Merge ~lucaskanashiro/ubuntu/+source/strongswan:merge-kinetic into ubuntu/+source/strongswan:debian/sid
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merge reported by: | Lucas Kanashiro
Merged at revision: | fe75c1e006997228f5f841125e7fc020563b77ac
Proposed branch: | ~lucaskanashiro/ubuntu/+source/strongswan:merge-kinetic
Merge into: | ubuntu/+source/strongswan:debian/sid
Diff against target: | 2040 lines (+1781/-3), 6 files modified: debian/changelog (+1753/-0), debian/control (+8/-3), debian/libcharon-extra-plugins.install (+6/-0), debian/libcharon-extra-plugins.maintscript (+8/-0), debian/libstrongswan-extra-plugins.install (+3/-0), debian/rules (+3/-0)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | | | Approve
Sergio Durigan Junior (community) | | | Approve
Canonical Server | | | Pending

Review via email: mp+424435@code.launchpad.net
Description of the change
Merge version 5.9.6-1 from Debian. One patch in our delta was dropped because it was applied by upstream; all the rest was kept.
PPA with the proposed package:
https:/
autopkgtest summary:
autopkgtest [15:42:47]: @@@@@@@
admin-strongswa
admin-strongswa
daemon PASS
plugins PASS
Sergio Durigan Junior (sergiodj) wrote:
Thanks for the MP, Lucas.
I took the liberty to trigger autopkgtest runs for all supported architectures using your PPA, and everything has passed. The package builds, installs and upgrades OK.
I found the 2 Merge Requests you submitted to Debian a couple of years ago, and noticed that they seem stale. WDYT about pinging them?
I also looked at the list of open bugs for the package and everything seems OK. I left a comment on bug #1330486 because it's really old and looks abandoned.
There's a very small nit in the changelog entry, but otherwise everything LGTM.
+1
Lucas Kanashiro (lucaskanashiro) wrote:
Thanks for the review Sergio. I did ping some of the old MRs on salsa, let's see if the Debian maintainer will reply to them.
Package uploaded:
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: lucaskanashiro, sergiodj
Uploaders: lucaskanashiro, sergiodj
MP auto-approved
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 4a7616f..f63aa55 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,33 @@ | |||
6 | 1 | strongswan (5.9.6-1ubuntu1) kinetic; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Merge with Debian unstable (LP: #1971328). Remaining changes: | ||
9 | 4 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
10 | 5 | therefore bump the dependency from Recommends to Depends. At the same | ||
11 | 6 | time avoid a circular dependency by dropping | ||
12 | 7 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
13 | 8 | binaries can work without the services but not vice versa. | ||
14 | 9 | - re-add post-quantum encryption algorithm (NTRU) (LP #1863749) | ||
15 | 10 | + d/control: mention plugins in package description | ||
16 | 11 | + d/rules: enable ntru at build time | ||
17 | 12 | + d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
18 | 13 | - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887) | ||
19 | 14 | + d/control: update libcharon-extra-plugins description. | ||
20 | 15 | + d/libcharon-extra-plugins.install: install .so and conf files. | ||
21 | 16 | + d/rules: add plugins to the configuration arguments. | ||
22 | 17 | - Remove conf files of plugins removed from libcharon-extra-plugins | ||
23 | 18 | + The conf file of the following plugins were removed: eap-aka-3gpp2, | ||
24 | 19 | eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, | ||
25 | 20 | eap-simaka-reauth, eap-simaka-sql, xauth-noauth. | ||
26 | 21 | + Created d/libcharon-extra-plugins.maintscript to handle the removals | ||
27 | 22 | properly. | ||
28 | 23 | * Dropped: | ||
29 | 24 | - d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki" | ||
30 | 25 | segmentation fault; don't access OpenSSL objects inside atexit() | ||
31 | 26 | handlers. (LP #1964977) | ||
32 | 27 | [included by upstream in version 5.9.6] | ||
33 | 28 | |||
34 | 29 | -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 10 Jun 2022 15:03:17 -0300 | ||
35 | 30 | |||
36 | 1 | strongswan (5.9.6-1) unstable; urgency=medium | 31 | strongswan (5.9.6-1) unstable; urgency=medium |
37 | 2 | 32 | ||
38 | 3 | * New upstream version 5.9.6 | 33 | * New upstream version 5.9.6 |
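Review bot: In the new 5.9.6-1ubuntu1 entry, the item "Remove conf files of plugins removed from libcharon-extra-plugins" does not say how long d/libcharon-extra-plugins.maintscript has to be carried. Older entries in this changelog mark transitional delta explicitly, for example "(drop after 20.04)"; a similar marker here would tell the next merger when the item can go. Wording nit in the same item: "The conf file of the following plugins were removed" should read "The conf files of the following plugins were removed".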
39 | @@ -6,6 +36,42 @@ strongswan (5.9.6-1) unstable; urgency=medium | |||
40 | 6 | 36 | ||
41 | 7 | -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200 | 37 | -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200 |
42 | 8 | 38 | ||
43 | 39 | strongswan (5.9.5-2ubuntu2) jammy; urgency=medium | ||
44 | 40 | |||
45 | 41 | * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki" | ||
46 | 42 | segmentation fault; don't access OpenSSL objects inside atexit() | ||
47 | 43 | handlers. (LP: #1964977) | ||
48 | 44 | |||
49 | 45 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 18 Mar 2022 14:24:34 -0400 | ||
50 | 46 | |||
51 | 47 | strongswan (5.9.5-2ubuntu1) jammy; urgency=medium | ||
52 | 48 | |||
53 | 49 | * Merge with Debian unstable. Remaining changes: | ||
54 | 50 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
55 | 51 | therefore bump the dependency from Recommends to Depends. At the same | ||
56 | 52 | time avoid a circular dependency by dropping | ||
57 | 53 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
58 | 54 | binaries can work without the services but not vice versa. | ||
59 | 55 | - re-add post-quantum encryption algorithm (NTRU) (LP #1863749) | ||
60 | 56 | + d/control: mention plugins in package description | ||
61 | 57 | + d/rules: enable ntru at build time | ||
62 | 58 | + d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
63 | 59 | - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887) | ||
64 | 60 | + d/control: update libcharon-extra-plugins description. | ||
65 | 61 | + d/libcharon-extra-plugins.install: install .so and conf files. | ||
66 | 62 | + d/rules: add plugins to the configuration arguments. | ||
67 | 63 | - Remove conf files of plugins removed from libcharon-extra-plugins | ||
68 | 64 | + The conf file of the following plugins were removed: eap-aka-3gpp2, | ||
69 | 65 | eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, | ||
70 | 66 | eap-simaka-reauth, eap-simaka-sql, xauth-noauth. | ||
71 | 67 | + Created d/libcharon-extra-plugins.maintscript to handle the removals | ||
72 | 68 | properly. | ||
73 | 69 | * Dropped patches included in new version: | ||
74 | 70 | - debian/patches/CVE-2021-45079.patch | ||
75 | 71 | - debian/patches/load-legacy-provider-in-openssl3.patch | ||
76 | 72 | |||
77 | 73 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Feb 2022 10:49:49 -0500 | ||
78 | 74 | |||
79 | 9 | strongswan (5.9.5-2) unstable; urgency=medium | 75 | strongswan (5.9.5-2) unstable; urgency=medium |
80 | 10 | 76 | ||
81 | 11 | * actually fix lintian overrides | 77 | * actually fix lintian overrides |
82 | @@ -21,6 +87,60 @@ strongswan (5.9.5-1) unstable; urgency=medium | |||
83 | 21 | 87 | ||
84 | 22 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100 | 88 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100 |
85 | 23 | 89 | ||
86 | 90 | strongswan (5.9.4-1ubuntu4) jammy; urgency=medium | ||
87 | 91 | |||
88 | 92 | * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages | ||
89 | 93 | - debian/patches/CVE-2021-45079.patch: enforce failure if MSK | ||
90 | 94 | generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c, | ||
91 | 95 | src/libcharon/plugins/eap_md5/eap_md5.c, | ||
92 | 96 | src/libcharon/plugins/eap_radius/eap_radius.c, | ||
93 | 97 | src/libcharon/sa/eap/eap_method.h, | ||
94 | 98 | src/libcharon/sa/ikev2/authenticators/eap_authenticator.c. | ||
95 | 99 | - CVE-2021-45079 | ||
96 | 100 | |||
97 | 101 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 01 Feb 2022 07:23:37 -0500 | ||
98 | 102 | |||
99 | 103 | strongswan (5.9.4-1ubuntu3) jammy; urgency=medium | ||
100 | 104 | |||
101 | 105 | * No-change rebuild against libssl3 | ||
102 | 106 | |||
103 | 107 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:38 +0000 | ||
104 | 108 | |||
105 | 109 | strongswan (5.9.4-1ubuntu2) jammy; urgency=medium | ||
106 | 110 | |||
107 | 111 | * Add d/p/load-legacy-provider-in-openssl3.patch. | ||
108 | 112 | Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213) | ||
109 | 113 | |||
110 | 114 | -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100 | ||
111 | 115 | |||
112 | 116 | strongswan (5.9.4-1ubuntu1) jammy; urgency=medium | ||
113 | 117 | |||
114 | 118 | * Merge with Debian unstable. Remaining changes: | ||
115 | 119 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
116 | 120 | therefore bump the dependency from Recommends to Depends. At the same | ||
117 | 121 | time avoid a circular dependency by dropping | ||
118 | 122 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
119 | 123 | binaries can work without the services but not vice versa. | ||
120 | 124 | - re-add post-quantum encryption algorithm (NTRU) (LP #1863749) | ||
121 | 125 | + d/control: mention plugins in package description | ||
122 | 126 | + d/rules: enable ntru at build time | ||
123 | 127 | + d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
124 | 128 | - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887) | ||
125 | 129 | + d/control: update libcharon-extra-plugins description. | ||
126 | 130 | + d/libcharon-extra-plugins.install: install .so and conf files. | ||
127 | 131 | + d/rules: add plugins to the configuration arguments. | ||
128 | 132 | - Remove conf files of plugins removed from libcharon-extra-plugins | ||
129 | 133 | + The conf file of the following plugins were removed: eap-aka-3gpp2, | ||
130 | 134 | eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, | ||
131 | 135 | eap-simaka-reauth, eap-simaka-sql, xauth-noauth. | ||
132 | 136 | + Created d/libcharon-extra-plugins.maintscript to handle the removals | ||
133 | 137 | properly. | ||
134 | 138 | * Dropped changes: | ||
135 | 139 | - Compile the tpm plugin against the tpm2 software stack (tss2). | ||
136 | 140 | Merged in Debian (5.9.4-1). | ||
137 | 141 | |||
138 | 142 | -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100 | ||
139 | 143 | |||
140 | 24 | strongswan (5.9.4-1) unstable; urgency=medium | 144 | strongswan (5.9.4-1) unstable; urgency=medium |
141 | 25 | 145 | ||
142 | 26 | [ Paride Legovini ] | 146 | [ Paride Legovini ] |
143 | @@ -37,6 +157,62 @@ strongswan (5.9.4-1) unstable; urgency=medium | |||
144 | 37 | 157 | ||
145 | 38 | -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200 | 158 | -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200 |
146 | 39 | 159 | ||
147 | 160 | strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium | ||
148 | 161 | |||
149 | 162 | * SECURITY UPDATE: Integer Overflow in gmp Plugin | ||
150 | 163 | - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with | ||
151 | 164 | negative salt length in | ||
152 | 165 | src/libstrongswan/credentials/keys/signature_params.c, | ||
153 | 166 | src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. | ||
154 | 167 | - CVE-2021-41990 | ||
155 | 168 | * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache | ||
156 | 169 | - debian/patches/CVE-2021-41991.patch: prevent crash due to integer | ||
157 | 170 | overflow/sign change in | ||
158 | 171 | src/libstrongswan/credentials/sets/cert_cache.c. | ||
159 | 172 | - CVE-2021-41991 | ||
160 | 173 | |||
161 | 174 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400 | ||
162 | 175 | |||
163 | 176 | strongswan (5.9.1-1ubuntu3) impish; urgency=medium | ||
164 | 177 | |||
165 | 178 | * Compile the tpm plugin against the tpm2 software stack (tss2) | ||
166 | 179 | (Debian packaging cherry-pick, LP: #1940079) | ||
167 | 180 | - d/rules: add the --enable-tss-tss2 configure flag | ||
168 | 181 | - d/control: add Build-Depends: libtss2-dev | ||
169 | 182 | |||
170 | 183 | -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200 | ||
171 | 184 | |||
172 | 185 | strongswan (5.9.1-1ubuntu2) impish; urgency=medium | ||
173 | 186 | |||
174 | 187 | * No-change rebuild due to OpenLDAP soname bump. | ||
175 | 188 | |||
176 | 189 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400 | ||
177 | 190 | |||
178 | 191 | strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium | ||
179 | 192 | |||
180 | 193 | * Merge with Debian unstable. Remaining changes: | ||
181 | 194 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
182 | 195 | therefore bump the dependency from Recommends to Depends. At the same | ||
183 | 196 | time avoid a circular dependency by dropping | ||
184 | 197 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
185 | 198 | binaries can work without the services but not vice versa. | ||
186 | 199 | - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749) | ||
187 | 200 | + d/control: mention plugins in package description | ||
188 | 201 | + d/rules: enable ntru at build time | ||
189 | 202 | + d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
190 | 203 | - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887) | ||
191 | 204 | + d/control: update libcharon-extra-plugins description. | ||
192 | 205 | + d/libcharon-extra-plugins.install: install .so and conf files. | ||
193 | 206 | + d/rules: add plugins to the configuration arguments. | ||
194 | 207 | - Remove conf files of plugins removed from libcharon-extra-plugins | ||
195 | 208 | + The conf file of the following plugins were removed: eap-aka-3gpp2, | ||
196 | 209 | eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, | ||
197 | 210 | eap-simaka-reauth, eap-simaka-sql, xauth-noauth. | ||
198 | 211 | + Created d/libcharon-extra-plugins.maintscript to handle the removals | ||
199 | 212 | properly. | ||
200 | 213 | |||
201 | 214 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100 | ||
202 | 215 | |||
203 | 40 | strongswan (5.9.1-1) unstable; urgency=medium | 216 | strongswan (5.9.1-1) unstable; urgency=medium |
204 | 41 | 217 | ||
205 | 42 | * New upstream version 5.9.1 | 218 | * New upstream version 5.9.1 |
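Review bot: The 5.9.1-1ubuntu3.1 security upload at the top of this hunk adds debian/patches/CVE-2021-41990.patch and debian/patches/CVE-2021-41991.patch, but no later entry accounts for them. The 5.9.4-1ubuntu1 merge lists only the tss2 change under "Dropped changes", whereas the 5.9.5-2ubuntu1 merge does record CVE-2021-45079.patch as dropped. The upload targeted impish-security, so the patches may never have been part of the development-series delta, but the changelog alone does not show that. Published entries cannot be edited, so please state in the MP description that neither patch is needed on top of the 5.9.6 source, so that the gap is not read as a lost fix.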
206 | @@ -51,6 +227,45 @@ strongswan (5.9.0-1) unstable; urgency=medium | |||
207 | 51 | 227 | ||
208 | 52 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200 | 228 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200 |
209 | 53 | 229 | ||
210 | 230 | strongswan (5.8.4-1ubuntu2) groovy; urgency=medium | ||
211 | 231 | |||
212 | 232 | * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887) | ||
213 | 233 | - d/control: update libcharon-extra-plugins description. | ||
214 | 234 | - d/libcharon-extra-plugins.install: install .so and conf files. | ||
215 | 235 | - d/rules: add plugins to the configuration arguments. | ||
216 | 236 | * Remove conf files of plugins removed from libcharon-extra-plugins | ||
217 | 237 | - The conf file of the following plugins were removed: eap-aka-3gpp2, | ||
218 | 238 | eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, | ||
219 | 239 | eap-simaka-reauth, eap-simaka-sql, xauth-noauth. | ||
220 | 240 | - Created d/libcharon-extra-plugins.maintscript to handle the removals | ||
221 | 241 | properly. | ||
222 | 242 | |||
223 | 243 | -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300 | ||
224 | 244 | |||
225 | 245 | strongswan (5.8.4-1ubuntu1) groovy; urgency=medium | ||
226 | 246 | |||
227 | 247 | * Merge with Debian unstable. Remaining changes: | ||
228 | 248 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
229 | 249 | therefore bump the dependency from Recommends to Depends. At the same | ||
230 | 250 | time avoid a circular dependency by dropping | ||
231 | 251 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
232 | 252 | binaries can work without the services but not vice versa. | ||
233 | 253 | - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749) | ||
234 | 254 | + d/control: mention plugins in package description | ||
235 | 255 | + d/rules: enable ntru at build time | ||
236 | 256 | + d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
237 | 257 | * Dropped: | ||
238 | 258 | - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) | ||
239 | 259 | This is needed due to changes in regard to Debian bug 947176 and 939243 | ||
240 | 260 | and can later be dropped again. | ||
241 | 261 | [applied by Debian in version 5.8.2-2] | ||
242 | 262 | - d/control: Transition from former Ubuntu only libcharon-standard-plugins | ||
243 | 263 | to common libcharon-extauth-plugins (drop after 20.04) | ||
244 | 264 | - d/control: Transition from strongswan-tnc-* being in extra packages | ||
245 | 265 | to libcharon-extra-plugins (drop after 20.04) | ||
246 | 266 | |||
247 | 267 | -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300 | ||
248 | 268 | |||
249 | 54 | strongswan (5.8.4-1) unstable; urgency=medium | 269 | strongswan (5.8.4-1) unstable; urgency=medium |
250 | 55 | 270 | ||
251 | 56 | * New upstream version 5.8.4 (Closes: #956446) | 271 | * New upstream version 5.8.4 (Closes: #956446) |
252 | @@ -66,6 +281,43 @@ strongswan (5.8.2-2) unstable; urgency=medium | |||
253 | 66 | 281 | ||
254 | 67 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100 | 282 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100 |
255 | 68 | 283 | ||
256 | 284 | strongswan (5.8.2-1ubuntu3) focal; urgency=medium | ||
257 | 285 | |||
258 | 286 | * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as | ||
259 | 287 | there is a potential local side-channel attack on strongSwan's BLISS | ||
260 | 288 | implementation (https://eprint.iacr.org/2017/505). (LP: #1866765) | ||
261 | 289 | |||
262 | 290 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100 | ||
263 | 291 | |||
264 | 292 | strongswan (5.8.2-1ubuntu2) focal; urgency=medium | ||
265 | 293 | |||
266 | 294 | * re-add post-quantum computer signature scheme (BLISS) and encryption | ||
267 | 295 | algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749) | ||
268 | 296 | - d/control: mention plugins in package description | ||
269 | 297 | - d/rules: enable ntru and bliss at build time | ||
270 | 298 | - d/libstrongswan-extra-plugins.install: ship config and shared objects | ||
271 | 299 | |||
272 | 300 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100 | ||
273 | 301 | |||
274 | 302 | strongswan (5.8.2-1ubuntu1) focal; urgency=medium | ||
275 | 303 | |||
276 | 304 | * Merge with Debian unstable (LP: #1861971). Remaining changes: | ||
277 | 305 | - d/control: Transition from strongswan-tnc-* being in extra packages | ||
278 | 306 | to libcharon-extra-plugins (drop after 20.04) | ||
279 | 307 | - d/control: Transition from former Ubuntu only libcharon-standard-plugins | ||
280 | 308 | to common libcharon-extauth-plugins (drop after 20.04) | ||
281 | 309 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
282 | 310 | therefore bump the dependency from Recommends to Depends. At the same | ||
283 | 311 | time avoid a circular dependency by dropping | ||
284 | 312 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
285 | 313 | binaries can work without the services but not vice versa. | ||
286 | 314 | * Added Changes | ||
287 | 315 | - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) | ||
288 | 316 | This is needed due to changes in regard to Debian bug 947176 and 939243 | ||
289 | 317 | and can later be dropped again. | ||
290 | 318 | |||
291 | 319 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100 | ||
292 | 320 | |||
293 | 69 | strongswan (5.8.2-1) unstable; urgency=medium | 321 | strongswan (5.8.2-1) unstable; urgency=medium |
294 | 70 | 322 | ||
295 | 71 | [ Jean-Michel Vourgère ] | 323 | [ Jean-Michel Vourgère ] |
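Review bot: 5.8.2-1ubuntu3 removes BLISS again over the side-channel issue (https://eprint.iacr.org/2017/505) but, unlike 5.8.2-1ubuntu2 directly below it, does not list the files it touched or say whether the nttfft library that ubuntu2 added alongside BLISS and NTRU stays. Every later merge entry, including the new 5.9.6-1ubuntu1 one, carries only "d/rules: enable ntru at build time". Please double-check that the debian/rules and debian/libstrongswan-extra-plugins.install changes in this MP enable and ship NTRU only, with nothing BLISS-related left over.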
296 | @@ -82,6 +334,83 @@ strongswan (5.8.2-1) unstable; urgency=medium | |||
297 | 82 | 334 | ||
298 | 83 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100 | 335 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100 |
299 | 84 | 336 | ||
300 | 337 | strongswan (5.8.1-1ubuntu1) focal; urgency=medium | ||
301 | 338 | |||
302 | 339 | * Merge with Debian unstable (LP: #1852579). Remaining changes: | ||
303 | 340 | - d/control: Transition from strongswan-tnc-* being in extra packages | ||
304 | 341 | to libcharon-extra-plugins | ||
305 | 342 | * Added Changes: | ||
306 | 343 | - d/control: Transition from former Ubuntu only libcharon-standard-plugins | ||
307 | 344 | to common libcharon-extauth-plugins (drop after 20.04) | ||
308 | 345 | - d/control: strongswan-starter hard-depends on strongswan-charon, | ||
309 | 346 | therefore bump the dependency from Recommends to Depends. At the same | ||
310 | 347 | time avoid a circular dependency by dropping | ||
311 | 348 | strongswan-charon->strongswan-starter from Depends to Recommends as the | ||
312 | 349 | binaries can work without the services but not vice versa. | ||
313 | 350 | * Dropped Changes (now in Debian): | ||
314 | 351 | - Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
315 | 352 | - Clean up d/strongswan-starter.postinst: Removed entire section on | ||
316 | 353 | opportunistic encryption disabling - this was never in strongSwan and | ||
317 | 354 | won't be see upstream issue #2160. | ||
318 | 355 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
319 | 356 | debconf-managed config.) | ||
320 | 357 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
321 | 358 | used for debconf-managed include of private key). | ||
322 | 359 | - Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
323 | 360 | via this userspace implementation (please do note that this is still | ||
324 | 361 | considered experimental by upstream). | ||
325 | 362 | + d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
326 | 363 | + d/control: List kernel-libipsec plugin at extra plugins description | ||
327 | 364 | + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
328 | 365 | upstream recommends to not load kernel-libipsec by default. | ||
329 | 366 | - d/control: Mention mgf1 plugin which is in libstrongswan now | ||
330 | 367 | - Complete the disabling of libfast; This was partially accepted in Debian, | ||
331 | 368 | it is no more packaging medcli and medsrv, but still builds and | ||
332 | 369 | mentions it. | ||
333 | 370 | + d/rules: Add --disable-fast to avoid build time and dependencies | ||
334 | 371 | + d/control: Remove medcli, medsrv from package description | ||
335 | 372 | - Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
336 | 373 | libstrongswan-extra-plugins (no deps from default plugins). | ||
337 | 374 | - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
338 | 375 | plugins for the most common use cases from extra-plugins into a new | ||
339 | 376 | standard-plugins package. This will allow those use cases without pulling | ||
340 | 377 | in too much more plugins (a bit like the tnc package). Recommend that | ||
341 | 378 | package from strongswan-libcharon. | ||
342 | 379 | - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250) | ||
343 | 380 | - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956) | ||
344 | 381 | - executables need to be able to read map and execute themselves otherwise | ||
345 | 382 | execution in some environments e.g. containers is blocked (LP 1780534) | ||
346 | 383 | + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary | ||
347 | 384 | + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary | ||
348 | 385 | - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor | ||
349 | 386 | profiles of both ways to start charon (LP 1807664) | ||
350 | 387 | - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962) | ||
351 | 388 | - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in | ||
352 | 389 | Debian so this part was be dropped. Two changes remain | ||
353 | 390 | - d/control: fix the mentioning of tpmtss in d/control | ||
354 | 391 | - apparmor fixes for container and root usage (LP 1826238) | ||
355 | 392 | + d/usr.sbin.swanctl: allow reading own binary | ||
356 | 393 | + d/usr.sbin.charon-systemd: allow accessing the binary | ||
357 | 394 | + d/usr.sbin.swanctl: add attach_disconnected to work inside containers | ||
358 | 395 | + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP | ||
359 | 396 | to apparmor to allow dropping caps | ||
360 | 397 | * Dropped Changes (too uncommon to support by default) | ||
361 | 398 | - d/libstrongswan.install: Add kernel-netlink configuration files | ||
362 | 399 | - d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
363 | 400 | attr-sql plugins (LP 1766240) - no more needed as itisn't enabled. | ||
364 | 401 | - Mass enablement of extra plugins and features to allow a user to use | ||
365 | 402 | strongswan for a variety of extra use cases without having to rebuild. | ||
366 | 403 | + d/control: Add required additional build-deps | ||
367 | 404 | + d/control: Mention addtionally enabled plugins | ||
368 | 405 | + d/rules: Enable features at configure stage | ||
369 | 406 | + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
370 | 407 | + d/libstrongswan.install: Add plugins (so, conf) | ||
371 | 408 | + d/strongswan-starter.install: Install pool feature, which is useful | ||
372 | 409 | since we now have attr-sql plugin enabled it. | ||
373 | 410 | - Enable additional TNC plugins and add them to libcharon-extra-plugins | ||
374 | 411 | |||
375 | 412 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100 | ||
376 | 413 | |||
377 | 85 | strongswan (5.8.1-1) unstable; urgency=medium | 414 | strongswan (5.8.1-1) unstable; urgency=medium |
378 | 86 | 415 | ||
379 | 87 | * d/rules: disable http and stream tests under CI | 416 | * d/rules: disable http and stream tests under CI |
380 | @@ -151,6 +480,99 @@ strongswan (5.8.0-1) unstable; urgency=medium | |||
381 | 151 | 480 | ||
382 | 152 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200 | 481 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200 |
383 | 153 | 482 | ||
384 | 483 | strongswan (5.7.2-1ubuntu3) eoan; urgency=medium | ||
385 | 484 | |||
386 | 485 | * No change rebuild for libmysqlclient21. | ||
387 | 486 | |||
388 | 487 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200 | ||
389 | 488 | |||
390 | 489 | strongswan (5.7.2-1ubuntu2) eoan; urgency=medium | ||
391 | 490 | |||
392 | 491 | * Rebuild against new libjson-c4. | ||
393 | 492 | |||
394 | 493 | -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200 | ||
395 | 494 | |||
396 | 495 | strongswan (5.7.2-1ubuntu1) eoan; urgency=medium | ||
397 | 496 | |||
398 | 497 | [ Christian Ehrhardt ] | ||
399 | 498 | * Merge with Debian unstable. Remaining changes: | ||
400 | 499 | - Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
401 | 500 | - Clean up d/strongswan-starter.postinst: Removed entire section on | ||
402 | 501 | opportunistic encryption disabling - this was never in strongSwan and | ||
403 | 502 | won't be see upstream issue #2160. | ||
404 | 503 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
405 | 504 | debconf-managed config.) | ||
406 | 505 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
407 | 506 | used for debconf-managed include of private key). | ||
408 | 507 | - Mass enablement of extra plugins and features to allow a user to use | ||
409 | 508 | strongswan for a variety of extra use cases without having to rebuild. | ||
410 | 509 | + d/control: Add required additional build-deps | ||
411 | 510 | + d/control: Mention addtionally enabled plugins | ||
412 | 511 | + d/rules: Enable features at configure stage | ||
413 | 512 | + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
414 | 513 | + d/libstrongswan.install: Add plugins (so, conf) | ||
415 | 514 | + d/strongswan-starter.install: Install pool feature, which is useful | ||
416 | 515 | since we now have attr-sql plugin enabled it. | ||
417 | 516 | - Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
418 | 517 | via this userspace implementation (please do note that this is still | ||
419 | 518 | considered experimental by upstream). | ||
420 | 519 | + d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
421 | 520 | + d/control: List kernel-libipsec plugin at extra plugins description | ||
422 | 521 | + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
423 | 522 | upstream recommends to not load kernel-libipsec by default. | ||
424 | 523 | - d/libstrongswan.install: Add kernel-netlink configuration files | ||
425 | 524 | - Complete the disabling of libfast; This was partially accepted in Debian, | ||
426 | 525 | it is no more packaging medcli and medsrv, but still builds and | ||
427 | 526 | mentions it. | ||
428 | 527 | + d/rules: Add --disable-fast to avoid build time and dependencies | ||
429 | 528 | + d/control: Remove medcli, medsrv from package description | ||
430 | 529 | - d/control: Mention mgf1 plugin which is in libstrongswan now | ||
431 | 530 | - Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
432 | 531 | libstrongswan-extra-plugins (no deps from default plugins). | ||
433 | 532 | - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
434 | 533 | plugins for the most common use cases from extra-plugins into a new | ||
435 | 534 | standard-plugins package. This will allow those use cases without pulling | ||
436 | 535 | in too much more plugins (a bit like the tnc package). Recommend that | ||
437 | 536 | package from strongswan-libcharon. | ||
438 | 537 | - d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
439 | 538 | attr-sql plugins (LP #1766240) | ||
440 | 539 | - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) | ||
441 | 540 | - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) | ||
442 | 541 | - executables need to be able to read map and execute themselves otherwise | ||
443 | 542 | execution in some environments e.g. containers is blocked (LP: 1780534) | ||
444 | 543 | + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary | ||
445 | 544 | + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary | ||
446 | 545 | - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor | ||
447 | 546 | profiles of both ways to start charon (LP: 1807664) | ||
448 | 547 | - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) | ||
449 | 548 | * Dropped changes | ||
450 | 549 | - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: | ||
451 | 550 | fix SIGSEGV when using mysql plugin (LP: 1795813) | ||
452 | 551 | [upstream in 5.7.2] | ||
453 | 552 | - d/libstrongswan.install: Reorder conf and .so alphabetically | ||
454 | 553 | [was a non functional change, dropped to avoid merge noise] | ||
455 | 554 | - Relocate tnc plugin | ||
456 | 555 | [TNC is back at libcharon-extra-plugins as it is in Debian] | ||
457 | 556 | * Added changes: | ||
458 | 557 | - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in | ||
459 | 558 | Debian so this part was be dropped. Two changes remain | ||
460 | 559 | - d/control: fix the mentioning of tpmtss in d/control | ||
461 | 560 | - add nttfft (can be merged with the mass enablement change later) | ||
462 | 561 | - Transitional packages to go back from strongswan-tnc-* being in extra | ||
463 | 562 | packages to be part of libcharon-extra-plugins. | ||
464 | 563 | [can be dropped after 20.04] | ||
465 | 564 | |||
466 | 565 | [ Simon Deziel ] | ||
467 | 566 | * Added changes: | ||
468 | 567 | - apparmor fixes for container and root usage (LP: #1826238) | ||
469 | 568 | + d/usr.sbin.swanctl: allow reading own binary | ||
470 | 569 | + d/usr.sbin.charon-systemd: allow accessing the binary | ||
471 | 570 | + d/usr.sbin.swanctl: add attach_disconnected to work inside containers | ||
472 | 571 | + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP | ||
473 | 572 | to apparmor to allow dropping caps | ||
474 | 573 | |||
475 | 574 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200 | ||
476 | 575 | |||
477 | 154 | strongswan (5.7.2-1) unstable; urgency=medium | 576 | strongswan (5.7.2-1) unstable; urgency=medium |
478 | 155 | 577 | ||
479 | 156 | * d/control: remove Rene from Uploaders, thanks! | 578 | * d/control: remove Rene from Uploaders, thanks! |
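Review bot: The Ubuntu entry that closes this hunk (signed 26 Apr 2019) tags the strongswan-tnc-* transitional packages "[can be dropped after 20.04]", and the proposed branch is merge-kinetic, so that expiry has passed. Please confirm that the new top-of-file entry either drops the transitional packages or states why they are still carried. Minor: bug references in the same entry alternate between "LP #1766240" and "LP: 1773956"; if the intent is to keep the upload from re-closing old bugs, a single de-linked form is easier to search for.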
480 | @@ -169,6 +591,86 @@ strongswan (5.7.2-1) unstable; urgency=medium | |||
481 | 169 | 591 | ||
482 | 170 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 | 592 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 |
483 | 171 | 593 | ||
484 | 594 | strongswan (5.7.1-1ubuntu2) disco; urgency=medium | ||
485 | 595 | |||
486 | 596 | * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective | ||
487 | 597 | path (LP: #1773956) | ||
488 | 598 | * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor | ||
489 | 599 | profiles of both ways to start charon (LP: #1807664) | ||
490 | 600 | * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962) | ||
491 | 601 | |||
492 | 602 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100 | ||
493 | 603 | |||
494 | 604 | strongswan (5.7.1-1ubuntu1) disco; urgency=medium | ||
495 | 605 | |||
496 | 606 | * Merge with Debian unstable (LP: #1806401). Remaining changes: | ||
497 | 607 | - Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
498 | 608 | - Clean up d/strongswan-starter.postinst: Removed entire section on | ||
499 | 609 | opportunistic encryption disabling - this was never in strongSwan and | ||
500 | 610 | won't be see upstream issue #2160. | ||
501 | 611 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
502 | 612 | debconf-managed config.) | ||
503 | 613 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
504 | 614 | used for debconf-managed include of private key). | ||
505 | 615 | - Mass enablement of extra plugins and features to allow a user to use | ||
506 | 616 | strongswan for a variety of extra use cases without having to rebuild. | ||
507 | 617 | + d/control: Add required additional build-deps | ||
508 | 618 | + d/control: Mention addtionally enabled plugins | ||
509 | 619 | + d/rules: Enable features at configure stage | ||
510 | 620 | + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
511 | 621 | + d/libstrongswan.install: Add plugins (so, conf) | ||
512 | 622 | - d/strongswan-starter.install: Install pool feature, which is useful since | ||
513 | 623 | we have attr-sql plugin enabled as well using it. | ||
514 | 624 | - Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
515 | 625 | via this userspace implementation (please do note that this is still | ||
516 | 626 | considered experimental by upstream). | ||
517 | 627 | + d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
518 | 628 | + d/control: List kernel-libipsec plugin at extra plugins description | ||
519 | 629 | + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
520 | 630 | upstream recommends to not load kernel-libipsec by default. | ||
521 | 631 | - Relocate tnc plugin | ||
522 | 632 | + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
523 | 633 | + Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
524 | 634 | - d/libstrongswan.install: Reorder conf and .so alphabetically | ||
525 | 635 | - d/libstrongswan.install: Add kernel-netlink configuration files | ||
526 | 636 | - Complete the disabling of libfast; This was partially accepted in Debian, | ||
527 | 637 | it is no more packaging medcli and medsrv, but still builds and | ||
528 | 638 | mentions it. | ||
529 | 639 | + d/rules: Add --disable-fast to avoid build time and dependencies | ||
530 | 640 | + d/control: Remove medcli, medsrv from package description | ||
531 | 641 | - d/control: Mention mgf1 plugin which is in libstrongswan now | ||
532 | 642 | - Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
533 | 643 | libstrongswan-extra-plugins (no deps from default plugins). | ||
534 | 644 | - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
535 | 645 | plugins for the most common use cases from extra-plugins into a new | ||
536 | 646 | standard-plugins package. This will allow those use cases without pulling | ||
537 | 647 | in too much more plugins (a bit like the tnc package). Recommend that | ||
538 | 648 | package from strongswan-libcharon. | ||
539 | 649 | - d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
540 | 650 | attr-sql plugins (LP #1766240) | ||
541 | 651 | - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) | ||
542 | 652 | * Added Changes: | ||
543 | 653 | - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: | ||
544 | 654 | fix SIGSEGV when using mysql plugin (LP: #1795813) | ||
545 | 655 | - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) | ||
546 | 656 | - executables need to be able to read map and execute themselves otherwise | ||
547 | 657 | execution in some environments e.g. containers is blocked (LP: #1780534) | ||
548 | 658 | + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary | ||
549 | 659 | + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary | ||
550 | 660 | - adapt "mass enablement of extra plugins" to match 5.7.x changes | ||
551 | 661 | + d/rules: use new options for swima instead of swid | ||
552 | 662 | + d/strongswan-tnc-server.install: add new sec updater tool | ||
553 | 663 | + d/strongswan-tnc-client.install: add new sw-collector tool | ||
554 | 664 | * Dropped (in Debian now): | ||
555 | 665 | - SECURITY UPDATE: Insufficient input validation in gmp plugin | ||
556 | 666 | (CVE-2018-17540) | ||
557 | 667 | - SECURITY UPDATE: Insufficient input validation in gmp plugin | ||
558 | 668 | (CVE-2018-16151 CVE-2018-16152) | ||
559 | 669 | - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for | ||
560 | 670 | usr-merge, thanks to Christian Ehrhardt. LP #1784023 | ||
561 | 671 | |||
562 | 672 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100 | ||
563 | 673 | |||
564 | 172 | strongswan (5.7.1-1) unstable; urgency=medium | 674 | strongswan (5.7.1-1) unstable; urgency=medium |
565 | 173 | 675 | ||
566 | 174 | [ Ondřej Nový ] | 676 | [ Ondřej Nový ] |
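Review bot: In 5.7.1-1ubuntu1 the "Dropped (in Debian now)" block removes the gmp plugin fixes for CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152 from the delta without recording which version carries them, whereas the previous hunk annotates its dropped mysql patch with "[upstream in 5.7.2]". For security patches, that bracketed version is what lets a later auditor confirm the fix is present without diffing sources, so it is worth checking these three against the 5.7.1-1 source before taking the history on trust.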
567 | @@ -199,6 +701,96 @@ strongswan (5.7.0-1) unstable; urgency=medium | |||
568 | 199 | 701 | ||
569 | 200 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 | 702 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 |
570 | 201 | 703 | ||
571 | 704 | strongswan (5.6.3-1ubuntu5) disco; urgency=medium | ||
572 | 705 | |||
573 | 706 | * No-change rebuild against libunbound8 | ||
574 | 707 | |||
575 | 708 | -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000 | ||
576 | 709 | |||
577 | 710 | strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium | ||
578 | 711 | |||
579 | 712 | * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250) | ||
580 | 713 | Thanks to Matt Callaghan. | ||
581 | 714 | |||
582 | 715 | -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300 | ||
583 | 716 | |||
584 | 717 | strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium | ||
585 | 718 | |||
586 | 719 | * SECURITY UPDATE: Insufficient input validation in gmp plugin | ||
587 | 720 | - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix | ||
588 | 721 | buffer overflow with very small RSA keys in | ||
589 | 722 | src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c. | ||
590 | 723 | - CVE-2018-17540 | ||
591 | 724 | |||
592 | 725 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400 | ||
593 | 726 | |||
594 | 727 | strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium | ||
595 | 728 | |||
596 | 729 | * SECURITY UPDATE: Insufficient input validation in gmp plugin | ||
597 | 730 | - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't | ||
598 | 731 | parse PKCS1 v1.5 RSA signatures to verify them in | ||
599 | 732 | src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c, | ||
600 | 733 | src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. | ||
601 | 734 | - CVE-2018-16151 | ||
602 | 735 | - CVE-2018-16152 | ||
603 | 736 | |||
604 | 737 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400 | ||
605 | 738 | |||
606 | 739 | strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium | ||
607 | 740 | |||
608 | 741 | * Merge with Debian unstable. Remaining changes: | ||
609 | 742 | - Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
610 | 743 | - Clean up d/strongswan-starter.postinst: Removed entire section on | ||
611 | 744 | opportunistic encryption disabling - this was never in strongSwan and | ||
612 | 745 | won't be see upstream issue #2160. | ||
613 | 746 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
614 | 747 | debconf-managed config.) | ||
615 | 748 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
616 | 749 | used for debconf-managed include of private key). | ||
617 | 750 | - Mass enablement of extra plugins and features to allow a user to use | ||
618 | 751 | strongswan for a variety of extra use cases without having to rebuild. | ||
619 | 752 | + d/control: Add required additional build-deps | ||
620 | 753 | + d/control: Mention addtionally enabled plugins | ||
621 | 754 | + d/rules: Enable features at configure stage | ||
622 | 755 | + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
623 | 756 | + d/libstrongswan.install: Add plugins (so, conf) | ||
624 | 757 | - d/strongswan-starter.install: Install pool feature, which is useful since | ||
625 | 758 | we have attr-sql plugin enabled as well using it. | ||
626 | 759 | - Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
627 | 760 | via this userspace implementation (please do note that this is still | ||
628 | 761 | considered experimental by upstream). | ||
629 | 762 | + d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
630 | 763 | + d/control: List kernel-libipsec plugin at extra plugins description | ||
631 | 764 | + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
632 | 765 | upstream recommends to not load kernel-libipsec by default. | ||
633 | 766 | - Relocate tnc plugin | ||
634 | 767 | + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
635 | 768 | + Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
636 | 769 | - d/libstrongswan.install: Reorder conf and .so alphabetically | ||
637 | 770 | - d/libstrongswan.install: Add kernel-netlink configuration files | ||
638 | 771 | - Complete the disabling of libfast; This was partially accepted in Debian, | ||
639 | 772 | it is no more packaging medcli and medsrv, but still builds and | ||
640 | 773 | mentions it. | ||
641 | 774 | + d/rules: Add --disable-fast to avoid build time and dependencies | ||
642 | 775 | + d/control: Remove medcli, medsrv from package description | ||
643 | 776 | - d/control: Mention mgf1 plugin which is in libstrongswan now | ||
644 | 777 | - Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
645 | 778 | libstrongswan-extra-plugins (no deps from default plugins). | ||
646 | 779 | - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
647 | 780 | plugins for the most common use cases from extra-plugins into a new | ||
648 | 781 | standard-plugins package. This will allow those use cases without pulling | ||
649 | 782 | in too much more plugins (a bit like the tnc package). Recommend that | ||
650 | 783 | package from strongswan-libcharon. | ||
651 | 784 | - d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
652 | 785 | attr-sql plugins (LP #1766240) | ||
653 | 786 | - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for | ||
654 | 787 | usr-merge, thanks to Christian Ehrhardt. LP #1784023 | ||
655 | 788 | * Dropped: | ||
656 | 789 | - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) | ||
657 | 790 | [Fixed in 5.6.3-1] | ||
658 | 791 | |||
659 | 792 | -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 | ||
660 | 793 | |||
661 | 202 | strongswan (5.6.3-1) unstable; urgency=medium | 794 | strongswan (5.6.3-1) unstable; urgency=medium |
662 | 203 | 795 | ||
663 | 204 | * New upstream version 5.6.2 | 796 | * New upstream version 5.6.2 |
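Review bot: The usr-merge item in 5.6.3-1ubuntu1 names the file as "d/usr/sbin/charon-systemd", while the items around it, including the Dropped one just below, write "d/usr.sbin.charon-systemd". A search of the changelog for the dotted file name misses this item, which matters when tracing which uploads touched that file. The published text should not be rewritten, but the dotted name is the one to use when this change is listed again.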
664 | @@ -214,6 +806,78 @@ strongswan (5.6.3-1) unstable; urgency=medium | |||
665 | 214 | 806 | ||
666 | 215 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 | 807 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
667 | 216 | 808 | ||
668 | 809 | strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium | ||
669 | 810 | |||
670 | 811 | * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 | ||
671 | 812 | |||
672 | 813 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 | ||
673 | 814 | |||
674 | 815 | strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium | ||
675 | 816 | |||
676 | 817 | * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. | ||
677 | 818 | Remaining changes: | ||
678 | 819 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
679 | 820 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
680 | 821 | opportunistic encryption disabling - this was never in strongSwan and | ||
681 | 822 | won't be see upstream issue #2160. | ||
682 | 823 | + d/rules: Removed patching ipsec.conf on build (not using the | ||
683 | 824 | debconf-managed config.) | ||
684 | 825 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
685 | 826 | used for debconf-managed include of private key). | ||
686 | 827 | + Mass enablement of extra plugins and features to allow a user to use | ||
687 | 828 | strongswan for a variety of extra use cases without having to rebuild. | ||
688 | 829 | - d/control: Add required additional build-deps | ||
689 | 830 | - d/control: Mention addtionally enabled plugins | ||
690 | 831 | - d/rules: Enable features at configure stage | ||
691 | 832 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
692 | 833 | - d/libstrongswan.install: Add plugins (so, conf) | ||
693 | 834 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
694 | 835 | we have attr-sql plugin enabled as well using it. | ||
695 | 836 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
696 | 837 | via this userspace implementation (please do note that this is still | ||
697 | 838 | considered experimental by upstream). | ||
698 | 839 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
699 | 840 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
700 | 841 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
701 | 842 | upstream recommends to not load kernel-libipsec by default. | ||
702 | 843 | + Relocate tnc plugin | ||
703 | 844 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
704 | 845 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
705 | 846 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
706 | 847 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
707 | 848 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
708 | 849 | it is no more packaging medcli and medsrv, but still builds and | ||
709 | 850 | mentions it. | ||
710 | 851 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
711 | 852 | - d/control: Remove medcli, medsrv from package description | ||
712 | 853 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
713 | 854 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
714 | 855 | libstrongswan-extra-plugins (no deps from default plugins). | ||
715 | 856 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
716 | 857 | plugins for the most common use cases from extra-plugins into a new | ||
717 | 858 | standard-plugins package. This will allow those use cases without pulling | ||
718 | 859 | in too much more plugins (a bit like the tnc package). Recommend that | ||
719 | 860 | package from strongswan-libcharon. | ||
720 | 861 | * Dropped Changes (no more needed after 18.04) | ||
721 | 862 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
722 | 863 | missed that, droppable after 18.04) | ||
723 | 864 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
724 | 865 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
725 | 866 | (droppable >18.04). | ||
726 | 867 | + d/control: add breaks/replace from libstrongswan to | ||
727 | 868 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
728 | 869 | (droppable >18.04). | ||
729 | 870 | + d/control: bump breaks/replaces for the move of the updown plugin | ||
730 | 871 | (Missed Changelog entry on last merge) | ||
731 | 872 | + d/control: fix dependencies of strongswan-libcharon due to the move | ||
732 | 873 | the updown plugin (droppable >18.04). | ||
733 | 874 | * Added Changes: | ||
734 | 875 | + d/usr.sbin.charon-systemd: allow to contact mysql for sql and | ||
735 | 876 | attr-sql plugins (LP: #1766240) | ||
736 | 877 | + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) | ||
737 | 878 | |||
738 | 879 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 | ||
739 | 880 | |||
740 | 217 | strongswan (5.6.2-2) unstable; urgency=medium | 881 | strongswan (5.6.2-2) unstable; urgency=medium |
741 | 218 | 882 | ||
742 | 219 | * charon-nm: Fix building list of DNS/MDNS servers with libnm | 883 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
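Review bot: 5.6.2-2ubuntu1 nests its "Remaining changes" with "+" at the top level and "-" underneath, the reverse of the "-" then "+" nesting used by 5.6.3-1ubuntu1 directly above it in the file. Diffing the delta list of one merge against the next is the quickest way to spot a change that was silently lost, and the flipped markers turn every line of that comparison into noise; settling on one nesting for new merge entries avoids this. Nit: "transition from precies" in the rm_conffile item is presumably "precise".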
743 | @@ -224,6 +888,74 @@ strongswan (5.6.2-2) unstable; urgency=medium | |||
744 | 224 | 888 | ||
745 | 225 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 | 889 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
746 | 226 | 890 | ||
747 | 891 | strongswan (5.6.2-1ubuntu2) bionic; urgency=medium | ||
748 | 892 | |||
749 | 893 | * d/control: fix dependencies of strongswan-libcharon due to the move | ||
750 | 894 | the updown plugin. | ||
751 | 895 | |||
752 | 896 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 | ||
753 | 897 | |||
754 | 898 | strongswan (5.6.2-1ubuntu1) bionic; urgency=medium | ||
755 | 899 | |||
756 | 900 | * Merge with Debian unstable (LP: #1753018). Remaining changes: | ||
757 | 901 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
758 | 902 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
759 | 903 | opportunistic encryption disabling - this was never in strongSwan and | ||
760 | 904 | won't be see upstream issue #2160. | ||
761 | 905 | + Ubuntu is not using the debconf triggered private key generation | ||
762 | 906 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
763 | 907 | debconf-managed config.) | ||
764 | 908 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
765 | 909 | used for debconf-managed include of private key). | ||
766 | 910 | + Mass enablement of extra plugins and features to allow a user to use | ||
767 | 911 | strongswan for a variety of extra use cases without having to rebuild. | ||
768 | 912 | - d/control: Add required additional build-deps | ||
769 | 913 | - d/control: Mention addtionally enabled plugins | ||
770 | 914 | - d/rules: Enable features at configure stage | ||
771 | 915 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
772 | 916 | - d/libstrongswan.install: Add plugins (so, conf) | ||
773 | 917 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
774 | 918 | we have attr-sql plugin enabled as well using it. | ||
775 | 919 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
776 | 920 | via this userspace implementation (please do note that this is still | ||
777 | 921 | considered experimental by upstream). | ||
778 | 922 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
779 | 923 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
780 | 924 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
781 | 925 | upstream recommends to not load kernel-libipsec by default. | ||
782 | 926 | + Relocate tnc plugin | ||
783 | 927 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
784 | 928 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
785 | 929 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
786 | 930 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
787 | 931 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
788 | 932 | it is no more packaging medcli and medsrv, but still builds and | ||
789 | 933 | mentions it. | ||
790 | 934 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
791 | 935 | - d/control: Remove medcli, medsrv from package description | ||
792 | 936 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
793 | 937 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
794 | 938 | libstrongswan-extra-plugins (no deps from default plugins). | ||
795 | 939 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
796 | 940 | missed that, droppable after 18.04) | ||
797 | 941 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
798 | 942 | plugins for the most common use cases from extra-plugins into a new | ||
799 | 943 | standard-plugins package. This will allow those use cases without pulling | ||
800 | 944 | in too much more plugins (a bit like the tnc package). Recommend that | ||
801 | 945 | package from strongswan-libcharon. | ||
802 | 946 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
803 | 947 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
804 | 948 | (droppable >18.04). | ||
805 | 949 | + d/control: add breaks/replace from libstrongswan to | ||
806 | 950 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
807 | 951 | (droppable >18.04). | ||
808 | 952 | * Added Changes: | ||
809 | 953 | + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- | ||
810 | 954 | starter as we followed Debian to move the updown plugin but need to | ||
811 | 955 | match Ubuntu versions (Droppable >18.04). | ||
812 | 956 | |||
813 | 957 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 | ||
814 | 958 | |||
815 | 227 | strongswan (5.6.2-1) unstable; urgency=medium | 959 | strongswan (5.6.2-1) unstable; urgency=medium |
816 | 228 | 960 | ||
817 | 229 | * d/NEWS: add information about disabled algorithms (closes: #883072) | 961 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
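Review bot: The mass-enablement list in 5.6.2-1ubuntu1 refers to "d/libbstrongswan-extra-plugins.install" with a doubled "b", although the same entry spells the package libstrongswan-extra-plugins in its other items. The Added Changes item also wraps a package name as "strongswan-" at the end of one line and "starter" on the next, so a search for strongswan-starter does not match it. Neither affects the build, but both hide these items from anyone grepping the changelog by file or package name; keeping names unbroken and correctly spelled in the entry this merge adds is enough.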
818 | @@ -246,6 +978,129 @@ strongswan (5.6.1-3) unstable; urgency=medium | |||
819 | 246 | 978 | ||
820 | 247 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 | 979 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
821 | 248 | 980 | ||
822 | 981 | strongswan (5.6.1-2ubuntu4) bionic; urgency=medium | ||
823 | 982 | |||
824 | 983 | * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature | ||
825 | 984 | - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm | ||
826 | 985 | identifier without parameters in | ||
827 | 986 | src/libstrongswan/credentials/keys/signature_params.c. | ||
828 | 987 | - CVE-2018-6459 | ||
829 | 988 | |||
830 | 989 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 | ||
831 | 990 | |||
832 | 991 | strongswan (5.6.1-2ubuntu3) bionic; urgency=medium | ||
833 | 992 | |||
834 | 993 | * No-change rebuild against libcurl4 | ||
835 | 994 | |||
836 | 995 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 | ||
837 | 996 | |||
838 | 997 | strongswan (5.6.1-2ubuntu2) bionic; urgency=high | ||
839 | 998 | |||
840 | 999 | * No change rebuild against openssl1.1. | ||
841 | 1000 | |||
842 | 1001 | -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 | ||
843 | 1002 | |||
844 | 1003 | strongswan (5.6.1-2ubuntu1) bionic; urgency=medium | ||
845 | 1004 | |||
846 | 1005 | * Merge with Debian unstable (LP: #1717343). | ||
847 | 1006 | Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: | ||
848 | 1007 | + Clean up d/strongswan-starter.postinst: section about runlevel changes | ||
849 | 1008 | + Clean up d/strongswan-starter.postinst: Removed entire section on | ||
850 | 1009 | opportunistic encryption disabling - this was never in strongSwan and | ||
851 | 1010 | won't be see upstream issue #2160. | ||
852 | 1011 | + Ubuntu is not using the debconf triggered private key generation | ||
853 | 1012 | - d/rules: Removed patching ipsec.conf on build (not using the | ||
854 | 1013 | debconf-managed config.) | ||
855 | 1014 | - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was | ||
856 | 1015 | used for debconf-managed include of private key). | ||
857 | 1016 | + Mass enablement of extra plugins and features to allow a user to use | ||
858 | 1017 | strongswan for a variety of extra use cases without having to rebuild. | ||
859 | 1018 | - d/control: Add required additional build-deps | ||
860 | 1019 | - d/control: Mention addtionally enabled plugins | ||
861 | 1020 | - d/rules: Enable features at configure stage | ||
862 | 1021 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
863 | 1022 | - d/libstrongswan.install: Add plugins (so, conf) | ||
864 | 1023 | + d/strongswan-starter.install: Install pool feature, which is useful since | ||
865 | 1024 | we have attr-sql plugin enabled as well using it. | ||
866 | 1025 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
867 | 1026 | via this userspace implementation (please do note that this is still | ||
868 | 1027 | considered experimental by upstream). | ||
869 | 1028 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
870 | 1029 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
871 | 1030 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
872 | 1031 | upstream recommends to not load kernel-libipsec by default. | ||
873 | 1032 | + Relocate tnc plugin | ||
874 | 1033 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
875 | 1034 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
876 | 1035 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
877 | 1036 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
878 | 1037 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
879 | 1038 | it is no more packaging medcli and medsrv, but still builds and | ||
880 | 1039 | mentions it. | ||
881 | 1040 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
882 | 1041 | - d/control: Remove medcli, medsrv from package description | ||
883 | 1042 | + d/control: Mention mgf1 plugin which is in libstrongswan now | ||
884 | 1043 | + Add now built (since 5.5.1) libraries libtpmtss and nttfft to | ||
885 | 1044 | libstrongswan-extra-plugins (no deps from default plugins). | ||
886 | 1045 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
887 | 1046 | missed that, droppable after 18.04) | ||
888 | 1047 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
889 | 1048 | plugins for the most common use cases from extra-plugins into a new | ||
890 | 1049 | standard-plugins package. This will allow those use cases without pulling | ||
891 | 1050 | in too much more plugins (a bit like the tnc package). Recommend that | ||
892 | 1051 | package from strongswan-libcharon. | ||
893 | 1052 | * Added changes: | ||
894 | 1053 | + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed | ||
895 | 1054 | in 5.6 | ||
896 | 1055 | + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed | ||
897 | 1056 | + d/control: bump breaks/replaces from libstrongswan-extra-plugins to | ||
898 | 1057 | libstrongswan as we dropped relocating ccm and test-vectors. | ||
899 | 1058 | (droppable >18.04). | ||
900 | 1059 | - d/control: add breaks/replace from libstrongswan to | ||
901 | 1060 | libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. | ||
902 | 1061 | (droppable >18.04). | ||
903 | 1062 | * Dropped changes: | ||
904 | 1063 | + Update init/service handling (debian default matches Ubuntu past now) | ||
905 | 1064 | Dropping this fixes (LP: #1734886) | ||
906 | 1065 | - d/rules: Change init/systemd program name to strongswan | ||
907 | 1066 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
908 | 1067 | patching upstream | ||
909 | 1068 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
910 | 1069 | linking to upstream | ||
911 | 1070 | + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call | ||
912 | 1071 | (this is a never failing no-op for us, no need for Delta). | ||
913 | 1072 | + d/strongswan-starter.prerm: Stop strongswan service on package removal | ||
914 | 1073 | (ipsec now maps to strongswan service, so this works as-is). | ||
915 | 1074 | + Clean up d/strongswan-starter.postinst: rename service ipsec to | ||
916 | 1075 | strongswan (ipsec now maps to strongswan service, so this works as-is) | ||
917 | 1076 | + Clean up d/strongswan-starter.postinst: daemon enable/disable (the | ||
918 | 1077 | whole section is disabled, so no need for delta) | ||
919 | 1078 | + (is upstream) CVE-2017-11185 patches | ||
920 | 1079 | + (is upstream) FTBFS upstream fix for changed include files | ||
921 | 1080 | + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under | ||
922 | 1081 | QEMU/KVM autopkgtest the bliss test takes longer than the default | ||
923 | 1082 | + (in Debian) add now built (since 5.5.1) mgf1 plugin to | ||
924 | 1083 | libstrongswan-extra-plugins. | ||
925 | 1084 | + (in Debian) d/strongswan-starter.install: install stroke apparmor profile | ||
926 | 1085 | + (this was enabled as part of the former delta, squash changes to no-up) | ||
927 | 1086 | d/rules: Disable duplicheck. | ||
928 | 1087 | + (not needed) Relocate plugins test-vectors from extra-plugins to | ||
929 | 1088 | libstrongswan | ||
930 | 1089 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
931 | 1090 | - d/libstrongswan.install: Add plugins/confiles | ||
932 | 1091 | - d/control: move package descriptions and add required breaks/replaces | ||
933 | 1092 | + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan | ||
934 | 1093 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
935 | 1094 | - d/libstrongswan.install: Add plugins/confiles | ||
936 | 1095 | - d/control: move package descriptions and add required breaks/replaces | ||
937 | 1096 | + (while using it requires special kernel, it does not hurt to be | ||
938 | 1097 | available in the package) Remove ha plugin | ||
939 | 1098 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
940 | 1099 | - d/rules: Do not enable ha plugin | ||
941 | 1100 | - d/control: Drop listing the ha plugin in the package description | ||
942 | 1101 | |||
943 | 1102 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 | ||
944 | 1103 | |||
945 | 249 | strongswan (5.6.1-2) unstable; urgency=medium | 1104 | strongswan (5.6.1-2) unstable; urgency=medium |
946 | 250 | 1105 | ||
947 | 251 | * move counters plugin from -starter to -libcharon. closes: #882431 | 1106 | * move counters plugin from -starter to -libcharon. closes: #882431 |
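Review bot: the entry that closes at new line 1102 still lists delta items marked as temporary: "droppable after 18.04" on the rm_conffile for /etc/init.d/ipsec (new lines 1045-1046) and "droppable >18.04" on both libstrongswan breaks/replaces changes (1056-1061). This proposal targets kinetic, so please confirm against the packaging files in this diff that these items are no longer carried, or state in the new top changelog entry why they are kept. The historical wording itself should stay as published.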
948 | @@ -332,6 +1187,213 @@ strongswan (5.5.2-1) experimental; urgency=medium | |||
949 | 332 | 1187 | ||
950 | 333 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 | 1188 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
951 | 334 | 1189 | ||
952 | 1190 | strongswan (5.5.1-4ubuntu3) bionic; urgency=medium | ||
953 | 1191 | |||
954 | 1192 | * Fix Artful FTBFS due to newer glibc (LP: #1724859) | ||
955 | 1193 | - d/p/utils-Include-stdint.h.patch: upstream fix for changed include | ||
956 | 1194 | files. | ||
957 | 1195 | |||
958 | 1196 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 | ||
959 | 1197 | |||
960 | 1198 | strongswan (5.5.1-4ubuntu2) artful; urgency=medium | ||
961 | 1199 | |||
962 | 1200 | * SECURITY UPDATE: Fix RSA signature verification | ||
963 | 1201 | - debian/patches/CVE-2017-11185.patch: does some | ||
964 | 1202 | verifications in order to avoid null-point dereference | ||
965 | 1203 | in src/libstrongswan/gmp/gmp_rsa_public_key.c | ||
966 | 1204 | - CVE-2017-11185 | ||
967 | 1205 | |||
968 | 1206 | -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 | ||
969 | 1207 | |||
970 | 1208 | strongswan (5.5.1-4ubuntu1) artful; urgency=medium | ||
971 | 1209 | |||
972 | 1210 | * Merge from Debian to pick up latest security changes (CVE-2017-9022, | ||
973 | 1211 | CVE-2017-9023). | ||
974 | 1212 | * Remaining Changes: | ||
975 | 1213 | + Update init/service handling | ||
976 | 1214 | - d/rules: Change init/systemd program name to strongswan | ||
977 | 1215 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
978 | 1216 | patching upstream | ||
979 | 1217 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
980 | 1218 | linking to upstream | ||
981 | 1219 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
982 | 1220 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
983 | 1221 | removal (as opposed to using the old init.d script). | ||
984 | 1222 | + Clean up d/strongswan-starter.postinst: | ||
985 | 1223 | - Removed section about runlevel changes | ||
986 | 1224 | - Adapted service restart section for Upstart (kept to be Trusty | ||
987 | 1225 | backportable). | ||
988 | 1226 | - Remove old symlinks to init.d files is necessary. | ||
989 | 1227 | - Removed further out-dated code | ||
990 | 1228 | - Removed entire section on opportunistic encryption - this was never in | ||
991 | 1229 | strongSwan. | ||
992 | 1230 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
993 | 1231 | + Mass enablement of extra plugins and features to allow a user to use | ||
994 | 1232 | strongswan for a variety of use cases without having to rebuild. | ||
995 | 1233 | - d/control: Add required additional build-deps | ||
996 | 1234 | - d/rules: Enable features at configure stage | ||
997 | 1235 | - d/control: Mention addtionally enabled plugins | ||
998 | 1236 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
999 | 1237 | - d/libstrongswan.install: Add plugins (so, conf) | ||
1000 | 1238 | + d/rules: Disable duplicheck as per | ||
1001 | 1239 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
1002 | 1240 | + Remove ha plugin (requires special kernel) | ||
1003 | 1241 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
1004 | 1242 | - d/rules: Do not enable ha plugin | ||
1005 | 1243 | - d/control: Drop listing the ha plugin in the package description | ||
1006 | 1244 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
1007 | 1245 | via this userspace implementation (please do note that this is still | ||
1008 | 1246 | considered experimental by upstream). | ||
1009 | 1247 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
1010 | 1248 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
1011 | 1249 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
1012 | 1250 | upstream recommends to not load kernel-libipsec by default. | ||
1013 | 1251 | + Relocate tnc plugin | ||
1014 | 1252 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
1015 | 1253 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
1016 | 1254 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
1017 | 1255 | having attr-sql plugin that is enabled now. | ||
1018 | 1256 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
1019 | 1257 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
1020 | 1258 | - d/libstrongswan.install: Add plugins/confiles | ||
1021 | 1259 | - d/control: move package descriptions and add required breaks/replaces | ||
1022 | 1260 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
1023 | 1261 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
1024 | 1262 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
1025 | 1263 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
1026 | 1264 | autopkgtest the bliss test takes longer than the default (Upstream in | ||
1027 | 1265 | 5.5.2 via issue 2204) | ||
1028 | 1266 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
1029 | 1267 | it is no more packaging medcli and medsrv, but still builds and | ||
1030 | 1268 | mentions it. | ||
1031 | 1269 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
1032 | 1270 | - d/control: Remove medcli, medsrv from package description | ||
1033 | 1271 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
1034 | 1272 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
1035 | 1273 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
1036 | 1274 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
1037 | 1275 | libstrongswan-extra-plugins. | ||
1038 | 1276 | + Add missing mention of md4 plugin in d/control | ||
1039 | 1277 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
1040 | 1278 | missed that) | ||
1041 | 1279 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
1042 | 1280 | plugins for the most common use cases from extra-plugins into a new | ||
1043 | 1281 | standard-plugins package. This will allow those use cases without pulling | ||
1044 | 1282 | in too much more plugins (a bit like the tnc package). Recommend that | ||
1045 | 1283 | package from strongswan-libcharon. | ||
1046 | 1284 | |||
1047 | 1285 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 | ||
1048 | 1286 | |||
1049 | 1287 | strongswan (5.5.1-3ubuntu1) artful; urgency=medium | ||
1050 | 1288 | |||
1051 | 1289 | * Merge from Debian to pick up latest changes. Among others this includes: | ||
1052 | 1290 | - a lot of the Delta we upstreamed to Debian (more discussions are ongoing | ||
1053 | 1291 | but likely have to wait until Debian stretch was released) | ||
1054 | 1292 | - enabling mediation support (LP: #1657413) | ||
1055 | 1293 | * Remaining Changes: | ||
1056 | 1294 | + Update init/service handling | ||
1057 | 1295 | - d/rules: Change init/systemd program name to strongswan | ||
1058 | 1296 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
1059 | 1297 | patching upstream | ||
1060 | 1298 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
1061 | 1299 | linking to upstream | ||
1062 | 1300 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
1063 | 1301 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
1064 | 1302 | removal (as opposed to using the old init.d script). | ||
1065 | 1303 | + Clean up d/strongswan-starter.postinst: | ||
1066 | 1304 | - Removed section about runlevel changes | ||
1067 | 1305 | - Adapted service restart section for Upstart (kept to be Trusty | ||
1068 | 1306 | backportable). | ||
1069 | 1307 | - Remove old symlinks to init.d files is necessary. | ||
1070 | 1308 | - Removed further out-dated code | ||
1071 | 1309 | - Removed entire section on opportunistic encryption - this was never in | ||
1072 | 1310 | strongSwan. | ||
1073 | 1311 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
1074 | 1312 | + Mass enablement of extra plugins and features to allow a user to use | ||
1075 | 1313 | strongswan for a variety of use cases without having to rebuild. | ||
1076 | 1314 | - d/control: Add required additional build-deps | ||
1077 | 1315 | - d/rules: Enable features at configure stage | ||
1078 | 1316 | - d/control: Mention addtionally enabled plugins | ||
1079 | 1317 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
1080 | 1318 | - d/libstrongswan.install: Add plugins (so, conf) | ||
1081 | 1319 | + d/rules: Disable duplicheck as per | ||
1082 | 1320 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
1083 | 1321 | + Remove ha plugin (requires special kernel) | ||
1084 | 1322 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
1085 | 1323 | - d/rules: Do not enable ha plugin | ||
1086 | 1324 | - d/control: Drop listing the ha plugin in the package description | ||
1087 | 1325 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
1088 | 1326 | via this userspace implementation (please do note that this is still | ||
1089 | 1327 | considered experimental by upstream). | ||
1090 | 1328 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
1091 | 1329 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
1092 | 1330 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
1093 | 1331 | upstream recommends to not load kernel-libipsec by default. | ||
1094 | 1332 | + Relocate tnc plugin | ||
1095 | 1333 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
1096 | 1334 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
1097 | 1335 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
1098 | 1336 | having attr-sql plugin that is enabled now. | ||
1099 | 1337 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
1100 | 1338 | - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles | ||
1101 | 1339 | - d/libstrongswan.install: Add plugins/confiles | ||
1102 | 1340 | - d/control: move package descriptions and add required breaks/replaces | ||
1103 | 1341 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
1104 | 1342 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
1105 | 1343 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
1106 | 1344 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
1107 | 1345 | autopkgtest the bliss test takes longer than the default (Upstream in | ||
1108 | 1346 | 5.5.2 via issue 2204) | ||
1109 | 1347 | + Complete the disabling of libfast; This was partially accepted in Debian, | ||
1110 | 1348 | it is no more packaging medcli and medsrv, but still builds and | ||
1111 | 1349 | mentions it. | ||
1112 | 1350 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
1113 | 1351 | - d/control: Remove medcli, medsrv from package description | ||
1114 | 1352 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
1115 | 1353 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
1116 | 1354 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
1117 | 1355 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
1118 | 1356 | libstrongswan-extra-plugins. | ||
1119 | 1357 | + Add missing mention of md4 plugin in d/control | ||
1120 | 1358 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
1121 | 1359 | missed that) | ||
1122 | 1360 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
1123 | 1361 | plugins for the most common use cases from extra-plugins into a new | ||
1124 | 1362 | standard-plugins package. This will allow those use cases without pulling | ||
1125 | 1363 | in too much more plugins (a bit like the tnc package). Recommend that | ||
1126 | 1364 | package from strongswan-libcharon. | ||
1127 | 1365 | * Dropped Changes: | ||
1128 | 1366 | + Add and install apparmor profiles (in Debian) | ||
1129 | 1367 | - d/rules: Install AppArmor profiles | ||
1130 | 1368 | - d/control: Add dh-apparmor build-dep | ||
1131 | 1369 | - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles | ||
1132 | 1370 | for charon, lookip and stroke | ||
1133 | 1371 | - d/libcharon-extra-plugins.install: Install profile for lookip | ||
1134 | 1372 | - d/strongswan-charon.install: Install profile for charon | ||
1135 | 1373 | - d/strongswan-starter.install: Install profile for stroke | ||
1136 | 1374 | - Fix strongswan ipsec status issue with apparmor | ||
1137 | 1375 | - Fix Dep8 tests for the now extra strongswan-pki package for pki | ||
1138 | 1376 | - Fix Dep8 tests for the now extra strongswan-scepclient package | ||
1139 | 1377 | + d/rules: Sorted and only one enable option per configure line (in | ||
1140 | 1378 | Debian) | ||
1141 | 1379 | + Add updated logcheck rules (in Debian) | ||
1142 | 1380 | - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files | ||
1143 | 1381 | - debian/strongswan.logcheck: Add updated logcheck rules | ||
1144 | 1382 | + Add updated DEP8 tests (in Debian) | ||
1145 | 1383 | - d/tests/*: Add DEP8 tests | ||
1146 | 1384 | - d/control: Enable autotestpkg | ||
1147 | 1385 | + d/rules: do not strip for library integrity checking (After Discussion | ||
1148 | 1386 | with Debian this isn't acceptable there, but at the same time it turned | ||
1149 | 1387 | out the real use-case of this never uses this lib but instead third | ||
1150 | 1388 | party checks of checksums for e.g. FIPS cert; so drop the Delta) | ||
1151 | 1389 | - Use override_dh_strip to to avoid overwriting user build flags. | ||
1152 | 1390 | - Add missing mention of libchecksum integrity test in d/control | ||
1153 | 1391 | + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths | ||
1154 | 1392 | in tests to avoid issues in low entropy environments. (Debian has | ||
1155 | 1393 | disabled !x86 tests for the same reason, one solution is enough) | ||
1156 | 1394 | |||
1157 | 1395 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 | ||
1158 | 1396 | |||
1159 | 335 | strongswan (5.5.1-3) unstable; urgency=medium | 1397 | strongswan (5.5.1-3) unstable; urgency=medium |
1160 | 336 | 1398 | ||
1161 | 337 | [ Christian Ehrhardt ] | 1399 | [ Christian Ehrhardt ] |
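Review bot: new lines 1236 and 1317 name d/libbstrongswan-extra-plugins.install (double "b"), while lines 1257 and 1338 of the same entries use d/libstrongswan-extra-plugins.install. The same restored block also has "addtionally" (1235, 1316), "precies" (1277, 1358) and "null-point dereference" in the CVE-2017-11185 entry (1202). These are published entries, so do not correct them here, but please confirm that this range is byte-identical to the changelog of the last Ubuntu upload rather than retyped, so that the record of the CVE-2017-11185 security upload and the CVE-2017-9022/CVE-2017-9023 merge is unchanged.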
1162 | @@ -365,6 +1427,136 @@ strongswan (5.5.1-2) unstable; urgency=medium | |||
1163 | 365 | 1427 | ||
1164 | 366 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 | 1428 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
1165 | 367 | 1429 | ||
1166 | 1430 | strongswan (5.5.1-1ubuntu2) zesty; urgency=medium | ||
1167 | 1431 | |||
1168 | 1432 | * Update Maintainers which was missed while merging 5.5.1-1. | ||
1169 | 1433 | |||
1170 | 1434 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 | ||
1171 | 1435 | |||
1172 | 1436 | strongswan (5.5.1-1ubuntu1) zesty; urgency=medium | ||
1173 | 1437 | |||
1174 | 1438 | * Merge from Debian (complex delta, discussions and broken out changes can be | ||
1175 | 1439 | found in the merge proposal linked from the merge bug LP: #1631198) | ||
1176 | 1440 | * Remaining Changes: | ||
1177 | 1441 | + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity | ||
1178 | 1442 | checking. | ||
1179 | 1443 | + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths | ||
1180 | 1444 | in tests to avoid issues in low entropy environments. | ||
1181 | 1445 | + Update init/service handling | ||
1182 | 1446 | - d/rules: Change init/systemd program name to strongswan | ||
1183 | 1447 | - d/strongswan-starter.strongswan.service: Add new systemd file instead of | ||
1184 | 1448 | patching upstream | ||
1185 | 1449 | - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of | ||
1186 | 1450 | linking to upstream | ||
1187 | 1451 | - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
1188 | 1452 | - d/strongswan-starter.prerm: Stop strongswan service on package | ||
1189 | 1453 | removal (as opposed to using the old init.d script). | ||
1190 | 1454 | + Clean up d/strongswan-starter.postinst: | ||
1191 | 1455 | - Removed section about runlevel changes | ||
1192 | 1456 | - Adapted service restart section for Upstart (kept to be Trusty | ||
1193 | 1457 | backportable). | ||
1194 | 1458 | - Remove old symlinks to init.d files is necessary. | ||
1195 | 1459 | - Removed further out-dated code | ||
1196 | 1460 | - Removed entire section on opportunistic encryption - this was never in | ||
1197 | 1461 | strongSwan. | ||
1198 | 1462 | + Add and install apparmor profiles | ||
1199 | 1463 | - d/rules: Install AppArmor profiles | ||
1200 | 1464 | - d/control: Add dh-apparmor build-dep | ||
1201 | 1465 | - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles | ||
1202 | 1466 | for charon, lookip and stroke | ||
1203 | 1467 | - d/libcharon-extra-plugins.install: Install profile for lookip | ||
1204 | 1468 | - d/strongswan-charon.install: Install profile for charon | ||
1205 | 1469 | - d/strongswan-starter.install: Install profile for stroke | ||
1206 | 1470 | + d/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
1207 | 1471 | + d/rules: Sorted and only one enable option per configure line | ||
1208 | 1472 | + Mass enablement of extra plugins and features to allow a user to use | ||
1209 | 1473 | strongswan for a variety of use cases without having to rebuild. | ||
1210 | 1474 | - d/control: Add required additional build-deps | ||
1211 | 1475 | - d/rules: Enable features at configure stage | ||
1212 | 1476 | - d/control: Mention addtionally enabled plugins | ||
1213 | 1477 | - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) | ||
1214 | 1478 | - d/libstrongswan.install: Add plugins (so, conf) | ||
1215 | 1479 | + d/rules: Disable duplicheck as per | ||
1216 | 1480 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
1217 | 1481 | + Remove ha plugin (requires special kernel) | ||
1218 | 1482 | - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) | ||
1219 | 1483 | - d/rules: Do not enable ha plugin | ||
1220 | 1484 | - d/control: Drop listing the ha plugin in the package description | ||
1221 | 1485 | + Add plugin kernel-libipsec to allow the use of strongswan in containers | ||
1222 | 1486 | via this userspace implementation (please do note that this is still | ||
1223 | 1487 | considered experimental by upstream). | ||
1224 | 1488 | - d/libcharon-extra-plugins.install: Add kernel-libipsec components | ||
1225 | 1489 | - d/control: List kernel-libipsec plugin at extra plugins description | ||
1226 | 1490 | - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As | ||
1227 | 1491 | upstream recommends to not load kernel-libipsec by default. | ||
1228 | 1492 | + Relocate tnc plugin | ||
1229 | 1493 | - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins | ||
1230 | 1494 | - Add new subpackage for TNC in d/strongswan-tnc-* and d/control | ||
1231 | 1495 | + d/strongswan-starter.install: Install pool feature, that useful due to | ||
1232 | 1496 | having attr-sql plugin that is enabled now. | ||
1233 | 1497 | + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan | ||
1234 | 1498 | - d/libstrongswan-extra-plugins.install: Remove plugins | ||
1235 | 1499 | - d/libstrongswan.install: Add plugins | ||
1236 | 1500 | + d/libstrongswan.install: Reorder conf and .so alphabetically | ||
1237 | 1501 | + d/libstrongswan.install: Add kernel-netlink configuration files | ||
1238 | 1502 | + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
1239 | 1503 | + Add updated logcheck rules | ||
1240 | 1504 | - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files | ||
1241 | 1505 | - debian/strongswan.logcheck: Add updated logcheck rules | ||
1242 | 1506 | + Add updated DEP8 tests | ||
1243 | 1507 | - d/tests/*: Add DEP8 tests | ||
1244 | 1508 | - d/control: Enable autotestpkg | ||
1245 | 1509 | + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM | ||
1246 | 1510 | autopkgtest the bliss test takes longer than the default | ||
1247 | 1511 | + Complete the disabling of libfast | ||
1248 | 1512 | - Note: This was partially accepted in Debian, it is no more | ||
1249 | 1513 | packaging medcli and medsrv, but still builds and mentions it | ||
1250 | 1514 | - d/rules: Add --disable-fast to avoid build time and dependencies | ||
1251 | 1515 | - d/control: Remove medcli, medsrv from package description | ||
1252 | 1516 | * Dropped Changes: | ||
1253 | 1517 | + Adding build-dep to iptables-dev (no change, was only in Changelog) | ||
1254 | 1518 | + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) | ||
1255 | 1519 | + Adding strongswan-plugin-* virtual packages for dist-upgrade (no | ||
1256 | 1520 | upgrade path left needing them) | ||
1257 | 1521 | + Most of "disabling libfast" (Debian dropped it from package content) | ||
1258 | 1522 | + Transition for ipsec service (no upgrade path left) | ||
1259 | 1523 | + Reverted part of the cleanup to d/strongswan-starter.postinst as using | ||
1260 | 1524 | service should rather use invoke-rc.d (so it is a partial revert of our | ||
1261 | 1525 | delta) | ||
1262 | 1526 | + Transition handling (breaks/replaces) from per-plugin packages to the | ||
1263 | 1527 | three grouped plugin packages (no upgrade path left) | ||
1264 | 1528 | + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" | ||
1265 | 1529 | it is effectively a no-op still, so not worth the delta) | ||
1266 | 1530 | + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise | ||
1267 | 1531 | (no more needed) | ||
1268 | 1532 | + d/rules: Remove configure option --enable-unit-test (unit tests run by | ||
1269 | 1533 | default) | ||
1270 | 1534 | * Added Changes: | ||
1271 | 1535 | + Fix strongswan ipsec status issue with apparmor (LP: #1587886) | ||
1272 | 1536 | + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup | ||
1273 | 1537 | the relocation of the ccm plugin which missed to move the conffiles. | ||
1274 | 1538 | + Complete move of test-vectors (was missing in d/control) | ||
1275 | 1539 | + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. | ||
1276 | 1540 | "only" to extra-plugins Mgf1 is not listed as default plugin at | ||
1277 | 1541 | https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. | ||
1278 | 1542 | + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to | ||
1279 | 1543 | libstrongswan-extra-plugins. | ||
1280 | 1544 | + Add missing mention of md4 plugin in d/control | ||
1281 | 1545 | + Add missing mention of libchecksum integrity test in d/control | ||
1282 | 1546 | + Add rm_conffile for /etc/init.d/ipsec (transition from precies had | ||
1283 | 1547 | missed that) | ||
1284 | 1548 | + Use override_dh_strip to to fix library integrity checking instead of | ||
1285 | 1549 | DEB_BUILD_OPTION to avoid overwriting user build flags. | ||
1286 | 1550 | + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon | ||
1287 | 1551 | plugins for the most common use cases from extra-plugins into a new | ||
1288 | 1552 | standard-plugins package. This will allow those use cases without pulling | ||
1289 | 1553 | in too much more plugins (a bit like the tnc package). Recommend that | ||
1290 | 1554 | package from strongswan-libcharon (LP: #1640826). | ||
1291 | 1555 | + Fix Dep8 tests for the now extra strongswan-pki package for pki | ||
1292 | 1556 | + Fix Dep8 tests for the now extra strongswan-scepclient package | ||
1293 | 1557 | |||
1294 | 1558 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 | ||
1295 | 1559 | |||
1296 | 368 | strongswan (5.5.1-1) unstable; urgency=medium | 1560 | strongswan (5.5.1-1) unstable; urgency=medium |
1297 | 369 | 1561 | ||
1298 | 370 | * New upstream bugfix release. | 1562 | * New upstream bugfix release. |
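Review bot: the 5.5.1-1ubuntu1 entry describes the strip handling twice, in ways that disagree. "Remaining Changes" (new lines 1441-1442) says "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while "Added Changes" (1548-1549) says "Use override_dh_strip to to fix library integrity checking instead of DEB_BUILD_OPTION". Anyone auditing the delta from this entry has to guess which one shipped. The published text should not be edited, but the merge description could note that the override_dh_strip form is the one to read as effective and that 5.5.1-3ubuntu1 (new lines 1385-1390) drops it.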
1299 | @@ -481,6 +1673,177 @@ strongswan (5.3.5-2) unstable; urgency=medium | |||
1300 | 481 | 1673 | ||
1301 | 482 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 | 1674 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
1302 | 483 | 1675 | ||
1303 | 1676 | strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium | ||
1304 | 1677 | |||
1305 | 1678 | * Build-depend on libjson-c-dev instead of libjson0-dev. | ||
1306 | 1679 | * Rebuild against libjson-c3. | ||
1307 | 1680 | |||
1308 | 1681 | -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 | ||
1309 | 1682 | |||
1310 | 1683 | strongswan (5.3.5-1ubuntu3) xenial; urgency=medium | ||
1311 | 1684 | |||
1312 | 1685 | * Rebuild against libmysqlclient20. | ||
1313 | 1686 | |||
1314 | 1687 | -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 | ||
1315 | 1688 | |||
1316 | 1689 | strongswan (5.3.5-1ubuntu2) xenial; urgency=medium | ||
1317 | 1690 | |||
1318 | 1691 | * debian/tests/plugins: rdrand may or may not be loaded, depending on the | ||
1319 | 1692 | cpu features. | ||
1320 | 1693 | |||
1321 | 1694 | -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 | ||
1322 | 1695 | |||
1323 | 1696 | strongswan (5.3.5-1ubuntu1) xenial; urgency=medium | ||
1324 | 1697 | |||
1325 | 1698 | * debian/{rules,control,libstrongswan-extra-plugins.install} | ||
1326 | 1699 | Enable bliss plugin | ||
1327 | 1700 | * debian/{rules,control,libstrongswan-extra-plugins.install} | ||
1328 | 1701 | Enable chapoly plugin | ||
1329 | 1702 | * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch | ||
1330 | 1703 | Upstream suggests to not load this plugin by default as it has | ||
1331 | 1704 | some limitations. | ||
1332 | 1705 | https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec | ||
1333 | 1706 | * debian/patches/increase-bliss-test-timeout.patch | ||
1334 | 1707 | Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default | ||
1335 | 1708 | * Update Apparmor profiles | ||
1336 | 1709 | - usr.lib.ipsec.charon | ||
1337 | 1710 | - add capability audit_write for xauth-pam (LP: #1470277) | ||
1338 | 1711 | - add capability dac_override (needed by agent plugin) | ||
1339 | 1712 | - allow priv dropping (LP: #1333655) | ||
1340 | 1713 | - allow caching CRLs (LP: #1505222) | ||
1341 | 1714 | - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) | ||
1342 | 1715 | - usr.lib.ipsec.stroke | ||
1343 | 1716 | - allow priv dropping (LP: #1333655) | ||
1344 | 1717 | - add local include | ||
1345 | 1718 | - usr.lib.ipsec.lookip | ||
1346 | 1719 | - add local include | ||
1347 | 1720 | * Merge from Debian, which includes fixes for all previous CVEs | ||
1348 | 1721 | Fixes (LP: #1330504, #1451091, #1448870, #1470277) | ||
1349 | 1722 | Remaining changes: | ||
1350 | 1723 | * debian/control | ||
1351 | 1724 | - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise | ||
1352 | 1725 | - Update Maintainer for Ubuntu | ||
1353 | 1726 | - Add build-deps | ||
1354 | 1727 | - dh-apparmor | ||
1355 | 1728 | - iptables-dev | ||
1356 | 1729 | - libjson0-dev | ||
1357 | 1730 | - libldns-dev | ||
1358 | 1731 | - libmysqlclient-dev | ||
1359 | 1732 | - libpcsclite-dev | ||
1360 | 1733 | - libsoup2.4-dev | ||
1361 | 1734 | - libtspi-dev | ||
1362 | 1735 | - libunbound-dev | ||
1363 | 1736 | - Drop build-deps | ||
1364 | 1737 | - libfcgi-dev | ||
1365 | 1738 | - clearsilver-dev | ||
1366 | 1739 | - Create virtual packages for all strongswan-plugin-* for dist-upgrade | ||
1367 | 1740 | - Set XS-Testsuite: autopkgtest | ||
1368 | 1741 | * debian/rules: | ||
1369 | 1742 | - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. | ||
1370 | 1743 | - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in | ||
1371 | 1744 | tests. | ||
1372 | 1745 | - Change init/systemd program name to strongswan | ||
1373 | 1746 | - Install AppArmor profiles | ||
1374 | 1747 | - Removed pieces on 'patching ipsec.conf' on build. | ||
1375 | 1748 | - Enablement of features per Ubuntu current config suggested from | ||
1376 | 1749 | upstream recommendation | ||
1377 | 1750 | - Unpack and sort enabled features to one-per-line | ||
1378 | 1751 | - Disable duplicheck as per | ||
1379 | 1752 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 | ||
1380 | 1753 | - Disable libfast (--disable-fast): | ||
1381 | 1754 | Requires dropping medsrv, medcli plugins which depend on libfast | ||
1382 | 1755 | - Add configure options | ||
1383 | 1756 | --with-tss=trousers | ||
1384 | 1757 | - Remove configure options: | ||
1385 | 1758 | --enable-ha (requires special kernel) | ||
1386 | 1759 | --enable-unit-test (unit tests run by default) | ||
1387 | 1760 | - Drop logcheck install | ||
1388 | 1761 | * debian/tests/* | ||
1389 | 1762 | - Add DEP8 test for strongswan service and plugins | ||
1390 | 1763 | * debian/strongswan-starter.strongswan.service | ||
1391 | 1764 | - Add new systemd file instead of patching upstream | ||
1392 | 1765 | * debian/strongswan-starter.links | ||
1393 | 1766 | - removed, use Ubuntu systemd file instead of linking to upstream | ||
1394 | 1767 | * debian/usr.lib.ipsec.{charon, lookip, stroke} | ||
1395 | 1768 | - added AppArmor profiles for charon, lookip and stroke | ||
1396 | 1769 | * debian/libcharon-extra-plugins.install | ||
1397 | 1770 | - Add plugins | ||
1398 | 1771 | - kernel-libipsec.{so, lib, conf, apparmor} | ||
1399 | 1772 | - Remove plugins | ||
1400 | 1773 | - libstrongswan-ha.so | ||
1401 | 1774 | - Relocate plugins | ||
1402 | 1775 | - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) | ||
1403 | 1776 | * debian/libstrongswan-extra-plugins.install | ||
1404 | 1777 | - Add plugins (so, lib, conf) | ||
1405 | 1778 | - acert | ||
1406 | 1779 | - attr-sql | ||
1407 | 1780 | - coupling | ||
1408 | 1781 | - dnscert | ||
1409 | 1782 | - fips-prf | ||
1410 | 1783 | - gmp | ||
1411 | 1784 | - ipseckey | ||
1412 | 1785 | - load-tester | ||
1413 | 1786 | - mysql | ||
1414 | 1787 | - ntru | ||
1415 | 1788 | - radattr | ||
1416 | 1789 | - soup | ||
1417 | 1790 | - sqlite | ||
1418 | 1791 | - sql | ||
1419 | 1792 | - systime-fix | ||
1420 | 1793 | - unbound | ||
1421 | 1794 | - whitelist | ||
1422 | 1795 | - Relocate plugins (so, lib, conf) | ||
1423 | 1796 | - ccm (libstrongswan.install) | ||
1424 | 1797 | - test-vectors (libstrongswan.install) | ||
1425 | 1798 | * debian/libstrongswan.install | ||
1426 | 1799 | - Sort sections | ||
1427 | 1800 | - Add plugins (so, lib, conf) | ||
1428 | 1801 | - libchecksum | ||
1429 | 1802 | - ccm | ||
1430 | 1803 | - eap-identity | ||
1431 | 1804 | - md4 | ||
1432 | 1805 | - test-vectors | ||
1433 | 1806 | * debian/strongswan-charon.install | ||
1434 | 1807 | - Add AppArmor profile for charon | ||
1435 | 1808 | * debian/strongswan-starter.install | ||
1436 | 1809 | - Add tools, manpages, conf | ||
1437 | 1810 | - openac | ||
1438 | 1811 | - pool | ||
1439 | 1812 | - _updown_espmark | ||
1440 | 1813 | - Add AppArmor profile for stroke | ||
1441 | 1814 | * debian/strongswan-tnc-base.install | ||
1442 | 1815 | - Add new subpackage for TNC | ||
1443 | 1816 | - remove non-existent (dropped in 5.2.1) libpts library files | ||
1444 | 1817 | * debian/strongswan-tnc-client.install | ||
1445 | 1818 | - Add new subpackage for TNC | ||
1446 | 1819 | * debian/strongswan-tnc-ifmap.install | ||
1447 | 1820 | - Add new subpackage for TNC | ||
1448 | 1821 | * debian/strongswan-tnc-pdp.install | ||
1449 | 1822 | - Add new subpackage for TNC | ||
1450 | 1823 | * debian/strongswan-tnc-server.install | ||
1451 | 1824 | - Add new subpackage for TNC | ||
1452 | 1825 | * debian/strongswan-starter.postinit: | ||
1453 | 1826 | - Removed section about runlevel changes, it's almost 2014. | ||
1454 | 1827 | - Adapted service restart section for Upstart. | ||
1455 | 1828 | - Remove old symlinks to init.d files is necessary. | ||
1456 | 1829 | * debian/strongswan-starter.dirs: Don't touch /etc/init.d. | ||
1457 | 1830 | * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
1458 | 1831 | * debian/strongswan-starter.prerm: Stop strongswan service on package | ||
1459 | 1832 | removal (as opposed to using the old init.d script). | ||
1460 | 1833 | * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck | ||
1461 | 1834 | - logcheck patterns updated to be helpful | ||
1462 | 1835 | * debian/strongswan-starter.postinst: Removed further out-dated code and | ||
1463 | 1836 | entire section on opportunistic encryption - this was never in strongSwan. | ||
1464 | 1837 | * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
1465 | 1838 | Drop changes: | ||
1466 | 1839 | * debian/control | ||
1467 | 1840 | - Per-plugin package breakup: Reducing packaging delta from Debian | ||
1468 | 1841 | - Don't build dhcp, farp subpackages: Reduce packging delta from Debian | ||
1469 | 1842 | * debian/watch: Already exists in Debian merge | ||
1470 | 1843 | * debian/upstream/signing-key.asc: Upstream has newer version. | ||
1471 | 1844 | |||
1472 | 1845 | -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 | ||
1473 | 1846 | |||
1474 | 484 | strongswan (5.3.5-1) unstable; urgency=medium | 1847 | strongswan (5.3.5-1) unstable; urgency=medium |
1475 | 485 | 1848 | ||
1476 | 486 | * New upstream bugfix release. | 1849 | * New upstream bugfix release. |
1477 | @@ -753,6 +2116,210 @@ strongswan (5.1.2-1) unstable; urgency=medium | |||
1478 | 753 | 2116 | ||
1479 | 754 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 | 2117 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
1480 | 755 | 2118 | ||
1481 | 2119 | strongswan (5.1.2-0ubuntu8) xenial; urgency=medium | ||
1482 | 2120 | |||
1483 | 2121 | * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) | ||
1484 | 2122 | |||
1485 | 2123 | -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 | ||
1486 | 2124 | |||
1487 | 2125 | strongswan (5.1.2-0ubuntu7) xenial; urgency=medium | ||
1488 | 2126 | |||
1489 | 2127 | * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin | ||
1490 | 2128 | - debian/patches/CVE-2015-8023.patch: only succeed authentication if | ||
1491 | 2129 | MSK was established in | ||
1492 | 2130 | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. | ||
1493 | 2131 | - CVE-2015-8023 | ||
1494 | 2132 | * debian/patches/disable_ntru_test.patch: disable test causing FTBFS | ||
1495 | 2133 | until regression is properly investigated. | ||
1496 | 2134 | |||
1497 | 2135 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 | ||
1498 | 2136 | |||
1499 | 2137 | strongswan (5.1.2-0ubuntu6) wily; urgency=medium | ||
1500 | 2138 | |||
1501 | 2139 | * SECURITY UPDATE: user credential disclosure to rogue servers | ||
1502 | 2140 | - debian/patches/CVE-2015-4171.patch: enforce remote authentication | ||
1503 | 2141 | config before proceeding with own authentication in | ||
1504 | 2142 | src/libcharon/sa/ikev2/tasks/ike_auth.c. | ||
1505 | 2143 | - CVE-2015-4171 | ||
1506 | 2144 | * debian/rules: don't FTBFS from unused service file | ||
1507 | 2145 | |||
1508 | 2146 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 | ||
1509 | 2147 | |||
1510 | 2148 | strongswan (5.1.2-0ubuntu5) vivid; urgency=medium | ||
1511 | 2149 | |||
1512 | 2150 | * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. | ||
1513 | 2151 | |||
1514 | 2152 | -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 | ||
1515 | 2153 | |||
1516 | 2154 | strongswan (5.1.2-0ubuntu4) vivid; urgency=medium | ||
1517 | 2155 | |||
1518 | 2156 | * SECURITY UPDATE: denial of service via DH group 1025 | ||
1519 | 2157 | - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of | ||
1520 | 2158 | IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, | ||
1521 | 2159 | src/libstrongswan/crypto/diffie_hellman.h. | ||
1522 | 2160 | - CVE-2014-9221 | ||
1523 | 2161 | |||
1524 | 2162 | -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 | ||
1525 | 2163 | |||
1526 | 2164 | strongswan (5.1.2-0ubuntu3) utopic; urgency=low | ||
1527 | 2165 | |||
1528 | 2166 | * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix | ||
1529 | 2167 | build. | ||
1530 | 2168 | |||
1531 | 2169 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 | ||
1532 | 2170 | |||
1533 | 2171 | strongswan (5.1.2-0ubuntu2) trusty; urgency=medium | ||
1534 | 2172 | |||
1535 | 2173 | * SECURITY UPDATE: remote authentication bypass | ||
1536 | 2174 | - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange | ||
1537 | 2175 | on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. | ||
1538 | 2176 | - CVE-2014-2338 | ||
1539 | 2177 | |||
1540 | 2178 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 | ||
1541 | 2179 | |||
1542 | 2180 | strongswan (5.1.2-0ubuntu1) trusty; urgency=low | ||
1543 | 2181 | |||
1544 | 2182 | * New upstream release. | ||
1545 | 2183 | |||
1546 | 2184 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 | ||
1547 | 2185 | |||
1548 | 2186 | strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low | ||
1549 | 2187 | |||
1550 | 2188 | * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. | ||
1551 | 2189 | * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. | ||
1552 | 2190 | |||
1553 | 2191 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 | ||
1554 | 2192 | |||
1555 | 2193 | strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low | ||
1556 | 2194 | |||
1557 | 2195 | * New upstream release candidate. | ||
1558 | 2196 | |||
1559 | 2197 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 | ||
1560 | 2198 | |||
1561 | 2199 | strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium | ||
1562 | 2200 | |||
1563 | 2201 | * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct | ||
1564 | 2202 | packages. | ||
1565 | 2203 | * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. | ||
1566 | 2204 | |||
1567 | 2205 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 | ||
1568 | 2206 | |||
1569 | 2207 | strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low | ||
1570 | 2208 | |||
1571 | 2209 | * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. | ||
1572 | 2210 | |||
1573 | 2211 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 | ||
1574 | 2212 | |||
1575 | 2213 | strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low | ||
1576 | 2214 | |||
1577 | 2215 | * debian/libstrongswan.install: Moved rdrand plugin configuration to rules | ||
1578 | 2216 | as it's only useful on amd64. | ||
1579 | 2217 | * debian/watch: Added opts=pgpsigurlmangle option. | ||
1580 | 2218 | * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. | ||
1581 | 2219 | |||
1582 | 2220 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 | ||
1583 | 2221 | |||
1584 | 2222 | strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium | ||
1585 | 2223 | |||
1586 | 2224 | * New upstream release candidate. | ||
1587 | 2225 | * debian/*.install - include new configuration files for plugins in | ||
1588 | 2226 | appropiate packages. | ||
1589 | 2227 | |||
1590 | 2228 | -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 | ||
1591 | 2229 | |||
1592 | 2230 | strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low | ||
1593 | 2231 | |||
1594 | 2232 | * debian/control: | ||
1595 | 2233 | - Added Breaks/Replaces for all library files which have been moved | ||
1596 | 2234 | about (LP: #1278176). | ||
1597 | 2235 | - Removed build-dependency on check and added one on dh-apparmor. | ||
1598 | 2236 | * debian/strongswan-starter.postinst: Removed further out-dated code and | ||
1599 | 2237 | entire section on opportunistic encryption - this was never in strongSwan. | ||
1600 | 2238 | * debian/rules: Removed pieces on 'patching ipsec.conf' on build. | ||
1601 | 2239 | |||
1602 | 2240 | -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 | ||
1603 | 2241 | |||
1604 | 2242 | strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low | ||
1605 | 2243 | |||
1606 | 2244 | * debian/control: Fixed references to plugin-fips-prf. | ||
1607 | 2245 | |||
1608 | 2246 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 | ||
1609 | 2247 | |||
1610 | 2248 | strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low | ||
1611 | 2249 | |||
1612 | 2250 | * Upstream Git snapshot for build fixes with regards to entropy. | ||
1613 | 2251 | * debian/rules: | ||
1614 | 2252 | - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. | ||
1615 | 2253 | - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in | ||
1616 | 2254 | tests. | ||
1617 | 2255 | |||
1618 | 2256 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 | ||
1619 | 2257 | |||
1620 | 2258 | strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low | ||
1621 | 2259 | |||
1622 | 2260 | * New upstream developer release. | ||
1623 | 2261 | * Made changes to packaging per upstream suggestions. | ||
1624 | 2262 | - Dropped medcli and medsrv packages - not recommended by upstream at this | ||
1625 | 2263 | time. | ||
1626 | 2264 | - Dropped ha plugin - needs special kernel. | ||
1627 | 2265 | - Improved all package descriptions in general. | ||
1628 | 2266 | - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. | ||
1629 | 2267 | - Removed debian/*logcheck* files - not relevant to strongSwan. | ||
1630 | 2268 | - Split dhcp and farp packages into sub-packages. | ||
1631 | 2269 | - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. | ||
1632 | 2270 | - Changes to TNC-related packages. | ||
1633 | 2271 | * Created AppArmor profiles for lookip and stroke. | ||
1634 | 2272 | |||
1635 | 2273 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 | ||
1636 | 2274 | |||
1637 | 2275 | strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low | ||
1638 | 2276 | |||
1639 | 2277 | * libstrongswan.install: Removed lingering unit-tester.so reference. | ||
1640 | 2278 | |||
1641 | 2279 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 | ||
1642 | 2280 | |||
1643 | 2281 | strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low | ||
1644 | 2282 | |||
1645 | 2283 | * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. | ||
1646 | 2284 | Incorporates upstream fixes for: | ||
1647 | 2285 | - Integrity testing. | ||
1648 | 2286 | - Unit test failures on little endian systems. | ||
1649 | 2287 | * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed | ||
1650 | 2288 | upstream. | ||
1651 | 2289 | * debian/rules: | ||
1652 | 2290 | - Stop using CK_TIMEOUT_MULTIPLIER. | ||
1653 | 2291 | - Stop enabling the test suite only on non-powerpc arches (it runs | ||
1654 | 2292 | anyway). | ||
1655 | 2293 | |||
1656 | 2294 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 | ||
1657 | 2295 | |||
1658 | 2296 | strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low | ||
1659 | 2297 | |||
1660 | 2298 | * debian/control: Reinstate missing comma in dependencies. | ||
1661 | 2299 | |||
1662 | 2300 | -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 | ||
1663 | 2301 | |||
1664 | 2302 | strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low | ||
1665 | 2303 | |||
1666 | 2304 | * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue | ||
1667 | 2305 | where test for >2038 tests on 32-bit platforms is broken. | ||
1668 | 2306 | - Reported upstream: https://wiki.strongswan.org/issues/477 | ||
1669 | 2307 | * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. | ||
1670 | 2308 | |||
1671 | 2309 | -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 | ||
1672 | 2310 | |||
1673 | 2311 | strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low | ||
1674 | 2312 | |||
1675 | 2313 | * New upstream developer release. | ||
1676 | 2314 | * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, | ||
1677 | 2315 | and --enable-unity. | ||
1678 | 2316 | * debian/control: | ||
1679 | 2317 | - New plugin packages created for the above | ||
1680 | 2318 | - Split fips-prf into its own package. | ||
1681 | 2319 | - Added build-dependency on libsoup2.4-dev. | ||
1682 | 2320 | |||
1683 | 2321 | -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 | ||
1684 | 2322 | |||
1685 | 756 | strongswan (5.1.1-3) unstable; urgency=low | 2323 | strongswan (5.1.1-3) unstable; urgency=low |
1686 | 757 | 2324 | ||
1687 | 758 | * Upload to unstable. | 2325 | * Upload to unstable. |
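Review bot: the 5.1.2-0ubuntu7 entry records debian/patches/disable_ntru_test.patch as disabling a failing test "until regression is properly investigated", and this hunk does not show the test being re-enabled or the patch being dropped. Since these entries are carried back in as Ubuntu history, the merge description should say whether that patch is still part of the delta. It should also confirm that the four CVE patches named here (CVE-2015-8023, CVE-2015-4171, CVE-2014-9221, CVE-2014-2338) are gone from debian/patches because the fixes are in the upstream source, not because they were lost in the merge.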
1688 | @@ -844,6 +2411,192 @@ strongswan (5.1.1-1) unstable; urgency=low | |||
1689 | 844 | 2411 | ||
1690 | 845 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 | 2412 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1691 | 846 | 2413 | ||
1692 | 2414 | strongswan (5.1.1-0ubuntu17) trusty; urgency=low | ||
1693 | 2415 | |||
1694 | 2416 | * debian/control: | ||
1695 | 2417 | - Make strongswan-ike depend on iproute2. | ||
1696 | 2418 | - Added xauth plugin dependency on strongswan-plugin-eap-gtc. | ||
1697 | 2419 | - Created strongswan-libfast package. | ||
1698 | 2420 | |||
1699 | 2421 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 | ||
1700 | 2422 | |||
1701 | 2423 | strongswan (5.1.1-0ubuntu16) trusty; urgency=low | ||
1702 | 2424 | |||
1703 | 2425 | * debian/control: | ||
1704 | 2426 | - Further splitting of plugins into subpackages (such as all EAP plugins | ||
1705 | 2427 | to their own packages). | ||
1706 | 2428 | - Added libpcsclite-dev to build-dependencies. | ||
1707 | 2429 | * debian/rules: | ||
1708 | 2430 | - Sort configure options in alphabetical order. | ||
1709 | 2431 | - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, | ||
1710 | 2432 | --enable-eap-sim-file, --enable-eap-sim-pcsc, | ||
1711 | 2433 | --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and | ||
1712 | 2434 | --enable-eap-simaka-sql. | ||
1713 | 2435 | - Don't exclude medsrv from install. | ||
1714 | 2436 | * Moved eap-identity.so to libstrongswan package as it's used by all the | ||
1715 | 2437 | other EAP plugins. | ||
1716 | 2438 | |||
1717 | 2439 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 | ||
1718 | 2440 | |||
1719 | 2441 | strongswan (5.1.1-0ubuntu15) trusty; urgency=low | ||
1720 | 2442 | |||
1721 | 2443 | * debian/control: | ||
1722 | 2444 | - Split plugins from libstrongswan package into modular subpackages. | ||
1723 | 2445 | - Added libmysqlclient-dev to build-dependencies. | ||
1724 | 2446 | - strongswan-ike: Set to depend on either strongswan-plugins-openssl or | ||
1725 | 2447 | strongswan-plugins-gcrypt. | ||
1726 | 2448 | - strongswan-ike: All other plugins added to Suggests. | ||
1727 | 2449 | - Created two new TNC packages: strongswan-tnc-ifmap and | ||
1728 | 2450 | strongswan-tnc-pdp and added to tnc-imcvs Suggests. | ||
1729 | 2451 | * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, | ||
1730 | 2452 | --enable-error-notify, --enable-mysql, --enable-load-tester, | ||
1731 | 2453 | --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. | ||
1732 | 2454 | * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. | ||
1733 | 2455 | |||
1734 | 2456 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 | ||
1735 | 2457 | |||
1736 | 2458 | strongswan (5.1.1-0ubuntu14) trusty; urgency=low | ||
1737 | 2459 | |||
1738 | 2460 | * debian/rules: | ||
1739 | 2461 | - CK_TIMEOUT_MULTIPLIER back down to 6. | ||
1740 | 2462 | - Disable unit tests on powerpc. | ||
1741 | 2463 | |||
1742 | 2464 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 | ||
1743 | 2465 | |||
1744 | 2466 | strongswan (5.1.1-0ubuntu13) trusty; urgency=low | ||
1745 | 2467 | |||
1746 | 2468 | * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. | ||
1747 | 2469 | |||
1748 | 2470 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 | ||
1749 | 2471 | |||
1750 | 2472 | strongswan (5.1.1-0ubuntu12) trusty; urgency=low | ||
1751 | 2473 | |||
1752 | 2474 | * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and | ||
1753 | 2475 | armhf. | ||
1754 | 2476 | |||
1755 | 2477 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 | ||
1756 | 2478 | |||
1757 | 2479 | strongswan (5.1.1-0ubuntu11) trusty; urgency=low | ||
1758 | 2480 | |||
1759 | 2481 | * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on | ||
1760 | 2482 | one extra arch. | ||
1761 | 2483 | * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. | ||
1762 | 2484 | |||
1763 | 2485 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 | ||
1764 | 2486 | |||
1765 | 2487 | strongswan (5.1.1-0ubuntu10) trusty; urgency=low | ||
1766 | 2488 | |||
1767 | 2489 | * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - | ||
1768 | 2490 | - Increases RSA key generate test timeout to 30 seconds so that it doesn't | ||
1769 | 2491 | fail on armhf, arm64, and powerppc. | ||
1770 | 2492 | * Contrary to what the last changelog entry says, we are still running | ||
1771 | 2493 | strongswan as root (with AppArmor protection). | ||
1772 | 2494 | |||
1773 | 2495 | -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 | ||
1774 | 2496 | |||
1775 | 2497 | strongswan (5.1.1-0ubuntu9) trusty; urgency=low | ||
1776 | 2498 | |||
1777 | 2499 | * debian/rules: Added to configure options: | ||
1778 | 2500 | - --enable-tnc-ifmap: enable TNC IF-MAP module. | ||
1779 | 2501 | - --enable-duplicheck: enable duplicheck plugin. | ||
1780 | 2502 | - --enable-imv-swid, --enable-imc-swid: Added. | ||
1781 | 2503 | - Run strongswan as it's own user. | ||
1782 | 2504 | * debian/strongswan-starter.install: Install duplicheck. | ||
1783 | 2505 | * debian/strongswan-tnc-imcvs.install: Install swidtags. | ||
1784 | 2506 | |||
1785 | 2507 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 | ||
1786 | 2508 | |||
1787 | 2509 | strongswan (5.1.1-0ubuntu8) trusty; urgency=low | ||
1788 | 2510 | |||
1789 | 2511 | * debian/rules: Added to configure options: | ||
1790 | 2512 | - --enable-unit-tests: check unit testing on build. | ||
1791 | 2513 | - --enable-unbound: for validating DNS lookups. | ||
1792 | 2514 | - --enable-dnscert: for DNSCERT peer authentication. | ||
1793 | 2515 | - --enable-ipseckey: for IPSEC key authentication. | ||
1794 | 2516 | - --enable-lookip: for LookIP functionality. | ||
1795 | 2517 | - --enable-coupling: certificate coupling functionality. | ||
1796 | 2518 | * debian/control: Added check, libldns-dev, libunbound-dev to | ||
1797 | 2519 | build-dependencies. | ||
1798 | 2520 | * debian/libstrongswan.install: Install new plugin .so's. | ||
1799 | 2521 | * debian/strongswan-starter.install: Added lookip. | ||
1800 | 2522 | |||
1801 | 2523 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 | ||
1802 | 2524 | |||
1803 | 2525 | strongswan (5.1.1-0ubuntu7) trusty; urgency=low | ||
1804 | 2526 | |||
1805 | 2527 | * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent | ||
1806 | 2528 | the former from depending on the latter). | ||
1807 | 2529 | |||
1808 | 2530 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 | ||
1809 | 2531 | |||
1810 | 2532 | strongswan (5.1.1-0ubuntu6) trusty; urgency=low | ||
1811 | 2533 | |||
1812 | 2534 | * debian/strongswan-starter.prerm: Stop strongswan service on package | ||
1813 | 2535 | removal (as opposed to using the old init.d script). | ||
1814 | 2536 | |||
1815 | 2537 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 | ||
1816 | 2538 | |||
1817 | 2539 | strongswan (5.1.1-0ubuntu5) trusty; urgency=low | ||
1818 | 2540 | |||
1819 | 2541 | * debian/rules: | ||
1820 | 2542 | - CONFIGUREARGS: Merged Debian and RPM options. | ||
1821 | 2543 | - Brings in TNC functionality. | ||
1822 | 2544 | * debian/control: | ||
1823 | 2545 | - Added build-dependency on libtspi-dev. | ||
1824 | 2546 | - Created strongswan-tnc-imcvs binary package for TNC components. | ||
1825 | 2547 | - Added strongswan-tnc-imcvs to libstrongswan's Suggests. | ||
1826 | 2548 | * debian/libstrongswan.install: | ||
1827 | 2549 | - Included newly built MD4 and SQLite libraries. | ||
1828 | 2550 | - Removed 'tnc' references (moved to TNC package). | ||
1829 | 2551 | * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and | ||
1830 | 2552 | binaries. | ||
1831 | 2553 | * debian/usr.lib.ipsec.charon: Allow access to TNC modules. | ||
1832 | 2554 | |||
1833 | 2555 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 | ||
1834 | 2556 | |||
1835 | 2557 | strongswan (5.1.1-0ubuntu4) trusty; urgency=low | ||
1836 | 2558 | |||
1837 | 2559 | * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. | ||
1838 | 2560 | * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. | ||
1839 | 2561 | * debian/control: strongswan-ike - Stop depending on ipsec-tools. | ||
1840 | 2562 | |||
1841 | 2563 | -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 | ||
1842 | 2564 | |||
1843 | 2565 | strongswan (5.1.1-0ubuntu3) trusty; urgency=low | ||
1844 | 2566 | |||
1845 | 2567 | * strongswan-starter.strongswan.upstart - Only start strongSwan when a | ||
1846 | 2568 | network connection is available. | ||
1847 | 2569 | * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to | ||
1848 | 2570 | 1.16.1 - to make precise backporting easier. | ||
1849 | 2571 | |||
1850 | 2572 | -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 | ||
1851 | 2573 | |||
1852 | 2574 | strongswan (5.1.1-0ubuntu2) trusty; urgency=low | ||
1853 | 2575 | |||
1854 | 2576 | * strongswan-starter.strongswan.upstart - Created Upstart job for | ||
1855 | 2577 | strongSwan. | ||
1856 | 2578 | * debian/rules: Set dh_installinit to install above file. | ||
1857 | 2579 | * debian/strongswan-starter.postinit: | ||
1858 | 2580 | - Removed section about runlevel changes, it's almost 2014. | ||
1859 | 2581 | - Adapted service restart section for Upstart. | ||
1860 | 2582 | - Remove old symlinks to init.d files is necessary. | ||
1861 | 2583 | * debian/strongswan-starter.dirs: Don't touch /etc/init.d. | ||
1862 | 2584 | |||
1863 | 2585 | -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 | ||
1864 | 2586 | |||
1865 | 2587 | strongswan (5.1.1-0ubuntu1) trusty; urgency=low | ||
1866 | 2588 | |||
1867 | 2589 | * New upstream release. | ||
1868 | 2590 | * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. | ||
1869 | 2591 | * debian/control: Updated Standards-Version to 3.9.5 and applied | ||
1870 | 2592 | XSBC-Original-Maintainer policy. | ||
1871 | 2593 | * strongswan-starter.install: | ||
1872 | 2594 | - pki tool is now in /usr/bin. | ||
1873 | 2595 | - Install pt-tls-client. | ||
1874 | 2596 | - Install manpages (LP: #1206263). | ||
1875 | 2597 | |||
1876 | 2598 | -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 | ||
1877 | 2599 | |||
1878 | 847 | strongswan (5.1.0-3) unstable; urgency=high | 2600 | strongswan (5.1.0-3) unstable; urgency=high |
1879 | 848 | 2601 | ||
1880 | 849 | * urgency=high for the security fixes. | 2602 | * urgency=high for the security fixes. |
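Review bot: the 5.1.1-0ubuntu9 entry says "Run strongswan as it's own user", and 5.1.1-0ubuntu10 then corrects it: the daemon still runs as root "with AppArmor protection". By this history the AppArmor profile added in 5.1.1-0ubuntu4 (debian/usr.lib.ipsec.charon) is the confinement the package relies on, so please check that the merged package still installs and loads it. The historical entries themselves should stay as uploaded, including the "upsteamed" typo in 5.1.1-0ubuntu1.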
1881 | diff --git a/debian/control b/debian/control | |||
1882 | index 9ed97b7..06faee6 100644 | |||
1883 | --- a/debian/control | |||
1884 | +++ b/debian/control | |||
1885 | @@ -1,7 +1,8 @@ | |||
1886 | 1 | Source: strongswan | 1 | Source: strongswan |
1887 | 2 | Section: net | 2 | Section: net |
1888 | 3 | Priority: optional | 3 | Priority: optional |
1890 | 4 | Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1891 | 5 | XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> | ||
1892 | 5 | Uploaders: Yves-Alexis Perez <corsac@debian.org> | 6 | Uploaders: Yves-Alexis Perez <corsac@debian.org> |
1893 | 6 | Standards-Version: 4.6.0 | 7 | Standards-Version: 4.6.0 |
1894 | 7 | Vcs-Browser: https://salsa.debian.org/debian/strongswan | 8 | Vcs-Browser: https://salsa.debian.org/debian/strongswan |
1895 | @@ -136,6 +137,7 @@ Description: strongSwan utility and crypto library (extra plugins) | |||
1896 | 136 | - gcrypt (Crypto backend based on libgcrypt, provides | 137 | - gcrypt (Crypto backend based on libgcrypt, provides |
1897 | 137 | RSA/DH/ciphers/hashers/rng) | 138 | RSA/DH/ciphers/hashers/rng) |
1898 | 138 | - ldap (LDAP fetching plugin based on libldap) | 139 | - ldap (LDAP fetching plugin based on libldap) |
1899 | 140 | - ntru (key exchanged based on post-quantum computer NTRU) | ||
1900 | 139 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) | 141 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1901 | 140 | - pkcs11 (PKCS#11 smartcard backend) | 142 | - pkcs11 (PKCS#11 smartcard backend) |
1902 | 141 | - rdrand (High quality / high performance random source using the Intel | 143 | - rdrand (High quality / high performance random source using the Intel |
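Review bot: the added ntru line reads "key exchanged based on post-quantum computer NTRU", which is ungrammatical and ends up in the user-visible package description. Suggest "- ntru (key exchange based on the post-quantum NTRU cryptosystem)" so it matches the phrasing of the neighbouring entries.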
1903 | @@ -203,6 +205,9 @@ Description: strongSwan charon library (extra plugins) | |||
1904 | 203 | - unity (Cisco Unity extensions for IKEv1) | 205 | - unity (Cisco Unity extensions for IKEv1) |
1905 | 204 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) | 206 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) |
1906 | 205 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) | 207 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) |
1907 | 208 | - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method | ||
1908 | 209 | requested/supported by the client (since 5.0.1)) | ||
1909 | 210 | - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) | ||
1910 | 206 | 211 | ||
1911 | 207 | Package: strongswan-starter | 212 | Package: strongswan-starter |
1912 | 208 | Architecture: any | 213 | Architecture: any |
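Review bot: eap-dynamic and eap-peap are appended after xauth-pam, while the visible tail of the list (unity, xauth-eap, xauth-pam) is alphabetical and the debian/libcharon-extra-plugins.install hunk further down inserts the two .so files in sorted position. Moving both entries to their alphabetical place would keep the description consistent with the install list. The "(since 5.0.1)" remark can also be dropped, as no other visible entry carries a version note.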
1913 | @@ -210,9 +215,9 @@ Pre-Depends: ${misc:Pre-Depends} | |||
1914 | 210 | Depends: adduser, | 215 | Depends: adduser, |
1915 | 211 | libstrongswan (= ${binary:Version}), | 216 | libstrongswan (= ${binary:Version}), |
1916 | 212 | lsb-base (>= 3.0-6), | 217 | lsb-base (>= 3.0-6), |
1917 | 218 | strongswan-charon, | ||
1918 | 213 | ${misc:Depends}, | 219 | ${misc:Depends}, |
1919 | 214 | ${shlibs:Depends} | 220 | ${shlibs:Depends} |
1920 | 215 | Recommends: strongswan-charon | ||
1921 | 216 | Conflicts: openswan | 221 | Conflicts: openswan |
1922 | 217 | Description: strongSwan daemon starter and configuration file parser | 222 | Description: strongSwan daemon starter and configuration file parser |
1923 | 218 | The strongSwan VPN suite uses the native IPsec stack in the standard | 223 | The strongSwan VPN suite uses the native IPsec stack in the standard |
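Review bot: promoting strongswan-charon from Recommends to Depends means strongswan-starter can no longer be installed without the IKE daemon, and nothing in the stanza marks this as an Ubuntu-specific reversal of Debian's dependency direction; a pointer to the changelog entry or bug that motivates it would help the next merger. The new entry is unversioned next to "libstrongswan (= ${binary:Version})", which is acceptable only because strongswan-charon pins libstrongswan to the same binary version in its own Depends, keeping the two packages in lockstep.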
1924 | @@ -251,9 +256,9 @@ Architecture: any | |||
1925 | 251 | Pre-Depends: debconf | debconf-2.0 | 256 | Pre-Depends: debconf | debconf-2.0 |
1926 | 252 | Depends: iproute2 [linux-any] | iproute [linux-any], | 257 | Depends: iproute2 [linux-any] | iproute [linux-any], |
1927 | 253 | libstrongswan (= ${binary:Version}), | 258 | libstrongswan (= ${binary:Version}), |
1928 | 254 | strongswan-starter, | ||
1929 | 255 | ${misc:Depends}, | 259 | ${misc:Depends}, |
1930 | 256 | ${shlibs:Depends} | 260 | ${shlibs:Depends} |
1931 | 261 | Recommends: strongswan-starter, | ||
1932 | 257 | Provides: ike-server | 262 | Provides: ike-server |
1933 | 258 | Description: strongSwan Internet Key Exchange daemon | 263 | Description: strongSwan Internet Key Exchange daemon |
1934 | 259 | The strongSwan VPN suite uses the native IPsec stack in the standard | 264 | The strongSwan VPN suite uses the native IPsec stack in the standard |
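Review bot: New line 261 reads "Recommends: strongswan-starter," with a trailing comma, although it is the only entry and the field ends on that line. The package builds with it, but the Depends fields next to it end without one ("${shlibs:Depends}"), so drop the comma for consistency.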
1935 | diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install | |||
1936 | index 94fbabd..91ca716 100644 | |||
1937 | --- a/debian/libcharon-extra-plugins.install | |||
1938 | +++ b/debian/libcharon-extra-plugins.install | |||
1939 | @@ -2,9 +2,11 @@ | |||
1940 | 2 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so | 2 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so |
1941 | 3 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so | 3 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so |
1942 | 4 | usr/lib/ipsec/plugins/libstrongswan-eap-aka.so | 4 | usr/lib/ipsec/plugins/libstrongswan-eap-aka.so |
1943 | 5 | usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so | ||
1944 | 5 | usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so | 6 | usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so |
1945 | 6 | usr/lib/ipsec/plugins/libstrongswan-eap-identity.so | 7 | usr/lib/ipsec/plugins/libstrongswan-eap-identity.so |
1946 | 7 | usr/lib/ipsec/plugins/libstrongswan-eap-md5.so | 8 | usr/lib/ipsec/plugins/libstrongswan-eap-md5.so |
1947 | 9 | usr/lib/ipsec/plugins/libstrongswan-eap-peap.so | ||
1948 | 8 | usr/lib/ipsec/plugins/libstrongswan-eap-radius.so | 10 | usr/lib/ipsec/plugins/libstrongswan-eap-radius.so |
1949 | 9 | usr/lib/ipsec/plugins/libstrongswan-eap-tls.so | 11 | usr/lib/ipsec/plugins/libstrongswan-eap-tls.so |
1950 | 10 | usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so | 12 | usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so |
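Review bot: Shipping libstrongswan-eap-dynamic.so (new line 5) in the same package as eap-md5 and eap-gtc deserves a line of documentation. By the description added in debian/control, the plugin selects an EAP method "requested/supported by the client", so on a host with this package installed the set of methods a peer can steer towards is whatever plugins are present. Suggest noting in the package description or README.Debian that administrators who enable eap-dynamic should restrict the methods it may select in eap-dynamic.conf.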
1951 | @@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so | |||
1952 | 25 | usr/share/strongswan/templates/config/plugins/addrblock.conf | 27 | usr/share/strongswan/templates/config/plugins/addrblock.conf |
1953 | 26 | usr/share/strongswan/templates/config/plugins/certexpire.conf | 28 | usr/share/strongswan/templates/config/plugins/certexpire.conf |
1954 | 27 | usr/share/strongswan/templates/config/plugins/eap-aka.conf | 29 | usr/share/strongswan/templates/config/plugins/eap-aka.conf |
1955 | 30 | usr/share/strongswan/templates/config/plugins/eap-dynamic.conf | ||
1956 | 28 | usr/share/strongswan/templates/config/plugins/eap-gtc.conf | 31 | usr/share/strongswan/templates/config/plugins/eap-gtc.conf |
1957 | 29 | usr/share/strongswan/templates/config/plugins/eap-identity.conf | 32 | usr/share/strongswan/templates/config/plugins/eap-identity.conf |
1958 | 30 | usr/share/strongswan/templates/config/plugins/eap-md5.conf | 33 | usr/share/strongswan/templates/config/plugins/eap-md5.conf |
1959 | 34 | usr/share/strongswan/templates/config/plugins/eap-peap.conf | ||
1960 | 31 | usr/share/strongswan/templates/config/plugins/eap-radius.conf | 35 | usr/share/strongswan/templates/config/plugins/eap-radius.conf |
1961 | 32 | usr/share/strongswan/templates/config/plugins/eap-tls.conf | 36 | usr/share/strongswan/templates/config/plugins/eap-tls.conf |
1962 | 33 | usr/share/strongswan/templates/config/plugins/eap-tnc.conf | 37 | usr/share/strongswan/templates/config/plugins/eap-tnc.conf |
1963 | @@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf | |||
1964 | 49 | etc/strongswan.d/charon/addrblock.conf | 53 | etc/strongswan.d/charon/addrblock.conf |
1965 | 50 | etc/strongswan.d/charon/certexpire.conf | 54 | etc/strongswan.d/charon/certexpire.conf |
1966 | 51 | etc/strongswan.d/charon/eap-aka.conf | 55 | etc/strongswan.d/charon/eap-aka.conf |
1967 | 56 | etc/strongswan.d/charon/eap-dynamic.conf | ||
1968 | 52 | etc/strongswan.d/charon/eap-gtc.conf | 57 | etc/strongswan.d/charon/eap-gtc.conf |
1969 | 53 | etc/strongswan.d/charon/eap-identity.conf | 58 | etc/strongswan.d/charon/eap-identity.conf |
1970 | 54 | etc/strongswan.d/charon/eap-md5.conf | 59 | etc/strongswan.d/charon/eap-md5.conf |
1971 | 60 | etc/strongswan.d/charon/eap-peap.conf | ||
1972 | 55 | etc/strongswan.d/charon/eap-radius.conf | 61 | etc/strongswan.d/charon/eap-radius.conf |
1973 | 56 | etc/strongswan.d/charon/eap-tls.conf | 62 | etc/strongswan.d/charon/eap-tls.conf |
1974 | 57 | etc/strongswan.d/charon/eap-tnc.conf | 63 | etc/strongswan.d/charon/eap-tnc.conf |
1975 | diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript | |||
1976 | 58 | new file mode 100644 | 64 | new file mode 100644 |
1977 | index 0000000..f6e7a3a | |||
1978 | --- /dev/null | |||
1979 | +++ b/debian/libcharon-extra-plugins.maintscript | |||
1980 | @@ -0,0 +1,8 @@ | |||
1981 | 1 | rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1982 | 2 | rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1983 | 3 | rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1984 | 4 | rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1985 | 5 | rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1986 | 6 | rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1987 | 7 | rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
1988 | 8 | rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins | ||
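Review bot: All eight rm_conffile lines use the prior-version 5.8.4-1ubuntu2~, and nothing in this new file says why these conffiles (eap-aka-3gpp2, the eap-sim* and eap-simaka-* set, xauth-noauth) are being removed. Make sure the changelog entry for this delta names the plugins that stopped being shipped and the release in which that happened, so that a later merge can tell when no supported upgrade path starts below 5.8.4-1ubuntu2 and the file can be dropped.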
1989 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install | |||
1990 | index 2846e21..8f71239 100644 | |||
1991 | --- a/debian/libstrongswan-extra-plugins.install | |||
1992 | +++ b/debian/libstrongswan-extra-plugins.install | |||
1993 | @@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so | |||
1994 | 9 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so | 9 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1995 | 10 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so | 10 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1996 | 11 | usr/lib/ipsec/plugins/libstrongswan-ldap.so | 11 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1997 | 12 | usr/lib/ipsec/plugins/libstrongswan-ntru.so | ||
1998 | 12 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so | 13 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1999 | 13 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so | 14 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
2000 | 14 | usr/lib/ipsec/plugins/libstrongswan-tpm.so | 15 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
2001 | @@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf | |||
2002 | 21 | usr/share/strongswan/templates/config/plugins/curve25519.conf | 22 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
2003 | 22 | usr/share/strongswan/templates/config/plugins/gcrypt.conf | 23 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
2004 | 23 | usr/share/strongswan/templates/config/plugins/ldap.conf | 24 | usr/share/strongswan/templates/config/plugins/ldap.conf |
2005 | 25 | usr/share/strongswan/templates/config/plugins/ntru.conf | ||
2006 | 24 | usr/share/strongswan/templates/config/plugins/pkcs11.conf | 26 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
2007 | 25 | usr/share/strongswan/templates/config/plugins/test-vectors.conf | 27 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
2008 | 26 | usr/share/strongswan/templates/config/plugins/tpm.conf | 28 | usr/share/strongswan/templates/config/plugins/tpm.conf |
2009 | @@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf | |||
2010 | 32 | etc/strongswan.d/charon/curve25519.conf | 34 | etc/strongswan.d/charon/curve25519.conf |
2011 | 33 | etc/strongswan.d/charon/gcrypt.conf | 35 | etc/strongswan.d/charon/gcrypt.conf |
2012 | 34 | etc/strongswan.d/charon/ldap.conf | 36 | etc/strongswan.d/charon/ldap.conf |
2013 | 37 | etc/strongswan.d/charon/ntru.conf | ||
2014 | 35 | etc/strongswan.d/charon/pkcs11.conf | 38 | etc/strongswan.d/charon/pkcs11.conf |
2015 | 36 | etc/strongswan.d/charon/test-vectors.conf | 39 | etc/strongswan.d/charon/test-vectors.conf |
2016 | 37 | etc/strongswan.d/charon/tpm.conf | 40 | etc/strongswan.d/charon/tpm.conf |
2017 | diff --git a/debian/rules b/debian/rules | |||
2018 | index 2fed1f1..8ca4bd7 100755 | |||
2019 | --- a/debian/rules | |||
2020 | +++ b/debian/rules | |||
2021 | @@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ | |||
2022 | 15 | --enable-curl \ | 15 | --enable-curl \ |
2023 | 16 | --enable-eap-aka \ | 16 | --enable-eap-aka \ |
2024 | 17 | --enable-eap-gtc \ | 17 | --enable-eap-gtc \ |
2025 | 18 | --enable-eap-dynamic \ | ||
2026 | 18 | --enable-eap-identity \ | 19 | --enable-eap-identity \ |
2027 | 19 | --enable-eap-md5 \ | 20 | --enable-eap-md5 \ |
2028 | 20 | --enable-eap-mschapv2 \ | 21 | --enable-eap-mschapv2 \ |
2029 | 22 | --enable-eap-peap \ | ||
2030 | 21 | --enable-eap-radius \ | 23 | --enable-eap-radius \ |
2031 | 22 | --enable-eap-tls \ | 24 | --enable-eap-tls \ |
2032 | 23 | --enable-eap-tnc \ | 25 | --enable-eap-tnc \ |
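Review bot: New line 18 puts "--enable-eap-dynamic" after "--enable-eap-gtc", which breaks the alphabetical order the visible entries of CONFIGUREARGS follow (the matching entries in debian/libcharon-extra-plugins.install are sorted correctly, eap-dynamic before eap-gtc). Move it up one line so it sits between "--enable-eap-aka" and "--enable-eap-gtc".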
2033 | @@ -32,6 +34,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ | |||
2034 | 32 | --enable-led \ | 34 | --enable-led \ |
2035 | 33 | --enable-lookip \ | 35 | --enable-lookip \ |
2036 | 34 | --enable-mediation \ | 36 | --enable-mediation \ |
2037 | 37 | --enable-ntru \ | ||
2038 | 35 | --enable-openssl \ | 38 | --enable-openssl \ |
2039 | 36 | --enable-pkcs11 \ | 39 | --enable-pkcs11 \ |
2040 | 37 | --enable-test-vectors \ | 40 | --enable-test-vectors \ |
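Review bot: "--enable-ntru" at new line 37 builds a key-exchange plugin that the debian/sid target does not build, and the three ntru entries added to debian/libstrongswan-extra-plugins.install ship it together with a config file under etc/strongswan.d/charon/. The hunk carries no rationale. Record in the changelog or in a comment above CONFIGUREARGS which users need NTRU, so the delta is re-evaluated at each merge instead of being carried by default.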
I'll review this one.