767 | 6 | usr/lib/ipsec/plugins/libstrongswan-fips-prf.so | 6 | usr/lib/ipsec/plugins/libstrongswan-fips-prf.so |
1768 | 7 | usr/lib/ipsec/plugins/libstrongswan-gmp.so | 7 | usr/lib/ipsec/plugins/libstrongswan-gmp.so |
1769 | 8 | usr/lib/ipsec/plugins/libstrongswan-hmac.so | 8 | usr/lib/ipsec/plugins/libstrongswan-hmac.so |
1770 | 9 | usr/lib/ipsec/plugins/libstrongswan-md4.so | ||
1771 | 9 | usr/lib/ipsec/plugins/libstrongswan-md5.so | 10 | usr/lib/ipsec/plugins/libstrongswan-md5.so |
1772 | 10 | usr/lib/ipsec/plugins/libstrongswan-mgf1.so | 11 | usr/lib/ipsec/plugins/libstrongswan-mgf1.so |
1773 | 11 | usr/lib/ipsec/plugins/libstrongswan-nonce.so | 12 | usr/lib/ipsec/plugins/libstrongswan-nonce.so |
1774 | 12 | usr/lib/ipsec/plugins/libstrongswan-pgp.so | ||
1775 | 13 | usr/lib/ipsec/plugins/libstrongswan-pem.so | 13 | usr/lib/ipsec/plugins/libstrongswan-pem.so |
1776 | 14 | usr/lib/ipsec/plugins/libstrongswan-pgp.so | ||
1777 | 14 | usr/lib/ipsec/plugins/libstrongswan-pkcs1.so | 15 | usr/lib/ipsec/plugins/libstrongswan-pkcs1.so |
1778 | 16 | usr/lib/ipsec/plugins/libstrongswan-pkcs12.so | ||
1779 | 15 | usr/lib/ipsec/plugins/libstrongswan-pkcs7.so | 17 | usr/lib/ipsec/plugins/libstrongswan-pkcs7.so |
1780 | 16 | usr/lib/ipsec/plugins/libstrongswan-pkcs8.so | 18 | usr/lib/ipsec/plugins/libstrongswan-pkcs8.so |
1781 | 17 | usr/lib/ipsec/plugins/libstrongswan-pkcs12.so | ||
1782 | 18 | usr/lib/ipsec/plugins/libstrongswan-pubkey.so | 19 | usr/lib/ipsec/plugins/libstrongswan-pubkey.so |
1783 | 19 | usr/lib/ipsec/plugins/libstrongswan-random.so | 20 | usr/lib/ipsec/plugins/libstrongswan-random.so |
1784 | 20 | usr/lib/ipsec/plugins/libstrongswan-rc2.so | 21 | usr/lib/ipsec/plugins/libstrongswan-rc2.so |
1785 | @@ -31,15 +32,17 @@ usr/share/strongswan/templates/config/plugins/dnskey.conf | |||
1786 | 31 | usr/share/strongswan/templates/config/plugins/fips-prf.conf | 32 | usr/share/strongswan/templates/config/plugins/fips-prf.conf |
1787 | 32 | usr/share/strongswan/templates/config/plugins/gmp.conf | 33 | usr/share/strongswan/templates/config/plugins/gmp.conf |
1788 | 33 | usr/share/strongswan/templates/config/plugins/hmac.conf | 34 | usr/share/strongswan/templates/config/plugins/hmac.conf |
1789 | 35 | usr/share/strongswan/templates/config/plugins/kernel-netlink.conf | ||
1790 | 36 | usr/share/strongswan/templates/config/plugins/md4.conf | ||
1791 | 34 | usr/share/strongswan/templates/config/plugins/md5.conf | 37 | usr/share/strongswan/templates/config/plugins/md5.conf |
1792 | 35 | usr/share/strongswan/templates/config/plugins/mgf1.conf | 38 | usr/share/strongswan/templates/config/plugins/mgf1.conf |
1793 | 36 | usr/share/strongswan/templates/config/plugins/nonce.conf | 39 | usr/share/strongswan/templates/config/plugins/nonce.conf |
1794 | 37 | usr/share/strongswan/templates/config/plugins/pgp.conf | ||
1795 | 38 | usr/share/strongswan/templates/config/plugins/pem.conf | 40 | usr/share/strongswan/templates/config/plugins/pem.conf |
1796 | 41 | usr/share/strongswan/templates/config/plugins/pgp.conf | ||
1797 | 39 | usr/share/strongswan/templates/config/plugins/pkcs1.conf | 42 | usr/share/strongswan/templates/config/plugins/pkcs1.conf |
1798 | 43 | usr/share/strongswan/templates/config/plugins/pkcs12.conf | ||
1799 | 40 | usr/share/strongswan/templates/config/plugins/pkcs7.conf | 44 | usr/share/strongswan/templates/config/plugins/pkcs7.conf |
1800 | 41 | usr/share/strongswan/templates/config/plugins/pkcs8.conf | 45 | usr/share/strongswan/templates/config/plugins/pkcs8.conf |
1801 | 42 | usr/share/strongswan/templates/config/plugins/pkcs12.conf | ||
1802 | 43 | usr/share/strongswan/templates/config/plugins/pubkey.conf | 46 | usr/share/strongswan/templates/config/plugins/pubkey.conf |
1803 | 44 | usr/share/strongswan/templates/config/plugins/random.conf | 47 | usr/share/strongswan/templates/config/plugins/random.conf |
1804 | 45 | usr/share/strongswan/templates/config/plugins/rc2.conf | 48 | usr/share/strongswan/templates/config/plugins/rc2.conf |
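Review bot: `kernel-netlink.conf` is added to the template list at new line 35 (and to the etc/strongswan.d/charon list in the next hunk), but the plugin list in the first hunk of this file goes straight from `libstrongswan-hmac.so` to `libstrongswan-md4.so` with no `libstrongswan-kernel-netlink.so` in between. Please confirm which package ships the kernel-netlink plugin itself and whether its configuration should live with it rather than here; a config file for a plugin installed by a different package is easy to orphan.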
1805 | @@ -55,15 +58,17 @@ etc/strongswan.d/charon/dnskey.conf | |||
1806 | 55 | etc/strongswan.d/charon/fips-prf.conf | 58 | etc/strongswan.d/charon/fips-prf.conf |
1807 | 56 | etc/strongswan.d/charon/gmp.conf | 59 | etc/strongswan.d/charon/gmp.conf |
1808 | 57 | etc/strongswan.d/charon/hmac.conf | 60 | etc/strongswan.d/charon/hmac.conf |
1809 | 61 | etc/strongswan.d/charon/kernel-netlink.conf | ||
1810 | 62 | etc/strongswan.d/charon/md4.conf | ||
1811 | 58 | etc/strongswan.d/charon/md5.conf | 63 | etc/strongswan.d/charon/md5.conf |
1812 | 59 | etc/strongswan.d/charon/mgf1.conf | 64 | etc/strongswan.d/charon/mgf1.conf |
1813 | 60 | etc/strongswan.d/charon/nonce.conf | 65 | etc/strongswan.d/charon/nonce.conf |
1814 | 61 | etc/strongswan.d/charon/pgp.conf | ||
1815 | 62 | etc/strongswan.d/charon/pem.conf | 66 | etc/strongswan.d/charon/pem.conf |
1816 | 67 | etc/strongswan.d/charon/pgp.conf | ||
1817 | 68 | etc/strongswan.d/charon/pkcs12.conf | ||
1818 | 63 | etc/strongswan.d/charon/pkcs1.conf | 69 | etc/strongswan.d/charon/pkcs1.conf |
1819 | 64 | etc/strongswan.d/charon/pkcs7.conf | 70 | etc/strongswan.d/charon/pkcs7.conf |
1820 | 65 | etc/strongswan.d/charon/pkcs8.conf | 71 | etc/strongswan.d/charon/pkcs8.conf |
1821 | 66 | etc/strongswan.d/charon/pkcs12.conf | ||
1822 | 67 | etc/strongswan.d/charon/pubkey.conf | 72 | etc/strongswan.d/charon/pubkey.conf |
1823 | 68 | etc/strongswan.d/charon/random.conf | 73 | etc/strongswan.d/charon/random.conf |
1824 | 69 | etc/strongswan.d/charon/rc2.conf | 74 | etc/strongswan.d/charon/rc2.conf |
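Review bot: In this list `pkcs12.conf` (new line 68) is placed before `pkcs1.conf`, while the plugin and template lists in the two hunks above put pkcs12 after pkcs1. Since the point of moving the pgp and pkcs12 lines appears to be consistent sorting, use the same order in all three lists so that future diffs against Debian stay minimal.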
1825 | diff --git a/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch | |||
1826 | 70 | new file mode 100644 | 75 | new file mode 100644 |
1827 | index 0000000..004b50b | |||
1828 | --- /dev/null | |||
1829 | +++ b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch | |||
1830 | @@ -0,0 +1,11 @@ | |||
1831 | 1 | --- a/conf/plugins/kernel-libipsec.conf | ||
1832 | 2 | +++ b/conf/plugins/kernel-libipsec.conf | ||
1833 | 3 | @@ -5,7 +5,7 @@ | ||
1834 | 4 | |||
1835 | 5 | # Whether to load the plugin. Can also be an integer to increase the | ||
1836 | 6 | # priority of this plugin. | ||
1837 | 7 | - load = yes | ||
1838 | 8 | + load = no | ||
1839 | 9 | |||
1840 | 10 | } | ||
1841 | 11 | |||
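Review bot: The new patch file starts directly at `--- a/conf/plugins/kernel-libipsec.conf` with no header, so nothing records why `load = yes` becomes `load = no`. Please add a DEP-3 header (Description, Author, Forwarded, Last-Update) stating the reason the userspace IPsec backend must not be loaded by default once it is shipped in libcharon-extra-plugins, and whether this is Ubuntu-only delta or something to forward to Debian.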
1842 | diff --git a/debian/patches/series b/debian/patches/series | |||
1843 | index fde45f5..c72895f 100644 | |||
1844 | --- a/debian/patches/series | |||
1845 | +++ b/debian/patches/series | |||
1846 | @@ -2,3 +2,4 @@ | |||
1847 | 2 | 02_disable-bypass-lan.patch | 2 | 02_disable-bypass-lan.patch |
1848 | 3 | 03_systemd-service.patch | 3 | 03_systemd-service.patch |
1849 | 4 | 04_disable-libtls-tests.patch | 4 | 04_disable-libtls-tests.patch |
1850 | 5 | dont-load-kernel-libipsec-plugin-by-default.patch | ||
1851 | diff --git a/debian/rules b/debian/rules | |||
1852 | index d1dbf8a..d3450c7 100755 | |||
1853 | --- a/debian/rules | |||
1854 | +++ b/debian/rules | |||
1855 | @@ -4,20 +4,36 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 | |||
1856 | 4 | export DEB_BUILD_MAINT_OPTIONS=hardening=+all | 4 | export DEB_BUILD_MAINT_OPTIONS=hardening=+all |
1857 | 5 | 5 | ||
1858 | 6 | CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ | 6 | CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1859 | 7 | --with-tss=trousers \ | ||
1860 | 8 | --enable-acert \ | ||
1861 | 7 | --enable-addrblock \ | 9 | --enable-addrblock \ |
1862 | 8 | --enable-agent \ | 10 | --enable-agent \ |
1863 | 9 | --enable-bypass-lan \ | 11 | --enable-bypass-lan \ |
1864 | 12 | --enable-attr-sql \ | ||
1865 | 13 | --enable-bliss \ | ||
1866 | 10 | --enable-ccm \ | 14 | --enable-ccm \ |
1867 | 11 | --enable-certexpire \ | 15 | --enable-certexpire \ |
1868 | 16 | --enable-chapoly \ | ||
1869 | 12 | --enable-cmd \ | 17 | --enable-cmd \ |
1870 | 18 | --enable-coupling \ | ||
1871 | 13 | --enable-ctr \ | 19 | --enable-ctr \ |
1872 | 14 | --enable-curl \ | 20 | --enable-curl \ |
1873 | 21 | --enable-dnscert \ | ||
1874 | 15 | --enable-eap-aka \ | 22 | --enable-eap-aka \ |
1875 | 23 | --enable-eap-aka-3gpp2 \ | ||
1876 | 24 | --enable-eap-dynamic \ | ||
1877 | 16 | --enable-eap-gtc \ | 25 | --enable-eap-gtc \ |
1878 | 17 | --enable-eap-identity \ | 26 | --enable-eap-identity \ |
1879 | 18 | --enable-eap-md5 \ | 27 | --enable-eap-md5 \ |
1880 | 19 | --enable-eap-mschapv2 \ | 28 | --enable-eap-mschapv2 \ |
1881 | 29 | --enable-eap-peap \ | ||
1882 | 20 | --enable-eap-radius \ | 30 | --enable-eap-radius \ |
1883 | 31 | --enable-eap-sim \ | ||
1884 | 32 | --enable-eap-simaka-pseudonym \ | ||
1885 | 33 | --enable-eap-simaka-reauth \ | ||
1886 | 34 | --enable-eap-simaka-sql \ | ||
1887 | 35 | --enable-eap-sim-file \ | ||
1888 | 36 | --enable-eap-sim-pcsc \ | ||
1889 | 21 | --enable-eap-tls \ | 37 | --enable-eap-tls \ |
1890 | 22 | --enable-eap-tnc \ | 38 | --enable-eap-tnc \ |
1891 | 23 | --enable-eap-ttls \ | 39 | --enable-eap-ttls \ |
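Review bot: the added options in this hunk break the alphabetical order the list otherwise follows: `--enable-attr-sql` and `--enable-bliss` are inserted after `--enable-bypass-lan`, and `--with-tss=trousers` sits at the top ahead of the `--enable-*` block. Sorting the additions into place would keep the delta against Debian easy to read and re-apply on the next merge.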
1892 | @@ -25,18 +41,52 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ | |||
1893 | 25 | --enable-gcm \ | 41 | --enable-gcm \ |
1894 | 26 | --enable-gcrypt \ | 42 | --enable-gcrypt \ |
1895 | 27 | --enable-ha \ | 43 | --enable-ha \ |
1896 | 44 | --enable-imc-attestation \ | ||
1897 | 45 | --enable-imc-os \ | ||
1898 | 46 | --enable-imc-scanner \ | ||
1899 | 47 | --enable-imc-swid \ | ||
1900 | 48 | --enable-imc-test \ | ||
1901 | 49 | --enable-imv-attestation \ | ||
1902 | 50 | --enable-imv-os \ | ||
1903 | 51 | --enable-imv-scanner \ | ||
1904 | 52 | --enable-imv-swid \ | ||
1905 | 53 | --enable-imv-test \ | ||
1906 | 54 | --enable-ipseckey \ | ||
1907 | 55 | --enable-kernel-libipsec \ | ||
1908 | 28 | --enable-ldap \ | 56 | --enable-ldap \ |
1909 | 29 | --enable-led \ | 57 | --enable-led \ |
1910 | 58 | --enable-load-tester \ | ||
1911 | 30 | --enable-lookip \ | 59 | --enable-lookip \ |
1912 | 31 | --enable-mediation \ | 60 | --enable-mediation \ |
1913 | 61 | --enable-md4 \ | ||
1914 | 62 | --enable-mysql \ | ||
1915 | 63 | --enable-ntru \ | ||
1916 | 32 | --enable-openssl \ | 64 | --enable-openssl \ |
1917 | 33 | --enable-pkcs11 \ | 65 | --enable-pkcs11 \ |
1918 | 66 | --enable-radattr \ | ||
1919 | 67 | --enable-soup \ | ||
1920 | 68 | --enable-sql \ | ||
1921 | 69 | --enable-sqlite \ | ||
1922 | 70 | --enable-systime-fix \ | ||
1923 | 34 | --enable-test-vectors \ | 71 | --enable-test-vectors \ |
1924 | 35 | --enable-tpm \ | 72 | --enable-tpm \ |
1925 | 73 | --enable-tnccs-11 \ | ||
1926 | 74 | --enable-tnccs-20 \ | ||
1927 | 75 | --enable-tnccs-dynamic \ | ||
1928 | 76 | --enable-tnc-ifmap \ | ||
1929 | 77 | --enable-tnc-imc \ | ||
1930 | 78 | --enable-tnc-imv \ | ||
1931 | 79 | --enable-tnc-pdp \ | ||
1932 | 80 | --enable-unbound \ | ||
1933 | 81 | --enable-unit-tests \ | ||
1934 | 36 | --enable-unity \ | 82 | --enable-unity \ |
1935 | 83 | --enable-whitelist \ | ||
1936 | 37 | --enable-xauth-eap \ | 84 | --enable-xauth-eap \ |
1937 | 85 | --enable-xauth-generic \ | ||
1938 | 86 | --enable-xauth-noauth \ | ||
1939 | 38 | --enable-xauth-pam \ | 87 | --enable-xauth-pam \ |
1940 | 39 | --disable-blowfish \ | 88 | --disable-blowfish \ |
1941 | 89 | --disable-fast \ | ||
1942 | 40 | --disable-des # BSD-Young license | 90 | --disable-des # BSD-Young license |
1943 | 41 | #--with-user=strongswan --with-group=nogroup | 91 | #--with-user=strongswan --with-group=nogroup |
1944 | 42 | # --enable-kernel-pfkey --enable-kernel-klips \ | 92 | # --enable-kernel-pfkey --enable-kernel-klips \ |
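Review bot: `--enable-load-tester`, `--enable-unit-tests` and `--enable-xauth-noauth` in this hunk build test-oriented components, and xauth-noauth is an XAuth backend that performs no credential verification. The series hunk adds a `load = no` patch for kernel-libipsec only, so please confirm which binary packages ship the other plugins and that none of them is loaded by default on a system that merely has the package installed. A short comment next to each of these flags saying why it is enabled would also help.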
1945 | @@ -190,12 +240,6 @@ endif | |||
1946 | 190 | 240 | ||
1947 | 191 | # add additional files not covered by upstream makefile... | 241 | # add additional files not covered by upstream makefile... |
1948 | 192 | install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets | 242 | install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
1949 | 193 | # also "patch" ipsec.conf to include the debconf-managed file | ||
1950 | 194 | echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf | ||
1951 | 195 | echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf | ||
1952 | 196 | # and to enable both IKEv1 and IKEv2 by default | ||
1953 | 197 | sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp | ||
1954 | 198 | mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf | ||
1955 | 199 | 243 | ||
1956 | 200 | # set permissions on ipsec.secrets and private key directories | 244 | # set permissions on ipsec.secrets and private key directories |
1957 | 201 | chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets | 245 | chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
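Review bot: with the `echo "include /var/lib/strongswan/ipsec.conf.inc"` line removed, the packaged ipsec.conf no longer pulls in the debconf-managed file, and the `charonstart=yes` rewrite is dropped with it. Please check that no maintainer script still writes /var/lib/strongswan/ipsec.conf.inc, and note in debian/changelog what happens on upgrade for systems whose existing ipsec.conf still carries that include line.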
1958 | diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install | |||
1959 | index 9a4c0d1..b5250dc 100644 | |||
1960 | --- a/debian/strongswan-starter.install | |||
1961 | +++ b/debian/strongswan-starter.install | |||
1962 | @@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so | |||
1963 | 16 | usr/share/strongswan/templates/config/plugins/stroke.conf | 16 | usr/share/strongswan/templates/config/plugins/stroke.conf |
1964 | 17 | etc/strongswan.d/charon/stroke.conf | 17 | etc/strongswan.d/charon/stroke.conf |
1965 | 18 | debian/usr.lib.ipsec.stroke /etc/apparmor.d/ | 18 | debian/usr.lib.ipsec.stroke /etc/apparmor.d/ |
1966 | 19 | #pool | ||
1967 | 20 | usr/lib/ipsec/pool | ||
1968 | 21 | usr/share/strongswan/templates/config/strongswan.d/pool.conf | ||
1969 | 22 | etc/strongswan.d/pool.conf | ||
1970 | diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst | |||
1971 | index 9e4d7b1..9b7c734 100644 | |||
1972 | --- a/debian/strongswan-starter.postinst | |||
1973 | +++ b/debian/strongswan-starter.postinst | |||
1974 | @@ -220,63 +220,6 @@ case "$1" in | |||
1975 | 220 | db_set strongswan/install_x509_certificate false | 220 | db_set strongswan/install_x509_certificate false |
1976 | 221 | fi | 221 | fi |
1977 | 222 | 222 | ||
1978 | 223 | # lets see if we are already using dependency based booting or the correct runlevel parameters | ||
1979 | 224 | if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then | ||
1980 | 225 | db_fset strongswan/runlevel_changes seen false | ||
1981 | 226 | db_input high strongswan/runlevel_changes || true | ||
1982 | 227 | db_go | ||
1983 | 228 | |||
1984 | 229 | # if the admin did not change the runlevels which got installed by older packages we can modify them | ||
1985 | 230 | if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then | ||
1986 | 231 | update-rc.d -f ipsec remove | ||
1987 | 232 | fi | ||
1988 | 233 | |||
1989 | 234 | update-rc.d ipsec defaults 16 84 > /dev/null | ||
1990 | 235 | fi | ||
1991 | 236 | |||
1992 | 237 | db_get strongswan/enable-oe | ||
1993 | 238 | if [ "$RET" != "true" ]; then | ||
1994 | 239 | echo -n "Disabling opportunistic encryption (OE) in config file ... " | ||
1995 | 240 | if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then | ||
1996 | 241 | # also update to new-style config | ||
1997 | 242 | sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp | ||
1998 | 243 | mv $CONF_FILE.tmp $CONF_FILE | ||
1999 | 244 | echo -n "converted old config line to new format" | ||
2000 | 245 | fi | ||
2001 | 246 | if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then | ||
2002 | 247 | sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp | ||
2003 | 248 | mv $CONF_FILE.tmp $CONF_FILE | ||
2004 | 249 | echo "done" | ||
2005 | 250 | elif [ ! -e $CONF_FILE ]; then | ||
2006 | 251 | echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE | ||
2007 | 252 | else | ||
2008 | 253 | echo "already disabled" | ||
2009 | 254 | fi | ||
2010 | 255 | else | ||
2011 | 256 | echo -n "Enabling opportunistic encryption (OE) in config file ... " | ||
2012 | 257 | if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then | ||
2013 | 258 | # also update to new-style config | ||
2014 | 259 | sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp | ||
2015 | 260 | mv $CONF_FILE.tmp $CONF_FILE | ||
2016 | 261 | echo -n "converted old config line to new format" | ||
2017 | 262 | fi | ||
2018 | 263 | if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then | ||
2019 | 264 | echo "already enabled" | ||
2020 | 265 | elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then | ||
2021 | 266 | sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp | ||
2022 | 267 | mv $CONF_FILE.tmp $CONF_FILE | ||
2023 | 268 | echo "done" | ||
2024 | 269 | elif [ ! -e $CONF_FILE ]; then | ||
2025 | 270 | echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE | ||
2026 | 271 | else | ||
2027 | 272 | cat <<EOF >> $CONF_FILE | ||
2028 | 273 | #Enable Opportunistic Encryption | ||
2029 | 274 | include /etc/ipsec.d/examples/oe.conf | ||
2030 | 275 | EOF | ||
2031 | 276 | echo "done" | ||
2032 | 277 | fi | ||
2033 | 278 | fi | ||
2034 | 279 | |||
2035 | 280 | # disabled for now, until we can solve the don't-edit-conffiles issue | 223 | # disabled for now, until we can solve the don't-edit-conffiles issue |
2036 | 281 | #db_get strongswan/ikev1 | 224 | #db_get strongswan/ikev1 |
2037 | 282 | #if [ "$RET" != "true" ]; then | 225 | #if [ "$RET" != "true" ]; then |
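Review bot: the block removed here is what reads the debconf questions `strongswan/runlevel_changes` and `strongswan/enable-oe`. If nothing else in the package uses them, the matching entries in the templates and config scripts should be dropped in the same change, otherwise users are still asked questions whose answers are ignored. The `$runlevels` variable is likewise only used in the removed lines shown, so whatever computes it earlier in the script can probably go as well.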
2038 | diff --git a/debian/strongswan-tnc-base.install b/debian/strongswan-tnc-base.install | |||
2039 | 283 | new file mode 100644 | 226 | new file mode 100644 |
2040 | index 0000000..a9e3f32 | |||
2041 | --- /dev/null | |||
2042 | +++ b/debian/strongswan-tnc-base.install | |||
2043 | @@ -0,0 +1,16 @@ | |||
2044 | 1 | etc/strongswan.d/charon/tnccs-11.conf | ||
2045 | 2 | etc/strongswan.d/charon/tnccs-20.conf | ||
2046 | 3 | etc/strongswan.d/charon/tnccs-dynamic.conf | ||
2047 | 4 | etc/strongswan.d/charon/tnc-tnccs.conf | ||
2048 | 5 | etc/strongswan.d/imcv.conf | ||
2049 | 6 | etc/strongswan.d/tnc.conf | ||
2050 | 7 | usr/lib/ipsec/libimcv.* | ||
2051 | 8 | usr/lib/ipsec/libtnccs.so* | ||
2052 | 9 | usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so | ||
2053 | 10 | usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so | ||
2054 | 11 | usr/share/strongswan/templates/config/plugins/tnccs-11.conf | ||
2055 | 12 | usr/share/strongswan/templates/config/plugins/tnccs-20.conf | ||
2056 | 13 | usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf | ||
2057 | 14 | usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf | ||
2058 | 15 | usr/share/strongswan/templates/config/strongswan.d/imcv.conf | ||
2059 | 16 | usr/share/strongswan/templates/config/strongswan.d/tnc.conf | ||
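Review bot: line 7 uses `usr/lib/ipsec/libimcv.*` while line 8 uses `usr/lib/ipsec/libtnccs.so*`. The first glob also matches non-shared-object files such as `libimcv.a` or `libimcv.la` if the build produces them. Unless that is intended, use `libimcv.so*` so both entries follow the same pattern.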
2060 | diff --git a/debian/strongswan-tnc-client.install b/debian/strongswan-tnc-client.install | |||
2061 | 0 | new file mode 100644 | 17 | new file mode 100644 |
2062 | index 0000000..88449c6 | |||
2063 | --- /dev/null | |||
2064 | +++ b/debian/strongswan-tnc-client.install | |||
2065 | @@ -0,0 +1,5 @@ | |||
2066 | 1 | etc/strongswan.d/charon/tnc-imc.conf | ||
2067 | 2 | usr/lib/ipsec/imcvs/imc-*.so | ||
2068 | 3 | usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so | ||
2069 | 4 | usr/share/strongswan/swidtag/strongswan.org__strongSwan-*.swidtag | ||
2070 | 5 | usr/share/strongswan/templates/config/plugins/tnc-imc.conf | ||
2071 | diff --git a/debian/strongswan-tnc-ifmap.install b/debian/strongswan-tnc-ifmap.install | |||
2072 | 0 | new file mode 100644 | 6 | new file mode 100644 |
2073 | index 0000000..3c8083b | |||
2074 | --- /dev/null | |||
2075 | +++ b/debian/strongswan-tnc-ifmap.install | |||
2076 | @@ -0,0 +1,3 @@ | |||
2077 | 1 | etc/strongswan.d/charon/tnc-ifmap.conf | ||
2078 | 2 | usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so | ||
2079 | 3 | usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf | ||
2080 | diff --git a/debian/strongswan-tnc-pdp.install b/debian/strongswan-tnc-pdp.install | |||
2081 | 0 | new file mode 100644 | 4 | new file mode 100644 |
2082 | index 0000000..2534386 | |||
2083 | --- /dev/null | |||
2084 | +++ b/debian/strongswan-tnc-pdp.install | |||
2085 | @@ -0,0 +1,3 @@ | |||
2086 | 1 | etc/strongswan.d/charon/tnc-pdp.conf | ||
2087 | 2 | usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so | ||
2088 | 3 | usr/share/strongswan/templates/config/plugins/tnc-pdp.conf | ||
2089 | diff --git a/debian/strongswan-tnc-server.install b/debian/strongswan-tnc-server.install | |||
2090 | 0 | new file mode 100644 | 4 | new file mode 100644 |
2091 | index 0000000..da633f6 | |||
2092 | --- /dev/null | |||
2093 | +++ b/debian/strongswan-tnc-server.install | |||
2094 | @@ -0,0 +1,10 @@ | |||
2095 | 1 | etc/strongswan.d/attest.conf | ||
2096 | 2 | etc/strongswan.d/charon/tnc-imv.conf | ||
2097 | 3 | usr/lib/ipsec/attest | ||
2098 | 4 | usr/lib/ipsec/imcvs/imv-*.so | ||
2099 | 5 | usr/lib/ipsec/_imv_policy | ||
2100 | 6 | usr/lib/ipsec/imv_policy_manager | ||
2101 | 7 | usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so | ||
2102 | 8 | usr/share/strongswan/templates/config/plugins/tnc-imv.conf | ||
2103 | 9 | usr/share/strongswan/templates/config/strongswan.d/attest.conf | ||
2104 | 10 | usr/share/strongswan/templates/database/imv/*.sql | ||
2105 | diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon | |||
2106 | index 9e24c74..14cfa6d 100644 | |||
2107 | --- a/debian/usr.lib.ipsec.charon | |||
2108 | +++ b/debian/usr.lib.ipsec.charon | |||
2109 | @@ -41,7 +41,7 @@ | |||
2110 | 41 | network, | 41 | network, |
2111 | 42 | network raw, | 42 | network raw, |
2112 | 43 | 43 | ||
2114 | 44 | /bin/dash rmPUx, | 44 | /{,usr/}bin/dash rmPUx, |
2115 | 45 | 45 | ||
2116 | 46 | # libchron-extra-plugins: kernel-libipsec | 46 | # libchron-extra-plugins: kernel-libipsec |
2117 | 47 | /dev/net/tun rw, | 47 | /dev/net/tun rw, |
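Review bot: `/{,usr/}bin/dash rmPUx,` extends the existing rule to the merged-/usr path but keeps the `PUx` transition, which runs dash unconfined whenever no dash profile is loaded. If the shell is only needed for the updown script, consider a child profile or `ix` with the specific paths that script needs, rather than widening a rule that already lets the daemon leave confinement. Separately, the context comment `# libchron-extra-plugins: kernel-libipsec` is a typo for libcharon-extra-plugins and could be fixed while this line is being touched.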
2118 | diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd | |||
2119 | index 920fe72..940de46 100644 | |||
2120 | --- a/debian/usr.sbin.charon-systemd | |||
2121 | +++ b/debian/usr.sbin.charon-systemd | |||
2122 | @@ -19,6 +19,7 @@ | |||
2123 | 19 | #include <abstractions/authentication> | 19 | #include <abstractions/authentication> |
2124 | 20 | #include <abstractions/openssl> | 20 | #include <abstractions/openssl> |
2125 | 21 | #include <abstractions/p11-kit> | 21 | #include <abstractions/p11-kit> |
2126 | 22 | #include <abstractions/mysql> | ||
2127 | 22 | 23 | ||
2128 | 23 | capability ipc_lock, | 24 | capability ipc_lock, |
2129 | 24 | capability net_admin, | 25 | capability net_admin, |
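Review bot: `#include <abstractions/mysql>` is added to usr.sbin.charon-systemd, but the usr.lib.ipsec.charon diff in this proposal only changes the dash rule. If the mysql plugin can be loaded by charon under either profile, both need the abstraction, otherwise the plugin will be denied when the daemon is started through the starter. It also grants MySQL client access to every install, so a comment naming the plugin that needs it, in the style of the `# libchron-extra-plugins: kernel-libipsec` comment below, would make the reason clear.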
2130 | @@ -41,7 +42,7 @@ | |||
2131 | 41 | network, | 42 | network, |
2132 | 42 | network raw, | 43 | network raw, |
2133 | 43 | 44 | ||
2135 | 44 | /bin/dash rmPUx, | 45 | /{,usr/}bin/dash rmPUx, |
2136 | 45 | 46 | ||
2137 | 46 | # libchron-extra-plugins: kernel-libipsec | 47 | # libchron-extra-plugins: kernel-libipsec |
2138 | 47 | /dev/net/tun rw, | 48 | /dev/net/tun rw, |
Paramiko's failures are due to an incorrect packaging of the 2.4.1 orig tarball I believe. The failures are because of the missing .pub files, which are present in the upstream 2.4.1 tarball, but not in our orig one:
https://pastebin.ubuntu.com/p/GKgxv64t2K/