Merge ~ahasenack/ubuntu/+source/strongswan:mantic-strongswan-merge into ubuntu/+source/strongswan:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 3030e09ab5743ab2a7a7cea41266a8512a8a783d
Proposed branch: ~ahasenack/ubuntu/+source/strongswan:mantic-strongswan-merge
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 2661 lines (+2356/-4)
10 files modified
debian/changelog (+1859/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
debian/tests/control (+6/-0)
debian/tests/host-to-host (+401/-0)
debian/tests/utils (+61/-0)
debian/usr.sbin.swanctl (+1/-1)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+445300@code.launchpad.net

Description of the change

Simple merge from Debian. I squashed two d/t/util commits in the logical tag, dropped a delta that is applied upstream, and that's about it.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/mantic-strongswan-merge
DEP8: green

The DEP8 delta is a bit hard to send to Debian, as it needs VMs to run, and lxd from the snap, and some other changes where Ubuntu assumptions were made. This delta is quite trivial to maintain, however.

Lucas Kanashiro (lucaskanashiro) wrote :

I am going to review this one.

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for the MP Andreas! LGTM, +1. I added a not so important inline comment regarding the changelog, feel free to address it or not.

What I noticed after running lintian against this package is that there are many files not covered by the debian/copyright, maybe this is worth a bug report so the Debian maintainer can address it in the next upload. This is the lintian warning: file-without-copyright-information (many of them).

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
3030e09... by Andreas Hasenack

changelog

Andreas Hasenack (ahasenack) wrote :

Thanks, I updated the changelog reference, and filed https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039527 for d/copyright.

Andreas Hasenack (ahasenack) wrote :

Uploaded:
Uploading strongswan_5.9.11-1ubuntu1.dsc
Uploading strongswan_5.9.11-1ubuntu1.debian.tar.xz
Uploading strongswan_5.9.11-1ubuntu1_source.buildinfo
Uploading strongswan_5.9.11-1ubuntu1_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b8cbd23..fa3f8fa 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,39 @@
6+strongswan (5.9.11-1ubuntu1) mantic; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #2018113). Remaining changes:
9+ - d/control: strongswan-starter hard-depends on strongswan-charon,
10+ therefore bump the dependency from Recommends to Depends. At the same
11+ time avoid a circular dependency by dropping
12+ strongswan-charon->strongswan-starter from Depends to Recommends as the
13+ binaries can work without the services but not vice versa.
14+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
15+ + d/control: mention plugins in package description
16+ + d/rules: enable ntru at build time
17+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
18+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
19+ + d/control: update libcharon-extra-plugins description.
20+ + d/libcharon-extra-plugins.install: install .so and conf files.
21+ + d/rules: add plugins to the configuration arguments.
22+ - Remove conf files of plugins removed from libcharon-extra-plugins
23+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
24+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
25+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
26+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
27+ properly.
28+ - d/t/{control,host-to-host,utils}: new host-to-host test
29+ (LP #1999525)
30+ - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
31+ (LP #1999935)
32+ * Dropped:
33+ - SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
34+ Incorrect Refcount
35+ + debian/patches/CVE-2023-26463.patch: fix authentication bypass and
36+ expired pointer dereference in src/libtls/tls_server.c.
37+ + CVE-2023-26463
38+ [Fixed upstream in 5.9.10]
39+
40+ -- Andreas Hasenack <andreas@canonical.com> Fri, 23 Jun 2023 14:05:18 -0300
41+
42 strongswan (5.9.11-1) unstable; urgency=medium
43
44 * New upstream version 5.9.10
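Review bot: the Dropped item for debian/patches/CVE-2023-26463.patch in the new 5.9.11-1ubuntu1 stanza justifies the removal only with "[Fixed upstream in 5.9.10]", while the unchanged Debian stanza directly below is headed 5.9.11-1 but reads "New upstream version 5.9.10", so the version trail a reader would follow to confirm the fix is ambiguous here. The patch addressed an authentication bypass and expired pointer dereference in src/libtls/tls_server.c, so I would add the upstream commit or advisory reference to the bracketed note, which lets the drop be verified without diffing the tree. The context line is Debian's text and stays as it is.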
45@@ -17,6 +53,66 @@ strongswan (5.9.8-4) unstable; urgency=medium
46
47 -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100
48
49+strongswan (5.9.8-3ubuntu4) lunar; urgency=medium
50+
51+ * d/t/utils: also give `cloud-init status --wait` the same amount of
52+ ${limit} seconds to complete, and bump limit to 5min. The logs show
53+ the container started up fine, with an IP.
54+
55+ -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Mar 2023 11:00:58 -0300
56+
57+strongswan (5.9.8-3ubuntu3) lunar; urgency=medium
58+
59+ * SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
60+ Incorrect Refcount
61+ - debian/patches/CVE-2023-26463.patch: fix authentication bypass and
62+ expired pointer dereference in src/libtls/tls_server.c.
63+ - CVE-2023-26463
64+
65+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 02 Mar 2023 12:58:47 -0500
66+
67+strongswan (5.9.8-3ubuntu2) lunar; urgency=medium
68+
69+ * d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
70+ (LP: #1999935)
71+
72+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Dec 2022 16:07:51 -0300
73+
74+strongswan (5.9.8-3ubuntu1) lunar; urgency=medium
75+
76+ * Merge with Debian unstable (LP: #1993449). Remaining changes:
77+ - d/control: strongswan-starter hard-depends on strongswan-charon,
78+ therefore bump the dependency from Recommends to Depends. At the same
79+ time avoid a circular dependency by dropping
80+ strongswan-charon->strongswan-starter from Depends to Recommends as the
81+ binaries can work without the services but not vice versa.
82+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
83+ + d/control: mention plugins in package description
84+ + d/rules: enable ntru at build time
85+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
86+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
87+ + d/control: update libcharon-extra-plugins description.
88+ + d/libcharon-extra-plugins.install: install .so and conf files.
89+ + d/rules: add plugins to the configuration arguments.
90+ - Remove conf files of plugins removed from libcharon-extra-plugins
91+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
92+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
93+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
94+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
95+ properly.
96+ * Dropped:
97+ - SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
98+ + debian/patches/CVE-2022-40617.patch: do online revocation checks only
99+ after basic trust chain validation in
100+ src/libstrongswan/credentials/credential_manager.c.
101+ + CVE-2022-40617
102+ [Included upstream in 5.9.8]
103+ * Added:
104+ - d/t/{control,host-to-host,utils}: new host-to-host test
105+ (LP: #1999525)
106+
107+ -- Andreas Hasenack <andreas@canonical.com> Tue, 13 Dec 2022 11:04:24 -0300
108+
109 strongswan (5.9.8-3) unstable; urgency=medium
110
111 * d/tests: also drop _copyright test since the util is gone as well
112@@ -45,6 +141,46 @@ strongswan (5.9.8-1) unstable; urgency=medium
113
114 -- Yves-Alexis Perez <corsac@debian.org> Wed, 05 Oct 2022 15:25:18 +0200
115
116+strongswan (5.9.6-1ubuntu2) kinetic; urgency=medium
117+
118+ * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
119+ - debian/patches/CVE-2022-40617.patch: do online revocation checks only
120+ after basic trust chain validation in
121+ src/libstrongswan/credentials/credential_manager.c.
122+ - CVE-2022-40617
123+
124+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 05 Oct 2022 08:11:03 -0400
125+
126+strongswan (5.9.6-1ubuntu1) kinetic; urgency=medium
127+
128+ * Merge with Debian unstable (LP: #1971328). Remaining changes:
129+ - d/control: strongswan-starter hard-depends on strongswan-charon,
130+ therefore bump the dependency from Recommends to Depends. At the same
131+ time avoid a circular dependency by dropping
132+ strongswan-charon->strongswan-starter from Depends to Recommends as the
133+ binaries can work without the services but not vice versa.
134+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
135+ + d/control: mention plugins in package description
136+ + d/rules: enable ntru at build time
137+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
138+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
139+ + d/control: update libcharon-extra-plugins description.
140+ + d/libcharon-extra-plugins.install: install .so and conf files.
141+ + d/rules: add plugins to the configuration arguments.
142+ - Remove conf files of plugins removed from libcharon-extra-plugins
143+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
144+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
145+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
146+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
147+ properly.
148+ * Dropped:
149+ - d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
150+ segmentation fault; don't access OpenSSL objects inside atexit()
151+ handlers. (LP #1964977)
152+ [included by upstream in version 5.9.6]
153+
154+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 10 Jun 2022 15:03:17 -0300
155+
156 strongswan (5.9.6-1) unstable; urgency=medium
157
158 * New upstream version 5.9.6
159@@ -53,6 +189,42 @@ strongswan (5.9.6-1) unstable; urgency=medium
160
161 -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200
162
163+strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
164+
165+ * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
166+ segmentation fault; don't access OpenSSL objects inside atexit()
167+ handlers. (LP: #1964977)
168+
169+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 18 Mar 2022 14:24:34 -0400
170+
171+strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
172+
173+ * Merge with Debian unstable. Remaining changes:
174+ - d/control: strongswan-starter hard-depends on strongswan-charon,
175+ therefore bump the dependency from Recommends to Depends. At the same
176+ time avoid a circular dependency by dropping
177+ strongswan-charon->strongswan-starter from Depends to Recommends as the
178+ binaries can work without the services but not vice versa.
179+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
180+ + d/control: mention plugins in package description
181+ + d/rules: enable ntru at build time
182+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
183+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
184+ + d/control: update libcharon-extra-plugins description.
185+ + d/libcharon-extra-plugins.install: install .so and conf files.
186+ + d/rules: add plugins to the configuration arguments.
187+ - Remove conf files of plugins removed from libcharon-extra-plugins
188+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
189+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
190+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
191+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
192+ properly.
193+ * Dropped patches included in new version:
194+ - debian/patches/CVE-2021-45079.patch
195+ - debian/patches/load-legacy-provider-in-openssl3.patch
196+
197+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Feb 2022 10:49:49 -0500
198+
199 strongswan (5.9.5-2) unstable; urgency=medium
200
201 * actually fix lintian overrides
202@@ -68,6 +240,60 @@ strongswan (5.9.5-1) unstable; urgency=medium
203
204 -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100
205
206+strongswan (5.9.4-1ubuntu4) jammy; urgency=medium
207+
208+ * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
209+ - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
210+ generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
211+ src/libcharon/plugins/eap_md5/eap_md5.c,
212+ src/libcharon/plugins/eap_radius/eap_radius.c,
213+ src/libcharon/sa/eap/eap_method.h,
214+ src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
215+ - CVE-2021-45079
216+
217+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 01 Feb 2022 07:23:37 -0500
218+
219+strongswan (5.9.4-1ubuntu3) jammy; urgency=medium
220+
221+ * No-change rebuild against libssl3
222+
223+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:38 +0000
224+
225+strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
226+
227+ * Add d/p/load-legacy-provider-in-openssl3.patch.
228+ Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
229+
230+ -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100
231+
232+strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
233+
234+ * Merge with Debian unstable. Remaining changes:
235+ - d/control: strongswan-starter hard-depends on strongswan-charon,
236+ therefore bump the dependency from Recommends to Depends. At the same
237+ time avoid a circular dependency by dropping
238+ strongswan-charon->strongswan-starter from Depends to Recommends as the
239+ binaries can work without the services but not vice versa.
240+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
241+ + d/control: mention plugins in package description
242+ + d/rules: enable ntru at build time
243+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
244+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
245+ + d/control: update libcharon-extra-plugins description.
246+ + d/libcharon-extra-plugins.install: install .so and conf files.
247+ + d/rules: add plugins to the configuration arguments.
248+ - Remove conf files of plugins removed from libcharon-extra-plugins
249+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
250+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
251+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
252+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
253+ properly.
254+ * Dropped changes:
255+ - Compile the tpm plugin against the tpm2 software stack (tss2).
256+ Merged in Debian (5.9.4-1).
257+
258+ -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100
259+
260 strongswan (5.9.4-1) unstable; urgency=medium
261
262 [ Paride Legovini ]
263@@ -84,6 +310,62 @@ strongswan (5.9.4-1) unstable; urgency=medium
264
265 -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200
266
267+strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
268+
269+ * SECURITY UPDATE: Integer Overflow in gmp Plugin
270+ - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
271+ negative salt length in
272+ src/libstrongswan/credentials/keys/signature_params.c,
273+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
274+ - CVE-2021-41990
275+ * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
276+ - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
277+ overflow/sign change in
278+ src/libstrongswan/credentials/sets/cert_cache.c.
279+ - CVE-2021-41991
280+
281+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400
282+
283+strongswan (5.9.1-1ubuntu3) impish; urgency=medium
284+
285+ * Compile the tpm plugin against the tpm2 software stack (tss2)
286+ (Debian packaging cherry-pick, LP: #1940079)
287+ - d/rules: add the --enable-tss-tss2 configure flag
288+ - d/control: add Build-Depends: libtss2-dev
289+
290+ -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200
291+
292+strongswan (5.9.1-1ubuntu2) impish; urgency=medium
293+
294+ * No-change rebuild due to OpenLDAP soname bump.
295+
296+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400
297+
298+strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium
299+
300+ * Merge with Debian unstable. Remaining changes:
301+ - d/control: strongswan-starter hard-depends on strongswan-charon,
302+ therefore bump the dependency from Recommends to Depends. At the same
303+ time avoid a circular dependency by dropping
304+ strongswan-charon->strongswan-starter from Depends to Recommends as the
305+ binaries can work without the services but not vice versa.
306+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
307+ + d/control: mention plugins in package description
308+ + d/rules: enable ntru at build time
309+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
310+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
311+ + d/control: update libcharon-extra-plugins description.
312+ + d/libcharon-extra-plugins.install: install .so and conf files.
313+ + d/rules: add plugins to the configuration arguments.
314+ - Remove conf files of plugins removed from libcharon-extra-plugins
315+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
316+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
317+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
318+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
319+ properly.
320+
321+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100
322+
323 strongswan (5.9.1-1) unstable; urgency=medium
324
325 * New upstream version 5.9.1
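Review bot: the 5.9.1-1ubuntu3.1 stanza adds debian/patches/CVE-2021-41990.patch and debian/patches/CVE-2021-41991.patch, but no later stanza in this diff records them as dropped; the "Dropped changes" list of 5.9.4-1ubuntu1 names only the tpm plugin change. These stanzas are published history and stay verbatim, so the check belongs to this merge: confirm that neither patch is still expected under debian/patches and that the upstream version being merged carries both fixes (rejecting a negative RSASSA-PSS salt length in signature_params.c and gmp_rsa_public_key.c, and the integer overflow in cert_cache.c).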
326@@ -98,6 +380,45 @@ strongswan (5.9.0-1) unstable; urgency=medium
327
328 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200
329
330+strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
331+
332+ * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
333+ - d/control: update libcharon-extra-plugins description.
334+ - d/libcharon-extra-plugins.install: install .so and conf files.
335+ - d/rules: add plugins to the configuration arguments.
336+ * Remove conf files of plugins removed from libcharon-extra-plugins
337+ - The conf file of the following plugins were removed: eap-aka-3gpp2,
338+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
339+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
340+ - Created d/libcharon-extra-plugins.maintscript to handle the removals
341+ properly.
342+
343+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300
344+
345+strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
346+
347+ * Merge with Debian unstable. Remaining changes:
348+ - d/control: strongswan-starter hard-depends on strongswan-charon,
349+ therefore bump the dependency from Recommends to Depends. At the same
350+ time avoid a circular dependency by dropping
351+ strongswan-charon->strongswan-starter from Depends to Recommends as the
352+ binaries can work without the services but not vice versa.
353+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
354+ + d/control: mention plugins in package description
355+ + d/rules: enable ntru at build time
356+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
357+ * Dropped:
358+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
359+ This is needed due to changes in regard to Debian bug 947176 and 939243
360+ and can later be dropped again.
361+ [applied by Debian in version 5.8.2-2]
362+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
363+ to common libcharon-extauth-plugins (drop after 20.04)
364+ - d/control: Transition from strongswan-tnc-* being in extra packages
365+ to libcharon-extra-plugins (drop after 20.04)
366+
367+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300
368+
369 strongswan (5.8.4-1) unstable; urgency=medium
370
371 * New upstream version 5.8.4 (Closes: #956446)
372@@ -113,6 +434,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
373
374 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100
375
376+strongswan (5.8.2-1ubuntu3) focal; urgency=medium
377+
378+ * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
379+ there is a potential local side-channel attack on strongSwan's BLISS
380+ implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
381+
382+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100
383+
384+strongswan (5.8.2-1ubuntu2) focal; urgency=medium
385+
386+ * re-add post-quantum computer signature scheme (BLISS) and encryption
387+ algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
388+ - d/control: mention plugins in package description
389+ - d/rules: enable ntru and bliss at build time
390+ - d/libstrongswan-extra-plugins.install: ship config and shared objects
391+
392+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100
393+
394+strongswan (5.8.2-1ubuntu1) focal; urgency=medium
395+
396+ * Merge with Debian unstable (LP: #1861971). Remaining changes:
397+ - d/control: Transition from strongswan-tnc-* being in extra packages
398+ to libcharon-extra-plugins (drop after 20.04)
399+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
400+ to common libcharon-extauth-plugins (drop after 20.04)
401+ - d/control: strongswan-starter hard-depends on strongswan-charon,
402+ therefore bump the dependency from Recommends to Depends. At the same
403+ time avoid a circular dependency by dropping
404+ strongswan-charon->strongswan-starter from Depends to Recommends as the
405+ binaries can work without the services but not vice versa.
406+ * Added Changes
407+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
408+ This is needed due to changes in regard to Debian bug 947176 and 939243
409+ and can later be dropped again.
410+
411+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
412+
413 strongswan (5.8.2-1) unstable; urgency=medium
414
415 [ Jean-Michel Vourgère ]
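Review bot: the 5.8.2-1ubuntu3 stanza removes BLISS because of the side-channel attack described at https://eprint.iacr.org/2017/505, but it does not say which part of 5.8.2-1ubuntu2 stays, and that upload enabled "ntru and bliss" in d/rules and also shipped "the dependent nttfft library". Later stanzas summarise the delta only as "re-add post-quantum encryption algorithm (NTRU)". I would check that the d/rules and d/libstrongswan-extra-plugins.install hunks of this merge contain no bliss entries, and state in the current stanza whether nttfft is still shipped alongside ntru.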
416@@ -129,6 +487,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
417
418 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
419
420+strongswan (5.8.1-1ubuntu1) focal; urgency=medium
421+
422+ * Merge with Debian unstable (LP: #1852579). Remaining changes:
423+ - d/control: Transition from strongswan-tnc-* being in extra packages
424+ to libcharon-extra-plugins
425+ * Added Changes:
426+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
427+ to common libcharon-extauth-plugins (drop after 20.04)
428+ - d/control: strongswan-starter hard-depends on strongswan-charon,
429+ therefore bump the dependency from Recommends to Depends. At the same
430+ time avoid a circular dependency by dropping
431+ strongswan-charon->strongswan-starter from Depends to Recommends as the
432+ binaries can work without the services but not vice versa.
433+ * Dropped Changes (now in Debian):
434+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
435+ - Clean up d/strongswan-starter.postinst: Removed entire section on
436+ opportunistic encryption disabling - this was never in strongSwan and
437+ won't be see upstream issue #2160.
438+ - d/rules: Removed patching ipsec.conf on build (not using the
439+ debconf-managed config.)
440+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
441+ used for debconf-managed include of private key).
442+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
443+ via this userspace implementation (please do note that this is still
444+ considered experimental by upstream).
445+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
446+ + d/control: List kernel-libipsec plugin at extra plugins description
447+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
448+ upstream recommends to not load kernel-libipsec by default.
449+ - d/control: Mention mgf1 plugin which is in libstrongswan now
450+ - Complete the disabling of libfast; This was partially accepted in Debian,
451+ it is no more packaging medcli and medsrv, but still builds and
452+ mentions it.
453+ + d/rules: Add --disable-fast to avoid build time and dependencies
454+ + d/control: Remove medcli, medsrv from package description
455+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
456+ libstrongswan-extra-plugins (no deps from default plugins).
457+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
458+ plugins for the most common use cases from extra-plugins into a new
459+ standard-plugins package. This will allow those use cases without pulling
460+ in too much more plugins (a bit like the tnc package). Recommend that
461+ package from strongswan-libcharon.
462+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
463+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
464+ - executables need to be able to read map and execute themselves otherwise
465+ execution in some environments e.g. containers is blocked (LP 1780534)
466+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
467+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
468+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
469+ profiles of both ways to start charon (LP 1807664)
470+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
471+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
472+ Debian so this part was be dropped. Two changes remain
473+ - d/control: fix the mentioning of tpmtss in d/control
474+ - apparmor fixes for container and root usage (LP 1826238)
475+ + d/usr.sbin.swanctl: allow reading own binary
476+ + d/usr.sbin.charon-systemd: allow accessing the binary
477+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
478+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
479+ to apparmor to allow dropping caps
480+ * Dropped Changes (too uncommon to support by default)
481+ - d/libstrongswan.install: Add kernel-netlink configuration files
482+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
483+ attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
484+ - Mass enablement of extra plugins and features to allow a user to use
485+ strongswan for a variety of extra use cases without having to rebuild.
486+ + d/control: Add required additional build-deps
487+ + d/control: Mention addtionally enabled plugins
488+ + d/rules: Enable features at configure stage
489+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
490+ + d/libstrongswan.install: Add plugins (so, conf)
491+ + d/strongswan-starter.install: Install pool feature, which is useful
492+ since we now have attr-sql plugin enabled it.
493+ - Enable additional TNC plugins and add them to libcharon-extra-plugins
494+
495+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
496+
497 strongswan (5.8.1-1) unstable; urgency=medium
498
499 * d/rules: disable http and stream tests under CI
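Review bot: the "Dropped Changes (now in Debian)" list in the 5.8.1-1ubuntu1 stanza shows that the earlier AppArmor rules (rmix for the stroke and lookip binaries, attach_disconnected for swanctl, CAP_SETPCAP for charon) were accepted by Debian, yet this merge still carries a one-line d/usr.sbin.swanctl delta for the "m" flag. I would forward that rule to Debian as well, with the reason from LP #1999935 in the changelog line, so the profile delta can be dropped at a later merge rather than re-reviewed each time.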
500@@ -198,6 +633,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
501
502 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
503
504+strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
505+
506+ * No change rebuild for libmysqlclient21.
507+
508+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
509+
510+strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
511+
512+ * Rebuild against new libjson-c4.
513+
514+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
515+
516+strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
517+
518+ [ Christian Ehrhardt ]
519+ * Merge with Debian unstable. Remaining changes:
520+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
521+ - Clean up d/strongswan-starter.postinst: Removed entire section on
522+ opportunistic encryption disabling - this was never in strongSwan and
523+ won't be see upstream issue #2160.
524+ - d/rules: Removed patching ipsec.conf on build (not using the
525+ debconf-managed config.)
526+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
527+ used for debconf-managed include of private key).
528+ - Mass enablement of extra plugins and features to allow a user to use
529+ strongswan for a variety of extra use cases without having to rebuild.
530+ + d/control: Add required additional build-deps
531+ + d/control: Mention addtionally enabled plugins
532+ + d/rules: Enable features at configure stage
533+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
534+ + d/libstrongswan.install: Add plugins (so, conf)
535+ + d/strongswan-starter.install: Install pool feature, which is useful
536+ since we now have attr-sql plugin enabled it.
537+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
538+ via this userspace implementation (please do note that this is still
539+ considered experimental by upstream).
540+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
541+ + d/control: List kernel-libipsec plugin at extra plugins description
542+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
543+ upstream recommends to not load kernel-libipsec by default.
544+ - d/libstrongswan.install: Add kernel-netlink configuration files
545+ - Complete the disabling of libfast; This was partially accepted in Debian,
546+ it is no more packaging medcli and medsrv, but still builds and
547+ mentions it.
548+ + d/rules: Add --disable-fast to avoid build time and dependencies
549+ + d/control: Remove medcli, medsrv from package description
550+ - d/control: Mention mgf1 plugin which is in libstrongswan now
551+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
552+ libstrongswan-extra-plugins (no deps from default plugins).
553+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
554+ plugins for the most common use cases from extra-plugins into a new
555+ standard-plugins package. This will allow those use cases without pulling
556+ in too much more plugins (a bit like the tnc package). Recommend that
557+ package from strongswan-libcharon.
558+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
559+ attr-sql plugins (LP #1766240)
560+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
561+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
562+ - executables need to be able to read map and execute themselves otherwise
563+ execution in some environments e.g. containers is blocked (LP: 1780534)
564+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
565+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
566+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
567+ profiles of both ways to start charon (LP: 1807664)
568+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
569+ * Dropped changes
570+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
571+ fix SIGSEGV when using mysql plugin (LP: 1795813)
572+ [upstream in 5.7.2]
573+ - d/libstrongswan.install: Reorder conf and .so alphabetically
574+ [was a non functional change, dropped to avoid merge noise]
575+ - Relocate tnc plugin
576+ [TNC is back at libcharon-extra-plugins as it is in Debian]
577+ * Added changes:
578+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
579+ Debian so this part was be dropped. Two changes remain
580+ - d/control: fix the mentioning of tpmtss in d/control
581+ - add nttfft (can be merged with the mass enablement change later)
582+ - Transitional packages to go back from strongswan-tnc-* being in extra
583+ packages to be part of libcharon-extra-plugins.
584+ [can be dropped after 20.04]
585+
586+ [ Simon Deziel ]
587+ * Added changes:
588+ - apparmor fixes for container and root usage (LP: #1826238)
589+ + d/usr.sbin.swanctl: allow reading own binary
590+ + d/usr.sbin.charon-systemd: allow accessing the binary
591+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
592+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
593+ to apparmor to allow dropping caps
594+
595+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
596+
597 strongswan (5.7.2-1) unstable; urgency=medium
598
599 * d/control: remove Rene from Uploaders, thanks!
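Review bot: the Launchpad references in the entry signed by Christian Ehrhardt on 26 Apr 2019 are written three different ways: "(LP #1766240)" and "(LP #1786250)", then "(LP: 1773956)" through "(LP: 1807962)", and "(LP: #1826238)" in the Simon Deziel block. Pick one form for the carried-over "Remaining changes" items so every bug number can be found with a single search pattern. In the same entry, "so this part was be dropped" should read "was dropped".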
600@@ -216,6 +744,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
601
602 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
603
604+strongswan (5.7.1-1ubuntu2) disco; urgency=medium
605+
606+ * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
607+ path (LP: #1773956)
608+ * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
609+ profiles of both ways to start charon (LP: #1807664)
610+ * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
611+
612+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
613+
614+strongswan (5.7.1-1ubuntu1) disco; urgency=medium
615+
616+ * Merge with Debian unstable (LP: #1806401). Remaining changes:
617+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
618+ - Clean up d/strongswan-starter.postinst: Removed entire section on
619+ opportunistic encryption disabling - this was never in strongSwan and
620+ won't be see upstream issue #2160.
621+ - d/rules: Removed patching ipsec.conf on build (not using the
622+ debconf-managed config.)
623+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
624+ used for debconf-managed include of private key).
625+ - Mass enablement of extra plugins and features to allow a user to use
626+ strongswan for a variety of extra use cases without having to rebuild.
627+ + d/control: Add required additional build-deps
628+ + d/control: Mention addtionally enabled plugins
629+ + d/rules: Enable features at configure stage
630+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
631+ + d/libstrongswan.install: Add plugins (so, conf)
632+ - d/strongswan-starter.install: Install pool feature, which is useful since
633+ we have attr-sql plugin enabled as well using it.
634+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
635+ via this userspace implementation (please do note that this is still
636+ considered experimental by upstream).
637+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
638+ + d/control: List kernel-libipsec plugin at extra plugins description
639+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
640+ upstream recommends to not load kernel-libipsec by default.
641+ - Relocate tnc plugin
642+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
643+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
644+ - d/libstrongswan.install: Reorder conf and .so alphabetically
645+ - d/libstrongswan.install: Add kernel-netlink configuration files
646+ - Complete the disabling of libfast; This was partially accepted in Debian,
647+ it is no more packaging medcli and medsrv, but still builds and
648+ mentions it.
649+ + d/rules: Add --disable-fast to avoid build time and dependencies
650+ + d/control: Remove medcli, medsrv from package description
651+ - d/control: Mention mgf1 plugin which is in libstrongswan now
652+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
653+ libstrongswan-extra-plugins (no deps from default plugins).
654+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
655+ plugins for the most common use cases from extra-plugins into a new
656+ standard-plugins package. This will allow those use cases without pulling
657+ in too much more plugins (a bit like the tnc package). Recommend that
658+ package from strongswan-libcharon.
659+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
660+ attr-sql plugins (LP #1766240)
661+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
662+ * Added Changes:
663+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
664+ fix SIGSEGV when using mysql plugin (LP: #1795813)
665+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
666+ - executables need to be able to read map and execute themselves otherwise
667+ execution in some environments e.g. containers is blocked (LP: #1780534)
668+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
669+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
670+ - adapt "mass enablement of extra plugins" to match 5.7.x changes
671+ + d/rules: use new options for swima instead of swid
672+ + d/strongswan-tnc-server.install: add new sec updater tool
673+ + d/strongswan-tnc-client.install: add new sw-collector tool
674+ * Dropped (in Debian now):
675+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
676+ (CVE-2018-17540)
677+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
678+ (CVE-2018-16151 CVE-2018-16152)
679+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
680+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
681+
682+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
683+
684 strongswan (5.7.1-1) unstable; urgency=medium
685
686 [ Ondřej Nový ]
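Review bot: the "Dropped (in Debian now)" block of 5.7.1-1ubuntu1 removes the fixes for CVE-2018-17540 and CVE-2018-16151/CVE-2018-16152 without saying which Debian or upstream version now carries them. Add a bracketed note per item, in the style of "[upstream in 5.7.2]" used elsewhere in this changelog, so that someone auditing the package can confirm the fixes are still present once the Ubuntu patches are gone.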
687@@ -246,6 +854,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
688
689 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
690
691+strongswan (5.6.3-1ubuntu5) disco; urgency=medium
692+
693+ * No-change rebuild against libunbound8
694+
695+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
696+
697+strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
698+
699+ * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
700+ Thanks to Matt Callaghan.
701+
702+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
703+
704+strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
705+
706+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
707+ - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
708+ buffer overflow with very small RSA keys in
709+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
710+ - CVE-2018-17540
711+
712+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
713+
714+strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
715+
716+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
717+ - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
718+ parse PKCS1 v1.5 RSA signatures to verify them in
719+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
720+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
721+ - CVE-2018-16151
722+ - CVE-2018-16152
723+
724+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
725+
726+strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
727+
728+ * Merge with Debian unstable. Remaining changes:
729+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
730+ - Clean up d/strongswan-starter.postinst: Removed entire section on
731+ opportunistic encryption disabling - this was never in strongSwan and
732+ won't be see upstream issue #2160.
733+ - d/rules: Removed patching ipsec.conf on build (not using the
734+ debconf-managed config.)
735+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
736+ used for debconf-managed include of private key).
737+ - Mass enablement of extra plugins and features to allow a user to use
738+ strongswan for a variety of extra use cases without having to rebuild.
739+ + d/control: Add required additional build-deps
740+ + d/control: Mention addtionally enabled plugins
741+ + d/rules: Enable features at configure stage
742+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
743+ + d/libstrongswan.install: Add plugins (so, conf)
744+ - d/strongswan-starter.install: Install pool feature, which is useful since
745+ we have attr-sql plugin enabled as well using it.
746+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
747+ via this userspace implementation (please do note that this is still
748+ considered experimental by upstream).
749+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
750+ + d/control: List kernel-libipsec plugin at extra plugins description
751+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
752+ upstream recommends to not load kernel-libipsec by default.
753+ - Relocate tnc plugin
754+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
755+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
756+ - d/libstrongswan.install: Reorder conf and .so alphabetically
757+ - d/libstrongswan.install: Add kernel-netlink configuration files
758+ - Complete the disabling of libfast; This was partially accepted in Debian,
759+ it is no more packaging medcli and medsrv, but still builds and
760+ mentions it.
761+ + d/rules: Add --disable-fast to avoid build time and dependencies
762+ + d/control: Remove medcli, medsrv from package description
763+ - d/control: Mention mgf1 plugin which is in libstrongswan now
764+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
765+ libstrongswan-extra-plugins (no deps from default plugins).
766+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
767+ plugins for the most common use cases from extra-plugins into a new
768+ standard-plugins package. This will allow those use cases without pulling
769+ in too much more plugins (a bit like the tnc package). Recommend that
770+ package from strongswan-libcharon.
771+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
772+ attr-sql plugins (LP #1766240)
773+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
774+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
775+ * Dropped:
776+ - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
777+ [Fixed in 5.6.3-1]
778+
779+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
780+
781 strongswan (5.6.3-1) unstable; urgency=medium
782
783 * New upstream version 5.6.2
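Review bot: in the 5.6.3-1ubuntu1 entry the usr-merge item names the profile as "d/usr/sbin/charon-systemd", while the items directly above and below it write "d/usr.sbin.charon-systemd". Use the dotted name here too, so the item matches the AppArmor profile file name used in the rest of the changelog. The same item also gives its bug as a bare "LP #1784023" after the sentence rather than in parentheses like its neighbours.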
784@@ -261,6 +959,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
785
786 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
787
788+strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
789+
790+ * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
791+
792+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
793+
794+strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
795+
796+ * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
797+ Remaining changes:
798+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
799+ + Clean up d/strongswan-starter.postinst: Removed entire section on
800+ opportunistic encryption disabling - this was never in strongSwan and
801+ won't be see upstream issue #2160.
802+ + d/rules: Removed patching ipsec.conf on build (not using the
803+ debconf-managed config.)
804+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
805+ used for debconf-managed include of private key).
806+ + Mass enablement of extra plugins and features to allow a user to use
807+ strongswan for a variety of extra use cases without having to rebuild.
808+ - d/control: Add required additional build-deps
809+ - d/control: Mention addtionally enabled plugins
810+ - d/rules: Enable features at configure stage
811+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
812+ - d/libstrongswan.install: Add plugins (so, conf)
813+ + d/strongswan-starter.install: Install pool feature, which is useful since
814+ we have attr-sql plugin enabled as well using it.
815+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
816+ via this userspace implementation (please do note that this is still
817+ considered experimental by upstream).
818+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
819+ - d/control: List kernel-libipsec plugin at extra plugins description
820+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
821+ upstream recommends to not load kernel-libipsec by default.
822+ + Relocate tnc plugin
823+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
824+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
825+ + d/libstrongswan.install: Reorder conf and .so alphabetically
826+ + d/libstrongswan.install: Add kernel-netlink configuration files
827+ + Complete the disabling of libfast; This was partially accepted in Debian,
828+ it is no more packaging medcli and medsrv, but still builds and
829+ mentions it.
830+ - d/rules: Add --disable-fast to avoid build time and dependencies
831+ - d/control: Remove medcli, medsrv from package description
832+ + d/control: Mention mgf1 plugin which is in libstrongswan now
833+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
834+ libstrongswan-extra-plugins (no deps from default plugins).
835+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
836+ plugins for the most common use cases from extra-plugins into a new
837+ standard-plugins package. This will allow those use cases without pulling
838+ in too much more plugins (a bit like the tnc package). Recommend that
839+ package from strongswan-libcharon.
840+ * Dropped Changes (no more needed after 18.04)
841+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
842+ missed that, droppable after 18.04)
843+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
844+ libstrongswan as we dropped relocating ccm and test-vectors.
845+ (droppable >18.04).
846+ + d/control: add breaks/replace from libstrongswan to
847+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
848+ (droppable >18.04).
849+ + d/control: bump breaks/replaces for the move of the updown plugin
850+ (Missed Changelog entry on last merge)
851+ + d/control: fix dependencies of strongswan-libcharon due to the move
852+ the updown plugin (droppable >18.04).
853+ * Added Changes:
854+ + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
855+ attr-sql plugins (LP: #1766240)
856+ + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
857+
858+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
859+
860 strongswan (5.6.2-2) unstable; urgency=medium
861
862 * charon-nm: Fix building list of DNS/MDNS servers with libnm
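Review bot: the two "Added Changes" items of 5.6.2-2ubuntu1 say the charon-systemd AppArmor profile now allows "to contact mysql" and "systemd notifications", but not what access was actually granted. State the kind of rule that was added in each item, so a loosening of the profile can be reviewed from the changelog without opening the LP bug. Separately, "transition from precies" in the "Dropped Changes" block looks like a typo for "precise".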
863@@ -271,6 +1041,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
864
865 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
866
867+strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
868+
869+ * d/control: fix dependencies of strongswan-libcharon due to the move
870+ the updown plugin.
871+
872+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
873+
874+strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
875+
876+ * Merge with Debian unstable (LP: #1753018). Remaining changes:
877+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
878+ + Clean up d/strongswan-starter.postinst: Removed entire section on
879+ opportunistic encryption disabling - this was never in strongSwan and
880+ won't be see upstream issue #2160.
881+ + Ubuntu is not using the debconf triggered private key generation
882+ - d/rules: Removed patching ipsec.conf on build (not using the
883+ debconf-managed config.)
884+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
885+ used for debconf-managed include of private key).
886+ + Mass enablement of extra plugins and features to allow a user to use
887+ strongswan for a variety of extra use cases without having to rebuild.
888+ - d/control: Add required additional build-deps
889+ - d/control: Mention addtionally enabled plugins
890+ - d/rules: Enable features at configure stage
891+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
892+ - d/libstrongswan.install: Add plugins (so, conf)
893+ + d/strongswan-starter.install: Install pool feature, which is useful since
894+ we have attr-sql plugin enabled as well using it.
895+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
896+ via this userspace implementation (please do note that this is still
897+ considered experimental by upstream).
898+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
899+ - d/control: List kernel-libipsec plugin at extra plugins description
900+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
901+ upstream recommends to not load kernel-libipsec by default.
902+ + Relocate tnc plugin
903+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
904+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
905+ + d/libstrongswan.install: Reorder conf and .so alphabetically
906+ + d/libstrongswan.install: Add kernel-netlink configuration files
907+ + Complete the disabling of libfast; This was partially accepted in Debian,
908+ it is no more packaging medcli and medsrv, but still builds and
909+ mentions it.
910+ - d/rules: Add --disable-fast to avoid build time and dependencies
911+ - d/control: Remove medcli, medsrv from package description
912+ + d/control: Mention mgf1 plugin which is in libstrongswan now
913+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
914+ libstrongswan-extra-plugins (no deps from default plugins).
915+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
916+ missed that, droppable after 18.04)
917+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
918+ plugins for the most common use cases from extra-plugins into a new
919+ standard-plugins package. This will allow those use cases without pulling
920+ in too much more plugins (a bit like the tnc package). Recommend that
921+ package from strongswan-libcharon.
922+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
923+ libstrongswan as we dropped relocating ccm and test-vectors.
924+ (droppable >18.04).
925+ + d/control: add breaks/replace from libstrongswan to
926+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
927+ (droppable >18.04).
928+ * Added Changes:
929+ + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
930+ starter as we followed Debian to move the updown plugin but need to
931+ match Ubuntu versions (Droppable >18.04).
932+
933+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
934+
935 strongswan (5.6.2-1) unstable; urgency=medium
936
937 * d/NEWS: add information about disabled algorithms (closes: #883072)
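Review bot: the 5.6.2-1ubuntu2 entry says it fixes the dependencies of strongswan-libcharon "due to the move the updown plugin" but gives neither the relationship that changed nor a bug reference. Name the d/control field and the package it now points at, and correct the wording to "due to the move of the updown plugin".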
938@@ -293,6 +1131,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
939
940 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
941
942+strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
943+
944+ * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
945+ - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
946+ identifier without parameters in
947+ src/libstrongswan/credentials/keys/signature_params.c.
948+ - CVE-2018-6459
949+
950+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
951+
952+strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
953+
954+ * No-change rebuild against libcurl4
955+
956+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
957+
958+strongswan (5.6.1-2ubuntu2) bionic; urgency=high
959+
960+ * No change rebuild against openssl1.1.
961+
962+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
963+
964+strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
965+
966+ * Merge with Debian unstable (LP: #1717343).
967+ Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
968+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
969+ + Clean up d/strongswan-starter.postinst: Removed entire section on
970+ opportunistic encryption disabling - this was never in strongSwan and
971+ won't be see upstream issue #2160.
972+ + Ubuntu is not using the debconf triggered private key generation
973+ - d/rules: Removed patching ipsec.conf on build (not using the
974+ debconf-managed config.)
975+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
976+ used for debconf-managed include of private key).
977+ + Mass enablement of extra plugins and features to allow a user to use
978+ strongswan for a variety of extra use cases without having to rebuild.
979+ - d/control: Add required additional build-deps
980+ - d/control: Mention addtionally enabled plugins
981+ - d/rules: Enable features at configure stage
982+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
983+ - d/libstrongswan.install: Add plugins (so, conf)
984+ + d/strongswan-starter.install: Install pool feature, which is useful since
985+ we have attr-sql plugin enabled as well using it.
986+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
987+ via this userspace implementation (please do note that this is still
988+ considered experimental by upstream).
989+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
990+ - d/control: List kernel-libipsec plugin at extra plugins description
991+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
992+ upstream recommends to not load kernel-libipsec by default.
993+ + Relocate tnc plugin
994+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
995+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
996+ + d/libstrongswan.install: Reorder conf and .so alphabetically
997+ + d/libstrongswan.install: Add kernel-netlink configuration files
998+ + Complete the disabling of libfast; This was partially accepted in Debian,
999+ it is no more packaging medcli and medsrv, but still builds and
1000+ mentions it.
1001+ - d/rules: Add --disable-fast to avoid build time and dependencies
1002+ - d/control: Remove medcli, medsrv from package description
1003+ + d/control: Mention mgf1 plugin which is in libstrongswan now
1004+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1005+ libstrongswan-extra-plugins (no deps from default plugins).
1006+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1007+ missed that, droppable after 18.04)
1008+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1009+ plugins for the most common use cases from extra-plugins into a new
1010+ standard-plugins package. This will allow those use cases without pulling
1011+ in too much more plugins (a bit like the tnc package). Recommend that
1012+ package from strongswan-libcharon.
1013+ * Added changes:
1014+ + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
1015+ in 5.6
1016+ + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
1017+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1018+ libstrongswan as we dropped relocating ccm and test-vectors.
1019+ (droppable >18.04).
1020+ - d/control: add breaks/replace from libstrongswan to
1021+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1022+ (droppable >18.04).
1023+ * Dropped changes:
1024+ + Update init/service handling (debian default matches Ubuntu past now)
1025+ Dropping this fixes (LP: #1734886)
1026+ - d/rules: Change init/systemd program name to strongswan
1027+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1028+ patching upstream
1029+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1030+ linking to upstream
1031+ + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
1032+ (this is a never failing no-op for us, no need for Delta).
1033+ + d/strongswan-starter.prerm: Stop strongswan service on package removal
1034+ (ipsec now maps to strongswan service, so this works as-is).
1035+ + Clean up d/strongswan-starter.postinst: rename service ipsec to
1036+ strongswan (ipsec now maps to strongswan service, so this works as-is)
1037+ + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
1038+ whole section is disabled, so no need for delta)
1039+ + (is upstream) CVE-2017-11185 patches
1040+ + (is upstream) FTBFS upstream fix for changed include files
1041+ + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
1042+ QEMU/KVM autopkgtest the bliss test takes longer than the default
1043+ + (in Debian) add now built (since 5.5.1) mgf1 plugin to
1044+ libstrongswan-extra-plugins.
1045+ + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
1046+ + (this was enabled as part of the former delta, squash changes to no-up)
1047+ d/rules: Disable duplicheck.
1048+ + (not needed) Relocate plugins test-vectors from extra-plugins to
1049+ libstrongswan
1050+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1051+ - d/libstrongswan.install: Add plugins/confiles
1052+ - d/control: move package descriptions and add required breaks/replaces
1053+ + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
1054+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1055+ - d/libstrongswan.install: Add plugins/confiles
1056+ - d/control: move package descriptions and add required breaks/replaces
1057+ + (while using it requires special kernel, it does not hurt to be
1058+ available in the package) Remove ha plugin
1059+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1060+ - d/rules: Do not enable ha plugin
1061+ - d/control: Drop listing the ha plugin in the package description
1062+
1063+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
1064+
1065 strongswan (5.6.1-2) unstable; urgency=medium
1066
1067 * move counters plugin from -starter to -libcharon. closes: #882431
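Review bot: under "Added changes:" in 5.6.1-2ubuntu1, the item "d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins" starts with "-" while its siblings start with "+". In this entry "-" marks sub-items, so it reads as a child of the preceding breaks/replaces item; change the marker to "+". In the merge line, "Also fixes and issue with multiple psk's" should read "an issue". The dropped "(is upstream) CVE-2017-11185 patches" item would also be easier to audit with the upstream version that contains the fix.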
1068@@ -379,6 +1340,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
1069
1070 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
1071
1072+strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
1073+
1074+ * Fix Artful FTBFS due to newer glibc (LP: #1724859)
1075+ - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
1076+ files.
1077+
1078+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
1079+
1080+strongswan (5.5.1-4ubuntu2) artful; urgency=medium
1081+
1082+ * SECURITY UPDATE: Fix RSA signature verification
1083+ - debian/patches/CVE-2017-11185.patch: does some
1084+ verifications in order to avoid null-point dereference
1085+ in src/libstrongswan/gmp/gmp_rsa_public_key.c
1086+ - CVE-2017-11185
1087+
1088+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
1089+
1090+strongswan (5.5.1-4ubuntu1) artful; urgency=medium
1091+
1092+ * Merge from Debian to pick up latest security changes (CVE-2017-9022,
1093+ CVE-2017-9023).
1094+ * Remaining Changes:
1095+ + Update init/service handling
1096+ - d/rules: Change init/systemd program name to strongswan
1097+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1098+ patching upstream
1099+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1100+ linking to upstream
1101+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1102+ - d/strongswan-starter.prerm: Stop strongswan service on package
1103+ removal (as opposed to using the old init.d script).
1104+ + Clean up d/strongswan-starter.postinst:
1105+ - Removed section about runlevel changes
1106+ - Adapted service restart section for Upstart (kept to be Trusty
1107+ backportable).
1108+ - Remove old symlinks to init.d files is necessary.
1109+ - Removed further out-dated code
1110+ - Removed entire section on opportunistic encryption - this was never in
1111+ strongSwan.
1112+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1113+ + Mass enablement of extra plugins and features to allow a user to use
1114+ strongswan for a variety of use cases without having to rebuild.
1115+ - d/control: Add required additional build-deps
1116+ - d/rules: Enable features at configure stage
1117+ - d/control: Mention addtionally enabled plugins
1118+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1119+ - d/libstrongswan.install: Add plugins (so, conf)
1120+ + d/rules: Disable duplicheck as per
1121+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1122+ + Remove ha plugin (requires special kernel)
1123+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1124+ - d/rules: Do not enable ha plugin
1125+ - d/control: Drop listing the ha plugin in the package description
1126+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1127+ via this userspace implementation (please do note that this is still
1128+ considered experimental by upstream).
1129+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1130+ - d/control: List kernel-libipsec plugin at extra plugins description
1131+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1132+ upstream recommends to not load kernel-libipsec by default.
1133+ + Relocate tnc plugin
1134+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1135+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1136+ + d/strongswan-starter.install: Install pool feature, that useful due to
1137+ having attr-sql plugin that is enabled now.
1138+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1139+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1140+ - d/libstrongswan.install: Add plugins/confiles
1141+ - d/control: move package descriptions and add required breaks/replaces
1142+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1143+ + d/libstrongswan.install: Add kernel-netlink configuration files
1144+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1145+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1146+ autopkgtest the bliss test takes longer than the default (Upstream in
1147+ 5.5.2 via issue 2204)
1148+ + Complete the disabling of libfast; This was partially accepted in Debian,
1149+ it is no more packaging medcli and medsrv, but still builds and
1150+ mentions it.
1151+ - d/rules: Add --disable-fast to avoid build time and dependencies
1152+ - d/control: Remove medcli, medsrv from package description
1153+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1154+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1155+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1156+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1157+ libstrongswan-extra-plugins.
1158+ + Add missing mention of md4 plugin in d/control
1159+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1160+ missed that)
1161+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1162+ plugins for the most common use cases from extra-plugins into a new
1163+ standard-plugins package. This will allow those use cases without pulling
1164+ in too much more plugins (a bit like the tnc package). Recommend that
1165+ package from strongswan-libcharon.
1166+
1167+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
1168+
1169+strongswan (5.5.1-3ubuntu1) artful; urgency=medium
1170+
1171+ * Merge from Debian to pick up latest changes. Among others this includes:
1172+ - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
1173+ but likely have to wait until Debian stretch was released)
1174+ - enabling mediation support (LP: #1657413)
1175+ * Remaining Changes:
1176+ + Update init/service handling
1177+ - d/rules: Change init/systemd program name to strongswan
1178+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1179+ patching upstream
1180+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1181+ linking to upstream
1182+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1183+ - d/strongswan-starter.prerm: Stop strongswan service on package
1184+ removal (as opposed to using the old init.d script).
1185+ + Clean up d/strongswan-starter.postinst:
1186+ - Removed section about runlevel changes
1187+ - Adapted service restart section for Upstart (kept to be Trusty
1188+ backportable).
1189+ - Remove old symlinks to init.d files is necessary.
1190+ - Removed further out-dated code
1191+ - Removed entire section on opportunistic encryption - this was never in
1192+ strongSwan.
1193+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1194+ + Mass enablement of extra plugins and features to allow a user to use
1195+ strongswan for a variety of use cases without having to rebuild.
1196+ - d/control: Add required additional build-deps
1197+ - d/rules: Enable features at configure stage
1198+ - d/control: Mention addtionally enabled plugins
1199+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1200+ - d/libstrongswan.install: Add plugins (so, conf)
1201+ + d/rules: Disable duplicheck as per
1202+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1203+ + Remove ha plugin (requires special kernel)
1204+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1205+ - d/rules: Do not enable ha plugin
1206+ - d/control: Drop listing the ha plugin in the package description
1207+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1208+ via this userspace implementation (please do note that this is still
1209+ considered experimental by upstream).
1210+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1211+ - d/control: List kernel-libipsec plugin at extra plugins description
1212+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1213+ upstream recommends to not load kernel-libipsec by default.
1214+ + Relocate tnc plugin
1215+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1216+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1217+ + d/strongswan-starter.install: Install pool feature, that useful due to
1218+ having attr-sql plugin that is enabled now.
1219+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1220+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1221+ - d/libstrongswan.install: Add plugins/confiles
1222+ - d/control: move package descriptions and add required breaks/replaces
1223+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1224+ + d/libstrongswan.install: Add kernel-netlink configuration files
1225+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1226+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1227+ autopkgtest the bliss test takes longer than the default (Upstream in
1228+ 5.5.2 via issue 2204)
1229+ + Complete the disabling of libfast; This was partially accepted in Debian,
1230+ it is no more packaging medcli and medsrv, but still builds and
1231+ mentions it.
1232+ - d/rules: Add --disable-fast to avoid build time and dependencies
1233+ - d/control: Remove medcli, medsrv from package description
1234+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1235+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1236+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1237+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1238+ libstrongswan-extra-plugins.
1239+ + Add missing mention of md4 plugin in d/control
1240+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1241+ missed that)
1242+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1243+ plugins for the most common use cases from extra-plugins into a new
1244+ standard-plugins package. This will allow those use cases without pulling
1245+ in too much more plugins (a bit like the tnc package). Recommend that
1246+ package from strongswan-libcharon.
1247+ * Dropped Changes:
1248+ + Add and install apparmor profiles (in Debian)
1249+ - d/rules: Install AppArmor profiles
1250+ - d/control: Add dh-apparmor build-dep
1251+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1252+ for charon, lookip and stroke
1253+ - d/libcharon-extra-plugins.install: Install profile for lookip
1254+ - d/strongswan-charon.install: Install profile for charon
1255+ - d/strongswan-starter.install: Install profile for stroke
1256+ - Fix strongswan ipsec status issue with apparmor
1257+ - Fix Dep8 tests for the now extra strongswan-pki package for pki
1258+ - Fix Dep8 tests for the now extra strongswan-scepclient package
1259+ + d/rules: Sorted and only one enable option per configure line (in
1260+ Debian)
1261+ + Add updated logcheck rules (in Debian)
1262+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1263+ - debian/strongswan.logcheck: Add updated logcheck rules
1264+ + Add updated DEP8 tests (in Debian)
1265+ - d/tests/*: Add DEP8 tests
1266+ - d/control: Enable autotestpkg
1267+ + d/rules: do not strip for library integrity checking (After Discussion
1268+ with Debian this isn't acceptable there, but at the same time it turned
1269+ out the real use-case of this never uses this lib but instead third
1270+ party checks of checksums for e.g. FIPS cert; so drop the Delta)
1271+ - Use override_dh_strip to to avoid overwriting user build flags.
1272+ - Add missing mention of libchecksum integrity test in d/control
1273+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1274+ in tests to avoid issues in low entropy environments. (Debian has
1275+ disabled !x86 tests for the same reason, one solution is enough)
1276+
1277+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
1278+
1279 strongswan (5.5.1-3) unstable; urgency=medium
1280
1281 [ Christian Ehrhardt ]
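Review bot: In the 5.5.1-3ubuntu1 entry, "Dropped Changes" nests "Fix strongswan ipsec status issue with apparmor" and the two "Fix Dep8 tests for the now extra ..." items under "+ Add and install apparmor profiles (in Debian)". The Dep8 fixes are not AppArmor changes, and none of the three states why it was dropped, so I would list them as separate "+" items, each with its own reason. The same entry also has spelling slips: "d/libbstrongswan-extra-plugins.install", "confiles", "precies" and "to to". If these lines are carried over verbatim from already published uploads, leaving them byte-identical is fine.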
1282@@ -412,6 +1580,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
1283
1284 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
1285
1286+strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
1287+
1288+ * Update Maintainers which was missed while merging 5.5.1-1.
1289+
1290+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
1291+
1292+strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
1293+
1294+ * Merge from Debian (complex delta, discussions and broken out changes can be
1295+ found in the merge proposal linked from the merge bug LP: #1631198)
1296+ * Remaining Changes:
1297+ + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
1298+ checking.
1299+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1300+ in tests to avoid issues in low entropy environments.
1301+ + Update init/service handling
1302+ - d/rules: Change init/systemd program name to strongswan
1303+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1304+ patching upstream
1305+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1306+ linking to upstream
1307+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1308+ - d/strongswan-starter.prerm: Stop strongswan service on package
1309+ removal (as opposed to using the old init.d script).
1310+ + Clean up d/strongswan-starter.postinst:
1311+ - Removed section about runlevel changes
1312+ - Adapted service restart section for Upstart (kept to be Trusty
1313+ backportable).
1314+ - Remove old symlinks to init.d files is necessary.
1315+ - Removed further out-dated code
1316+ - Removed entire section on opportunistic encryption - this was never in
1317+ strongSwan.
1318+ + Add and install apparmor profiles
1319+ - d/rules: Install AppArmor profiles
1320+ - d/control: Add dh-apparmor build-dep
1321+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1322+ for charon, lookip and stroke
1323+ - d/libcharon-extra-plugins.install: Install profile for lookip
1324+ - d/strongswan-charon.install: Install profile for charon
1325+ - d/strongswan-starter.install: Install profile for stroke
1326+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1327+ + d/rules: Sorted and only one enable option per configure line
1328+ + Mass enablement of extra plugins and features to allow a user to use
1329+ strongswan for a variety of use cases without having to rebuild.
1330+ - d/control: Add required additional build-deps
1331+ - d/rules: Enable features at configure stage
1332+ - d/control: Mention addtionally enabled plugins
1333+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1334+ - d/libstrongswan.install: Add plugins (so, conf)
1335+ + d/rules: Disable duplicheck as per
1336+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1337+ + Remove ha plugin (requires special kernel)
1338+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1339+ - d/rules: Do not enable ha plugin
1340+ - d/control: Drop listing the ha plugin in the package description
1341+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1342+ via this userspace implementation (please do note that this is still
1343+ considered experimental by upstream).
1344+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1345+ - d/control: List kernel-libipsec plugin at extra plugins description
1346+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1347+ upstream recommends to not load kernel-libipsec by default.
1348+ + Relocate tnc plugin
1349+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1350+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1351+ + d/strongswan-starter.install: Install pool feature, that useful due to
1352+ having attr-sql plugin that is enabled now.
1353+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1354+ - d/libstrongswan-extra-plugins.install: Remove plugins
1355+ - d/libstrongswan.install: Add plugins
1356+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1357+ + d/libstrongswan.install: Add kernel-netlink configuration files
1358+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1359+ + Add updated logcheck rules
1360+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1361+ - debian/strongswan.logcheck: Add updated logcheck rules
1362+ + Add updated DEP8 tests
1363+ - d/tests/*: Add DEP8 tests
1364+ - d/control: Enable autotestpkg
1365+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1366+ autopkgtest the bliss test takes longer than the default
1367+ + Complete the disabling of libfast
1368+ - Note: This was partially accepted in Debian, it is no more
1369+ packaging medcli and medsrv, but still builds and mentions it
1370+ - d/rules: Add --disable-fast to avoid build time and dependencies
1371+ - d/control: Remove medcli, medsrv from package description
1372+ * Dropped Changes:
1373+ + Adding build-dep to iptables-dev (no change, was only in Changelog)
1374+ + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
1375+ + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
1376+ upgrade path left needing them)
1377+ + Most of "disabling libfast" (Debian dropped it from package content)
1378+ + Transition for ipsec service (no upgrade path left)
1379+ + Reverted part of the cleanup to d/strongswan-starter.postinst as using
1380+ service should rather use invoke-rc.d (so it is a partial revert of our
1381+ delta)
1382+ + Transition handling (breaks/replaces) from per-plugin packages to the
1383+ three grouped plugin packages (no upgrade path left)
1384+ + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
1385+ it is effectively a no-op still, so not worth the delta)
1386+ + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1387+ (no more needed)
1388+ + d/rules: Remove configure option --enable-unit-test (unit tests run by
1389+ default)
1390+ * Added Changes:
1391+ + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
1392+ + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
1393+ the relocation of the ccm plugin which missed to move the conffiles.
1394+ + Complete move of test-vectors (was missing in d/control)
1395+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1396+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1397+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1398+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1399+ libstrongswan-extra-plugins.
1400+ + Add missing mention of md4 plugin in d/control
1401+ + Add missing mention of libchecksum integrity test in d/control
1402+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1403+ missed that)
1404+ + Use override_dh_strip to to fix library integrity checking instead of
1405+ DEB_BUILD_OPTION to avoid overwriting user build flags.
1406+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1407+ plugins for the most common use cases from extra-plugins into a new
1408+ standard-plugins package. This will allow those use cases without pulling
1409+ in too much more plugins (a bit like the tnc package). Recommend that
1410+ package from strongswan-libcharon (LP: #1640826).
1411+ + Fix Dep8 tests for the now extra strongswan-pki package for pki
1412+ + Fix Dep8 tests for the now extra strongswan-scepclient package
1413+
1414+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
1415+
1416 strongswan (5.5.1-1) unstable; urgency=medium
1417
1418 * New upstream bugfix release.
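Review bot: The 5.5.1-1ubuntu1 entry is inconsistent about how stripping is handled for library integrity checking. "Remaining Changes" still lists "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while "Added Changes" says override_dh_strip is used "instead of DEB_BUILD_OPTION" (the variable name is also missing its trailing S). A reader cannot tell from the entry which mechanism d/rules actually carried at this upload. The nostrip item would read better under "Dropped Changes" with a pointer to the override_dh_strip replacement.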
1419@@ -528,6 +1826,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
1420
1421 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
1422
1423+strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
1424+
1425+ * Build-depend on libjson-c-dev instead of libjson0-dev.
1426+ * Rebuild against libjson-c3.
1427+
1428+ -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
1429+
1430+strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
1431+
1432+ * Rebuild against libmysqlclient20.
1433+
1434+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
1435+
1436+strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
1437+
1438+ * debian/tests/plugins: rdrand may or may not be loaded, depending on the
1439+ cpu features.
1440+
1441+ -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
1442+
1443+strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
1444+
1445+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1446+ Enable bliss plugin
1447+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1448+ Enable chapoly plugin
1449+ * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
1450+ Upstream suggests to not load this plugin by default as it has
1451+ some limitations.
1452+ https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
1453+ * debian/patches/increase-bliss-test-timeout.patch
1454+ Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
1455+ * Update Apparmor profiles
1456+ - usr.lib.ipsec.charon
1457+ - add capability audit_write for xauth-pam (LP: #1470277)
1458+ - add capability dac_override (needed by agent plugin)
1459+ - allow priv dropping (LP: #1333655)
1460+ - allow caching CRLs (LP: #1505222)
1461+ - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
1462+ - usr.lib.ipsec.stroke
1463+ - allow priv dropping (LP: #1333655)
1464+ - add local include
1465+ - usr.lib.ipsec.lookip
1466+ - add local include
1467+ * Merge from Debian, which includes fixes for all previous CVEs
1468+ Fixes (LP: #1330504, #1451091, #1448870, #1470277)
1469+ Remaining changes:
1470+ * debian/control
1471+ - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1472+ - Update Maintainer for Ubuntu
1473+ - Add build-deps
1474+ - dh-apparmor
1475+ - iptables-dev
1476+ - libjson0-dev
1477+ - libldns-dev
1478+ - libmysqlclient-dev
1479+ - libpcsclite-dev
1480+ - libsoup2.4-dev
1481+ - libtspi-dev
1482+ - libunbound-dev
1483+ - Drop build-deps
1484+ - libfcgi-dev
1485+ - clearsilver-dev
1486+ - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1487+ - Set XS-Testsuite: autopkgtest
1488+ * debian/rules:
1489+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1490+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1491+ tests.
1492+ - Change init/systemd program name to strongswan
1493+ - Install AppArmor profiles
1494+ - Removed pieces on 'patching ipsec.conf' on build.
1495+ - Enablement of features per Ubuntu current config suggested from
1496+ upstream recommendation
1497+ - Unpack and sort enabled features to one-per-line
1498+ - Disable duplicheck as per
1499+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1500+ - Disable libfast (--disable-fast):
1501+ Requires dropping medsrv, medcli plugins which depend on libfast
1502+ - Add configure options
1503+ --with-tss=trousers
1504+ - Remove configure options:
1505+ --enable-ha (requires special kernel)
1506+ --enable-unit-test (unit tests run by default)
1507+ - Drop logcheck install
1508+ * debian/tests/*
1509+ - Add DEP8 test for strongswan service and plugins
1510+ * debian/strongswan-starter.strongswan.service
1511+ - Add new systemd file instead of patching upstream
1512+ * debian/strongswan-starter.links
1513+ - removed, use Ubuntu systemd file instead of linking to upstream
1514+ * debian/usr.lib.ipsec.{charon, lookip, stroke}
1515+ - added AppArmor profiles for charon, lookip and stroke
1516+ * debian/libcharon-extra-plugins.install
1517+ - Add plugins
1518+ - kernel-libipsec.{so, lib, conf, apparmor}
1519+ - Remove plugins
1520+ - libstrongswan-ha.so
1521+ - Relocate plugins
1522+ - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1523+ * debian/libstrongswan-extra-plugins.install
1524+ - Add plugins (so, lib, conf)
1525+ - acert
1526+ - attr-sql
1527+ - coupling
1528+ - dnscert
1529+ - fips-prf
1530+ - gmp
1531+ - ipseckey
1532+ - load-tester
1533+ - mysql
1534+ - ntru
1535+ - radattr
1536+ - soup
1537+ - sqlite
1538+ - sql
1539+ - systime-fix
1540+ - unbound
1541+ - whitelist
1542+ - Relocate plugins (so, lib, conf)
1543+ - ccm (libstrongswan.install)
1544+ - test-vectors (libstrongswan.install)
1545+ * debian/libstrongswan.install
1546+ - Sort sections
1547+ - Add plugins (so, lib, conf)
1548+ - libchecksum
1549+ - ccm
1550+ - eap-identity
1551+ - md4
1552+ - test-vectors
1553+ * debian/strongswan-charon.install
1554+ - Add AppArmor profile for charon
1555+ * debian/strongswan-starter.install
1556+ - Add tools, manpages, conf
1557+ - openac
1558+ - pool
1559+ - _updown_espmark
1560+ - Add AppArmor profile for stroke
1561+ * debian/strongswan-tnc-base.install
1562+ - Add new subpackage for TNC
1563+ - remove non-existent (dropped in 5.2.1) libpts library files
1564+ * debian/strongswan-tnc-client.install
1565+ - Add new subpackage for TNC
1566+ * debian/strongswan-tnc-ifmap.install
1567+ - Add new subpackage for TNC
1568+ * debian/strongswan-tnc-pdp.install
1569+ - Add new subpackage for TNC
1570+ * debian/strongswan-tnc-server.install
1571+ - Add new subpackage for TNC
1572+ * debian/strongswan-starter.postinit:
1573+ - Removed section about runlevel changes, it's almost 2014.
1574+ - Adapted service restart section for Upstart.
1575+ - Remove old symlinks to init.d files is necessary.
1576+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1577+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1578+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1579+ removal (as opposed to using the old init.d script).
1580+ * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1581+ - logcheck patterns updated to be helpful
1582+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1583+ entire section on opportunistic encryption - this was never in strongSwan.
1584+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1585+ Drop changes:
1586+ * debian/control
1587+ - Per-plugin package breakup: Reducing packaging delta from Debian
1588+ - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1589+ * debian/watch: Already exists in Debian merge
1590+ * debian/upstream/signing-key.asc: Upstream has newer version.
1591+
1592+ -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1593+
1594 strongswan (5.3.5-1) unstable; urgency=medium
1595
1596 * New upstream bugfix release.
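Review bot: "Merge from Debian, which includes fixes for all previous CVEs" in 5.3.5-1ubuntu1 names no CVE identifiers, only LP bug numbers, so someone auditing this changelog for a specific CVE will not find it attributed to this upload. I would list the CVE ids the merge covers, in the same form as the "- CVE-..." lines of the SECURITY UPDATE entries. In the AppArmor list of the same entry, "add capability dac_override (needed by agent plugin)" is the only charon capability change without an LP reference, and it is a broad capability, so a bug link giving the justification would help. "debian/strongswan-starter.postinit" also looks like a typo for the "debian/strongswan-starter.postinst" named a few lines later.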
1597@@ -800,6 +2269,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
1598
1599 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
1600
1601+strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1602+
1603+ * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1604+
1605+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1606+
1607+strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1608+
1609+ * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1610+ - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1611+ MSK was established in
1612+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1613+ - CVE-2015-8023
1614+ * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1615+ until regression is properly investigated.
1616+
1617+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1618+
1619+strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1620+
1621+ * SECURITY UPDATE: user credential disclosure to rogue servers
1622+ - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1623+ config before proceeding with own authentication in
1624+ src/libcharon/sa/ikev2/tasks/ike_auth.c.
1625+ - CVE-2015-4171
1626+ * debian/rules: don't FTBFS from unused service file
1627+
1628+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1629+
1630+strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1631+
1632+ * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1633+
1634+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1635+
1636+strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1637+
1638+ * SECURITY UPDATE: denial of service via DH group 1025
1639+ - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1640+ IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1641+ src/libstrongswan/crypto/diffie_hellman.h.
1642+ - CVE-2014-9221
1643+
1644+ -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1645+
1646+strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1647+
1648+ * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1649+ build.
1650+
1651+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1652+
1653+strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1654+
1655+ * SECURITY UPDATE: remote authentication bypass
1656+ - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1657+ on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1658+ - CVE-2014-2338
1659+
1660+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1661+
1662+strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1663+
1664+ * New upstream release.
1665+
1666+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1667+
1668+strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1669+
1670+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1671+ * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1672+
1673+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1674+
1675+strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1676+
1677+ * New upstream release candidate.
1678+
1679+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1680+
1681+strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1682+
1683+ * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1684+ packages.
1685+ * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1686+
1687+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1688+
1689+strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1690+
1691+ * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1692+
1693+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1694+
1695+strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1696+
1697+ * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1698+ as it's only useful on amd64.
1699+ * debian/watch: Added opts=pgpsigurlmangle option.
1700+ * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1701+
1702+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1703+
1704+strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1705+
1706+ * New upstream release candidate.
1707+ * debian/*.install - include new configuration files for plugins in
1708+ appropiate packages.
1709+
1710+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1711+
1712+strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1713+
1714+ * debian/control:
1715+ - Added Breaks/Replaces for all library files which have been moved
1716+ about (LP: #1278176).
1717+ - Removed build-dependency on check and added one on dh-apparmor.
1718+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1719+ entire section on opportunistic encryption - this was never in strongSwan.
1720+ * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1721+
1722+ -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1723+
1724+strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1725+
1726+ * debian/control: Fixed references to plugin-fips-prf.
1727+
1728+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1729+
1730+strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1731+
1732+ * Upstream Git snapshot for build fixes with regards to entropy.
1733+ * debian/rules:
1734+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1735+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1736+ tests.
1737+
1738+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1739+
1740+strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1741+
1742+ * New upstream developer release.
1743+ * Made changes to packaging per upstream suggestions.
1744+ - Dropped medcli and medsrv packages - not recommended by upstream at this
1745+ time.
1746+ - Dropped ha plugin - needs special kernel.
1747+ - Improved all package descriptions in general.
1748+ - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1749+ - Removed debian/*logcheck* files - not relevant to strongSwan.
1750+ - Split dhcp and farp packages into sub-packages.
1751+ - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1752+ - Changes to TNC-related packages.
1753+ * Created AppArmor profiles for lookip and stroke.
1754+
1755+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1756+
1757+strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1758+
1759+ * libstrongswan.install: Removed lingering unit-tester.so reference.
1760+
1761+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1762+
1763+strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1764+
1765+ * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1766+ Incorporates upstream fixes for:
1767+ - Integrity testing.
1768+ - Unit test failures on little endian systems.
1769+ * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1770+ upstream.
1771+ * debian/rules:
1772+ - Stop using CK_TIMEOUT_MULTIPLIER.
1773+ - Stop enabling the test suite only on non-powerpc arches (it runs
1774+ anyway).
1775+
1776+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1777+
1778+strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1779+
1780+ * debian/control: Reinstate missing comma in dependencies.
1781+
1782+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
1783+
1784+strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
1785+
1786+ * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
1787+ where test for >2038 tests on 32-bit platforms is broken.
1788+ - Reported upstream: https://wiki.strongswan.org/issues/477
1789+ * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
1790+
1791+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
1792+
1793+strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
1794+
1795+ * New upstream developer release.
1796+ * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
1797+ and --enable-unity.
1798+ * debian/control:
1799+ - New plugin packages created for the above
1800+ - Split fips-prf into its own package.
1801+ - Added build-dependency on libsoup2.4-dev.
1802+
1803+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
1804+
1805 strongswan (5.1.1-3) unstable; urgency=low
1806
1807 * Upload to unstable.
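Review bot: In 5.1.2-0ubuntu7, "debian/patches/disable_ntru_test.patch: disable test causing FTBFS until regression is properly investigated" ships in the same upload as the CVE-2015-8023 fix and has no bug reference. The changelog therefore gives nothing to follow to confirm the ntru test was later re-enabled or the regression understood. An LP bug number on that line would close the gap. Separately, "Import FTBFS for s390x from Debian 5.1.2-3 upload" in 5.1.2-0ubuntu8 presumably means the FTBFS fix.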
1808@@ -891,6 +2564,192 @@ strongswan (5.1.1-1) unstable; urgency=low
1809
1810 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
1811
1812+strongswan (5.1.1-0ubuntu17) trusty; urgency=low
1813+
1814+ * debian/control:
1815+ - Make strongswan-ike depend on iproute2.
1816+ - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
1817+ - Created strongswan-libfast package.
1818+
1819+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
1820+
1821+strongswan (5.1.1-0ubuntu16) trusty; urgency=low
1822+
1823+ * debian/control:
1824+ - Further splitting of plugins into subpackages (such as all EAP plugins
1825+ to their own packages).
1826+ - Added libpcsclite-dev to build-dependencies.
1827+ * debian/rules:
1828+ - Sort configure options in alphabetical order.
1829+ - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
1830+ --enable-eap-sim-file, --enable-eap-sim-pcsc,
1831+ --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
1832+ --enable-eap-simaka-sql.
1833+ - Don't exclude medsrv from install.
1834+ * Moved eap-identity.so to libstrongswan package as it's used by all the
1835+ other EAP plugins.
1836+
1837+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
1838+
1839+strongswan (5.1.1-0ubuntu15) trusty; urgency=low
1840+
1841+ * debian/control:
1842+ - Split plugins from libstrongswan package into modular subpackages.
1843+ - Added libmysqlclient-dev to build-dependencies.
1844+ - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
1845+ strongswan-plugins-gcrypt.
1846+ - strongswan-ike: All other plugins added to Suggests.
1847+ - Created two new TNC packages: strongswan-tnc-ifmap and
1848+ strongswan-tnc-pdp and added to tnc-imcvs Suggests.
1849+ * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
1850+ --enable-error-notify, --enable-mysql, --enable-load-tester,
1851+ --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
1852+ * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
1853+
1854+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
1855+
1856+strongswan (5.1.1-0ubuntu14) trusty; urgency=low
1857+
1858+ * debian/rules:
1859+ - CK_TIMEOUT_MULTIPLIER back down to 6.
1860+ - Disable unit tests on powerpc.
1861+
1862+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
1863+
1864+strongswan (5.1.1-0ubuntu13) trusty; urgency=low
1865+
1866+ * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
1867+
1868+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
1869+
1870+strongswan (5.1.1-0ubuntu12) trusty; urgency=low
1871+
1872+ * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
1873+ armhf.
1874+
1875+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
1876+
1877+strongswan (5.1.1-0ubuntu11) trusty; urgency=low
1878+
1879+ * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
1880+ one extra arch.
1881+ * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
1882+
1883+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
1884+
1885+strongswan (5.1.1-0ubuntu10) trusty; urgency=low
1886+
1887+ * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
1888+ - Increases RSA key generate test timeout to 30 seconds so that it doesn't
1889+ fail on armhf, arm64, and powerppc.
1890+ * Contrary to what the last changelog entry says, we are still running
1891+ strongswan as root (with AppArmor protection).
1892+
1893+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
1894+
1895+strongswan (5.1.1-0ubuntu9) trusty; urgency=low
1896+
1897+ * debian/rules: Added to configure options:
1898+ - --enable-tnc-ifmap: enable TNC IF-MAP module.
1899+ - --enable-duplicheck: enable duplicheck plugin.
1900+ - --enable-imv-swid, --enable-imc-swid: Added.
1901+ - Run strongswan as it's own user.
1902+ * debian/strongswan-starter.install: Install duplicheck.
1903+ * debian/strongswan-tnc-imcvs.install: Install swidtags.
1904+
1905+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
1906+
1907+strongswan (5.1.1-0ubuntu8) trusty; urgency=low
1908+
1909+ * debian/rules: Added to configure options:
1910+ - --enable-unit-tests: check unit testing on build.
1911+ - --enable-unbound: for validating DNS lookups.
1912+ - --enable-dnscert: for DNSCERT peer authentication.
1913+ - --enable-ipseckey: for IPSEC key authentication.
1914+ - --enable-lookip: for LookIP functionality.
1915+ - --enable-coupling: certificate coupling functionality.
1916+ * debian/control: Added check, libldns-dev, libunbound-dev to
1917+ build-dependencies.
1918+ * debian/libstrongswan.install: Install new plugin .so's.
1919+ * debian/strongswan-starter.install: Added lookip.
1920+
1921+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
1922+
1923+strongswan (5.1.1-0ubuntu7) trusty; urgency=low
1924+
1925+ * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
1926+ the former from depending on the latter).
1927+
1928+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
1929+
1930+strongswan (5.1.1-0ubuntu6) trusty; urgency=low
1931+
1932+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1933+ removal (as opposed to using the old init.d script).
1934+
1935+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
1936+
1937+strongswan (5.1.1-0ubuntu5) trusty; urgency=low
1938+
1939+ * debian/rules:
1940+ - CONFIGUREARGS: Merged Debian and RPM options.
1941+ - Brings in TNC functionality.
1942+ * debian/control:
1943+ - Added build-dependency on libtspi-dev.
1944+ - Created strongswan-tnc-imcvs binary package for TNC components.
1945+ - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
1946+ * debian/libstrongswan.install:
1947+ - Included newly built MD4 and SQLite libraries.
1948+ - Removed 'tnc' references (moved to TNC package).
1949+ * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
1950+ binaries.
1951+ * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
1952+
1953+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
1954+
1955+strongswan (5.1.1-0ubuntu4) trusty; urgency=low
1956+
1957+ * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
1958+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1959+ * debian/control: strongswan-ike - Stop depending on ipsec-tools.
1960+
1961+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
1962+
1963+strongswan (5.1.1-0ubuntu3) trusty; urgency=low
1964+
1965+ * strongswan-starter.strongswan.upstart - Only start strongSwan when a
1966+ network connection is available.
1967+ * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
1968+ 1.16.1 - to make precise backporting easier.
1969+
1970+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
1971+
1972+strongswan (5.1.1-0ubuntu2) trusty; urgency=low
1973+
1974+ * strongswan-starter.strongswan.upstart - Created Upstart job for
1975+ strongSwan.
1976+ * debian/rules: Set dh_installinit to install above file.
1977+ * debian/strongswan-starter.postinit:
1978+ - Removed section about runlevel changes, it's almost 2014.
1979+ - Adapted service restart section for Upstart.
1980+ - Remove old symlinks to init.d files is necessary.
1981+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1982+
1983+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
1984+
1985+strongswan (5.1.1-0ubuntu1) trusty; urgency=low
1986+
1987+ * New upstream release.
1988+ * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
1989+ * debian/control: Updated Standards-Version to 3.9.5 and applied
1990+ XSBC-Original-Maintainer policy.
1991+ * strongswan-starter.install:
1992+ - pki tool is now in /usr/bin.
1993+ - Install pt-tls-client.
1994+ - Install manpages (LP: #1206263).
1995+
1996+ -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
1997+
1998 strongswan (5.1.0-3) unstable; urgency=high
1999
2000 * urgency=high for the security fixes.
2001diff --git a/debian/control b/debian/control
2002index 3035fc5..270e164 100644
2003--- a/debian/control
2004+++ b/debian/control
2005@@ -1,7 +1,8 @@
2006 Source: strongswan
2007 Section: net
2008 Priority: optional
2009-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
2010+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2011+XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
2012 Uploaders: Yves-Alexis Perez <corsac@debian.org>
2013 Standards-Version: 4.6.2
2014 Vcs-Browser: https://salsa.debian.org/debian/strongswan
2015@@ -136,6 +137,7 @@ Description: strongSwan utility and crypto library (extra plugins)
2016 - gcrypt (Crypto backend based on libgcrypt, provides
2017 RSA/DH/ciphers/hashers/rng)
2018 - ldap (LDAP fetching plugin based on libldap)
2019+ - ntru (key exchanged based on post-quantum computer NTRU)
2020 - padlock (VIA padlock crypto backend, provides AES128/SHA1)
2021 - pkcs11 (PKCS#11 smartcard backend)
2022 - rdrand (High quality / high performance random source using the Intel
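Review bot: the added ntru line reads "key exchanged based on post-quantum computer NTRU", which is ungrammatical and does not match the style of the neighbouring entries; suggest something like "ntru (key exchange based on the post-quantum NTRU algorithm)".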
2023@@ -203,6 +205,9 @@ Description: strongSwan charon library (extra plugins)
2024 - unity (Cisco Unity extensions for IKEv1)
2025 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
2026 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
2027+ - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
2028+ requested/supported by the client (since 5.0.1))
2029+ - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
2030
2031 Package: strongswan-starter
2032 Architecture: any
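Review bot: eap-dynamic and eap-peap are appended after xauth-pam, although the visible entries above them (unity, xauth-eap, xauth-pam) are in alphabetical order; moving the two lines up to sit with the other eap-* entries keeps the plugin list sorted and makes the delta against Debian easier to rebase. The "(since 5.0.1)" remark can be dropped from a package description.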
2033@@ -210,9 +215,9 @@ Pre-Depends: ${misc:Pre-Depends}
2034 Depends: adduser,
2035 libstrongswan (= ${binary:Version}),
2036 sysvinit-utils (>= 3.05-3),
2037+ strongswan-charon,
2038 ${misc:Depends},
2039 ${shlibs:Depends}
2040-Recommends: strongswan-charon
2041 Conflicts: openswan
2042 Description: strongSwan daemon starter and configuration file parser
2043 The strongSwan VPN suite uses the native IPsec stack in the standard
2044@@ -251,9 +256,9 @@ Architecture: any
2045 Pre-Depends: debconf | debconf-2.0
2046 Depends: iproute2 [linux-any] | iproute [linux-any],
2047 libstrongswan (= ${binary:Version}),
2048- strongswan-starter,
2049 ${misc:Depends},
2050 ${shlibs:Depends}
2051+Recommends: strongswan-starter,
2052 Provides: ike-server
2053 Description: strongSwan Internet Key Exchange daemon
2054 The strongSwan VPN suite uses the native IPsec stack in the standard
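Review bot: this hunk moves strongswan-starter from Depends to Recommends in strongswan-charon, while the previous hunk does the opposite for strongswan-charon in strongswan-starter, and nothing in the visible control text records why the direction is inverted; a one-line rationale in the changelog entry for this delta would help whoever does the next merge decide whether it is still needed. The added line "Recommends: strongswan-starter," also carries a trailing comma directly before Provides:, which should be removed.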
2055diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
2056index 94fbabd..91ca716 100644
2057--- a/debian/libcharon-extra-plugins.install
2058+++ b/debian/libcharon-extra-plugins.install
2059@@ -2,9 +2,11 @@
2060 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
2061 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
2062 usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
2063+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
2064 usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
2065 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
2066 usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
2067+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
2068 usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
2069 usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
2070 usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
2071@@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
2072 usr/share/strongswan/templates/config/plugins/addrblock.conf
2073 usr/share/strongswan/templates/config/plugins/certexpire.conf
2074 usr/share/strongswan/templates/config/plugins/eap-aka.conf
2075+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
2076 usr/share/strongswan/templates/config/plugins/eap-gtc.conf
2077 usr/share/strongswan/templates/config/plugins/eap-identity.conf
2078 usr/share/strongswan/templates/config/plugins/eap-md5.conf
2079+usr/share/strongswan/templates/config/plugins/eap-peap.conf
2080 usr/share/strongswan/templates/config/plugins/eap-radius.conf
2081 usr/share/strongswan/templates/config/plugins/eap-tls.conf
2082 usr/share/strongswan/templates/config/plugins/eap-tnc.conf
2083@@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf
2084 etc/strongswan.d/charon/addrblock.conf
2085 etc/strongswan.d/charon/certexpire.conf
2086 etc/strongswan.d/charon/eap-aka.conf
2087+etc/strongswan.d/charon/eap-dynamic.conf
2088 etc/strongswan.d/charon/eap-gtc.conf
2089 etc/strongswan.d/charon/eap-identity.conf
2090 etc/strongswan.d/charon/eap-md5.conf
2091+etc/strongswan.d/charon/eap-peap.conf
2092 etc/strongswan.d/charon/eap-radius.conf
2093 etc/strongswan.d/charon/eap-tls.conf
2094 etc/strongswan.d/charon/eap-tnc.conf
2095diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript
2096new file mode 100644
2097index 0000000..f6e7a3a
2098--- /dev/null
2099+++ b/debian/libcharon-extra-plugins.maintscript
2100@@ -0,0 +1,8 @@
2101+rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2102+rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2103+rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2104+rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2105+rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2106+rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2107+rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2108+rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
2109diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
2110index 2846e21..8f71239 100644
2111--- a/debian/libstrongswan-extra-plugins.install
2112+++ b/debian/libstrongswan-extra-plugins.install
2113@@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
2114 usr/lib/ipsec/plugins/libstrongswan-curve25519.so
2115 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
2116 usr/lib/ipsec/plugins/libstrongswan-ldap.so
2117+usr/lib/ipsec/plugins/libstrongswan-ntru.so
2118 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
2119 usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
2120 usr/lib/ipsec/plugins/libstrongswan-tpm.so
2121@@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf
2122 usr/share/strongswan/templates/config/plugins/curve25519.conf
2123 usr/share/strongswan/templates/config/plugins/gcrypt.conf
2124 usr/share/strongswan/templates/config/plugins/ldap.conf
2125+usr/share/strongswan/templates/config/plugins/ntru.conf
2126 usr/share/strongswan/templates/config/plugins/pkcs11.conf
2127 usr/share/strongswan/templates/config/plugins/test-vectors.conf
2128 usr/share/strongswan/templates/config/plugins/tpm.conf
2129@@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf
2130 etc/strongswan.d/charon/curve25519.conf
2131 etc/strongswan.d/charon/gcrypt.conf
2132 etc/strongswan.d/charon/ldap.conf
2133+etc/strongswan.d/charon/ntru.conf
2134 etc/strongswan.d/charon/pkcs11.conf
2135 etc/strongswan.d/charon/test-vectors.conf
2136 etc/strongswan.d/charon/tpm.conf
2137diff --git a/debian/rules b/debian/rules
2138index 2fed1f1..8ca4bd7 100755
2139--- a/debian/rules
2140+++ b/debian/rules
2141@@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
2142 --enable-curl \
2143 --enable-eap-aka \
2144 --enable-eap-gtc \
2145+ --enable-eap-dynamic \
2146 --enable-eap-identity \
2147 --enable-eap-md5 \
2148 --enable-eap-mschapv2 \
2149+ --enable-eap-peap \
2150 --enable-eap-radius \
2151 --enable-eap-tls \
2152 --enable-eap-tnc \
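Review bot: --enable-eap-dynamic is inserted after --enable-eap-gtc, which breaks the alphabetical order the surrounding CONFIGUREARGS lines follow (eap-aka, eap-gtc, eap-identity, eap-md5); place it between --enable-eap-aka and --enable-eap-gtc so the list stays sorted and later merges diff cleanly.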
2153@@ -32,6 +34,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
2154 --enable-led \
2155 --enable-lookip \
2156 --enable-mediation \
2157+ --enable-ntru \
2158 --enable-openssl \
2159 --enable-pkcs11 \
2160 --enable-test-vectors \
2161diff --git a/debian/tests/control b/debian/tests/control
2162index 997a870..3675f33 100644
2163--- a/debian/tests/control
2164+++ b/debian/tests/control
2165@@ -5,3 +5,9 @@ Restrictions: needs-root isolation-container allow-stderr
2166 Tests: daemon plugins
2167 Depends: strongswan-starter, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins
2168 Restrictions: needs-root isolation-machine allow-stderr
2169+
2170+Tests: host-to-host
2171+Depends: strongswan-swanctl, strongswan-pki, libstrongswan-extra-plugins,
2172+ charon-systemd, lsb-release, snapd, dctrl-tools, libtss2-tcti-tabrmd0,
2173+ bind9-dnsutils
2174+Restrictions: needs-root isolation-machine allow-stderr skippable
2175diff --git a/debian/tests/host-to-host b/debian/tests/host-to-host
2176new file mode 100755
2177index 0000000..3a76da0
2178--- /dev/null
2179+++ b/debian/tests/host-to-host
2180@@ -0,0 +1,401 @@
2181+#!/bin/bash
2182+
2183+# host to host setup from https://docs.strongswan.org/docs/5.9/config/quickstart.html
2184+
2185+set -e
2186+set -o pipefail
2187+
2188+# exit early if not on Ubuntu
2189+if [ "$(lsb_release --short --id)" != "Ubuntu" ]; then
2190+ echo "This test only runs on Ubuntu, skipping."
2191+ exit 77
2192+fi
2193+
2194+cleanup() {
2195+ if [ $? -ne 0 ]; then
2196+ set +e
2197+ echo "Something failed, gathering debug info"
2198+ echo
2199+ echo "Installed strongswan packages:"
2200+ dpkg -l | grep -E "(strongswan|charon)"
2201+ echo
2202+ echo "loaded kernel modules:"
2203+ lsmod
2204+ echo
2205+ echo "journal logs from host:"
2206+ journalctl --no-pager -u strongswan.service || :
2207+ echo
2208+ echo "LXD details:"
2209+ lxc network list
2210+ lxc list
2211+ echo
2212+ for container in $(lxc list -f compact -c ns | grep -F RUNNING | awk '{print $1}'); do
2213+ echo "journal logs from container ${container}"
2214+ lxc exec "${container}" -- journalctl -u strongswan.service --no-pager || :
2215+ echo
2216+ echo "strongswan data from container ${container}"
2217+ for cmd in stats list-certs list-conns list-pols list-sas; do
2218+ echo "${cmd}:"
2219+ lxc exec "${container}" -- swanctl --${cmd} || :
2220+ echo
2221+ done
2222+ done
2223+ fi
2224+ set +e
2225+ rm -rf "${WORKDIR}"
2226+ for container in "${PEERS[@]}"; do
2227+ lxc delete --force "${container}" > /dev/null 2>&1 || :
2228+ done
2229+}
2230+
2231+trap cleanup EXIT
2232+
2233+WORKDIR=$(mktemp -d)
2234+PEERS=("moon" "sun")
2235+declare -A REMOTE
2236+REMOTE["moon"]="sun"
2237+REMOTE["sun"]="moon"
2238+PUBKEY_ALGO="ed25519"
2239+TESTNAME=$(basename "${0}")
2240+
2241+# ca
2242+CA_KEY_FILE="${WORKDIR}/strongswanKey.pem"
2243+REQ_FILE="${WORKDIR}/req.pem" # can be reused for multiple reqs
2244+CA_CERT_FILE="${WORKDIR}/strongswanCert.pem"
2245+
2246+source debian/tests/utils
2247+
2248+check_pol() {
2249+ #root@moon:~# swanctl --list-pols
2250+ #moon-sun/moon-sun, TUNNEL
2251+ # local: 10.38.71.14/32
2252+ # remote: 10.38.71.194/32
2253+ local me="${1}"
2254+ local pol="${2}"
2255+ local -i failures=0
2256+ local tunnel
2257+ local ip
2258+ local policy_ip
2259+
2260+ echo "Checking policy for:"
2261+ echo -n " we have a tunnel: "
2262+ if echo "${pol}" | head -n 1 | grep -qF TUNNEL; then
2263+ echo "OK"
2264+ else
2265+ echo "FAIL"
2266+ failures=$((failures+1))
2267+ fi
2268+
2269+ # moon-sun/moon-sun, TUNNEL -> tunnel = moon-sun
2270+ tunnel=$(echo "${pol}" | head -n 1 | cut -d , -f 1)
2271+ echo -n " tunnel matches local-remote: "
2272+ if echo "${tunnel}" | grep -qE "^${me}-${REMOTE[${me}]}/${me}-${REMOTE[${me}]}"; then
2273+ echo "OK"
2274+ else
2275+ echo "FAIL (tunnel=${tunnel})"
2276+ failures=$((failures+1))
2277+ fi
2278+
2279+ echo -n " local IP matches local peer: "
2280+ ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
2281+ policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+local:[[:blank:]]+([0-9.]+/32),\1,p")
2282+ if [ "${ip}" = "${policy_ip}" ]; then
2283+ echo "OK"
2284+ else
2285+ echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
2286+ failures=$((failures+1))
2287+ fi
2288+
2289+ echo -n " remote IP matches remote peer: "
2290+ ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
2291+ policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+remote:[[:blank:]]+([0-9.]+/32),\1,p")
2292+ if [ "${ip}" = "${policy_ip}" ]; then
2293+ echo "OK"
2294+ else
2295+ echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
2296+ failures=$((failures+1))
2297+ fi
2298+
2299+ return ${failures}
2300+}
2301+
2302+check_sa() {
2303+ local -i failures=0
2304+ local me="${1}"
2305+ local sa="${2}"
2306+ local name=""
2307+ local sa_ip
2308+
2309+ # SAs look like this:
2310+ # moon-sun: #1, ESTABLISHED, IKEv2, f1bdc688a5078946_i* bf6e1559c5a87ab9_r
2311+ # local 'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.84.128.22[4500]
2312+ # remote 'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.84.128.191[4500]
2313+ # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
2314+ # established 11s ago, rekeying in 14147s
2315+ # moon-sun: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
2316+ # installed 11s ago, rekeying in 3285s, expires in 3949s
2317+ # in c3bcdf8d, 168 bytes, 2 packets, 0s ago
2318+ # out caf49378, 168 bytes, 2 packets, 0s ago
2319+ # local 10.84.128.22/32
2320+ # remote 10.84.128.191/32
2321+
2322+ echo "Checking SA for:"
2323+
2324+ echo -n " established SA: "
2325+ if echo "${sa}" | grep -qE "^[[:alnum:]]+-[[:alnum:]]+:.*ESTABLISHED"; then
2326+ echo "OK"
2327+ else
2328+ echo "FAIL"
2329+ failures=$((failures+1))
2330+ fi
2331+
2332+ # parse the connection name from the first line: $local-$remote: #1,....
2333+ name=$(echo "${sa}" | head -n 1 | sed -r "s/^([[:alnum:]]+)-[[:alnum:]]+:.*/\1/")
2334+ echo -n " local DN matches CN=${name}.strongswan.org: "
2335+ if echo "${sa}" | grep -qE "^[[:blank:]]*local.*CN=${name}\.strongswan\.org"; then
2336+ echo "OK"
2337+ else
2338+ echo "FAIL"
2339+ failures=$((failures+1))
2340+ fi
2341+
2342+ # parse the connection name from the first line: $local-$remote: #1,....
2343+ name=$(echo "${sa}" | head -n 1 | sed -r "s/^[[:alnum:]]+-([[:alnum:]]+):.*/\1/")
2344+ echo -n " remote DN matches CN=${name}.strongswan.org: "
2345+ if echo "${sa}" | grep -qE "^[[:blank:]]*remote.*CN=${name}\.strongswan\.org"; then
2346+ echo "OK"
2347+ else
2348+ echo "FAIL"
2349+ failures=$((failures+1))
2350+ fi
2351+
2352+ echo -n " local IP matches local peer: "
2353+ ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
2354+ sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+local[[:blank:]]+([0-9.]+/32),\1,p")
2355+ if [ "${ip}" = "${sa_ip}" ]; then
2356+ echo "OK"
2357+ else
2358+ echo "FAIL: local ip ${ip} != SA local ip ${sa_ip}"
2359+ failures=$((failures+1))
2360+ fi
2361+
2362+ echo -n " remote IP matches remote peer: "
2363+ ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
2364+ sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+remote[[:blank:]]+([0-9.]+/32),\1,p")
2365+ if [ "${ip}" = "${sa_ip}" ]; then
2366+ echo "OK"
2367+ else
2368+ echo "FAIL: remote ip ${ip} != SA remote ip ${sa_ip}"
2369+ failures=$((failures+1))
2370+ fi
2371+
2372+ # TODO: check for cipher, if it matches the algo used in the pubkey
2373+ # TODO: check for traffic, should not be zero
2374+
2375+ return ${failures}
2376+}
2377+
2378+_setup_peer() {
2379+ local peer="${1}"
2380+ local algo="${2}"
2381+ local key_file="${WORKDIR}/${peer}Key.pem"
2382+ local cert_file="${WORKDIR}/${peer}Cert.pem"
2383+
2384+ pki --gen --type "${algo}" --outform pem > "${key_file}"
2385+
2386+ pki --req --type priv --in "${key_file}" \
2387+ --dn "C=CH, O=strongswan, CN=${peer}.strongswan.org" \
2388+ --san "${peer}.strongswan.org" --outform pem > "${REQ_FILE}"
2389+
2390+ pki --issue --cacert "${CA_CERT_FILE}" --cakey "${CA_KEY_FILE}" \
2391+ --type pkcs10 --in "${REQ_FILE}" --serial 01 --lifetime 5 \
2392+ --outform pem --flag serverAuth > "${cert_file}"
2393+}
2394+
2395+_setup_lxd() {
2396+ lxd init --auto
2397+ network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED" | awk '{print $1}')
2398+ lxc network set "${network:-lxdbr0}" ipv6.address=none
2399+ if [ -n "${http_proxy}" ]; then
2400+ lxc config set core.proxy_http "${http_proxy}"
2401+ fi
2402+ if [ -n "${https_proxy}" ]; then
2403+ lxc config set core.proxy_https "${https_proxy}"
2404+ fi
2405+ if [ -n "${noproxy}" ]; then
2406+ lxc config set core.proxy_ignore_hosts "${noproxy}"
2407+ fi
2408+}
2409+
2410+_setup_host_containers() {
2411+ local release
2412+ local ip
2413+ local -i result=0
2414+ local -a deps
2415+
2416+ release=$(lsb_release -cs)
2417+ readarray -t deps < <(get_test_dependencies "${TESTNAME}" snapd dctrl-tools)
2418+
2419+ for container in "${PEERS[@]}"; do
2420+ echo "Launching container ${container} with release ${release}"
2421+ lxc launch "ubuntu-daily:${release}" "${container}" -c security.nesting=true -q
2422+ echo -en "Waiting for container ${container} to be ready "
2423+ wait_container_ready "${container}"
2424+
2425+ echo "Copying over /etc/apt to container ${container}"
2426+ lxc exec "${container}" -- rm -rf /etc/apt
2427+ lxc exec "${container}" -- mkdir -p /etc/apt
2428+ tar -cC /etc/apt . | lxc exec "${container}" -- tar -xC /etc/apt
2429+
2430+ echo "Installing deps in container ${container} (${deps[*]})"
2431+ output=$(lxc exec "${container}" -- apt-get update -q) || {
2432+ result=$?
2433+ echo "apt-get update failed in container ${container}"
2434+ echo "${output}"
2435+ return ${result}
2436+ }
2437+ output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y) || {
2438+ result=$?
2439+ echo "apt-get dist-upgrade failed in container ${container}"
2440+ echo "${output}"
2441+ return ${result}
2442+ }
2443+ output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y "${deps[@]}") || {
2444+ result=$?
2445+ echo "apt-get install ${deps[*]} failed in container ${container}"
2446+ echo "${output}"
2447+ return ${result}
2448+ }
2449+ echo "Done for container ${container}"
2450+ done
2451+}
2452+
2453+_setup_host_containers_certs() {
2454+ for container in "${PEERS[@]}"; do
2455+ echo "Copying ${CA_CERT_FILE} to container ${container}"
2456+ lxc file push "${CA_CERT_FILE}" "${container}/etc/swanctl/x509ca/"
2457+
2458+ echo "Copying ${container} cert and key"
2459+ lxc file push "${WORKDIR}/${container}Key.pem" "${container}/etc/swanctl/private/"
2460+ lxc file push "${WORKDIR}/${container}Cert.pem" "${container}/etc/swanctl/x509/"
2461+ done
2462+}
2463+
2464+_setup_host_containers_strongswan() {
2465+ local config
2466+
2467+ config=$(mktemp)
2468+
2469+ for peer in "${PEERS[@]}"; do
2470+ conn_name="${peer}-${REMOTE[${peer}]}"
2471+ cat > "${config}" <<EOF
2472+connections {
2473+ ${conn_name} {
2474+ remote_addrs = ${REMOTE[${peer}]}.lxd
2475+ local {
2476+ auth=pubkey
2477+ certs = ${peer}Cert.pem
2478+ }
2479+ remote {
2480+ auth = pubkey
2481+ id = "C=CH, O=strongswan, CN=${REMOTE[${peer}]}.strongswan.org"
2482+ }
2483+ children {
2484+ ${conn_name} {
2485+ start_action = trap
2486+ }
2487+ }
2488+ }
2489+}
2490+EOF
2491+ lxc file push "${config}" "${peer}/etc/swanctl/conf.d/${conn_name}.conf"
2492+ echo "Loading creds in container ${peer}"
2493+ lxc exec "${peer}" -- swanctl --load-creds
2494+ echo "Loading connections in container ${peer}"
2495+ lxc exec "${peer}" -- swanctl --load-conns
2496+ done
2497+}
2498+
2499+setup() {
2500+ local algo=${1:-ed25519}
2501+ echo "Creating a CA"
2502+ echo
2503+ echo "Generating private key for CA"
2504+ pki --gen --type "${algo}" --outform pem > "${CA_KEY_FILE}"
2505+
2506+ echo "Generating self-signed certificate for CA"
2507+ pki \
2508+ --self --ca --lifetime 10 --in "${CA_KEY_FILE}" \
2509+ --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
2510+ --outform pem > "${CA_CERT_FILE}"
2511+ echo "Here is the CA cert:"
2512+ pki --print --in "${CA_CERT_FILE}"
2513+
2514+ for peer in "${PEERS[@]}"; do
2515+ echo "Generating key and certificate for peer ${peer}"
2516+ _setup_peer "${peer}" "${algo}"
2517+ done
2518+
2519+ echo "Setting up host LXD"
2520+ _setup_lxd
2521+
2522+ echo "Creating host containers"
2523+ _setup_host_containers
2524+
2525+ echo "Copy certificates to containers"
2526+ _setup_host_containers_certs
2527+
2528+ echo "Configuring strongswan in containers"
2529+ _setup_host_containers_strongswan
2530+}
2531+
2532+test_ping() {
2533+ for peer in "${PEERS[@]}"; do
2534+ echo "Generating traffic from ${peer} to ${REMOTE[${peer}]}"
2535+ # first ping to establish the tunnel always fails
2536+ lxc exec "${peer}" -- ping -c 2 -W 3 "${REMOTE[${peer}]}.lxd" > /dev/null 2>&1 || :
2537+ # this one must work
2538+ lxc exec "${peer}" -- ping -c 4 -W 3 "${REMOTE[${peer}]}.lxd"
2539+ echo
2540+ done
2541+}
2542+
2543+test_sa() {
2544+ for peer in "${PEERS[@]}"; do
2545+ sa=$(lxc exec "${peer}" -- swanctl --list-sas)
2546+ echo "This is the ${peer} SA:"
2547+ if [ -z "${sa}" ]; then
2548+ echo "FAILED: SA is empty (swanctl --list-sas)"
2549+ return 1
2550+ fi
2551+ echo "${sa}"
2552+ echo
2553+ check_sa "${peer}" "${sa}"
2554+ echo
2555+ done
2556+}
2557+
2558+test_pol() {
2559+ for peer in "${PEERS[@]}"; do
2560+ pol=$(lxc exec "${peer}" -- swanctl --list-pols)
2561+ echo "This is the ${peer} policy:"
2562+ if [ -z "${pol}" ]; then
2563+ echo "FAILED: pol is empty (swanctl --list-pols)"
2564+ return 1
2565+ fi
2566+ echo "${pol}"
2567+ echo
2568+ check_pol "${peer}" "${pol}"
2569+ echo
2570+ done
2571+}
2572+
2573+
2574+# the lxd deb package last existed in focal, so we install the snap
2575+snap list lxd > /dev/null 2>&1 || snap install lxd
2576+
2577+setup "${PUBKEY_ALGO}"
2578+
2579+test_ping
2580+test_sa
2581+test_pol
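Review bot: in check_pol, the failure branch of the "remote IP matches remote peer" check prints "FAIL: local ip ${ip} != policy local ip ${policy_ip}", copied from the local check above it, so a remote mismatch is reported as a local one; check_sa already words its remote message correctly and the same wording should be used here. In _setup_peer, pki --issue is called with --serial 01 for every peer, so the moon and sun certificates share issuer and serial number; give each peer a distinct serial. _setup_lxd tests ${noproxy} while the two checks before it use http_proxy and https_proxy, so if the environment supplies no_proxy then core.proxy_ignore_hosts is never set. check_sa assigns ip without declaring it local, and the file created by config=$(mktemp) in _setup_host_containers_strongswan lives outside ${WORKDIR}, so cleanup does not remove it.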
2582diff --git a/debian/tests/utils b/debian/tests/utils
2583new file mode 100644
2584index 0000000..e8a8584
2585--- /dev/null
2586+++ b/debian/tests/utils
2587@@ -0,0 +1,61 @@
2588+wait_container_ready() {
2589+ local container="${1}"
2590+ local -i limit=300 # seconds
2591+ local -i i=0
2592+ while /bin/true; do
2593+ ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
2594+ if [ -n "${ip}" ]; then
2595+ break
2596+ fi
2597+ i=$((i+1))
2598+ if [ ${i} -ge ${limit} ]; then
2599+ return 1
2600+ fi
2601+ sleep 1s
2602+ echo -n "."
2603+ done
2604+ while ! nc -z "${ip}" 22; do
2605+ echo -n "."
2606+ i=$((i+1))
2607+ if [ ${i} -ge ${limit} ]; then
2608+ return 1
2609+ fi
2610+ sleep 1s
2611+ done
2612+ # cloud-init might still be doing things...
2613+ # this call blocks, so wrap it in its own little timeout
2614+ # Give it ${limit} seconds too
2615+ output=$(lxc exec "${container}" -- timeout --verbose ${limit} cloud-init status --wait) || {
2616+ result=$?
2617+ echo "cloud-init status --wait failed on container ${container}"
2618+ echo "${output}"
2619+ return ${result}
2620+ }
2621+ echo
2622+}
2623+
2624+get_test_dependencies() {
2625+ local test_name="${1}"
2626+ shift
2627+ local exclusions="$*"
2628+ # Get test dependencies which we need to install in the containers
2629+ # we will create:
2630+ # -s: show Depends field
2631+ # -n: omit field name in output
2632+ # -X: do an exact match, instead of substring
2633+ # -F Tests: apply regexp to Tests field
2634+ depends=$(grep-dctrl -s Depends -n -F Tests -X "${test_name}" debian/tests/control | tr -d ,)
2635+ [ -n "${depends}" ] || {
2636+ echo "Failed to obtain list of dependencies for this test"
2637+ return 1
2638+ }
2639+ # remove exclusions, if any
2640+ for p in ${depends}; do
2641+ if echo "${exclusions}" | grep -qwF "${p}"; then
2642+ continue
2643+ else
2644+ echo "${p}"
2645+ fi
2646+ done
2647+}
2648+
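Review bot: wait_container_ready and get_test_dependencies assign ip, output, result and depends without local, and this file is sourced into host-to-host, where check_sa also assigns a global ip; declare them local alongside container, limit and i. wait_container_ready also calls nc, but the Depends field of the host-to-host test names no package that obviously provides it, so either add one or drop the port 22 probe in favour of the cloud-init status --wait call that follows it. In get_test_dependencies, grep -qwF treats "-" as a word boundary, so an exclusion such as dctrl-tools would also filter out a dependency named dctrl or tools; comparing each exclusion for exact equality avoids that.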
2649diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
2650index 455c7cb..54c2b06 100644
2651--- a/debian/usr.sbin.swanctl
2652+++ b/debian/usr.sbin.swanctl
2653@@ -22,7 +22,7 @@
2654 /run/charon.vici rw,
2655
2656 # Allow reading own binary
2657- /usr/sbin/swanctl r,
2658+ /usr/sbin/swanctl rm,
2659
2660 # for af-alg plugin
2661 network alg seqpacket,
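Review bot: the comment above the changed rule still reads "Allow reading own binary", but rm also grants the m permission (memory map as executable) on /usr/sbin/swanctl; update the comment to say why the mapping is needed, or reference the AppArmor denial that prompted it, so the extra permission is not mistaken for a typo in a later profile review.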
