Ubuntu
strongswan package

Merge version 5.8.4-1 from Debian. Part of the delta was dropped because it was fixed by Debian or it was part of a transition and it should be removed after Focal release. Take a look at the changes removed in this version:

  * Dropped:
    - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
      This is needed due to changes in regard to Debian bug 947176 and 939243
      and can later be dropped again.
      [applied by Debian in version 5.8.2-2]
    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
      to common libcharon-extauth-plugins (drop after 20.04)
    - d/control: Transition from strongswan-tnc-* being in extra packages
      to libcharon-extra-plugins (drop after 20.04)

The rest of the delta was kept. Those changes were forwarded upstream but there are some discussions going on. Christian and I will sync about them next week.

  * Merge with Debian unstable. Remaining changes:
    - d/control: strongswan-starter hard-depends on strongswan-charon,
      therefore bump the dependency from Recommends to Depends. At the same
      time avoid a circular dependency by dropping
      strongswan-charon->strongswan-starter from Depends to Recommends as the
      binaries can work without the services but not vice versa.
    - re-add post-quantum encryption algorithm (NTRU) (LP: #1863749)
      + d/control: mention plugins in package description
      + d/rules: enable ntru at build time
      + d/libstrongswan-extra-plugins.install: ship config and shared objects

PPA with the proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/groovy-strongswan-merge/+packages

autopkgtest output:

autopkgtest [19:21:35]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-05-01:

Glad the "droppable after 20.04" now also could go away :-)

Yeah, the remaining Delta LGTM.
Lets next week (on the invite you sent) talk about the details of these two remaining deltas, why they exists and if/how we might upstream them.

Further I'd want to talk about testing strongswan merges in that session and we'll run the tests I used to use on your PPA together. From there you might have a chance to extend these tests a bit maybe, but you don't need to do the initial-work that already exists.

One feedback on the changelog, the NTRU bug should no more be (LP: #1863749) as that would ping on the bug, make it (LP: 1863749) or such to avoid bumping it. I already saw that LP automatically linked your MP on the bug due to it being referenced on the commit subject - rename that and the changelog on a rebase please :-)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-05-01:

can you also take a look at https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1875504 please?

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2020-05-05:

The mentioned bug was marked as incomplete and asked for more information. Christian, could you take at the changes and approve this MP if they are good enough? I believe we can upload this new version and investigate the issue reported by the user in parallel.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-05-06:

Agreed to continue ont hat bug in the background.
The changes LGTM.
- drops are ok
- retained delta seems right
´

And we discussed all that is left (e.g. continue to discuss the strongswan-starter dependencies) yesterday.

review: Approve

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2020-05-06:

$ dput ubuntu ../strongswan_5.8.4-1ubuntu1_source.changes
Checking signature on .changes
gpg: /home/kanashiro/packaging/ubuntu/strongswan/strongswan_5.8.4-1ubuntu1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: /home/kanashiro/packaging/ubuntu/strongswan/strongswan_5.8.4-1ubuntu1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.8.4-1ubuntu1.dsc: done.
  Uploading strongswan_5.8.4.orig.tar.bz2: done.
  Uploading strongswan_5.8.4.orig.tar.bz2.asc: done.
  Uploading strongswan_5.8.4-1ubuntu1.debian.tar.xz: done.
  Uploading strongswan_5.8.4-1ubuntu1_source.changes: done.
Successfully uploaded packages.

$ git push pkg upload/5.8.4-1ubuntu1
Enumerating objects: 32, done.
Counting objects: 100% (32/32), done.
Delta compression using up to 8 threads
Compressing objects: 100% (26/26), done.
Writing objects: 100% (26/26), 35.26 KiB | 4.41 MiB/s, done.
Total 26 (delta 17), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
* [new tag] upload/5.8.4-1ubuntu1 -> upload/5.8.4-1ubuntu1

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Lucas Kanashiro

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 4153bfd..aa2a2b3 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,27 @@
++strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++  * Dropped:
++    - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
++      This is needed due to changes in regard to Debian bug 947176 and 939243
++      and can later be dropped again.
++      [applied by Debian in version 5.8.2-2]
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins (drop after 20.04)
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Thu, 30 Apr 2020 18:06:55 -0300
++
  strongswan (5.8.4-1) unstable; urgency=medium
    * New upstream version 5.8.4 (Closes: #956446)
@@ -13,6 +37,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Thu, 13 Feb 2020 22:46:40 +0100
++strongswan (5.8.2-1ubuntu3) focal; urgency=medium
++
++  * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
++    there is a potential local side-channel attack on strongSwan's BLISS
++    implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 10 Mar 2020 07:56:56 +0100
++
++strongswan (5.8.2-1ubuntu2) focal; urgency=medium
++
++  * re-add post-quantum computer signature scheme (BLISS) and encryption
++    algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
++    - d/control: mention plugins in package description
++    - d/rules: enable ntru and bliss at build time
++    - d/libstrongswan-extra-plugins.install: ship config and shared objects
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 04 Mar 2020 07:54:26 +0100
++
++strongswan (5.8.2-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1861971). Remaining changes:
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins (drop after 20.04)
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++  * Added Changes
++    - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
++      This is needed due to changes in regard to Debian bug 947176 and 939243
++      and can later be dropped again.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 05 Feb 2020 08:28:30 +0100
++
  strongswan (5.8.2-1) unstable; urgency=medium
    [ Jean-Michel Vourgère ]
@@ -29,6 +90,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 01 Jan 2020 14:35:46 +0100
++strongswan (5.8.1-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1852579). Remaining changes:
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins
++  * Added Changes:
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++  * Dropped Changes (now in Debian):
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP 1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++      profiles of both ways to start charon (LP 1807664)
++    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
++    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
++      Debian so this part was be dropped. Two changes remain
++      - d/control: fix the mentioning of tpmtss in d/control
++    - apparmor fixes for container and root usage (LP 1826238)
++      + d/usr.sbin.swanctl: allow reading own binary
++      + d/usr.sbin.charon-systemd: allow accessing the binary
++      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
++      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
++        to apparmor to allow dropping caps
++  * Dropped Changes (too uncommon to support by default)
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++      + d/strongswan-starter.install: Install pool feature, which is useful
++        since we now have attr-sql plugin enabled it.
++    - Enable additional TNC plugins and add them to libcharon-extra-plugins
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 14 Nov 2019 15:00:15 +0100
++
  strongswan (5.8.1-1) unstable; urgency=medium
    * d/rules: disable http and stream tests under CI
@@ -98,6 +236,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 26 Aug 2019 12:58:23 +0200
++strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
++
++  * No change rebuild for libmysqlclient21.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 15 Aug 2019 09:34:34 +0200
++
++strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
++
++  * Rebuild against new libjson-c4.
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 01 Jul 2019 10:53:07 +0200
++
++strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * Merge with Debian unstable. Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++      + d/strongswan-starter.install: Install pool feature, which is useful
++        since we now have attr-sql plugin enabled it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP: 1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++      profiles of both ways to start charon (LP: 1807664)
++    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
++  * Dropped changes
++    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
++      fix SIGSEGV when using mysql plugin (LP: 1795813)
++      [upstream in 5.7.2]
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++      [was a non functional change, dropped to avoid merge noise]
++    - Relocate tnc plugin
++      [TNC is back at libcharon-extra-plugins as it is in Debian]
++  * Added changes:
++    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
++      Debian so this part was be dropped. Two changes remain
++      - d/control: fix the mentioning of tpmtss in d/control
++      - add nttfft (can be merged with the mass enablement change later)
++    - Transitional packages to go back from strongswan-tnc-* being in extra
++      packages to be part of libcharon-extra-plugins.
++      [can be dropped after 20.04]
++
++  [ Simon Deziel ]
++  * Added changes:
++    - apparmor fixes for container and root usage (LP: #1826238)
++      + d/usr.sbin.swanctl: allow reading own binary
++      + d/usr.sbin.charon-systemd: allow accessing the binary
++      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
++      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
++        to apparmor to allow dropping caps
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 26 Apr 2019 11:31:17 +0200
++
  strongswan (5.7.2-1) unstable; urgency=medium
    * d/control: remove Rene from Uploaders, thanks!
@@ -116,6 +347,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 02 Jan 2019 13:02:11 +0100
++strongswan (5.7.1-1ubuntu2) disco; urgency=medium
++
++  * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
++    path (LP: #1773956)
++  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++    profiles of both ways to start charon (LP: #1807664)
++  * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 10 Dec 2018 08:30:01 +0100
++
++strongswan (5.7.1-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable (LP: #1806401). Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++    - d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - Relocate tnc plugin
++      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
++  * Added Changes:
++    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
++      fix SIGSEGV when using mysql plugin (LP: #1795813)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP: #1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - adapt "mass enablement of extra plugins" to match 5.7.x changes
++      + d/rules: use new options for swima instead of swid
++      + d/strongswan-tnc-server.install: add new sec updater tool
++      + d/strongswan-tnc-client.install: add new sw-collector tool
++  * Dropped (in Debian now):
++    - SECURITY UPDATE: Insufficient input validation in gmp plugin
++      (CVE-2018-17540)
++    - SECURITY UPDATE: Insufficient input validation in gmp plugin
++      (CVE-2018-16151 CVE-2018-16152)
++    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
++      usr-merge, thanks to Christian Ehrhardt. LP #1784023
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Dec 2018 15:18:31 +0100
++
  strongswan (5.7.1-1) unstable; urgency=medium
    [ Ondřej Nový ]
@@ -146,6 +457,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 24 Sep 2018 16:36:28 +0200
++strongswan (5.6.3-1ubuntu5) disco; urgency=medium
++
++  * No-change rebuild against libunbound8
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 11 Nov 2018 09:01:53 +0000
++
++strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
++
++  * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
++    Thanks to Matt Callaghan.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 04 Oct 2018 10:34:01 -0300
++
++strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
++
++  * SECURITY UPDATE: Insufficient input validation in gmp plugin
++    - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
++      buffer overflow with very small RSA keys in
++      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
++    - CVE-2018-17540
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Oct 2018 13:23:59 -0400
++
++strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
++
++  * SECURITY UPDATE: Insufficient input validation in gmp plugin
++    - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
++      parse PKCS1 v1.5 RSA signatures to verify them in
++      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
++      src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
++    - CVE-2018-16151
++    - CVE-2018-16152
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 25 Sep 2018 10:16:15 -0400
++
++strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++    - d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - Relocate tnc plugin
++      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
++      usr-merge, thanks to Christian Ehrhardt. LP #1784023
++  * Dropped:
++    - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
++      [Fixed in 5.6.3-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 23 Aug 2018 13:05:11 -0300
++
  strongswan (5.6.3-1) unstable; urgency=medium
    * New upstream version 5.6.2
@@ -161,6 +562,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 04 Jun 2018 10:23:22 +0200
++strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
++
++  * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 21 Aug 2018 00:42:38 +0100
++
++strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
++    Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes (no more needed after 18.04)
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++    + d/control: bump breaks/replaces for the move of the updown plugin
++      (Missed Changelog entry on last merge)
++    + d/control: fix dependencies of strongswan-libcharon due to the move
++      the updown plugin (droppable >18.04).
++  * Added Changes:
++    + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP: #1766240)
++    + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 29 May 2018 08:21:42 +0200
++
  strongswan (5.6.2-2) unstable; urgency=medium
    * charon-nm: Fix building list of DNS/MDNS servers with libnm
@@ -171,6 +644,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 13 Apr 2018 13:46:04 +0200
++strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
++
++  * d/control: fix dependencies of strongswan-libcharon due to the move
++    the updown plugin.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 20 Mar 2018 07:37:29 +0100
++
++strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1753018). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Added Changes:
++    + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
++      starter as we followed Debian to move the updown plugin but need to
++      match Ubuntu versions (Droppable >18.04).
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 16 Mar 2018 11:08:47 +0100
++
  strongswan (5.6.2-1) unstable; urgency=medium
    * d/NEWS: add information about disabled algorithms (closes: #883072)
@@ -193,6 +734,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Sun, 17 Dec 2017 16:40:39 +0100
++strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
++
++  * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
++    - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
++      identifier without parameters in
++      src/libstrongswan/credentials/keys/signature_params.c.
++    - CVE-2018-6459
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 07 Mar 2018 14:52:02 +0100
++
++strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
++
++  * No-change rebuild against libcurl4
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 28 Feb 2018 08:52:09 +0000
++
++strongswan (5.6.1-2ubuntu2) bionic; urgency=high
++
++  * No change rebuild against openssl1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 12 Feb 2018 16:00:24 +0000
++
++strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1717343).
++    Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Added changes:
++    + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
++      in 5.6
++    + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    - d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Dropped changes:
++    + Update init/service handling (debian default matches Ubuntu past now)
++      Dropping this fixes (LP: #1734886)
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++    + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
++      (this is a never failing no-op for us, no need for Delta).
++    + d/strongswan-starter.prerm: Stop strongswan service on package removal
++      (ipsec now maps to strongswan service, so this works as-is).
++    + Clean up d/strongswan-starter.postinst: rename service ipsec to
++      strongswan (ipsec now maps to strongswan service, so this works as-is)
++    + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
++      whole section is disabled, so no need for delta)
++    + (is upstream) CVE-2017-11185 patches
++    + (is upstream) FTBFS upstream fix for changed include files
++    + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
++       QEMU/KVM autopkgtest the bliss test takes longer than the default
++    + (in Debian) add now built (since 5.5.1) mgf1 plugin to
++      libstrongswan-extra-plugins.
++    + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
++    + (this was enabled as part of the former delta, squash changes to no-up)
++      d/rules: Disable duplicheck.
++    + (not needed) Relocate plugins test-vectors from extra-plugins to
++      libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (while using it requires special kernel, it does not hurt to be
++      available in the package) Remove ha plugin
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 29 Nov 2017 15:55:18 +0100
++
  strongswan (5.6.1-2) unstable; urgency=medium
    * move counters plugin from -starter to -libcharon. closes: #882431
@@ -279,6 +943,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 19 May 2017 11:32:00 +0200
++strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
++
++  * Fix Artful FTBFS due to newer glibc (LP: #1724859)
++    - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
++      files.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 19 Oct 2017 15:18:52 +0200
++
++strongswan (5.5.1-4ubuntu2) artful; urgency=medium
++
++  * SECURITY UPDATE: Fix RSA signature verification
++    - debian/patches/CVE-2017-11185.patch: does some
++      verifications in order to avoid null-point dereference
++      in src/libstrongswan/gmp/gmp_rsa_public_key.c
++    - CVE-2017-11185
++
++ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 15 Aug 2017 14:49:49 -0300
++
++strongswan (5.5.1-4ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest security changes (CVE-2017-9022,
++    CVE-2017-9023).
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 31 May 2017 15:57:54 +0200
++
++strongswan (5.5.1-3ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest changes. Among others this includes:
++    - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
++      but likely have to wait until Debian stretch was released)
++    - enabling mediation support (LP: #1657413)
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes:
++    + Add and install apparmor profiles (in Debian)
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++      - Fix strongswan ipsec status issue with apparmor
++      - Fix Dep8 tests for the now extra strongswan-pki package for pki
++      - Fix Dep8 tests for the now extra strongswan-scepclient package
++    + d/rules: Sorted and only one enable option per configure line (in
++      Debian)
++    + Add updated logcheck rules (in Debian)
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests (in Debian)
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + d/rules: do not strip for library integrity checking (After Discussion
++      with Debian this isn't acceptable there, but at the same time it turned
++      out the real use-case of this never uses this lib but instead third
++      party checks of checksums for e.g. FIPS cert; so drop the Delta)
++      - Use override_dh_strip to to avoid overwriting user build flags.
++      - Add missing mention of libchecksum integrity test in d/control
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments. (Debian has
++      disabled !x86 tests for the same reason, one solution is enough)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 04 May 2017 14:06:23 +0200
++
  strongswan (5.5.1-3) unstable; urgency=medium
    [ Christian Ehrhardt ]
@@ -312,6 +1183,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 07 Dec 2016 08:34:52 +0100
++strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
++
++  * Update Maintainers which was missed while merging 5.5.1-1.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 19 Dec 2016 16:02:40 +0100
++
++strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian (complex delta, discussions and broken out changes can be
++    found in the merge proposal linked from the merge bug LP: #1631198)
++  * Remaining Changes:
++    + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
++      checking.
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments.
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + Add and install apparmor profiles
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + d/rules: Sorted and only one enable option per configure line
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins
++      - d/libstrongswan.install: Add plugins
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + Add updated logcheck rules
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default
++    + Complete the disabling of libfast
++      - Note: This was partially accepted in Debian, it is no more
++        packaging medcli and medsrv, but still builds and mentions it
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++  * Dropped Changes:
++    + Adding build-dep to iptables-dev (no change, was only in Changelog)
++    + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
++    + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
++      upgrade path left needing them)
++    + Most of "disabling libfast" (Debian dropped it from package content)
++    + Transition for ipsec service (no upgrade path left)
++    + Reverted part of the cleanup to d/strongswan-starter.postinst as using
++      service should rather use invoke-rc.d (so it is a partial revert of our
++      delta)
++    + Transition handling (breaks/replaces) from per-plugin packages to the
++      three grouped plugin packages (no upgrade path left)
++    + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
++      it is effectively a no-op still, so not worth the delta)
++    + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++      (no more needed)
++    + d/rules: Remove configure option --enable-unit-test (unit tests run by
++      default)
++  * Added Changes:
++    + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
++    + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
++      the relocation of the ccm plugin which missed to move the conffiles.
++    + Complete move of test-vectors (was missing in d/control)
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add missing mention of libchecksum integrity test in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + Use override_dh_strip to to fix library integrity checking instead of
++      DEB_BUILD_OPTION to avoid overwriting user build flags.
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon (LP: #1640826).
++    + Fix Dep8 tests for the now extra strongswan-pki package for pki
++    + Fix Dep8 tests for the now extra strongswan-scepclient package
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 07 Nov 2016 16:16:41 +0100
++
  strongswan (5.5.1-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -428,6 +1429,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 14 Mar 2016 23:53:34 +0100
++strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
++
++  * Build-depend on libjson-c-dev instead of libjson0-dev.
++  * Rebuild against libjson-c3.
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Fri, 29 Apr 2016 19:04:22 +0200
++
++strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild against libmysqlclient20.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 05 Apr 2016 13:02:48 +0000
++
++strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
++
++  * debian/tests/plugins: rdrand may or may not be loaded, depending on the
++    cpu features.
++
++ -- Iain Lane <iain@orangesquash.org.uk>  Mon, 22 Feb 2016 17:13:01 +0000
++
++strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
++
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable bliss plugin
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable chapoly plugin
++  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
++    Upstream suggests to not load this plugin by default as it has
++    some limitations.
++    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
++  * debian/patches/increase-bliss-test-timeout.patch
++    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
++  * Update Apparmor profiles
++    - usr.lib.ipsec.charon
++      - add capability audit_write for xauth-pam (LP: #1470277)
++      - add capability dac_override (needed by agent plugin)
++      - allow priv dropping (LP: #1333655)
++      - allow caching CRLs (LP: #1505222)
++      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
++    - usr.lib.ipsec.stroke
++      - allow priv dropping (LP: #1333655)
++      - add local include
++    - usr.lib.ipsec.lookip
++      - add local include
++  * Merge from Debian, which includes fixes for all previous CVEs
++    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
++    Remaining changes:
++      * debian/control
++        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++        - Update Maintainer for Ubuntu
++        - Add build-deps
++          - dh-apparmor
++          - iptables-dev
++          - libjson0-dev
++          - libldns-dev
++          - libmysqlclient-dev
++          - libpcsclite-dev
++          - libsoup2.4-dev
++          - libtspi-dev
++          - libunbound-dev
++        - Drop build-deps
++          - libfcgi-dev
++          - clearsilver-dev
++        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
++        - Set XS-Testsuite: autopkgtest
++      * debian/rules:
++        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++          tests.
++        - Change init/systemd program name to strongswan
++        - Install AppArmor profiles
++        - Removed pieces on 'patching ipsec.conf' on build.
++        - Enablement of features per Ubuntu current config suggested from
++          upstream recommendation
++        - Unpack and sort enabled features to one-per-line
++        - Disable duplicheck as per
++          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++        - Disable libfast (--disable-fast):
++          Requires dropping medsrv, medcli plugins which depend on libfast
++        - Add configure options
++          --with-tss=trousers
++        - Remove configure options:
++          --enable-ha (requires special kernel)
++          --enable-unit-test (unit tests run by default)
++        - Drop logcheck install
++      * debian/tests/*
++        - Add DEP8 test for strongswan service and plugins
++      * debian/strongswan-starter.strongswan.service
++        - Add new systemd file instead of patching upstream
++      * debian/strongswan-starter.links
++        - removed, use Ubuntu systemd file instead of linking to upstream
++      * debian/usr.lib.ipsec.{charon, lookip, stroke}
++        - added AppArmor profiles for charon, lookip and stroke
++      * debian/libcharon-extra-plugins.install
++        - Add plugins
++          - kernel-libipsec.{so, lib, conf, apparmor}
++        - Remove plugins
++          - libstrongswan-ha.so
++        - Relocate plugins
++          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
++      * debian/libstrongswan-extra-plugins.install
++        - Add plugins (so, lib, conf)
++          - acert
++          - attr-sql
++          - coupling
++          - dnscert
++          - fips-prf
++          - gmp
++          - ipseckey
++          - load-tester
++          - mysql
++          - ntru
++          - radattr
++          - soup
++          - sqlite
++          - sql
++          - systime-fix
++          - unbound
++          - whitelist
++        - Relocate plugins (so, lib, conf)
++          - ccm (libstrongswan.install)
++          - test-vectors (libstrongswan.install)
++      * debian/libstrongswan.install
++        - Sort sections
++        - Add plugins (so, lib, conf)
++          - libchecksum
++          - ccm
++          - eap-identity
++          - md4
++          - test-vectors
++      * debian/strongswan-charon.install
++        - Add AppArmor profile for charon
++      * debian/strongswan-starter.install
++        - Add tools, manpages, conf
++          - openac
++          - pool
++          - _updown_espmark
++        - Add AppArmor profile for stroke
++      * debian/strongswan-tnc-base.install
++        - Add new subpackage for TNC
++        - remove non-existent (dropped in 5.2.1) libpts library files
++      * debian/strongswan-tnc-client.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-ifmap.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-pdp.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-server.install
++        - Add new subpackage for TNC
++      * debian/strongswan-starter.postinit:
++        - Removed section about runlevel changes, it's almost 2014.
++        - Adapted service restart section for Upstart.
++        - Remove old symlinks to init.d files is necessary.
++      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      * debian/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
++        - logcheck patterns updated to be helpful
++      * debian/strongswan-starter.postinst: Removed further out-dated code and
++        entire section on opportunistic encryption - this was never in strongSwan.
++      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    Drop changes:
++      * debian/control
++        - Per-plugin package breakup: Reducing packaging delta from Debian
++        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
++      * debian/watch: Already exists in Debian merge
++      * debian/upstream/signing-key.asc:  Upstream has newer version.
++
++ -- Ryan Harper <ryan.harper@canonical.com>  Fri, 12 Feb 2016 11:24:53 -0600
++
  strongswan (5.3.5-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -700,6 +1872,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 12 Mar 2014 11:22:38 +0100
++strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
++
++  * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 30 Nov 2015 15:46:06 +0000
++
++strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
++
++  * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
++    - debian/patches/CVE-2015-8023.patch: only succeed authentication if
++      MSK was established in
++      src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
++    - CVE-2015-8023
++  * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
++    until regression is properly investigated.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 19 Nov 2015 14:00:17 -0500
++
++strongswan (5.1.2-0ubuntu6) wily; urgency=medium
++
++  * SECURITY UPDATE: user credential disclosure to rogue servers
++    - debian/patches/CVE-2015-4171.patch: enforce remote authentication
++      config before proceeding with own authentication in
++      src/libcharon/sa/ikev2/tasks/ike_auth.c.
++    - CVE-2015-4171
++  * debian/rules: don't FTBFS from unused service file
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 08 Jun 2015 12:50:38 -0400
++
++strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
++
++  * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 16 Jan 2015 08:27:54 +0100
++
++strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
++
++  * SECURITY UPDATE: denial of service via DH group 1025
++    - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
++      IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
++      src/libstrongswan/crypto/diffie_hellman.h.
++    - CVE-2014-9221
++
++ -- Tyler Hicks <tyhicks@canonical.com>  Mon, 05 Jan 2015 08:25:29 -0500
++
++strongswan (5.1.2-0ubuntu3) utopic; urgency=low
++
++  * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
++    build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Oct 2014 16:49:18 +0000
++
++strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
++
++  * SECURITY UPDATE: remote authentication bypass
++    - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
++      on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
++    - CVE-2014-2338
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Apr 2014 11:24:34 -0400
++
++strongswan (5.1.2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 01 Mar 2014 08:53:17 +0000
++
++strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
++
++  * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++  * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 13:07:16 +0000
++
++strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release candidate.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 12:59:21 +0000
++
++strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
++
++  * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
++    packages.
++  * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 17 Feb 2014 18:12:38 +0000
++
++strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
++
++  * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:46:46 +0000
++
++strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
++
++  * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
++    as it's only useful on amd64.
++  * debian/watch: Added opts=pgpsigurlmangle option.
++  * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:32:10 +0000
++
++strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
++
++  * New upstream release candidate.
++  * debian/*.install - include new configuration files for plugins in
++    appropiate packages.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:03:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
++
++  * debian/control:
++    - Added Breaks/Replaces for all library files which have been moved
++      about (LP: #1278176).
++    - Removed build-dependency on check and added one on dh-apparmor.
++  * debian/strongswan-starter.postinst: Removed further out-dated code and
++    entire section on opportunistic encryption - this was never in strongSwan.
++  * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sun, 09 Feb 2014 23:53:23 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
++
++  * debian/control: Fixed references to plugin-fips-prf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 22 Jan 2014 11:22:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
++
++  * Upstream Git snapshot for build fixes with regards to entropy.
++  * debian/rules:
++    - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++    - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++      tests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 20 Jan 2014 19:00:59 +0000
++
++strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * Made changes to packaging per upstream suggestions.
++    - Dropped medcli and medsrv packages - not recommended by upstream at this
++      time.
++    - Dropped ha plugin - needs special kernel.
++    - Improved all package descriptions in general.
++    - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
++    - Removed debian/*logcheck* files - not relevant to strongSwan.
++    - Split dhcp and farp packages into sub-packages.
++    - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
++    - Changes to TNC-related packages.
++  * Created AppArmor profiles for lookip and stroke.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Jan 2014 22:52:53 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
++
++  * libstrongswan.install: Removed lingering unit-tester.so reference.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:29:59 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
++
++  * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
++    Incorporates upstream fixes for:
++      - Integrity testing.
++      - Unit test failures on little endian systems.
++  * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
++    upstream.
++  * debian/rules:
++    - Stop using CK_TIMEOUT_MULTIPLIER.
++    - Stop enabling the test suite only on non-powerpc arches (it runs
++      anyway).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:17:20 +0000
++
++strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
++
++  * debian/control: Reinstate missing comma in dependencies.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:39:13 +0000
++
++strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
++
++  * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
++    where test for >2038 tests on 32-bit platforms is broken.
++    - Reported upstream: https://wiki.strongswan.org/issues/477
++  * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:02:32 +0000
++
++strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
++    and --enable-unity.
++  * debian/control:
++    - New plugin packages created for the above
++    - Split fips-prf into its own package.
++    - Added build-dependency on libsoup2.4-dev.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 02 Jan 2014 17:37:33 +0000
++
  strongswan (5.1.1-3) unstable; urgency=low
    * Upload to unstable.
@@ -791,6 +2167,192 @@ strongswan (5.1.1-1) unstable; urgency=low
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 24 Jan 2014 21:22:32 +0100
++strongswan (5.1.1-0ubuntu17) trusty; urgency=low
++
++  * debian/control:
++    - Make strongswan-ike depend on iproute2.
++    - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
++    - Created strongswan-libfast package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 01 Jan 2014 17:04:45 +0000
++
++strongswan (5.1.1-0ubuntu16) trusty; urgency=low
++
++  * debian/control:
++    - Further splitting of plugins into subpackages (such as all EAP plugins
++      to their own packages).
++    - Added libpcsclite-dev to build-dependencies.
++  * debian/rules:
++    - Sort configure options in alphabetical order.
++    - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
++      --enable-eap-sim-file, --enable-eap-sim-pcsc,
++      --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
++      --enable-eap-simaka-sql.
++    - Don't exclude medsrv from install.
++  * Moved eap-identity.so to libstrongswan package as it's used by all the
++    other EAP plugins.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 21:25:50 +0000
++
++strongswan (5.1.1-0ubuntu15) trusty; urgency=low
++
++  * debian/control:
++    - Split plugins from libstrongswan package into modular subpackages.
++    - Added libmysqlclient-dev to build-dependencies.
++    - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
++      strongswan-plugins-gcrypt.
++    - strongswan-ike: All other plugins added to Suggests.
++    - Created two new TNC packages: strongswan-tnc-ifmap and
++      strongswan-tnc-pdp and added to tnc-imcvs Suggests.
++  * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
++    --enable-error-notify, --enable-mysql, --enable-load-tester,
++    --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
++  * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 16:15:32 +0000
++
++strongswan (5.1.1-0ubuntu14) trusty; urgency=low
++
++  * debian/rules:
++    - CK_TIMEOUT_MULTIPLIER back down to 6.
++    - Disable unit tests on powerpc.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:39:48 +0000
++
++strongswan (5.1.1-0ubuntu13) trusty; urgency=low
++
++  * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:23:42 +0000
++
++strongswan (5.1.1-0ubuntu12) trusty; urgency=low
++
++  * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
++    armhf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:03:40 +0000
++
++strongswan (5.1.1-0ubuntu11) trusty; urgency=low
++
++  * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
++    one extra arch.
++  * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:51:47 +0000
++
++strongswan (5.1.1-0ubuntu10) trusty; urgency=low
++
++  * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
++    - Increases RSA key generate test timeout to 30 seconds so that it doesn't
++      fail on armhf, arm64, and powerppc.
++  * Contrary to what the last changelog entry says, we are still running
++    strongswan as root (with AppArmor protection).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:06:47 +0000
++
++strongswan (5.1.1-0ubuntu9) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-tnc-ifmap: enable TNC IF-MAP module.
++    - --enable-duplicheck: enable duplicheck plugin.
++    - --enable-imv-swid, --enable-imc-swid: Added.
++    - Run strongswan as it's own user.
++  * debian/strongswan-starter.install: Install duplicheck.
++  * debian/strongswan-tnc-imcvs.install: Install swidtags.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 19:33:27 +0000
++
++strongswan (5.1.1-0ubuntu8) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-unit-tests: check unit testing on build.
++    - --enable-unbound: for validating DNS lookups.
++    - --enable-dnscert: for DNSCERT peer authentication.
++    - --enable-ipseckey: for IPSEC key authentication.
++    - --enable-lookip: for LookIP functionality.
++    - --enable-coupling: certificate coupling functionality.
++  * debian/control: Added check, libldns-dev, libunbound-dev to
++    build-dependencies.
++  * debian/libstrongswan.install: Install new plugin .so's.
++  * debian/strongswan-starter.install: Added lookip.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:52:07 +0000
++
++strongswan (5.1.1-0ubuntu7) trusty; urgency=low
++
++  * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
++    the former from depending on the latter).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:30:19 +0000
++
++strongswan (5.1.1-0ubuntu6) trusty; urgency=low
++
++  * debian/strongswan-starter.prerm: Stop strongswan service on package
++    removal (as opposed to using the old init.d script).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:22:10 +0000
++
++strongswan (5.1.1-0ubuntu5) trusty; urgency=low
++
++  * debian/rules:
++    - CONFIGUREARGS: Merged Debian and RPM options.
++    - Brings in TNC functionality.
++  * debian/control:
++    - Added build-dependency on libtspi-dev.
++    - Created strongswan-tnc-imcvs binary package for TNC components.
++    - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
++  * debian/libstrongswan.install:
++    - Included newly built MD4 and SQLite libraries.
++    - Removed 'tnc' references (moved to TNC package).
++  * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
++    binaries.
++  * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 14:05:43 +0000
++
++strongswan (5.1.1-0ubuntu4) trusty; urgency=low
++
++  * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
++  * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++  * debian/control: strongswan-ike - Stop depending on ipsec-tools.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 05:35:17 +0000
++
++strongswan (5.1.1-0ubuntu3) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Only start strongSwan when a
++    network connection is available.
++  * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
++    1.16.1 - to make precise backporting easier.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 12 Dec 2013 10:43:15 +0000
++
++strongswan (5.1.1-0ubuntu2) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Created Upstart job for
++    strongSwan.
++  * debian/rules: Set dh_installinit to install above file.
++  * debian/strongswan-starter.postinit:
++    - Removed section about runlevel changes, it's almost 2014.
++    - Adapted service restart section for Upstart.
++    - Remove old symlinks to init.d files is necessary.
++  * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 11 Dec 2013 23:10:28 +0000
++
++strongswan (5.1.1-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++  * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
++  * debian/control: Updated Standards-Version to 3.9.5 and applied
++    XSBC-Original-Maintainer policy.
++  * strongswan-starter.install:
++    - pki tool is now in /usr/bin.
++    - Install pt-tls-client.
++    - Install manpages (LP: #1206263).
++
++ -- Jonathan Davies <jpds@ubuntu.com>  Sun, 01 Dec 2013 17:43:59 +0000
++
  strongswan (5.1.0-3) unstable; urgency=high
    * urgency=high for the security fixes.
 diff --git a/debian/control b/debian/control
 index 9c0d909..5ee5ad5 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: strongswan
  Section: net
  Priority: optional
--Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
  Uploaders: Yves-Alexis Perez <corsac@debian.org>
  Standards-Version: 4.5.0
  Vcs-Browser: https://salsa.debian.org/debian/strongswan
@@ -135,6 +136,7 @@ Description: strongSwan utility and crypto library (extra plugins)
    - gcrypt (Crypto backend based on libgcrypt, provides
      RSA/DH/ciphers/hashers/rng)
    - ldap (LDAP fetching plugin based on libldap)
++  - ntru (key exchanged based on post-quantum computer NTRU)
    - padlock (VIA padlock crypto backend, provides AES128/SHA1)
    - pkcs11 (PKCS#11 smartcard backend)
    - rdrand (High quality / high performance random source using the Intel
@@ -209,9 +211,9 @@ Pre-Depends: ${misc:Pre-Depends}
  Depends: adduser,
           libstrongswan (= ${binary:Version}),
           lsb-base (>= 3.0-6),
++         strongswan-charon,
           ${misc:Depends},
           ${shlibs:Depends}
--Recommends: strongswan-charon
  Conflicts: openswan
  Description: strongSwan daemon starter and configuration file parser
   The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -250,9 +252,9 @@ Architecture: any
  Pre-Depends: debconf | debconf-2.0
  Depends: iproute2 [linux-any] | iproute [linux-any],
           libstrongswan (= ${binary:Version}),
--         strongswan-starter,
           ${misc:Depends},
           ${shlibs:Depends}
++Recommends: strongswan-starter,
  Provides: ike-server
  Description: strongSwan Internet Key Exchange daemon
   The strongSwan VPN suite uses the native IPsec stack in the standard
 diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
 index 2846e21..8f71239 100644
 --- a/debian/libstrongswan-extra-plugins.install
 +++ b/debian/libstrongswan-extra-plugins.install
@@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
  usr/lib/ipsec/plugins/libstrongswan-curve25519.so
  usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
  usr/lib/ipsec/plugins/libstrongswan-ldap.so
++usr/lib/ipsec/plugins/libstrongswan-ntru.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
  usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
  usr/lib/ipsec/plugins/libstrongswan-tpm.so
@@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf
  usr/share/strongswan/templates/config/plugins/curve25519.conf
  usr/share/strongswan/templates/config/plugins/gcrypt.conf
  usr/share/strongswan/templates/config/plugins/ldap.conf
++usr/share/strongswan/templates/config/plugins/ntru.conf
  usr/share/strongswan/templates/config/plugins/pkcs11.conf
  usr/share/strongswan/templates/config/plugins/test-vectors.conf
  usr/share/strongswan/templates/config/plugins/tpm.conf
@@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf
  etc/strongswan.d/charon/curve25519.conf
  etc/strongswan.d/charon/gcrypt.conf
  etc/strongswan.d/charon/ldap.conf
++etc/strongswan.d/charon/ntru.conf
  etc/strongswan.d/charon/pkcs11.conf
  etc/strongswan.d/charon/test-vectors.conf
  etc/strongswan.d/charon/tpm.conf
 diff --git a/debian/rules b/debian/rules
 index eacfe14..8f2d740 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -31,6 +31,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
  		--enable-led \
  		--enable-lookip \
  		--enable-mediation \
++		--enable-ntru \
  		--enable-openssl \
  		--enable-pkcs11 \
  		--enable-test-vectors \

Ubuntustrongswan package

Merge ~lucaskanashiro/ubuntu/+source/strongswan:groovy-merge into ubuntu/+source/strongswan:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
strongswan package