Merge ~lucaskanashiro/ubuntu/+source/strongswan:groovy-merge into ubuntu/+source/strongswan:debian/sid
Status: | Merged |
---|---|
Merge reported by: | Lucas Kanashiro |
Merged at revision: | 9a36f8ee2983a7d33bc5f0bded47bccd7b80ae6e |
Proposed branch: | ~lucaskanashiro/ubuntu/+source/strongswan:groovy-merge |
Merge into: | ubuntu/+source/strongswan:debian/sid |
Diff against target: | 1745 lines (+1571/-3), 4 files modified: debian/changelog (+1562/-0), debian/control (+5/-3), debian/libstrongswan-extra-plugins.install (+3/-0), debian/rules (+1/-0) |
Related bugs: | |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+383258@code.launchpad.net |
Commit message
Description of the change
Merge version 5.8.4-1 from Debian. Part of the delta was dropped because it was fixed by Debian or it was part of a transition and it should be removed after Focal release. Take a look at the changes removed in this version:
* Dropped:
- d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
This is needed due to changes in regard to Debian bug 947176 and 939243
and can later be dropped again.
[applied by Debian in version 5.8.2-2]
- d/control: Transition from former Ubuntu only libcharon-
to common libcharon-
- d/control: Transition from strongswan-tnc-* being in extra packages
to libcharon-
The rest of the delta was kept. Those changes were forwarded upstream but there are some discussions going on. Christian and I will sync about them next week.
* Merge with Debian unstable. Remaining changes:
- d/control: strongswan-starter hard-depends on strongswan-charon,
therefore bump the dependency from Recommends to Depends. At the same
time avoid a circular dependency by dropping
strongswa
binaries can work without the services but not vice versa.
- re-add post-quantum encryption algorithm (NTRU) (LP: #1863749)
+ d/control: mention plugins in package description
+ d/rules: enable ntru at build time
+ d/libstrongswan
PPA with the proposed package:
https:/
autopkgtest output:
autopkgtest [19:21:35]: @@@@@@@
admin-strongswa
admin-strongswa
daemon PASS
plugins PASS
Christian Ehrhardt (paelzer) wrote : | # |
can you also take a look at https:/
Lucas Kanashiro (lucaskanashiro) wrote : | # |
The mentioned bug was marked as incomplete and asked for more information. Christian, could you take a look at the changes and approve this MP if they are good enough? I believe we can upload this new version and investigate the issue reported by the user in parallel.
Christian Ehrhardt (paelzer) wrote : | # |
Agreed to continue on that bug in the background.
The changes LGTM.
- drops are ok
- retained delta seems right
And we discussed all that is left (e.g. continue to discuss the strongswan-starter dependencies) yesterday.
+1
Lucas Kanashiro (lucaskanashiro) wrote : | # |
$ dput ubuntu ../strongswan_
Checking signature on .changes
gpg: /home/kanashiro
Checking signature on .dsc
gpg: /home/kanashiro
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Successfully uploaded packages.
$ git push pkg upload/
Enumerating objects: 32, done.
Counting objects: 100% (32/32), done.
Delta compression using up to 8 threads
Compressing objects: 100% (26/26), done.
Writing objects: 100% (26/26), 35.26 KiB | 4.41 MiB/s, done.
Total 26 (delta 17), reused 0 (delta 0)
To ssh://git.
* [new tag] upload/
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 4153bfd..aa2a2b3 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,27 @@ |
6 | +strongswan (5.8.4-1ubuntu1) groovy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
10 | + therefore bump the dependency from Recommends to Depends. At the same |
11 | + time avoid a circular dependency by dropping |
12 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
13 | + binaries can work without the services but not vice versa. |
14 | + - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749) |
15 | + + d/control: mention plugins in package description |
16 | + + d/rules: enable ntru at build time |
17 | + + d/libstrongswan-extra-plugins.install: ship config and shared objects |
18 | + * Dropped: |
19 | + - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) |
20 | + This is needed due to changes in regard to Debian bug 947176 and 939243 |
21 | + and can later be dropped again. |
22 | + [applied by Debian in version 5.8.2-2] |
23 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
24 | + to common libcharon-extauth-plugins (drop after 20.04) |
25 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
26 | + to libcharon-extra-plugins (drop after 20.04) |
27 | + |
28 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300 |
29 | + |
30 | strongswan (5.8.4-1) unstable; urgency=medium |
31 | |
32 | * New upstream version 5.8.4 (Closes: #956446) |
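Review bot: The two bug references in the new 5.8.4-1ubuntu1 entry are written differently: the retained NTRU item has "(LP: 1863749)" without the "#", while the dropped libiptc-dev item keeps "(LP: #1861975)". Launchpad acts on the "LP: #NNNNNNN" form when an upload is processed, so as written the upload references the bug for a change that is being dropped and not the one for the delta that is kept. If that is not the intent, write both the same way; the merge proposal description uses "LP: #1863749" for the NTRU item.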
33 | @@ -13,6 +37,43 @@ strongswan (5.8.2-2) unstable; urgency=medium |
34 | |
35 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100 |
36 | |
37 | +strongswan (5.8.2-1ubuntu3) focal; urgency=medium |
38 | + |
39 | + * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as |
40 | + there is a potential local side-channel attack on strongSwan's BLISS |
41 | + implementation (https://eprint.iacr.org/2017/505). (LP: #1866765) |
42 | + |
43 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100 |
44 | + |
45 | +strongswan (5.8.2-1ubuntu2) focal; urgency=medium |
46 | + |
47 | + * re-add post-quantum computer signature scheme (BLISS) and encryption |
48 | + algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749) |
49 | + - d/control: mention plugins in package description |
50 | + - d/rules: enable ntru and bliss at build time |
51 | + - d/libstrongswan-extra-plugins.install: ship config and shared objects |
52 | + |
53 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100 |
54 | + |
55 | +strongswan (5.8.2-1ubuntu1) focal; urgency=medium |
56 | + |
57 | + * Merge with Debian unstable (LP: #1861971). Remaining changes: |
58 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
59 | + to libcharon-extra-plugins (drop after 20.04) |
60 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
61 | + to common libcharon-extauth-plugins (drop after 20.04) |
62 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
63 | + therefore bump the dependency from Recommends to Depends. At the same |
64 | + time avoid a circular dependency by dropping |
65 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
66 | + binaries can work without the services but not vice versa. |
67 | + * Added Changes |
68 | + - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) |
69 | + This is needed due to changes in regard to Debian bug 947176 and 939243 |
70 | + and can later be dropped again. |
71 | + |
72 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100 |
73 | + |
74 | strongswan (5.8.2-1) unstable; urgency=medium |
75 | |
76 | [ Jean-Michel Vourgère ] |
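Review bot: The 5.8.2-1ubuntu3 entry that removes BLISS gives the reason (the side-channel paper and LP: #1866765) but not the packaging files it touches, whereas the 5.8.2-1ubuntu2 entry it partly reverts lists d/control, d/rules and d/libstrongswan-extra-plugins.install and also added the nttfft library. Listing the same files in the revert, and stating whether nttfft stays for NTRU, would let a reader confirm from the changelog alone that no BLISS plugin or configuration is still shipped.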
77 | @@ -29,6 +90,83 @@ strongswan (5.8.2-1) unstable; urgency=medium |
78 | |
79 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100 |
80 | |
81 | +strongswan (5.8.1-1ubuntu1) focal; urgency=medium |
82 | + |
83 | + * Merge with Debian unstable (LP: #1852579). Remaining changes: |
84 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
85 | + to libcharon-extra-plugins |
86 | + * Added Changes: |
87 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
88 | + to common libcharon-extauth-plugins (drop after 20.04) |
89 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
90 | + therefore bump the dependency from Recommends to Depends. At the same |
91 | + time avoid a circular dependency by dropping |
92 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
93 | + binaries can work without the services but not vice versa. |
94 | + * Dropped Changes (now in Debian): |
95 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
96 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
97 | + opportunistic encryption disabling - this was never in strongSwan and |
98 | + won't be see upstream issue #2160. |
99 | + - d/rules: Removed patching ipsec.conf on build (not using the |
100 | + debconf-managed config.) |
101 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
102 | + used for debconf-managed include of private key). |
103 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
104 | + via this userspace implementation (please do note that this is still |
105 | + considered experimental by upstream). |
106 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
107 | + + d/control: List kernel-libipsec plugin at extra plugins description |
108 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
109 | + upstream recommends to not load kernel-libipsec by default. |
110 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
111 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
112 | + it is no more packaging medcli and medsrv, but still builds and |
113 | + mentions it. |
114 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
115 | + + d/control: Remove medcli, medsrv from package description |
116 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
117 | + libstrongswan-extra-plugins (no deps from default plugins). |
118 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
119 | + plugins for the most common use cases from extra-plugins into a new |
120 | + standard-plugins package. This will allow those use cases without pulling |
121 | + in too much more plugins (a bit like the tnc package). Recommend that |
122 | + package from strongswan-libcharon. |
123 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250) |
124 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956) |
125 | + - executables need to be able to read map and execute themselves otherwise |
126 | + execution in some environments e.g. containers is blocked (LP 1780534) |
127 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
128 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
129 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
130 | + profiles of both ways to start charon (LP 1807664) |
131 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962) |
132 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
133 | + Debian so this part was be dropped. Two changes remain |
134 | + - d/control: fix the mentioning of tpmtss in d/control |
135 | + - apparmor fixes for container and root usage (LP 1826238) |
136 | + + d/usr.sbin.swanctl: allow reading own binary |
137 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
138 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
139 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
140 | + to apparmor to allow dropping caps |
141 | + * Dropped Changes (too uncommon to support by default) |
142 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
143 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
144 | + attr-sql plugins (LP 1766240) - no more needed as itisn't enabled. |
145 | + - Mass enablement of extra plugins and features to allow a user to use |
146 | + strongswan for a variety of extra use cases without having to rebuild. |
147 | + + d/control: Add required additional build-deps |
148 | + + d/control: Mention addtionally enabled plugins |
149 | + + d/rules: Enable features at configure stage |
150 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
151 | + + d/libstrongswan.install: Add plugins (so, conf) |
152 | + + d/strongswan-starter.install: Install pool feature, which is useful |
153 | + since we now have attr-sql plugin enabled it. |
154 | + - Enable additional TNC plugins and add them to libcharon-extra-plugins |
155 | + |
156 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100 |
157 | + |
158 | strongswan (5.8.1-1) unstable; urgency=medium |
159 | |
160 | * d/rules: disable http and stream tests under CI |
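Review bot: In the 5.8.1-1ubuntu1 entry, the item "We fixed up tpmtss and nttfft in the past ... Two changes remain" sits under "Dropped Changes (now in Debian)", so the entry says both that the change is dropped and that parts of it remain. The two following items ("d/control: fix the mentioning of tpmtss in d/control" and "apparmor fixes for container and root usage") use the same "-" level as their parent, which makes it unclear whether they are the remaining pieces or separate dropped changes. Suggest moving whatever is still carried into "Remaining changes", indenting the sub-items with "+", and fixing "was be dropped".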
161 | @@ -98,6 +236,99 @@ strongswan (5.8.0-1) unstable; urgency=medium |
162 | |
163 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200 |
164 | |
165 | +strongswan (5.7.2-1ubuntu3) eoan; urgency=medium |
166 | + |
167 | + * No change rebuild for libmysqlclient21. |
168 | + |
169 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200 |
170 | + |
171 | +strongswan (5.7.2-1ubuntu2) eoan; urgency=medium |
172 | + |
173 | + * Rebuild against new libjson-c4. |
174 | + |
175 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200 |
176 | + |
177 | +strongswan (5.7.2-1ubuntu1) eoan; urgency=medium |
178 | + |
179 | + [ Christian Ehrhardt ] |
180 | + * Merge with Debian unstable. Remaining changes: |
181 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
182 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
183 | + opportunistic encryption disabling - this was never in strongSwan and |
184 | + won't be see upstream issue #2160. |
185 | + - d/rules: Removed patching ipsec.conf on build (not using the |
186 | + debconf-managed config.) |
187 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
188 | + used for debconf-managed include of private key). |
189 | + - Mass enablement of extra plugins and features to allow a user to use |
190 | + strongswan for a variety of extra use cases without having to rebuild. |
191 | + + d/control: Add required additional build-deps |
192 | + + d/control: Mention addtionally enabled plugins |
193 | + + d/rules: Enable features at configure stage |
194 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
195 | + + d/libstrongswan.install: Add plugins (so, conf) |
196 | + + d/strongswan-starter.install: Install pool feature, which is useful |
197 | + since we now have attr-sql plugin enabled it. |
198 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
199 | + via this userspace implementation (please do note that this is still |
200 | + considered experimental by upstream). |
201 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
202 | + + d/control: List kernel-libipsec plugin at extra plugins description |
203 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
204 | + upstream recommends to not load kernel-libipsec by default. |
205 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
206 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
207 | + it is no more packaging medcli and medsrv, but still builds and |
208 | + mentions it. |
209 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
210 | + + d/control: Remove medcli, medsrv from package description |
211 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
212 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
213 | + libstrongswan-extra-plugins (no deps from default plugins). |
214 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
215 | + plugins for the most common use cases from extra-plugins into a new |
216 | + standard-plugins package. This will allow those use cases without pulling |
217 | + in too much more plugins (a bit like the tnc package). Recommend that |
218 | + package from strongswan-libcharon. |
219 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
220 | + attr-sql plugins (LP #1766240) |
221 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
222 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) |
223 | + - executables need to be able to read map and execute themselves otherwise |
224 | + execution in some environments e.g. containers is blocked (LP: 1780534) |
225 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
226 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
227 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
228 | + profiles of both ways to start charon (LP: 1807664) |
229 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) |
230 | + * Dropped changes |
231 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
232 | + fix SIGSEGV when using mysql plugin (LP: 1795813) |
233 | + [upstream in 5.7.2] |
234 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
235 | + [was a non functional change, dropped to avoid merge noise] |
236 | + - Relocate tnc plugin |
237 | + [TNC is back at libcharon-extra-plugins as it is in Debian] |
238 | + * Added changes: |
239 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
240 | + Debian so this part was be dropped. Two changes remain |
241 | + - d/control: fix the mentioning of tpmtss in d/control |
242 | + - add nttfft (can be merged with the mass enablement change later) |
243 | + - Transitional packages to go back from strongswan-tnc-* being in extra |
244 | + packages to be part of libcharon-extra-plugins. |
245 | + [can be dropped after 20.04] |
246 | + |
247 | + [ Simon Deziel ] |
248 | + * Added changes: |
249 | + - apparmor fixes for container and root usage (LP: #1826238) |
250 | + + d/usr.sbin.swanctl: allow reading own binary |
251 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
252 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
253 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
254 | + to apparmor to allow dropping caps |
255 | + |
256 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200 |
257 | + |
258 | strongswan (5.7.2-1) unstable; urgency=medium |
259 | |
260 | * d/control: remove Rene from Uploaders, thanks! |
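Review bot: The mass-enablement item in the 5.7.2-1ubuntu1 entry names "d/libbstrongswan-extra-plugins.install" (double "b"), while the file this merge actually modifies is debian/libstrongswan-extra-plugins.install. The same spelling recurs in the older entries, so a search of the changelog for the real file name misses these items. If the historical entries are being carried verbatim that is understandable, but it is worth correcting once here so the delta history for that file is findable.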
261 | @@ -116,6 +347,86 @@ strongswan (5.7.2-1) unstable; urgency=medium |
262 | |
263 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 |
264 | |
265 | +strongswan (5.7.1-1ubuntu2) disco; urgency=medium |
266 | + |
267 | + * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective |
268 | + path (LP: #1773956) |
269 | + * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
270 | + profiles of both ways to start charon (LP: #1807664) |
271 | + * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962) |
272 | + |
273 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100 |
274 | + |
275 | +strongswan (5.7.1-1ubuntu1) disco; urgency=medium |
276 | + |
277 | + * Merge with Debian unstable (LP: #1806401). Remaining changes: |
278 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
279 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
280 | + opportunistic encryption disabling - this was never in strongSwan and |
281 | + won't be see upstream issue #2160. |
282 | + - d/rules: Removed patching ipsec.conf on build (not using the |
283 | + debconf-managed config.) |
284 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
285 | + used for debconf-managed include of private key). |
286 | + - Mass enablement of extra plugins and features to allow a user to use |
287 | + strongswan for a variety of extra use cases without having to rebuild. |
288 | + + d/control: Add required additional build-deps |
289 | + + d/control: Mention addtionally enabled plugins |
290 | + + d/rules: Enable features at configure stage |
291 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
292 | + + d/libstrongswan.install: Add plugins (so, conf) |
293 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
294 | + we have attr-sql plugin enabled as well using it. |
295 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
296 | + via this userspace implementation (please do note that this is still |
297 | + considered experimental by upstream). |
298 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
299 | + + d/control: List kernel-libipsec plugin at extra plugins description |
300 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
301 | + upstream recommends to not load kernel-libipsec by default. |
302 | + - Relocate tnc plugin |
303 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
304 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
305 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
306 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
307 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
308 | + it is no more packaging medcli and medsrv, but still builds and |
309 | + mentions it. |
310 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
311 | + + d/control: Remove medcli, medsrv from package description |
312 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
313 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
314 | + libstrongswan-extra-plugins (no deps from default plugins). |
315 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
316 | + plugins for the most common use cases from extra-plugins into a new |
317 | + standard-plugins package. This will allow those use cases without pulling |
318 | + in too much more plugins (a bit like the tnc package). Recommend that |
319 | + package from strongswan-libcharon. |
320 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
321 | + attr-sql plugins (LP #1766240) |
322 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
323 | + * Added Changes: |
324 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
325 | + fix SIGSEGV when using mysql plugin (LP: #1795813) |
326 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) |
327 | + - executables need to be able to read map and execute themselves otherwise |
328 | + execution in some environments e.g. containers is blocked (LP: #1780534) |
329 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
330 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
331 | + - adapt "mass enablement of extra plugins" to match 5.7.x changes |
332 | + + d/rules: use new options for swima instead of swid |
333 | + + d/strongswan-tnc-server.install: add new sec updater tool |
334 | + + d/strongswan-tnc-client.install: add new sw-collector tool |
335 | + * Dropped (in Debian now): |
336 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
337 | + (CVE-2018-17540) |
338 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
339 | + (CVE-2018-16151 CVE-2018-16152) |
340 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
341 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
342 | + |
343 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100 |
344 | + |
345 | strongswan (5.7.1-1) unstable; urgency=medium |
346 | |
347 | [ Ondřej Nový ] |
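Review bot: Under "Dropped (in Debian now)" in the 5.7.1-1ubuntu1 entry, the two security items carry the identical title "SECURITY UPDATE: Insufficient input validation in gmp plugin" and differ only in the CVE numbers, with no patch file named. The original 5.6.3-1ubuntu2 and 5.6.3-1ubuntu3 entries name the patches (strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch and strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch); repeating those names here, or noting the upstream version that contains each fix, would make it possible to check that both fixes really are present in the Debian source before the Ubuntu patches are dropped.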
348 | @@ -146,6 +457,96 @@ strongswan (5.7.0-1) unstable; urgency=medium |
349 | |
350 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 |
351 | |
352 | +strongswan (5.6.3-1ubuntu5) disco; urgency=medium |
353 | + |
354 | + * No-change rebuild against libunbound8 |
355 | + |
356 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000 |
357 | + |
358 | +strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium |
359 | + |
360 | + * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250) |
361 | + Thanks to Matt Callaghan. |
362 | + |
363 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300 |
364 | + |
365 | +strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium |
366 | + |
367 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
368 | + - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix |
369 | + buffer overflow with very small RSA keys in |
370 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c. |
371 | + - CVE-2018-17540 |
372 | + |
373 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400 |
374 | + |
375 | +strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium |
376 | + |
377 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
378 | + - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't |
379 | + parse PKCS1 v1.5 RSA signatures to verify them in |
380 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c, |
381 | + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. |
382 | + - CVE-2018-16151 |
383 | + - CVE-2018-16152 |
384 | + |
385 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400 |
386 | + |
387 | +strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium |
388 | + |
389 | + * Merge with Debian unstable. Remaining changes: |
390 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
391 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
392 | + opportunistic encryption disabling - this was never in strongSwan and |
393 | + won't be see upstream issue #2160. |
394 | + - d/rules: Removed patching ipsec.conf on build (not using the |
395 | + debconf-managed config.) |
396 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
397 | + used for debconf-managed include of private key). |
398 | + - Mass enablement of extra plugins and features to allow a user to use |
399 | + strongswan for a variety of extra use cases without having to rebuild. |
400 | + + d/control: Add required additional build-deps |
401 | + + d/control: Mention addtionally enabled plugins |
402 | + + d/rules: Enable features at configure stage |
403 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
404 | + + d/libstrongswan.install: Add plugins (so, conf) |
405 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
406 | + we have attr-sql plugin enabled as well using it. |
407 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
408 | + via this userspace implementation (please do note that this is still |
409 | + considered experimental by upstream). |
410 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
411 | + + d/control: List kernel-libipsec plugin at extra plugins description |
412 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
413 | + upstream recommends to not load kernel-libipsec by default. |
414 | + - Relocate tnc plugin |
415 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
416 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
417 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
418 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
419 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
420 | + it is no more packaging medcli and medsrv, but still builds and |
421 | + mentions it. |
422 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
423 | + + d/control: Remove medcli, medsrv from package description |
424 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
425 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
426 | + libstrongswan-extra-plugins (no deps from default plugins). |
427 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
428 | + plugins for the most common use cases from extra-plugins into a new |
429 | + standard-plugins package. This will allow those use cases without pulling |
430 | + in too much more plugins (a bit like the tnc package). Recommend that |
431 | + package from strongswan-libcharon. |
432 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
433 | + attr-sql plugins (LP #1766240) |
434 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
435 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
436 | + * Dropped: |
437 | + - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
438 | + [Fixed in 5.6.3-1] |
439 | + |
440 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 |
441 | + |
442 | strongswan (5.6.3-1) unstable; urgency=medium |
443 | |
444 | * New upstream version 5.6.2 |
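Review bot: The usr-merge item in the 5.6.3-1ubuntu1 entry refers to "d/usr/sbin/charon-systemd" with slashes, while the item directly above it and the rest of the changelog use the AppArmor profile file name "d/usr.sbin.charon-systemd". As written it reads like a path that does not exist in the packaging; suggest using the dotted file name consistently so the AppArmor profile changes can be traced by file.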
445 | @@ -161,6 +562,78 @@ strongswan (5.6.3-1) unstable; urgency=medium |
446 | |
447 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
448 | |
449 | +strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium |
450 | + |
451 | + * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 |
452 | + |
453 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 |
454 | + |
455 | +strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium |
456 | + |
457 | + * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. |
458 | + Remaining changes: |
459 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
460 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
461 | + opportunistic encryption disabling - this was never in strongSwan and |
462 | + won't be see upstream issue #2160. |
463 | + + d/rules: Removed patching ipsec.conf on build (not using the |
464 | + debconf-managed config.) |
465 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
466 | + used for debconf-managed include of private key). |
467 | + + Mass enablement of extra plugins and features to allow a user to use |
468 | + strongswan for a variety of extra use cases without having to rebuild. |
469 | + - d/control: Add required additional build-deps |
470 | + - d/control: Mention addtionally enabled plugins |
471 | + - d/rules: Enable features at configure stage |
472 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
473 | + - d/libstrongswan.install: Add plugins (so, conf) |
474 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
475 | + we have attr-sql plugin enabled as well using it. |
476 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
477 | + via this userspace implementation (please do note that this is still |
478 | + considered experimental by upstream). |
479 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
480 | + - d/control: List kernel-libipsec plugin at extra plugins description |
481 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
482 | + upstream recommends to not load kernel-libipsec by default. |
483 | + + Relocate tnc plugin |
484 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
485 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
486 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
487 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
488 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
489 | + it is no more packaging medcli and medsrv, but still builds and |
490 | + mentions it. |
491 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
492 | + - d/control: Remove medcli, medsrv from package description |
493 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
494 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
495 | + libstrongswan-extra-plugins (no deps from default plugins). |
496 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
497 | + plugins for the most common use cases from extra-plugins into a new |
498 | + standard-plugins package. This will allow those use cases without pulling |
499 | + in too much more plugins (a bit like the tnc package). Recommend that |
500 | + package from strongswan-libcharon. |
501 | + * Dropped Changes (no more needed after 18.04) |
502 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
503 | + missed that, droppable after 18.04) |
504 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
505 | + libstrongswan as we dropped relocating ccm and test-vectors. |
506 | + (droppable >18.04). |
507 | + + d/control: add breaks/replace from libstrongswan to |
508 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
509 | + (droppable >18.04). |
510 | + + d/control: bump breaks/replaces for the move of the updown plugin |
511 | + (Missed Changelog entry on last merge) |
512 | + + d/control: fix dependencies of strongswan-libcharon due to the move |
513 | + the updown plugin (droppable >18.04). |
514 | + * Added Changes: |
515 | + + d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
516 | + attr-sql plugins (LP: #1766240) |
517 | + + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
518 | + |
519 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 |
520 | + |
521 | strongswan (5.6.2-2) unstable; urgency=medium |
522 | |
523 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
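Review bot: in the 5.6.2-2ubuntu1 entry, the two "Added Changes" lines for d/usr.sbin.charon-systemd (LP: #1766240 and LP: #1765652) widen an AppArmor profile without naming the rules that were added. Since this is the confinement policy for the charon-systemd daemon, state the concrete permission in each line (which socket or path is now allowed), so a later merge can judge whether the delta is still needed without opening the bug. Minor: "d/libbstrongswan-extra-plugins.install" in the same entry has a doubled "b" and does not match the file name debian/libstrongswan-extra-plugins.install, and "won't be see upstream issue #2160" is missing punctuation before "see".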
524 | @@ -171,6 +644,74 @@ strongswan (5.6.2-2) unstable; urgency=medium |
525 | |
526 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
527 | |
528 | +strongswan (5.6.2-1ubuntu2) bionic; urgency=medium |
529 | + |
530 | + * d/control: fix dependencies of strongswan-libcharon due to the move |
531 | + the updown plugin. |
532 | + |
533 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 |
534 | + |
535 | +strongswan (5.6.2-1ubuntu1) bionic; urgency=medium |
536 | + |
537 | + * Merge with Debian unstable (LP: #1753018). Remaining changes: |
538 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
539 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
540 | + opportunistic encryption disabling - this was never in strongSwan and |
541 | + won't be see upstream issue #2160. |
542 | + + Ubuntu is not using the debconf triggered private key generation |
543 | + - d/rules: Removed patching ipsec.conf on build (not using the |
544 | + debconf-managed config.) |
545 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
546 | + used for debconf-managed include of private key). |
547 | + + Mass enablement of extra plugins and features to allow a user to use |
548 | + strongswan for a variety of extra use cases without having to rebuild. |
549 | + - d/control: Add required additional build-deps |
550 | + - d/control: Mention addtionally enabled plugins |
551 | + - d/rules: Enable features at configure stage |
552 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
553 | + - d/libstrongswan.install: Add plugins (so, conf) |
554 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
555 | + we have attr-sql plugin enabled as well using it. |
556 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
557 | + via this userspace implementation (please do note that this is still |
558 | + considered experimental by upstream). |
559 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
560 | + - d/control: List kernel-libipsec plugin at extra plugins description |
561 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
562 | + upstream recommends to not load kernel-libipsec by default. |
563 | + + Relocate tnc plugin |
564 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
565 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
566 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
567 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
568 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
569 | + it is no more packaging medcli and medsrv, but still builds and |
570 | + mentions it. |
571 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
572 | + - d/control: Remove medcli, medsrv from package description |
573 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
574 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
575 | + libstrongswan-extra-plugins (no deps from default plugins). |
576 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
577 | + missed that, droppable after 18.04) |
578 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
579 | + plugins for the most common use cases from extra-plugins into a new |
580 | + standard-plugins package. This will allow those use cases without pulling |
581 | + in too much more plugins (a bit like the tnc package). Recommend that |
582 | + package from strongswan-libcharon. |
583 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
584 | + libstrongswan as we dropped relocating ccm and test-vectors. |
585 | + (droppable >18.04). |
586 | + + d/control: add breaks/replace from libstrongswan to |
587 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
588 | + (droppable >18.04). |
589 | + * Added Changes: |
590 | + + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- |
591 | + starter as we followed Debian to move the updown plugin but need to |
592 | + match Ubuntu versions (Droppable >18.04). |
593 | + |
594 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 |
595 | + |
596 | strongswan (5.6.2-1) unstable; urgency=medium |
597 | |
598 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
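Review bot: the 5.6.2-1ubuntu1 merge entry has no "Dropped Changes" section, and its "Remaining changes" list does not mention debian/patches/CVE-2018-6459.patch, which the preceding Ubuntu upload 5.6.1-2ubuntu4 added. Record what happened to that security patch in the same way 5.6.1-2ubuntu1 did for the earlier one ("(is upstream) CVE-2017-11185 patches"), so the changelog alone shows the fix was not lost in the merge. Minor: in 5.6.2-1ubuntu2, "due to the move the updown plugin" is missing "of".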
599 | @@ -193,6 +734,129 @@ strongswan (5.6.1-3) unstable; urgency=medium |
600 | |
601 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
602 | |
603 | +strongswan (5.6.1-2ubuntu4) bionic; urgency=medium |
604 | + |
605 | + * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature |
606 | + - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm |
607 | + identifier without parameters in |
608 | + src/libstrongswan/credentials/keys/signature_params.c. |
609 | + - CVE-2018-6459 |
610 | + |
611 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 |
612 | + |
613 | +strongswan (5.6.1-2ubuntu3) bionic; urgency=medium |
614 | + |
615 | + * No-change rebuild against libcurl4 |
616 | + |
617 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 |
618 | + |
619 | +strongswan (5.6.1-2ubuntu2) bionic; urgency=high |
620 | + |
621 | + * No change rebuild against openssl1.1. |
622 | + |
623 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 |
624 | + |
625 | +strongswan (5.6.1-2ubuntu1) bionic; urgency=medium |
626 | + |
627 | + * Merge with Debian unstable (LP: #1717343). |
628 | + Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: |
629 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
630 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
631 | + opportunistic encryption disabling - this was never in strongSwan and |
632 | + won't be see upstream issue #2160. |
633 | + + Ubuntu is not using the debconf triggered private key generation |
634 | + - d/rules: Removed patching ipsec.conf on build (not using the |
635 | + debconf-managed config.) |
636 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
637 | + used for debconf-managed include of private key). |
638 | + + Mass enablement of extra plugins and features to allow a user to use |
639 | + strongswan for a variety of extra use cases without having to rebuild. |
640 | + - d/control: Add required additional build-deps |
641 | + - d/control: Mention addtionally enabled plugins |
642 | + - d/rules: Enable features at configure stage |
643 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
644 | + - d/libstrongswan.install: Add plugins (so, conf) |
645 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
646 | + we have attr-sql plugin enabled as well using it. |
647 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
648 | + via this userspace implementation (please do note that this is still |
649 | + considered experimental by upstream). |
650 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
651 | + - d/control: List kernel-libipsec plugin at extra plugins description |
652 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
653 | + upstream recommends to not load kernel-libipsec by default. |
654 | + + Relocate tnc plugin |
655 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
656 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
657 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
658 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
659 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
660 | + it is no more packaging medcli and medsrv, but still builds and |
661 | + mentions it. |
662 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
663 | + - d/control: Remove medcli, medsrv from package description |
664 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
665 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
666 | + libstrongswan-extra-plugins (no deps from default plugins). |
667 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
668 | + missed that, droppable after 18.04) |
669 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
670 | + plugins for the most common use cases from extra-plugins into a new |
671 | + standard-plugins package. This will allow those use cases without pulling |
672 | + in too much more plugins (a bit like the tnc package). Recommend that |
673 | + package from strongswan-libcharon. |
674 | + * Added changes: |
675 | + + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed |
676 | + in 5.6 |
677 | + + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed |
678 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
679 | + libstrongswan as we dropped relocating ccm and test-vectors. |
680 | + (droppable >18.04). |
681 | + - d/control: add breaks/replace from libstrongswan to |
682 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
683 | + (droppable >18.04). |
684 | + * Dropped changes: |
685 | + + Update init/service handling (debian default matches Ubuntu past now) |
686 | + Dropping this fixes (LP: #1734886) |
687 | + - d/rules: Change init/systemd program name to strongswan |
688 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
689 | + patching upstream |
690 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
691 | + linking to upstream |
692 | + + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call |
693 | + (this is a never failing no-op for us, no need for Delta). |
694 | + + d/strongswan-starter.prerm: Stop strongswan service on package removal |
695 | + (ipsec now maps to strongswan service, so this works as-is). |
696 | + + Clean up d/strongswan-starter.postinst: rename service ipsec to |
697 | + strongswan (ipsec now maps to strongswan service, so this works as-is) |
698 | + + Clean up d/strongswan-starter.postinst: daemon enable/disable (the |
699 | + whole section is disabled, so no need for delta) |
700 | + + (is upstream) CVE-2017-11185 patches |
701 | + + (is upstream) FTBFS upstream fix for changed include files |
702 | + + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under |
703 | + QEMU/KVM autopkgtest the bliss test takes longer than the default |
704 | + + (in Debian) add now built (since 5.5.1) mgf1 plugin to |
705 | + libstrongswan-extra-plugins. |
706 | + + (in Debian) d/strongswan-starter.install: install stroke apparmor profile |
707 | + + (this was enabled as part of the former delta, squash changes to no-up) |
708 | + d/rules: Disable duplicheck. |
709 | + + (not needed) Relocate plugins test-vectors from extra-plugins to |
710 | + libstrongswan |
711 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
712 | + - d/libstrongswan.install: Add plugins/confiles |
713 | + - d/control: move package descriptions and add required breaks/replaces |
714 | + + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan |
715 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
716 | + - d/libstrongswan.install: Add plugins/confiles |
717 | + - d/control: move package descriptions and add required breaks/replaces |
718 | + + (while using it requires special kernel, it does not hurt to be |
719 | + available in the package) Remove ha plugin |
720 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
721 | + - d/rules: Do not enable ha plugin |
722 | + - d/control: Drop listing the ha plugin in the package description |
723 | + |
724 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 |
725 | + |
726 | strongswan (5.6.1-2) unstable; urgency=medium |
727 | |
728 | * move counters plugin from -starter to -libcharon. closes: #882431 |
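Review bot: under "Added changes" in 5.6.1-2ubuntu1, the item "d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins for the move of mgf1" is marked with "-" and so reads as a sub-item of the preceding "+ d/control: bump breaks/replaces ..." line, although it is a separate change; the 5.6.2-1ubuntu1 entry lists both as "+" siblings. Use "+" here as well so the two breaks/replaces changes can be tracked independently. In the "Dropped changes" list, the sentence for debian/patches/increase-bliss-test-timeout.patch stops at "takes longer than the default" without saying the default what, and "Also fixes and issue with multiple psk's" should read "an issue".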
729 | @@ -279,6 +943,213 @@ strongswan (5.5.2-1) experimental; urgency=medium |
730 | |
731 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
732 | |
733 | +strongswan (5.5.1-4ubuntu3) bionic; urgency=medium |
734 | + |
735 | + * Fix Artful FTBFS due to newer glibc (LP: #1724859) |
736 | + - d/p/utils-Include-stdint.h.patch: upstream fix for changed include |
737 | + files. |
738 | + |
739 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 |
740 | + |
741 | +strongswan (5.5.1-4ubuntu2) artful; urgency=medium |
742 | + |
743 | + * SECURITY UPDATE: Fix RSA signature verification |
744 | + - debian/patches/CVE-2017-11185.patch: does some |
745 | + verifications in order to avoid null-point dereference |
746 | + in src/libstrongswan/gmp/gmp_rsa_public_key.c |
747 | + - CVE-2017-11185 |
748 | + |
749 | + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 |
750 | + |
751 | +strongswan (5.5.1-4ubuntu1) artful; urgency=medium |
752 | + |
753 | + * Merge from Debian to pick up latest security changes (CVE-2017-9022, |
754 | + CVE-2017-9023). |
755 | + * Remaining Changes: |
756 | + + Update init/service handling |
757 | + - d/rules: Change init/systemd program name to strongswan |
758 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
759 | + patching upstream |
760 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
761 | + linking to upstream |
762 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
763 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
764 | + removal (as opposed to using the old init.d script). |
765 | + + Clean up d/strongswan-starter.postinst: |
766 | + - Removed section about runlevel changes |
767 | + - Adapted service restart section for Upstart (kept to be Trusty |
768 | + backportable). |
769 | + - Remove old symlinks to init.d files is necessary. |
770 | + - Removed further out-dated code |
771 | + - Removed entire section on opportunistic encryption - this was never in |
772 | + strongSwan. |
773 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
774 | + + Mass enablement of extra plugins and features to allow a user to use |
775 | + strongswan for a variety of use cases without having to rebuild. |
776 | + - d/control: Add required additional build-deps |
777 | + - d/rules: Enable features at configure stage |
778 | + - d/control: Mention addtionally enabled plugins |
779 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
780 | + - d/libstrongswan.install: Add plugins (so, conf) |
781 | + + d/rules: Disable duplicheck as per |
782 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
783 | + + Remove ha plugin (requires special kernel) |
784 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
785 | + - d/rules: Do not enable ha plugin |
786 | + - d/control: Drop listing the ha plugin in the package description |
787 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
788 | + via this userspace implementation (please do note that this is still |
789 | + considered experimental by upstream). |
790 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
791 | + - d/control: List kernel-libipsec plugin at extra plugins description |
792 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
793 | + upstream recommends to not load kernel-libipsec by default. |
794 | + + Relocate tnc plugin |
795 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
796 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
797 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
798 | + having attr-sql plugin that is enabled now. |
799 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
800 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
801 | + - d/libstrongswan.install: Add plugins/confiles |
802 | + - d/control: move package descriptions and add required breaks/replaces |
803 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
804 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
805 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
806 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
807 | + autopkgtest the bliss test takes longer than the default (Upstream in |
808 | + 5.5.2 via issue 2204) |
809 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
810 | + it is no more packaging medcli and medsrv, but still builds and |
811 | + mentions it. |
812 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
813 | + - d/control: Remove medcli, medsrv from package description |
814 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
815 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
816 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
817 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
818 | + libstrongswan-extra-plugins. |
819 | + + Add missing mention of md4 plugin in d/control |
820 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
821 | + missed that) |
822 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
823 | + plugins for the most common use cases from extra-plugins into a new |
824 | + standard-plugins package. This will allow those use cases without pulling |
825 | + in too much more plugins (a bit like the tnc package). Recommend that |
826 | + package from strongswan-libcharon. |
827 | + |
828 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 |
829 | + |
830 | +strongswan (5.5.1-3ubuntu1) artful; urgency=medium |
831 | + |
832 | + * Merge from Debian to pick up latest changes. Among others this includes: |
833 | + - a lot of the Delta we upstreamed to Debian (more discussions are ongoing |
834 | + but likely have to wait until Debian stretch was released) |
835 | + - enabling mediation support (LP: #1657413) |
836 | + * Remaining Changes: |
837 | + + Update init/service handling |
838 | + - d/rules: Change init/systemd program name to strongswan |
839 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
840 | + patching upstream |
841 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
842 | + linking to upstream |
843 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
844 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
845 | + removal (as opposed to using the old init.d script). |
846 | + + Clean up d/strongswan-starter.postinst: |
847 | + - Removed section about runlevel changes |
848 | + - Adapted service restart section for Upstart (kept to be Trusty |
849 | + backportable). |
850 | + - Remove old symlinks to init.d files is necessary. |
851 | + - Removed further out-dated code |
852 | + - Removed entire section on opportunistic encryption - this was never in |
853 | + strongSwan. |
854 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
855 | + + Mass enablement of extra plugins and features to allow a user to use |
856 | + strongswan for a variety of use cases without having to rebuild. |
857 | + - d/control: Add required additional build-deps |
858 | + - d/rules: Enable features at configure stage |
859 | + - d/control: Mention addtionally enabled plugins |
860 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
861 | + - d/libstrongswan.install: Add plugins (so, conf) |
862 | + + d/rules: Disable duplicheck as per |
863 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
864 | + + Remove ha plugin (requires special kernel) |
865 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
866 | + - d/rules: Do not enable ha plugin |
867 | + - d/control: Drop listing the ha plugin in the package description |
868 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
869 | + via this userspace implementation (please do note that this is still |
870 | + considered experimental by upstream). |
871 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
872 | + - d/control: List kernel-libipsec plugin at extra plugins description |
873 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
874 | + upstream recommends to not load kernel-libipsec by default. |
875 | + + Relocate tnc plugin |
876 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
877 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
878 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
879 | + having attr-sql plugin that is enabled now. |
880 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
881 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
882 | + - d/libstrongswan.install: Add plugins/confiles |
883 | + - d/control: move package descriptions and add required breaks/replaces |
884 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
885 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
886 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
887 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
888 | + autopkgtest the bliss test takes longer than the default (Upstream in |
889 | + 5.5.2 via issue 2204) |
890 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
891 | + it is no more packaging medcli and medsrv, but still builds and |
892 | + mentions it. |
893 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
894 | + - d/control: Remove medcli, medsrv from package description |
895 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
896 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
897 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
898 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
899 | + libstrongswan-extra-plugins. |
900 | + + Add missing mention of md4 plugin in d/control |
901 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
902 | + missed that) |
903 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
904 | + plugins for the most common use cases from extra-plugins into a new |
905 | + standard-plugins package. This will allow those use cases without pulling |
906 | + in too much more plugins (a bit like the tnc package). Recommend that |
907 | + package from strongswan-libcharon. |
908 | + * Dropped Changes: |
909 | + + Add and install apparmor profiles (in Debian) |
910 | + - d/rules: Install AppArmor profiles |
911 | + - d/control: Add dh-apparmor build-dep |
912 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
913 | + for charon, lookip and stroke |
914 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
915 | + - d/strongswan-charon.install: Install profile for charon |
916 | + - d/strongswan-starter.install: Install profile for stroke |
917 | + - Fix strongswan ipsec status issue with apparmor |
918 | + - Fix Dep8 tests for the now extra strongswan-pki package for pki |
919 | + - Fix Dep8 tests for the now extra strongswan-scepclient package |
920 | + + d/rules: Sorted and only one enable option per configure line (in |
921 | + Debian) |
922 | + + Add updated logcheck rules (in Debian) |
923 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
924 | + - debian/strongswan.logcheck: Add updated logcheck rules |
925 | + + Add updated DEP8 tests (in Debian) |
926 | + - d/tests/*: Add DEP8 tests |
927 | + - d/control: Enable autotestpkg |
928 | + + d/rules: do not strip for library integrity checking (After Discussion |
929 | + with Debian this isn't acceptable there, but at the same time it turned |
930 | + out the real use-case of this never uses this lib but instead third |
931 | + party checks of checksums for e.g. FIPS cert; so drop the Delta) |
932 | + - Use override_dh_strip to to avoid overwriting user build flags. |
933 | + - Add missing mention of libchecksum integrity test in d/control |
934 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
935 | + in tests to avoid issues in low entropy environments. (Debian has |
936 | + disabled !x86 tests for the same reason, one solution is enough) |
937 | + |
938 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 |
939 | + |
940 | strongswan (5.5.1-3) unstable; urgency=medium |
941 | |
942 | [ Christian Ehrhardt ] |
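Review bot: the 5.5.1-4ubuntu2 security entry describes CVE-2017-11185.patch only as "does some verifications in order to avoid null-point dereference", which does not tell a reader what input is now rejected. Name the check that was added in gmp_rsa_public_key.c and write "NULL pointer dereference", so the entry can be matched against the upstream fix when 5.6.1-2ubuntu1 later drops the patch as "(is upstream)". Minor: "Remove old symlinks to init.d files is necessary" in the postinst clean-up list of 5.5.1-4ubuntu1 and 5.5.1-3ubuntu1 presumably means "if necessary", and "Use override_dh_strip to to avoid" repeats "to".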
943 | @@ -312,6 +1183,136 @@ strongswan (5.5.1-2) unstable; urgency=medium |
944 | |
945 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
946 | |
947 | +strongswan (5.5.1-1ubuntu2) zesty; urgency=medium |
948 | + |
949 | + * Update Maintainers which was missed while merging 5.5.1-1. |
950 | + |
951 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 |
952 | + |
953 | +strongswan (5.5.1-1ubuntu1) zesty; urgency=medium |
954 | + |
955 | + * Merge from Debian (complex delta, discussions and broken out changes can be |
956 | + found in the merge proposal linked from the merge bug LP: #1631198) |
957 | + * Remaining Changes: |
958 | + + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity |
959 | + checking. |
960 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
961 | + in tests to avoid issues in low entropy environments. |
962 | + + Update init/service handling |
963 | + - d/rules: Change init/systemd program name to strongswan |
964 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
965 | + patching upstream |
966 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
967 | + linking to upstream |
968 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
969 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
970 | + removal (as opposed to using the old init.d script). |
971 | + + Clean up d/strongswan-starter.postinst: |
972 | + - Removed section about runlevel changes |
973 | + - Adapted service restart section for Upstart (kept to be Trusty |
974 | + backportable). |
975 | + - Remove old symlinks to init.d files is necessary. |
976 | + - Removed further out-dated code |
977 | + - Removed entire section on opportunistic encryption - this was never in |
978 | + strongSwan. |
979 | + + Add and install apparmor profiles |
980 | + - d/rules: Install AppArmor profiles |
981 | + - d/control: Add dh-apparmor build-dep |
982 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
983 | + for charon, lookip and stroke |
984 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
985 | + - d/strongswan-charon.install: Install profile for charon |
986 | + - d/strongswan-starter.install: Install profile for stroke |
987 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
988 | + + d/rules: Sorted and only one enable option per configure line |
989 | + + Mass enablement of extra plugins and features to allow a user to use |
990 | + strongswan for a variety of use cases without having to rebuild. |
991 | + - d/control: Add required additional build-deps |
992 | + - d/rules: Enable features at configure stage |
993 | + - d/control: Mention addtionally enabled plugins |
994 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
995 | + - d/libstrongswan.install: Add plugins (so, conf) |
996 | + + d/rules: Disable duplicheck as per |
997 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
998 | + + Remove ha plugin (requires special kernel) |
999 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
1000 | + - d/rules: Do not enable ha plugin |
1001 | + - d/control: Drop listing the ha plugin in the package description |
1002 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
1003 | + via this userspace implementation (please do note that this is still |
1004 | + considered experimental by upstream). |
1005 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
1006 | + - d/control: List kernel-libipsec plugin at extra plugins description |
1007 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
1008 | + upstream recommends to not load kernel-libipsec by default. |
1009 | + + Relocate tnc plugin |
1010 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
1011 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
1012 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
1013 | + having attr-sql plugin that is enabled now. |
1014 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
1015 | + - d/libstrongswan-extra-plugins.install: Remove plugins |
1016 | + - d/libstrongswan.install: Add plugins |
1017 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
1018 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
1019 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1020 | + + Add updated logcheck rules |
1021 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
1022 | + - debian/strongswan.logcheck: Add updated logcheck rules |
1023 | + + Add updated DEP8 tests |
1024 | + - d/tests/*: Add DEP8 tests |
1025 | + - d/control: Enable autotestpkg |
1026 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
1027 | + autopkgtest the bliss test takes longer than the default |
1028 | + + Complete the disabling of libfast |
1029 | + - Note: This was partially accepted in Debian, it is no more |
1030 | + packaging medcli and medsrv, but still builds and mentions it |
1031 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
1032 | + - d/control: Remove medcli, medsrv from package description |
1033 | + * Dropped Changes: |
1034 | + + Adding build-dep to iptables-dev (no change, was only in Changelog) |
1035 | + + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) |
1036 | + + Adding strongswan-plugin-* virtual packages for dist-upgrade (no |
1037 | + upgrade path left needing them) |
1038 | + + Most of "disabling libfast" (Debian dropped it from package content) |
1039 | + + Transition for ipsec service (no upgrade path left) |
1040 | + + Reverted part of the cleanup to d/strongswan-starter.postinst as using |
1041 | + service should rather use invoke-rc.d (so it is a partial revert of our |
1042 | + delta) |
1043 | + + Transition handling (breaks/replaces) from per-plugin packages to the |
1044 | + three grouped plugin packages (no upgrade path left) |
1045 | + + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" |
1046 | + it is effectively a no-op still, so not worth the delta) |
1047 | + + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
1048 | + (no more needed) |
1049 | + + d/rules: Remove configure option --enable-unit-test (unit tests run by |
1050 | + default) |
1051 | + * Added Changes: |
1052 | + + Fix strongswan ipsec status issue with apparmor (LP: #1587886) |
1053 | + + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup |
1054 | + the relocation of the ccm plugin which missed to move the conffiles. |
1055 | + + Complete move of test-vectors (was missing in d/control) |
1056 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
1057 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
1058 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
1059 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
1060 | + libstrongswan-extra-plugins. |
1061 | + + Add missing mention of md4 plugin in d/control |
1062 | + + Add missing mention of libchecksum integrity test in d/control |
1063 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
1064 | + missed that) |
1065 | + + Use override_dh_strip to to fix library integrity checking instead of |
1066 | + DEB_BUILD_OPTION to avoid overwriting user build flags. |
1067 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
1068 | + plugins for the most common use cases from extra-plugins into a new |
1069 | + standard-plugins package. This will allow those use cases without pulling |
1070 | + in too much more plugins (a bit like the tnc package). Recommend that |
1071 | + package from strongswan-libcharon (LP: #1640826). |
1072 | + + Fix Dep8 tests for the now extra strongswan-pki package for pki |
1073 | + + Fix Dep8 tests for the now extra strongswan-scepclient package |
1074 | + |
1075 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 |
1076 | + |
1077 | strongswan (5.5.1-1) unstable; urgency=medium |
1078 | |
1079 | * New upstream bugfix release. |
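Review bot: several file names and terms in the re-added entry signed by Christian Ehrhardt on 07 Nov 2016 are misspelled: `d/libbstrongswan-extra-plugins.install`, `Enable autotestpkg`, `addtionally`, `precies` and `to to`. Published history should stay byte-identical to the previous Ubuntu upload, so please confirm these lines match it with a diff against the last Ubuntu changelog instead of by eye. In the new top entry, use the real names (`d/libstrongswan-extra-plugins.install`, autopkgtest) so a search for a file's history still finds it.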
1080 | @@ -428,6 +1429,177 @@ strongswan (5.3.5-2) unstable; urgency=medium |
1081 | |
1082 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
1083 | |
1084 | +strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium |
1085 | + |
1086 | + * Build-depend on libjson-c-dev instead of libjson0-dev. |
1087 | + * Rebuild against libjson-c3. |
1088 | + |
1089 | + -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 |
1090 | + |
1091 | +strongswan (5.3.5-1ubuntu3) xenial; urgency=medium |
1092 | + |
1093 | + * Rebuild against libmysqlclient20. |
1094 | + |
1095 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 |
1096 | + |
1097 | +strongswan (5.3.5-1ubuntu2) xenial; urgency=medium |
1098 | + |
1099 | + * debian/tests/plugins: rdrand may or may not be loaded, depending on the |
1100 | + cpu features. |
1101 | + |
1102 | + -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 |
1103 | + |
1104 | +strongswan (5.3.5-1ubuntu1) xenial; urgency=medium |
1105 | + |
1106 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1107 | + Enable bliss plugin |
1108 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1109 | + Enable chapoly plugin |
1110 | + * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
1111 | + Upstream suggests to not load this plugin by default as it has |
1112 | + some limitations. |
1113 | + https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec |
1114 | + * debian/patches/increase-bliss-test-timeout.patch |
1115 | + Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default |
1116 | + * Update Apparmor profiles |
1117 | + - usr.lib.ipsec.charon |
1118 | + - add capability audit_write for xauth-pam (LP: #1470277) |
1119 | + - add capability dac_override (needed by agent plugin) |
1120 | + - allow priv dropping (LP: #1333655) |
1121 | + - allow caching CRLs (LP: #1505222) |
1122 | + - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) |
1123 | + - usr.lib.ipsec.stroke |
1124 | + - allow priv dropping (LP: #1333655) |
1125 | + - add local include |
1126 | + - usr.lib.ipsec.lookip |
1127 | + - add local include |
1128 | + * Merge from Debian, which includes fixes for all previous CVEs |
1129 | + Fixes (LP: #1330504, #1451091, #1448870, #1470277) |
1130 | + Remaining changes: |
1131 | + * debian/control |
1132 | + - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
1133 | + - Update Maintainer for Ubuntu |
1134 | + - Add build-deps |
1135 | + - dh-apparmor |
1136 | + - iptables-dev |
1137 | + - libjson0-dev |
1138 | + - libldns-dev |
1139 | + - libmysqlclient-dev |
1140 | + - libpcsclite-dev |
1141 | + - libsoup2.4-dev |
1142 | + - libtspi-dev |
1143 | + - libunbound-dev |
1144 | + - Drop build-deps |
1145 | + - libfcgi-dev |
1146 | + - clearsilver-dev |
1147 | + - Create virtual packages for all strongswan-plugin-* for dist-upgrade |
1148 | + - Set XS-Testsuite: autopkgtest |
1149 | + * debian/rules: |
1150 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1151 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1152 | + tests. |
1153 | + - Change init/systemd program name to strongswan |
1154 | + - Install AppArmor profiles |
1155 | + - Removed pieces on 'patching ipsec.conf' on build. |
1156 | + - Enablement of features per Ubuntu current config suggested from |
1157 | + upstream recommendation |
1158 | + - Unpack and sort enabled features to one-per-line |
1159 | + - Disable duplicheck as per |
1160 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
1161 | + - Disable libfast (--disable-fast): |
1162 | + Requires dropping medsrv, medcli plugins which depend on libfast |
1163 | + - Add configure options |
1164 | + --with-tss=trousers |
1165 | + - Remove configure options: |
1166 | + --enable-ha (requires special kernel) |
1167 | + --enable-unit-test (unit tests run by default) |
1168 | + - Drop logcheck install |
1169 | + * debian/tests/* |
1170 | + - Add DEP8 test for strongswan service and plugins |
1171 | + * debian/strongswan-starter.strongswan.service |
1172 | + - Add new systemd file instead of patching upstream |
1173 | + * debian/strongswan-starter.links |
1174 | + - removed, use Ubuntu systemd file instead of linking to upstream |
1175 | + * debian/usr.lib.ipsec.{charon, lookip, stroke} |
1176 | + - added AppArmor profiles for charon, lookip and stroke |
1177 | + * debian/libcharon-extra-plugins.install |
1178 | + - Add plugins |
1179 | + - kernel-libipsec.{so, lib, conf, apparmor} |
1180 | + - Remove plugins |
1181 | + - libstrongswan-ha.so |
1182 | + - Relocate plugins |
1183 | + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) |
1184 | + * debian/libstrongswan-extra-plugins.install |
1185 | + - Add plugins (so, lib, conf) |
1186 | + - acert |
1187 | + - attr-sql |
1188 | + - coupling |
1189 | + - dnscert |
1190 | + - fips-prf |
1191 | + - gmp |
1192 | + - ipseckey |
1193 | + - load-tester |
1194 | + - mysql |
1195 | + - ntru |
1196 | + - radattr |
1197 | + - soup |
1198 | + - sqlite |
1199 | + - sql |
1200 | + - systime-fix |
1201 | + - unbound |
1202 | + - whitelist |
1203 | + - Relocate plugins (so, lib, conf) |
1204 | + - ccm (libstrongswan.install) |
1205 | + - test-vectors (libstrongswan.install) |
1206 | + * debian/libstrongswan.install |
1207 | + - Sort sections |
1208 | + - Add plugins (so, lib, conf) |
1209 | + - libchecksum |
1210 | + - ccm |
1211 | + - eap-identity |
1212 | + - md4 |
1213 | + - test-vectors |
1214 | + * debian/strongswan-charon.install |
1215 | + - Add AppArmor profile for charon |
1216 | + * debian/strongswan-starter.install |
1217 | + - Add tools, manpages, conf |
1218 | + - openac |
1219 | + - pool |
1220 | + - _updown_espmark |
1221 | + - Add AppArmor profile for stroke |
1222 | + * debian/strongswan-tnc-base.install |
1223 | + - Add new subpackage for TNC |
1224 | + - remove non-existent (dropped in 5.2.1) libpts library files |
1225 | + * debian/strongswan-tnc-client.install |
1226 | + - Add new subpackage for TNC |
1227 | + * debian/strongswan-tnc-ifmap.install |
1228 | + - Add new subpackage for TNC |
1229 | + * debian/strongswan-tnc-pdp.install |
1230 | + - Add new subpackage for TNC |
1231 | + * debian/strongswan-tnc-server.install |
1232 | + - Add new subpackage for TNC |
1233 | + * debian/strongswan-starter.postinit: |
1234 | + - Removed section about runlevel changes, it's almost 2014. |
1235 | + - Adapted service restart section for Upstart. |
1236 | + - Remove old symlinks to init.d files is necessary. |
1237 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1238 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1239 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1240 | + removal (as opposed to using the old init.d script). |
1241 | + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck |
1242 | + - logcheck patterns updated to be helpful |
1243 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1244 | + entire section on opportunistic encryption - this was never in strongSwan. |
1245 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1246 | + Drop changes: |
1247 | + * debian/control |
1248 | + - Per-plugin package breakup: Reducing packaging delta from Debian |
1249 | + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian |
1250 | + * debian/watch: Already exists in Debian merge |
1251 | + * debian/upstream/signing-key.asc: Upstream has newer version. |
1252 | + |
1253 | + -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 |
1254 | + |
1255 | strongswan (5.3.5-1) unstable; urgency=medium |
1256 | |
1257 | * New upstream bugfix release. |
1258 | @@ -700,6 +1872,210 @@ strongswan (5.1.2-1) unstable; urgency=medium |
1259 | |
1260 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
1261 | |
1262 | +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium |
1263 | + |
1264 | + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) |
1265 | + |
1266 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 |
1267 | + |
1268 | +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium |
1269 | + |
1270 | + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin |
1271 | + - debian/patches/CVE-2015-8023.patch: only succeed authentication if |
1272 | + MSK was established in |
1273 | + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. |
1274 | + - CVE-2015-8023 |
1275 | + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS |
1276 | + until regression is properly investigated. |
1277 | + |
1278 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 |
1279 | + |
1280 | +strongswan (5.1.2-0ubuntu6) wily; urgency=medium |
1281 | + |
1282 | + * SECURITY UPDATE: user credential disclosure to rogue servers |
1283 | + - debian/patches/CVE-2015-4171.patch: enforce remote authentication |
1284 | + config before proceeding with own authentication in |
1285 | + src/libcharon/sa/ikev2/tasks/ike_auth.c. |
1286 | + - CVE-2015-4171 |
1287 | + * debian/rules: don't FTBFS from unused service file |
1288 | + |
1289 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 |
1290 | + |
1291 | +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium |
1292 | + |
1293 | + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. |
1294 | + |
1295 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 |
1296 | + |
1297 | +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium |
1298 | + |
1299 | + * SECURITY UPDATE: denial of service via DH group 1025 |
1300 | + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of |
1301 | + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, |
1302 | + src/libstrongswan/crypto/diffie_hellman.h. |
1303 | + - CVE-2014-9221 |
1304 | + |
1305 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 |
1306 | + |
1307 | +strongswan (5.1.2-0ubuntu3) utopic; urgency=low |
1308 | + |
1309 | + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix |
1310 | + build. |
1311 | + |
1312 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 |
1313 | + |
1314 | +strongswan (5.1.2-0ubuntu2) trusty; urgency=medium |
1315 | + |
1316 | + * SECURITY UPDATE: remote authentication bypass |
1317 | + - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange |
1318 | + on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. |
1319 | + - CVE-2014-2338 |
1320 | + |
1321 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 |
1322 | + |
1323 | +strongswan (5.1.2-0ubuntu1) trusty; urgency=low |
1324 | + |
1325 | + * New upstream release. |
1326 | + |
1327 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 |
1328 | + |
1329 | +strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low |
1330 | + |
1331 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1332 | + * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. |
1333 | + |
1334 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 |
1335 | + |
1336 | +strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low |
1337 | + |
1338 | + * New upstream release candidate. |
1339 | + |
1340 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 |
1341 | + |
1342 | +strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium |
1343 | + |
1344 | + * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct |
1345 | + packages. |
1346 | + * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. |
1347 | + |
1348 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 |
1349 | + |
1350 | +strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low |
1351 | + |
1352 | + * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. |
1353 | + |
1354 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 |
1355 | + |
1356 | +strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low |
1357 | + |
1358 | + * debian/libstrongswan.install: Moved rdrand plugin configuration to rules |
1359 | + as it's only useful on amd64. |
1360 | + * debian/watch: Added opts=pgpsigurlmangle option. |
1361 | + * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. |
1362 | + |
1363 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 |
1364 | + |
1365 | +strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium |
1366 | + |
1367 | + * New upstream release candidate. |
1368 | + * debian/*.install - include new configuration files for plugins in |
1369 | + appropiate packages. |
1370 | + |
1371 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 |
1372 | + |
1373 | +strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low |
1374 | + |
1375 | + * debian/control: |
1376 | + - Added Breaks/Replaces for all library files which have been moved |
1377 | + about (LP: #1278176). |
1378 | + - Removed build-dependency on check and added one on dh-apparmor. |
1379 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1380 | + entire section on opportunistic encryption - this was never in strongSwan. |
1381 | + * debian/rules: Removed pieces on 'patching ipsec.conf' on build. |
1382 | + |
1383 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 |
1384 | + |
1385 | +strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low |
1386 | + |
1387 | + * debian/control: Fixed references to plugin-fips-prf. |
1388 | + |
1389 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 |
1390 | + |
1391 | +strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low |
1392 | + |
1393 | + * Upstream Git snapshot for build fixes with regards to entropy. |
1394 | + * debian/rules: |
1395 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1396 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1397 | + tests. |
1398 | + |
1399 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 |
1400 | + |
1401 | +strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low |
1402 | + |
1403 | + * New upstream developer release. |
1404 | + * Made changes to packaging per upstream suggestions. |
1405 | + - Dropped medcli and medsrv packages - not recommended by upstream at this |
1406 | + time. |
1407 | + - Dropped ha plugin - needs special kernel. |
1408 | + - Improved all package descriptions in general. |
1409 | + - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. |
1410 | + - Removed debian/*logcheck* files - not relevant to strongSwan. |
1411 | + - Split dhcp and farp packages into sub-packages. |
1412 | + - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. |
1413 | + - Changes to TNC-related packages. |
1414 | + * Created AppArmor profiles for lookip and stroke. |
1415 | + |
1416 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 |
1417 | + |
1418 | +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low |
1419 | + |
1420 | + * libstrongswan.install: Removed lingering unit-tester.so reference. |
1421 | + |
1422 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 |
1423 | + |
1424 | +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low |
1425 | + |
1426 | + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. |
1427 | + Incorporates upstream fixes for: |
1428 | + - Integrity testing. |
1429 | + - Unit test failures on little endian systems. |
1430 | + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed |
1431 | + upstream. |
1432 | + * debian/rules: |
1433 | + - Stop using CK_TIMEOUT_MULTIPLIER. |
1434 | + - Stop enabling the test suite only on non-powerpc arches (it runs |
1435 | + anyway). |
1436 | + |
1437 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 |
1438 | + |
1439 | +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low |
1440 | + |
1441 | + * debian/control: Reinstate missing comma in dependencies. |
1442 | + |
1443 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 |
1444 | + |
1445 | +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low |
1446 | + |
1447 | + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue |
1448 | + where test for >2038 tests on 32-bit platforms is broken. |
1449 | + - Reported upstream: https://wiki.strongswan.org/issues/477 |
1450 | + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. |
1451 | + |
1452 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 |
1453 | + |
1454 | +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low |
1455 | + |
1456 | + * New upstream developer release. |
1457 | + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, |
1458 | + and --enable-unity. |
1459 | + * debian/control: |
1460 | + - New plugin packages created for the above |
1461 | + - Split fips-prf into its own package. |
1462 | + - Added build-dependency on libsoup2.4-dev. |
1463 | + |
1464 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 |
1465 | + |
1466 | strongswan (5.1.1-3) unstable; urgency=low |
1467 | |
1468 | * Upload to unstable. |
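Review bot: the 5.1.2-0ubuntu7 entry adds `debian/patches/disable_ntru_test.patch` "until regression is properly investigated", and no later entry visible here records the patch being dropped or the test being re-enabled. The 5.3.5-1ubuntu1 entry lists ntru among the added plugins but names the patch under neither "Remaining changes" nor "Drop changes". Since this merge also advertises ntru in the libstrongswan-extra-plugins description, please confirm that the patch is no longer in `debian/patches/series` and that the ntru tests run at build time.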
1469 | @@ -791,6 +2167,192 @@ strongswan (5.1.1-1) unstable; urgency=low |
1470 | |
1471 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1472 | |
1473 | +strongswan (5.1.1-0ubuntu17) trusty; urgency=low |
1474 | + |
1475 | + * debian/control: |
1476 | + - Make strongswan-ike depend on iproute2. |
1477 | + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. |
1478 | + - Created strongswan-libfast package. |
1479 | + |
1480 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 |
1481 | + |
1482 | +strongswan (5.1.1-0ubuntu16) trusty; urgency=low |
1483 | + |
1484 | + * debian/control: |
1485 | + - Further splitting of plugins into subpackages (such as all EAP plugins |
1486 | + to their own packages). |
1487 | + - Added libpcsclite-dev to build-dependencies. |
1488 | + * debian/rules: |
1489 | + - Sort configure options in alphabetical order. |
1490 | + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, |
1491 | + --enable-eap-sim-file, --enable-eap-sim-pcsc, |
1492 | + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and |
1493 | + --enable-eap-simaka-sql. |
1494 | + - Don't exclude medsrv from install. |
1495 | + * Moved eap-identity.so to libstrongswan package as it's used by all the |
1496 | + other EAP plugins. |
1497 | + |
1498 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 |
1499 | + |
1500 | +strongswan (5.1.1-0ubuntu15) trusty; urgency=low |
1501 | + |
1502 | + * debian/control: |
1503 | + - Split plugins from libstrongswan package into modular subpackages. |
1504 | + - Added libmysqlclient-dev to build-dependencies. |
1505 | + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or |
1506 | + strongswan-plugins-gcrypt. |
1507 | + - strongswan-ike: All other plugins added to Suggests. |
1508 | + - Created two new TNC packages: strongswan-tnc-ifmap and |
1509 | + strongswan-tnc-pdp and added to tnc-imcvs Suggests. |
1510 | + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, |
1511 | + --enable-error-notify, --enable-mysql, --enable-load-tester, |
1512 | + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. |
1513 | + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. |
1514 | + |
1515 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 |
1516 | + |
1517 | +strongswan (5.1.1-0ubuntu14) trusty; urgency=low |
1518 | + |
1519 | + * debian/rules: |
1520 | + - CK_TIMEOUT_MULTIPLIER back down to 6. |
1521 | + - Disable unit tests on powerpc. |
1522 | + |
1523 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 |
1524 | + |
1525 | +strongswan (5.1.1-0ubuntu13) trusty; urgency=low |
1526 | + |
1527 | + * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. |
1528 | + |
1529 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 |
1530 | + |
1531 | +strongswan (5.1.1-0ubuntu12) trusty; urgency=low |
1532 | + |
1533 | + * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and |
1534 | + armhf. |
1535 | + |
1536 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 |
1537 | + |
1538 | +strongswan (5.1.1-0ubuntu11) trusty; urgency=low |
1539 | + |
1540 | + * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on |
1541 | + one extra arch. |
1542 | + * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. |
1543 | + |
1544 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 |
1545 | + |
1546 | +strongswan (5.1.1-0ubuntu10) trusty; urgency=low |
1547 | + |
1548 | + * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - |
1549 | + - Increases RSA key generate test timeout to 30 seconds so that it doesn't |
1550 | + fail on armhf, arm64, and powerppc. |
1551 | + * Contrary to what the last changelog entry says, we are still running |
1552 | + strongswan as root (with AppArmor protection). |
1553 | + |
1554 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 |
1555 | + |
1556 | +strongswan (5.1.1-0ubuntu9) trusty; urgency=low |
1557 | + |
1558 | + * debian/rules: Added to configure options: |
1559 | + - --enable-tnc-ifmap: enable TNC IF-MAP module. |
1560 | + - --enable-duplicheck: enable duplicheck plugin. |
1561 | + - --enable-imv-swid, --enable-imc-swid: Added. |
1562 | + - Run strongswan as it's own user. |
1563 | + * debian/strongswan-starter.install: Install duplicheck. |
1564 | + * debian/strongswan-tnc-imcvs.install: Install swidtags. |
1565 | + |
1566 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 |
1567 | + |
1568 | +strongswan (5.1.1-0ubuntu8) trusty; urgency=low |
1569 | + |
1570 | + * debian/rules: Added to configure options: |
1571 | + - --enable-unit-tests: check unit testing on build. |
1572 | + - --enable-unbound: for validating DNS lookups. |
1573 | + - --enable-dnscert: for DNSCERT peer authentication. |
1574 | + - --enable-ipseckey: for IPSEC key authentication. |
1575 | + - --enable-lookip: for LookIP functionality. |
1576 | + - --enable-coupling: certificate coupling functionality. |
1577 | + * debian/control: Added check, libldns-dev, libunbound-dev to |
1578 | + build-dependencies. |
1579 | + * debian/libstrongswan.install: Install new plugin .so's. |
1580 | + * debian/strongswan-starter.install: Added lookip. |
1581 | + |
1582 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 |
1583 | + |
1584 | +strongswan (5.1.1-0ubuntu7) trusty; urgency=low |
1585 | + |
1586 | + * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent |
1587 | + the former from depending on the latter). |
1588 | + |
1589 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 |
1590 | + |
1591 | +strongswan (5.1.1-0ubuntu6) trusty; urgency=low |
1592 | + |
1593 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1594 | + removal (as opposed to using the old init.d script). |
1595 | + |
1596 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 |
1597 | + |
1598 | +strongswan (5.1.1-0ubuntu5) trusty; urgency=low |
1599 | + |
1600 | + * debian/rules: |
1601 | + - CONFIGUREARGS: Merged Debian and RPM options. |
1602 | + - Brings in TNC functionality. |
1603 | + * debian/control: |
1604 | + - Added build-dependency on libtspi-dev. |
1605 | + - Created strongswan-tnc-imcvs binary package for TNC components. |
1606 | + - Added strongswan-tnc-imcvs to libstrongswan's Suggests. |
1607 | + * debian/libstrongswan.install: |
1608 | + - Included newly built MD4 and SQLite libraries. |
1609 | + - Removed 'tnc' references (moved to TNC package). |
1610 | + * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and |
1611 | + binaries. |
1612 | + * debian/usr.lib.ipsec.charon: Allow access to TNC modules. |
1613 | + |
1614 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 |
1615 | + |
1616 | +strongswan (5.1.1-0ubuntu4) trusty; urgency=low |
1617 | + |
1618 | + * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. |
1619 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1620 | + * debian/control: strongswan-ike - Stop depending on ipsec-tools. |
1621 | + |
1622 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 |
1623 | + |
1624 | +strongswan (5.1.1-0ubuntu3) trusty; urgency=low |
1625 | + |
1626 | + * strongswan-starter.strongswan.upstart - Only start strongSwan when a |
1627 | + network connection is available. |
1628 | + * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to |
1629 | + 1.16.1 - to make precise backporting easier. |
1630 | + |
1631 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 |
1632 | + |
1633 | +strongswan (5.1.1-0ubuntu2) trusty; urgency=low |
1634 | + |
1635 | + * strongswan-starter.strongswan.upstart - Created Upstart job for |
1636 | + strongSwan. |
1637 | + * debian/rules: Set dh_installinit to install above file. |
1638 | + * debian/strongswan-starter.postinit: |
1639 | + - Removed section about runlevel changes, it's almost 2014. |
1640 | + - Adapted service restart section for Upstart. |
1641 | + - Remove old symlinks to init.d files is necessary. |
1642 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1643 | + |
1644 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 |
1645 | + |
1646 | +strongswan (5.1.1-0ubuntu1) trusty; urgency=low |
1647 | + |
1648 | + * New upstream release. |
1649 | + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. |
1650 | + * debian/control: Updated Standards-Version to 3.9.5 and applied |
1651 | + XSBC-Original-Maintainer policy. |
1652 | + * strongswan-starter.install: |
1653 | + - pki tool is now in /usr/bin. |
1654 | + - Install pt-tls-client. |
1655 | + - Install manpages (LP: #1206263). |
1656 | + |
1657 | + -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 |
1658 | + |
1659 | strongswan (5.1.0-3) unstable; urgency=high |
1660 | |
1661 | * urgency=high for the security fixes. |
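Review bot: the 5.1.1-0ubuntu9 and 5.1.1-0ubuntu10 entries contradict each other on the daemon's privileges. ubuntu9 lists "Run strongswan as it's own user" under the configure options, and ubuntu10 corrects that to "we are still running strongswan as root (with AppArmor protection)". Both lines have to stay as published, but the later 5.3.5-1ubuntu1 entry adds "allow priv dropping (LP: #1333655)" to the charon and stroke profiles, so the history alone does not say which model the merged package uses. Please state the current one (root confined by AppArmor, or dropped privileges) in the merge description.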
1662 | diff --git a/debian/control b/debian/control |
1663 | index 9c0d909..5ee5ad5 100644 |
1664 | --- a/debian/control |
1665 | +++ b/debian/control |
1666 | @@ -1,7 +1,8 @@ |
1667 | Source: strongswan |
1668 | Section: net |
1669 | Priority: optional |
1670 | -Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1671 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1672 | +XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1673 | Uploaders: Yves-Alexis Perez <corsac@debian.org> |
1674 | Standards-Version: 4.5.0 |
1675 | Vcs-Browser: https://salsa.debian.org/debian/strongswan |
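Review bot: the unchanged Vcs-Browser line below the new Maintainer fields still points at https://salsa.debian.org/debian/strongswan, which does not contain the Ubuntu delta this package now carries. The Maintainer / XSBC-Original-Maintainer swap itself is the usual form. Consider whether the Vcs field should be preserved under an XS-Debian-Vcs-Browser name, so that someone following it from the Ubuntu package is not led to packaging that differs from what was uploaded.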
1676 | @@ -135,6 +136,7 @@ Description: strongSwan utility and crypto library (extra plugins) |
1677 | - gcrypt (Crypto backend based on libgcrypt, provides |
1678 | RSA/DH/ciphers/hashers/rng) |
1679 | - ldap (LDAP fetching plugin based on libldap) |
1680 | + - ntru (key exchanged based on post-quantum computer NTRU) |
1681 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1682 | - pkcs11 (PKCS#11 smartcard backend) |
1683 | - rdrand (High quality / high performance random source using the Intel |
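Review bot: the added plugin entry "ntru (key exchanged based on post-quantum computer NTRU)" ends up in the user-visible package description and reads wrongly: "key exchanged" should be "key exchange", and "post-quantum computer NTRU" is unclear. Suggest wording in the style of the neighbouring entries, for example "ntru (key exchange based on the post-quantum NTRU algorithm)".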
1684 | @@ -209,9 +211,9 @@ Pre-Depends: ${misc:Pre-Depends} |
1685 | Depends: adduser, |
1686 | libstrongswan (= ${binary:Version}), |
1687 | lsb-base (>= 3.0-6), |
1688 | + strongswan-charon, |
1689 | ${misc:Depends}, |
1690 | ${shlibs:Depends} |
1691 | -Recommends: strongswan-charon |
1692 | Conflicts: openswan |
1693 | Description: strongSwan daemon starter and configuration file parser |
1694 | The strongSwan VPN suite uses the native IPsec stack in the standard |
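Review bot: the new "strongswan-charon" entry in Depends is unversioned, while "libstrongswan (= ${binary:Version})" two lines above it is pinned to the exact build. Both binaries come from this source package, so if a starter and a charon from different uploads are not meant to work together, pin it the same way. If the loose dependency is deliberate, a short remark in the changelog entry would save the next merger from asking.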
1695 | @@ -250,9 +252,9 @@ Architecture: any |
1696 | Pre-Depends: debconf | debconf-2.0 |
1697 | Depends: iproute2 [linux-any] | iproute [linux-any], |
1698 | libstrongswan (= ${binary:Version}), |
1699 | - strongswan-starter, |
1700 | ${misc:Depends}, |
1701 | ${shlibs:Depends} |
1702 | +Recommends: strongswan-starter, |
1703 | Provides: ike-server |
1704 | Description: strongSwan Internet Key Exchange daemon |
1705 | The strongSwan VPN suite uses the native IPsec stack in the standard |
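Review bot: the added line "Recommends: strongswan-starter," ends with a trailing comma although it is the only entry in the field and is followed directly by "Provides:". It looks like a leftover from the line's former place in the middle of the Depends list. Drop the comma so the field reads "Recommends: strongswan-starter". This hunk together with the previous one is what breaks the starter/charon cycle, so check that no other stanza still has a hard Depends from charon back to starter.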
1706 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install |
1707 | index 2846e21..8f71239 100644 |
1708 | --- a/debian/libstrongswan-extra-plugins.install |
1709 | +++ b/debian/libstrongswan-extra-plugins.install |
1710 | @@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so |
1711 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1712 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1713 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1714 | +usr/lib/ipsec/plugins/libstrongswan-ntru.so |
1715 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1716 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
1717 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
1718 | @@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf |
1719 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
1720 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
1721 | usr/share/strongswan/templates/config/plugins/ldap.conf |
1722 | +usr/share/strongswan/templates/config/plugins/ntru.conf |
1723 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
1724 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
1725 | usr/share/strongswan/templates/config/plugins/tpm.conf |
1726 | @@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf |
1727 | etc/strongswan.d/charon/curve25519.conf |
1728 | etc/strongswan.d/charon/gcrypt.conf |
1729 | etc/strongswan.d/charon/ldap.conf |
1730 | +etc/strongswan.d/charon/ntru.conf |
1731 | etc/strongswan.d/charon/pkcs11.conf |
1732 | etc/strongswan.d/charon/test-vectors.conf |
1733 | etc/strongswan.d/charon/tpm.conf |
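Review bot: "etc/strongswan.d/charon/ntru.conf" is installed under etc/, so it becomes a conffile of libstrongswan-extra-plugins. If this Ubuntu-only plugin is later dropped again or moved to another binary package, the file stays behind on upgraded systems unless a maintscript entry (rm_conffile or mv_conffile through dpkg-maintscript-helper) is added at that point. It is worth noting this next to the ntru item in the remaining-changes list so it is not forgotten when the delta changes.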
1734 | diff --git a/debian/rules b/debian/rules |
1735 | index eacfe14..8f2d740 100755 |
1736 | --- a/debian/rules |
1737 | +++ b/debian/rules |
1738 | @@ -31,6 +31,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1739 | --enable-led \ |
1740 | --enable-lookip \ |
1741 | --enable-mediation \ |
1742 | + --enable-ntru \ |
1743 | --enable-openssl \ |
1744 | --enable-pkcs11 \ |
1745 | --enable-test-vectors \ |
Glad the "droppable after 20.04" now also could go away :-)
Yeah, the remaining Delta LGTM.
Let's next week (on the invite you sent) talk about the details of these two remaining deltas, why they exist and if/how we might upstream them.
Further I'd want to talk about testing strongswan merges in that session and we'll run the tests I used to use on your PPA together. From there you might have a chance to extend these tests a bit maybe, but you don't need to do the initial-work that already exists.
One feedback on the changelog, the NTRU bug should no more be (LP: #1863749) as that would ping on the bug, make it (LP: 1863749) or such to avoid bumping it. I already saw that LP automatically linked your MP on the bug due to it being referenced on the commit subject - rename that and the changelog on a rebase please :-)