Merge ~paelzer/ubuntu/+source/strongswan:merge-5.7.2-1-eoan into ubuntu/+source/strongswan:debian/sid
Status: | Merged |
---|---|
Approved by: | Christian Ehrhardt |
Approved revision: | 3bd147e83788606535a33447b988ce7941b41348 |
Merge reported by: | Christian Ehrhardt |
Merged at revision: | 3bd147e83788606535a33447b988ce7941b41348 |
Proposed branch: | ~paelzer/ubuntu/+source/strongswan:merge-5.7.2-1-eoan |
Merge into: | ubuntu/+source/strongswan:debian/sid |
Diff against target: | 2385 lines (+1804/-85), 17 files modified |
Related bugs: | |

Files modified: debian/changelog (+1412/-0), debian/control (+107/-11), debian/ipsec.secrets.proto (+0/-3), debian/libcharon-extra-plugins.install (+109/-6), debian/libcharon-standard-plugins.install (+19/-0), debian/libstrongswan-extra-plugins.install (+54/-0), debian/libstrongswan.install (+5/-0), debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0), debian/patches/series (+1/-0), debian/rules (+48/-6), debian/strongswan-starter.install (+4/-0), debian/strongswan-starter.postinst (+0/-57), debian/usr.lib.ipsec.charon (+12/-0), debian/usr.lib.ipsec.lookip (+2/-0), debian/usr.lib.ipsec.stroke (+2/-0), debian/usr.sbin.charon-systemd (+11/-1), debian/usr.sbin.swanctl (+7/-1)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Andreas Hasenack | Approve | |
Canonical Server packageset reviewers | Pending | |
Canonical Server | Pending | |

Review via email: mp+366649@code.launchpad.net
Commit message
Description of the change
Christian Ehrhardt (paelzer) wrote:
I hope there is not too much confusion, but this time the logical tag looks much different than last time. This was done to re-group and re-order the changes for Debian submission.
Tags pushed for review:
* [new tag] lp999999/
* [new tag] lp999999/new/debian -> lp999999/new/debian
* [new tag] lp999999/old/debian -> lp999999/old/debian
* [new tag] lp999999/old/ubuntu -> lp999999/old/ubuntu
* [new tag] lp999999/
* [new tag] lp999999/
Christian Ehrhardt (paelzer) wrote:
Since we had issues getting the mass enabling into Debian I have now opened [1] which contains all but these and we can re-visit those changes later. Hopefully that allows us to reduce the Delta.
Furthermore, as a note: once this is in Eoan I will have to clear the seeds; it seems we already depend on plenty of no-longer-existing binaries, and removing the TNC packages made this even worse now.
[1]: https:/
Andreas Hasenack (ahasenack) wrote:
Review ongoing, I'll write up individual questions or points so they are easy to reply to individually.
What happened to the pool feature? It's in reconstruct, split, but gone from logical with no drop mention:
commit a4c1fbe64282b85
Author: Christian Ehrhardt <email address hidden>
Date: Thu May 4 13:50:54 2017 +0200
- d/strongswan-
we have attr-sql plugin enabled as well using it.
Andreas Hasenack (ahasenack) wrote:
This commit mentions one file only, but it changes two:
commit 6d58030fa2e8070
Author: Christian Ehrhardt <email address hidden>
Date: Fri Apr 26 10:59:02 2019 +0200
apparmor: d/usr.sbin.
it also changes d/usr.lib.
Andreas Hasenack (ahasenack) wrote:
This other commit also mentions one file, but changes two:
commit 5bb46ca49e2a42f
Author: Christian Ehrhardt <email address hidden>
Date: Tue May 29 08:53:44 2018 +0200
apparmor: d/usr.sbin.
it also changes d/usr.lib.
Andreas Hasenack (ahasenack) wrote:
Regarding the pool feature, looks like it's part of commit 11741ef89c44870
commit 11741ef89c44870
Author: Christian Ehrhardt <email address hidden>
Date: Fri Apr 26 10:32:21 2019 +0200
- Mass enablement of extra plugins
Add features to allow a user to use strongswan for a variety of extra use
cases without having to rebuild.
+ d/control: Add required additional build-deps
+ d/control: Mention addtionally enabled plugins
+ d/rules: Enable features at configure stage
+ d/libbstrongswa
+ d/libstrongswan
...
--- a/debian/
+++ b/debian/
@@ -16,3 +16,7 @@ usr/lib/
usr/share/
etc/strongswan
debian/
+#pool
+usr/lib/ipsec/pool
+usr/share/
+etc/strongswan
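Review bot: the `+#pool` block at the end of this hunk adds usr/lib/ipsec/pool plus its share and config entries to an install file, but the commit message quoted above the hunk lists only d/control, d/rules and the two libstrongswan install files, so the install file this hunk touches should be named in that list as well; this block is also the answer to the earlier question about where the pool feature went.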
Andreas Hasenack (ahasenack) wrote:
In d/changelog:
[ Simon Deziel ]
* Added changes:
- apparmor fixes for contianer and root usage (LP: #1826238)
- d/usr.sbin.swanctl: allow reading own binary
- d/usr.sbin.
- d/usr.sbin.swanctl: add attach_disconnected to work inside containers
- d/usr.lib.
to apparmor to allow dropping caps
Shouldn't the changes below the bug line be indented? Also, typo: "contianer"
Andreas Hasenack (ahasenack) wrote:
In the "mass enablement" commit f0eab84f7 I mentioned earlier, about the missing debian/
- Mass enablement of extra plugins and features to allow a user to use
strongswan for a variety of extra use cases without having to rebuild.
+ d/control: Add required additional build-deps
+ d/control: Mention addtionally enabled plugins
+ d/rules: Enable features at configure stage
+ d/libbstrongswa
+ d/libstrongswan
--> - d/strongswan-
we have attr-sql plugin enabled as well using it.
Andreas Hasenack (ahasenack) wrote:
Many typos in commit message 0abd1089ba3c9df
Andreas Hasenack (ahasenack) wrote:
In 97c74a90966a9a6
+Provides: strongswan-tnc-base
Even though that line is optional, shouldn't it be providing all the other strongswan-tnc-* packages that are now empty?
Andreas Hasenack (ahasenack) wrote:
+# Transition back from strongswan-tnc-* being in extra packages
+# Can be dropped after 20.04
+Package: strongswan-
+Depends: libcharon-
Don't you need to depend on a specific version of libcharon-
Depends: libcharon-
Andreas Hasenack (ahasenack) wrote:
- d/libstrongswan
is listed twice in d/changelog: once under "remaining changes", and once more under "Dropped changes"
Christian Ehrhardt (paelzer) wrote:
Thanks for the review!
Answers:
- Some commit messages change more files than mentioned
As explained on IRC this is due to merging changes.
I fixed those two up.
- Q: "What happened to the pool feature?"
A: This is only needed due to the "mass enablement", therefore it is now part of that (not lost and intentionally there)
You found that later yourself.
But I added mentioning it in the commit message as well as better indent in the changelog to reflect it is now part of it.
- Q: apparmor fixes for contianer
A: Fixed typo and indented the sub-entries
- Q: typos in 97c74a909
A: Yes, since this will be gone I'm not cleaning it up.
- Q: Provides: strongswan-
A: Provides is optional and only needed for packages which have dependencies "to them". In this case this is only strongswan-tnc-base
- Q: transitionals to get a version depends?
A: The example at
https:/
I have checked other packages and they behave ... differently.
Some have "(= ${source:Version})" and that would work and not hurt. I'm adding that.
- Q: "Reorder conf" listed twice
A: Fixed
Thanks for the questions, I'll push an updated branch any minute...
Christian Ehrhardt (paelzer) wrote:
Updated changes pushed.
In addition to the mentioned changes I also squashed the nttfft change into the mass enablement; the former commit already was "MERGE mass enablement commit".
Ready for re-review
Andreas Hasenack (ahasenack) wrote:
I entered a rabbit hole troubleshooting postgresql migration issues, but I think I found the issue now. This means I'll go over your changes here only tomorrow, though.
Andreas Hasenack (ahasenack) wrote:
> Thanks for the review!
> Answers:
> - Some commit messages change more files than mentioned
> As explained on IRC this is due to merging changes.
> I fixed those two up.
Thanks. This saves time during reviews.
> - Q: "What happened to the pool feature?"
> A: This is only needed due to the "mass enablement", therefore it is now
> part of that (not lost and intentionally there)
> You found that later yourself.
> But I added mentioning it in the commit message as well as better indent in
> the changelog to reflect it is now part of it.
Thanks. This saves time, as the reviewer then doesn't have to go hunting down the missing piece(s).
> - Q: apparmor fixes for contianer
> A: Fixed typo and indented the sub-entries
> - Q: typos in 97c74a909
> A: yes since this will be gone I'm not cleaning it up
Agreed
> - Q: Provides: strongswan-
> A: Provides is optional and only needed for packages which have dependencies
> "to them". In this case this is only strongswan-tnc-base
ok
> - Q: transitionals to get a version depends?
> A: The example at
> https:/
> version, but it feels right. You don't need a version there, when you have a
> repo that makes the new transitonal available you also have the new version of
> the replacing package.
> I have checked other packages and they behave ... differently.
> Some have "(= ${source:Version})" and that would work and not hurt. I'm
> adding that.
The #6 example in https:/
A and B existed, all from A goes into B, A becomes transitional
A: strongswan-tnc-*
B: libcharon-
Flags for new A package: Depends: B (>=2)
Flags for new B package:
Breaks: A (<<2)
Replaces: A (<<2)
optional* -- Provides: A
Just making sure we are reading the same thing, up to you :)
I did a quick test with the packages that are in the ppa. They don't have these latest changes yet.
Starting with these installed packages: https:/
Dist upgrade prompted me like this:
The following packages will be REMOVED:
strongswan-
strongswan-
The following packages will be upgraded:
charon-cmd libcharon-
libstrongswan
strongswan-
I found the removal part odd. I was expecting the packages to be upgraded to the transitional ones, which I would later remove via "apt autoremove".
Furthermore, there was this issue during the transaction:
(...)
Fetched 2535 kB in 27s (92.7 kB/s)
(Reading database ... 29859 files and directories currently installed.)
Removing strongswan-
Removing strongswan-tnc-pdp (5.7.1-1ubuntu2) ...
Removing strongswan-
Removing strongswan-
dpkg: strongswan-
Christian Ehrhardt (paelzer) wrote:
FYI: Looks the same with the versioned depends from the transitional packages.
It is actually nice that it cleans up all the transitionals right away.
I see - as you did - that all works fine - yet the message still is here:
dpkg: strongswan-
libcharon-
That dependency is only on "the old" version of libcharon-
The new one breaks, replaces and provides it which should be fine.
The upgrade path is like:
- removal of strongswan-tnc-base (triggers the message as old libcharon-
- It knows it is safe as it knows the new libcharon-
- after upgrade all is fine
I think I know why it is different:
- Most of the time a transitional is only going away
- In that case it will stay around as empty transitional
- later autoremoval can remove it (without that warning)
- but in our case we moved the files, so the new libcharon-
- that Breaks enforces that strongswan-tnc-base is removed before unpack starts
I think there is not much we can do, I'd leave it as is if you are ok.
I'm open to suggestions, though, if there are any on how this could work even better.
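The transitional-package rules Andreas lays out above (A Depends on B, B Breaks/Replaces A with `(<< v)`, Provides optional) and the upgrade behaviour Christian describes, as an added example that is not part of this merge proposal or the strongswan packaging: a small Python lint that parses a constructed debian/control and checks those relationships, including why the Breaks bound must be versioned. Package names are taken from the thread; the version string is a placeholder.

```python
"""Lint the transitional-package pattern from the review above.

Added example, not from the merge proposal or the strongswan packaging. The
transitional A (strongswan-tnc-base) must Depend on the absorbing B
(libcharon-extra-plugins) with a lower bound; B must carry versioned
Breaks/Replaces on the old A; Provides is optional. Versions are placeholders.
"""
import re

# Constructed sample input; the version bound is a placeholder.
SAMPLE_CONTROL = """\
Package: libcharon-extra-plugins
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Breaks: strongswan-tnc-base (<< 5.7.2-1ubuntu1~)
Replaces: strongswan-tnc-base (<< 5.7.2-1ubuntu1~)
Provides: strongswan-tnc-base
Description: strongSwan charon library (extra plugins)

Package: strongswan-tnc-base
Architecture: all
Section: oldlibs
Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
Description: transitional package
 Can be dropped after 20.04.
"""

# One alternative of a relationship field: "pkg" or "pkg (op version)".
_REL = re.compile(r"^([a-z0-9][a-z0-9+.\-]*)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)]+?)\s*\))?$")


def parse_control(text):
    """Split a control file into stanzas, keyed by Package name."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line terminates a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:   # continuation of the previous field
            cur[last] += "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return {s["Package"]: s for s in stanzas if "Package" in s}


def parse_relations(value):
    """Return [(package, op, version)]; substvars skipped, op/version None if unversioned."""
    rels = []
    for alt in re.split(r"[,|]", value):
        alt = alt.strip()
        if not alt or alt.startswith("${"):
            continue
        m = _REL.match(alt)
        if not m:
            raise ValueError(f"cannot parse relation {alt!r}")
        rels.append(m.groups())
    return rels


def check_transition(control, old_pkg, new_pkg):
    """Return a list of findings; empty means the pattern holds."""
    findings = []
    old, new = control.get(old_pkg), control.get(new_pkg)
    if old is None or new is None:
        return [f"missing stanza for {old_pkg if old is None else new_pkg}"]
    # The transitional A must pull in a B that already carries A's files, so
    # its dependency needs a lower bound (>= or the exact = ${source:Version}).
    deps = [r for r in parse_relations(old.get("Depends", "")) if r[0] == new_pkg]
    if not deps:
        findings.append(f"{old_pkg} must Depend on {new_pkg}")
    elif deps[0][1] not in ("=", ">=", ">>"):
        findings.append(f"{old_pkg}: Depends on {new_pkg} needs a lower bound")
    # B must Break/Replace only the *old* A: an unversioned Breaks would also hit
    # the new transitional A and make A and B uninstallable together. The (<< v)
    # bound is what makes dpkg remove old A before unpacking B (the "Removing
    # strongswan-tnc-*" lines in the upgrade log above).
    bounds = {}
    for field in ("Breaks", "Replaces"):
        rels = [r for r in parse_relations(new.get(field, "")) if r[0] == old_pkg]
        if not rels:
            findings.append(f"{new_pkg} lacks {field}: {old_pkg}")
        elif rels[0][1] != "<<":
            findings.append(f"{new_pkg}: {field}: {old_pkg} must be versioned (<< v)")
        else:
            bounds[field] = rels[0][2]
    if len(bounds) == 2 and bounds["Breaks"] != bounds["Replaces"]:
        findings.append(f"{new_pkg}: Breaks and Replaces bounds on {old_pkg} differ")
    # Provides: A is optional; it only matters when something else depends on A.
    return findings


if __name__ == "__main__":
    ctl = parse_control(SAMPLE_CONTROL)
    print(check_transition(ctl, "strongswan-tnc-base", "libcharon-extra-plugins"))
```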
Andreas Hasenack (ahasenack) wrote:
+1, thanks for checking.
Christian Ehrhardt (paelzer) wrote:
Thanks, tagged and uploaded
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 996d1ff..c849065 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,84 @@ |
6 | +strongswan (5.7.2-1ubuntu1) eoan; urgency=medium |
7 | + |
8 | + [ Christian Ehrhardt ] |
9 | + * Merge with Debian unstable. Remaining changes: |
10 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
11 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
12 | + opportunistic encryption disabling - this was never in strongSwan and |
13 | + won't be see upstream issue #2160. |
14 | + - d/rules: Removed patching ipsec.conf on build (not using the |
15 | + debconf-managed config.) |
16 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
17 | + used for debconf-managed include of private key). |
18 | + - Mass enablement of extra plugins and features to allow a user to use |
19 | + strongswan for a variety of extra use cases without having to rebuild. |
20 | + + d/control: Add required additional build-deps |
21 | + + d/control: Mention addtionally enabled plugins |
22 | + + d/rules: Enable features at configure stage |
23 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
24 | + + d/libstrongswan.install: Add plugins (so, conf) |
25 | + + d/strongswan-starter.install: Install pool feature, which is useful |
26 | + since we now have attr-sql plugin enabled it. |
27 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
28 | + via this userspace implementation (please do note that this is still |
29 | + considered experimental by upstream). |
30 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
31 | + + d/control: List kernel-libipsec plugin at extra plugins description |
32 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
33 | + upstream recommends to not load kernel-libipsec by default. |
34 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
35 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
36 | + it is no more packaging medcli and medsrv, but still builds and |
37 | + mentions it. |
38 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
39 | + + d/control: Remove medcli, medsrv from package description |
40 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
41 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
42 | + libstrongswan-extra-plugins (no deps from default plugins). |
43 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
44 | + plugins for the most common use cases from extra-plugins into a new |
45 | + standard-plugins package. This will allow those use cases without pulling |
46 | + in too much more plugins (a bit like the tnc package). Recommend that |
47 | + package from strongswan-libcharon. |
48 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
49 | + attr-sql plugins (LP #1766240) |
50 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
51 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) |
52 | + - executables need to be able to read map and execute themselves otherwise |
53 | + execution in some environments e.g. containers is blocked (LP: 1780534) |
54 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
55 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
56 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
57 | + profiles of both ways to start charon (LP: 1807664) |
58 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) |
59 | + * Dropped changes |
60 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
61 | + fix SIGSEGV when using mysql plugin (LP: 1795813) |
62 | + [upstream in 5.7.2] |
63 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
64 | + [was a non functional change, dropped to avoid merge noise] |
65 | + - Relocate tnc plugin |
66 | + [TNC is back at libcharon-extra-plugins as it is in Debian] |
67 | + * Added changes: |
68 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
69 | + Debian so this part was be dropped. Two changes remain |
70 | + - d/control: fix the mentioning of tpmtss in d/control |
71 | + - add nttfft (can be merged with the mass enablement change later) |
72 | + - Transitional packages to go back from strongswan-tnc-* being in extra |
73 | + packages to be part of libcharon-extra-plugins. |
74 | + [can be dropped after 20.04] |
75 | + |
76 | + [ Simon Deziel ] |
77 | + * Added changes: |
78 | + - apparmor fixes for container and root usage (LP: #1826238) |
79 | + + d/usr.sbin.swanctl: allow reading own binary |
80 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
81 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
82 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
83 | + to apparmor to allow dropping caps |
84 | + |
85 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200 |
86 | + |
87 | strongswan (5.7.2-1) unstable; urgency=medium |
88 | |
89 | * d/control: remove Rene from Uploaders, thanks! |
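Review bot: line 23 of the new 5.7.2-1ubuntu1 entry refers to `d/libbstrongswan-extra-plugins.install` (double "b"), while the file in this merge is debian/libstrongswan-extra-plugins.install; this top entry is newly written, so fix the path, and with it `addtionally` (line 21), the broken sentence at lines 25-26 ("which is useful since we now have attr-sql plugin enabled it") and "this part was be dropped" (line 69). The bug references in this entry are written three ways ("LP #1766240" at line 49, "LP: 1773956" at line 51, "LP: #1826238" at line 78); `LP: #NNNNNN` is the form Launchpad's changelog parsing recognises, so use it consistently.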
90 | @@ -16,6 +97,86 @@ strongswan (5.7.2-1) unstable; urgency=medium |
91 | |
92 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 |
93 | |
94 | +strongswan (5.7.1-1ubuntu2) disco; urgency=medium |
95 | + |
96 | + * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective |
97 | + path (LP: #1773956) |
98 | + * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
99 | + profiles of both ways to start charon (LP: #1807664) |
100 | + * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962) |
101 | + |
102 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100 |
103 | + |
104 | +strongswan (5.7.1-1ubuntu1) disco; urgency=medium |
105 | + |
106 | + * Merge with Debian unstable (LP: #1806401). Remaining changes: |
107 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
108 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
109 | + opportunistic encryption disabling - this was never in strongSwan and |
110 | + won't be see upstream issue #2160. |
111 | + - d/rules: Removed patching ipsec.conf on build (not using the |
112 | + debconf-managed config.) |
113 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
114 | + used for debconf-managed include of private key). |
115 | + - Mass enablement of extra plugins and features to allow a user to use |
116 | + strongswan for a variety of extra use cases without having to rebuild. |
117 | + + d/control: Add required additional build-deps |
118 | + + d/control: Mention addtionally enabled plugins |
119 | + + d/rules: Enable features at configure stage |
120 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
121 | + + d/libstrongswan.install: Add plugins (so, conf) |
122 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
123 | + we have attr-sql plugin enabled as well using it. |
124 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
125 | + via this userspace implementation (please do note that this is still |
126 | + considered experimental by upstream). |
127 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
128 | + + d/control: List kernel-libipsec plugin at extra plugins description |
129 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
130 | + upstream recommends to not load kernel-libipsec by default. |
131 | + - Relocate tnc plugin |
132 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
133 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
134 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
135 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
136 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
137 | + it is no more packaging medcli and medsrv, but still builds and |
138 | + mentions it. |
139 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
140 | + + d/control: Remove medcli, medsrv from package description |
141 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
142 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
143 | + libstrongswan-extra-plugins (no deps from default plugins). |
144 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
145 | + plugins for the most common use cases from extra-plugins into a new |
146 | + standard-plugins package. This will allow those use cases without pulling |
147 | + in too much more plugins (a bit like the tnc package). Recommend that |
148 | + package from strongswan-libcharon. |
149 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
150 | + attr-sql plugins (LP #1766240) |
151 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
152 | + * Added Changes: |
153 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
154 | + fix SIGSEGV when using mysql plugin (LP: #1795813) |
155 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) |
156 | + - executables need to be able to read map and execute themselves otherwise |
157 | + execution in some environments e.g. containers is blocked (LP: #1780534) |
158 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
159 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
160 | + - adapt "mass enablement of extra plugins" to match 5.7.x changes |
161 | + + d/rules: use new options for swima instead of swid |
162 | + + d/strongswan-tnc-server.install: add new sec updater tool |
163 | + + d/strongswan-tnc-client.install: add new sw-collector tool |
164 | + * Dropped (in Debian now): |
165 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
166 | + (CVE-2018-17540) |
167 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
168 | + (CVE-2018-16151 CVE-2018-16152) |
169 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
170 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
171 | + |
172 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100 |
173 | + |
174 | strongswan (5.7.1-1) unstable; urgency=medium |
175 | |
176 | [ Ondřej Nový ] |
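Review bot: the two disco entries re-inserted here (5.7.1-1ubuntu2 and 5.7.1-1ubuntu1, lines 94-173) are records of uploads that already shipped, so their `addtionally` (line 118) and `libbstrongswan` (line 120) typos should stay as they are rather than being retrofitted. Their position between 5.7.2-1 and 5.7.1-1 matches dpkg version ordering (5.7.2-1 > 5.7.1-1ubuntu2 > 5.7.1-1ubuntu1 > 5.7.1-1), and the "Dropped (in Debian now)" block at lines 164-170 is what accounts for the CVE-2018-17540 and CVE-2018-16151/16152 security entries that reappear in the restored 5.6.3 history.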
177 | @@ -46,6 +207,96 @@ strongswan (5.7.0-1) unstable; urgency=medium |
178 | |
179 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 |
180 | |
181 | +strongswan (5.6.3-1ubuntu5) disco; urgency=medium |
182 | + |
183 | + * No-change rebuild against libunbound8 |
184 | + |
185 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000 |
186 | + |
187 | +strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium |
188 | + |
189 | + * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250) |
190 | + Thanks to Matt Callaghan. |
191 | + |
192 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300 |
193 | + |
194 | +strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium |
195 | + |
196 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
197 | + - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix |
198 | + buffer overflow with very small RSA keys in |
199 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c. |
200 | + - CVE-2018-17540 |
201 | + |
202 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400 |
203 | + |
204 | +strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium |
205 | + |
206 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
207 | + - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't |
208 | + parse PKCS1 v1.5 RSA signatures to verify them in |
209 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c, |
210 | + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. |
211 | + - CVE-2018-16151 |
212 | + - CVE-2018-16152 |
213 | + |
214 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400 |
215 | + |
216 | +strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium |
217 | + |
218 | + * Merge with Debian unstable. Remaining changes: |
219 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
220 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
221 | + opportunistic encryption disabling - this was never in strongSwan and |
222 | + won't be see upstream issue #2160. |
223 | + - d/rules: Removed patching ipsec.conf on build (not using the |
224 | + debconf-managed config.) |
225 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
226 | + used for debconf-managed include of private key). |
227 | + - Mass enablement of extra plugins and features to allow a user to use |
228 | + strongswan for a variety of extra use cases without having to rebuild. |
229 | + + d/control: Add required additional build-deps |
230 | + + d/control: Mention addtionally enabled plugins |
231 | + + d/rules: Enable features at configure stage |
232 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
233 | + + d/libstrongswan.install: Add plugins (so, conf) |
234 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
235 | + we have attr-sql plugin enabled as well using it. |
236 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
237 | + via this userspace implementation (please do note that this is still |
238 | + considered experimental by upstream). |
239 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
240 | + + d/control: List kernel-libipsec plugin at extra plugins description |
241 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
242 | + upstream recommends to not load kernel-libipsec by default. |
243 | + - Relocate tnc plugin |
244 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
245 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
246 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
247 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
248 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
249 | + it is no more packaging medcli and medsrv, but still builds and |
250 | + mentions it. |
251 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
252 | + + d/control: Remove medcli, medsrv from package description |
253 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
254 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
255 | + libstrongswan-extra-plugins (no deps from default plugins). |
256 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
257 | + plugins for the most common use cases from extra-plugins into a new |
258 | + standard-plugins package. This will allow those use cases without pulling |
259 | + in too much more plugins (a bit like the tnc package). Recommend that |
260 | + package from strongswan-libcharon. |
261 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
262 | + attr-sql plugins (LP #1766240) |
263 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
264 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
265 | + * Dropped: |
266 | + - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
267 | + [Fixed in 5.6.3-1] |
268 | + |
269 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 |
270 | + |
271 | strongswan (5.6.3-1) unstable; urgency=medium |
272 | |
273 | * New upstream version 5.6.2 |
274 | @@ -61,6 +312,78 @@ strongswan (5.6.3-1) unstable; urgency=medium |
275 | |
276 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
277 | |
278 | +strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium |
279 | + |
280 | + * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 |
281 | + |
282 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 |
283 | + |
284 | +strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium |
285 | + |
286 | + * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. |
287 | + Remaining changes: |
288 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
289 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
290 | + opportunistic encryption disabling - this was never in strongSwan and |
291 | + won't be see upstream issue #2160. |
292 | + + d/rules: Removed patching ipsec.conf on build (not using the |
293 | + debconf-managed config.) |
294 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
295 | + used for debconf-managed include of private key). |
296 | + + Mass enablement of extra plugins and features to allow a user to use |
297 | + strongswan for a variety of extra use cases without having to rebuild. |
298 | + - d/control: Add required additional build-deps |
299 | + - d/control: Mention addtionally enabled plugins |
300 | + - d/rules: Enable features at configure stage |
301 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
302 | + - d/libstrongswan.install: Add plugins (so, conf) |
303 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
304 | + we have attr-sql plugin enabled as well using it. |
305 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
306 | + via this userspace implementation (please do note that this is still |
307 | + considered experimental by upstream). |
308 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
309 | + - d/control: List kernel-libipsec plugin at extra plugins description |
310 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
311 | + upstream recommends to not load kernel-libipsec by default. |
312 | + + Relocate tnc plugin |
313 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
314 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
315 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
316 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
317 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
318 | + it is no more packaging medcli and medsrv, but still builds and |
319 | + mentions it. |
320 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
321 | + - d/control: Remove medcli, medsrv from package description |
322 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
323 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
324 | + libstrongswan-extra-plugins (no deps from default plugins). |
325 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
326 | + plugins for the most common use cases from extra-plugins into a new |
327 | + standard-plugins package. This will allow those use cases without pulling |
328 | + in too much more plugins (a bit like the tnc package). Recommend that |
329 | + package from strongswan-libcharon. |
330 | + * Dropped Changes (no more needed after 18.04) |
331 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
332 | + missed that, droppable after 18.04) |
333 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
334 | + libstrongswan as we dropped relocating ccm and test-vectors. |
335 | + (droppable >18.04). |
336 | + + d/control: add breaks/replace from libstrongswan to |
337 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
338 | + (droppable >18.04). |
339 | + + d/control: bump breaks/replaces for the move of the updown plugin |
340 | + (Missed Changelog entry on last merge) |
341 | + + d/control: fix dependencies of strongswan-libcharon due to the move |
342 | + the updown plugin (droppable >18.04). |
343 | + * Added Changes: |
344 | + + d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
345 | + attr-sql plugins (LP: #1766240) |
346 | + + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
347 | + |
348 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 |
349 | + |
350 | strongswan (5.6.2-2) unstable; urgency=medium |
351 | |
352 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
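Review bot: the "Added Changes" items closing this entry (d/usr.sbin.charon-systemd allowing mysql access for the sql and attr-sql plugins, LP: #1766240, and allowing systemd notifications, LP: #1765652) loosen the AppArmor confinement of charon-systemd, so the profile rules carried by this merge should be scoped to what those two bugs actually need (the mysql socket or port and the notify socket) rather than a blanket network grant; the changelog wording itself is fine. The "Dropped Changes (no more needed after 18.04)" list retires exactly the breaks/replaces and rm_conffile items that the older entries below mark "droppable >18.04", so the history is self-consistent.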
353 | @@ -71,6 +394,74 @@ strongswan (5.6.2-2) unstable; urgency=medium |
354 | |
355 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
356 | |
357 | +strongswan (5.6.2-1ubuntu2) bionic; urgency=medium |
358 | + |
359 | + * d/control: fix dependencies of strongswan-libcharon due to the move |
360 | + the updown plugin. |
361 | + |
362 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 |
363 | + |
364 | +strongswan (5.6.2-1ubuntu1) bionic; urgency=medium |
365 | + |
366 | + * Merge with Debian unstable (LP: #1753018). Remaining changes: |
367 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
368 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
369 | + opportunistic encryption disabling - this was never in strongSwan and |
370 | + won't be see upstream issue #2160. |
371 | + + Ubuntu is not using the debconf triggered private key generation |
372 | + - d/rules: Removed patching ipsec.conf on build (not using the |
373 | + debconf-managed config.) |
374 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
375 | + used for debconf-managed include of private key). |
376 | + + Mass enablement of extra plugins and features to allow a user to use |
377 | + strongswan for a variety of extra use cases without having to rebuild. |
378 | + - d/control: Add required additional build-deps |
379 | + - d/control: Mention addtionally enabled plugins |
380 | + - d/rules: Enable features at configure stage |
381 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
382 | + - d/libstrongswan.install: Add plugins (so, conf) |
383 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
384 | + we have attr-sql plugin enabled as well using it. |
385 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
386 | + via this userspace implementation (please do note that this is still |
387 | + considered experimental by upstream). |
388 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
389 | + - d/control: List kernel-libipsec plugin at extra plugins description |
390 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
391 | + upstream recommends to not load kernel-libipsec by default. |
392 | + + Relocate tnc plugin |
393 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
394 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
395 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
396 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
397 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
398 | + it is no more packaging medcli and medsrv, but still builds and |
399 | + mentions it. |
400 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
401 | + - d/control: Remove medcli, medsrv from package description |
402 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
403 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
404 | + libstrongswan-extra-plugins (no deps from default plugins). |
405 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
406 | + missed that, droppable after 18.04) |
407 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
408 | + plugins for the most common use cases from extra-plugins into a new |
409 | + standard-plugins package. This will allow those use cases without pulling |
410 | + in too much more plugins (a bit like the tnc package). Recommend that |
411 | + package from strongswan-libcharon. |
412 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
413 | + libstrongswan as we dropped relocating ccm and test-vectors. |
414 | + (droppable >18.04). |
415 | + + d/control: add breaks/replace from libstrongswan to |
416 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
417 | + (droppable >18.04). |
418 | + * Added Changes: |
419 | + + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- |
420 | + starter as we followed Debian to move the updown plugin but need to |
421 | + match Ubuntu versions (Droppable >18.04). |
422 | + |
423 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 |
424 | + |
425 | strongswan (5.6.2-1) unstable; urgency=medium |
426 | |
427 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
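Review bot: the updown-plugin breaks/replaces and dependency fixes recorded in 5.6.2-1ubuntu1 and 5.6.2-1ubuntu2 here are both flagged "Droppable >18.04" / "droppable >18.04", and the later entry above lists them under "Dropped Changes", so nothing needs changing. Since these are republished changelog entries they should stay byte-identical to what shipped, including "due to the move the updown plugin" (missing "of") and the spellings "addtionally", "libbstrongswan" and "precies"; correcting them in a reinstated entry would only make the file diverge from the archive copy.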
428 | @@ -93,6 +484,129 @@ strongswan (5.6.1-3) unstable; urgency=medium |
429 | |
430 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
431 | |
432 | +strongswan (5.6.1-2ubuntu4) bionic; urgency=medium |
433 | + |
434 | + * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature |
435 | + - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm |
436 | + identifier without parameters in |
437 | + src/libstrongswan/credentials/keys/signature_params.c. |
438 | + - CVE-2018-6459 |
439 | + |
440 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 |
441 | + |
442 | +strongswan (5.6.1-2ubuntu3) bionic; urgency=medium |
443 | + |
444 | + * No-change rebuild against libcurl4 |
445 | + |
446 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 |
447 | + |
448 | +strongswan (5.6.1-2ubuntu2) bionic; urgency=high |
449 | + |
450 | + * No change rebuild against openssl1.1. |
451 | + |
452 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 |
453 | + |
454 | +strongswan (5.6.1-2ubuntu1) bionic; urgency=medium |
455 | + |
456 | + * Merge with Debian unstable (LP: #1717343). |
457 | + Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: |
458 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
459 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
460 | + opportunistic encryption disabling - this was never in strongSwan and |
461 | + won't be see upstream issue #2160. |
462 | + + Ubuntu is not using the debconf triggered private key generation |
463 | + - d/rules: Removed patching ipsec.conf on build (not using the |
464 | + debconf-managed config.) |
465 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
466 | + used for debconf-managed include of private key). |
467 | + + Mass enablement of extra plugins and features to allow a user to use |
468 | + strongswan for a variety of extra use cases without having to rebuild. |
469 | + - d/control: Add required additional build-deps |
470 | + - d/control: Mention addtionally enabled plugins |
471 | + - d/rules: Enable features at configure stage |
472 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
473 | + - d/libstrongswan.install: Add plugins (so, conf) |
474 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
475 | + we have attr-sql plugin enabled as well using it. |
476 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
477 | + via this userspace implementation (please do note that this is still |
478 | + considered experimental by upstream). |
479 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
480 | + - d/control: List kernel-libipsec plugin at extra plugins description |
481 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
482 | + upstream recommends to not load kernel-libipsec by default. |
483 | + + Relocate tnc plugin |
484 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
485 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
486 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
487 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
488 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
489 | + it is no more packaging medcli and medsrv, but still builds and |
490 | + mentions it. |
491 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
492 | + - d/control: Remove medcli, medsrv from package description |
493 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
494 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
495 | + libstrongswan-extra-plugins (no deps from default plugins). |
496 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
497 | + missed that, droppable after 18.04) |
498 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
499 | + plugins for the most common use cases from extra-plugins into a new |
500 | + standard-plugins package. This will allow those use cases without pulling |
501 | + in too much more plugins (a bit like the tnc package). Recommend that |
502 | + package from strongswan-libcharon. |
503 | + * Added changes: |
504 | + + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed |
505 | + in 5.6 |
506 | + + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed |
507 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
508 | + libstrongswan as we dropped relocating ccm and test-vectors. |
509 | + (droppable >18.04). |
510 | + - d/control: add breaks/replace from libstrongswan to |
511 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
512 | + (droppable >18.04). |
513 | + * Dropped changes: |
514 | + + Update init/service handling (debian default matches Ubuntu past now) |
515 | + Dropping this fixes (LP: #1734886) |
516 | + - d/rules: Change init/systemd program name to strongswan |
517 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
518 | + patching upstream |
519 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
520 | + linking to upstream |
521 | + + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call |
522 | + (this is a never failing no-op for us, no need for Delta). |
523 | + + d/strongswan-starter.prerm: Stop strongswan service on package removal |
524 | + (ipsec now maps to strongswan service, so this works as-is). |
525 | + + Clean up d/strongswan-starter.postinst: rename service ipsec to |
526 | + strongswan (ipsec now maps to strongswan service, so this works as-is) |
527 | + + Clean up d/strongswan-starter.postinst: daemon enable/disable (the |
528 | + whole section is disabled, so no need for delta) |
529 | + + (is upstream) CVE-2017-11185 patches |
530 | + + (is upstream) FTBFS upstream fix for changed include files |
531 | + + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under |
532 | + QEMU/KVM autopkgtest the bliss test takes longer than the default |
533 | + + (in Debian) add now built (since 5.5.1) mgf1 plugin to |
534 | + libstrongswan-extra-plugins. |
535 | + + (in Debian) d/strongswan-starter.install: install stroke apparmor profile |
536 | + + (this was enabled as part of the former delta, squash changes to no-up) |
537 | + d/rules: Disable duplicheck. |
538 | + + (not needed) Relocate plugins test-vectors from extra-plugins to |
539 | + libstrongswan |
540 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
541 | + - d/libstrongswan.install: Add plugins/confiles |
542 | + - d/control: move package descriptions and add required breaks/replaces |
543 | + + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan |
544 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
545 | + - d/libstrongswan.install: Add plugins/confiles |
546 | + - d/control: move package descriptions and add required breaks/replaces |
547 | + + (while using it requires special kernel, it does not hurt to be |
548 | + available in the package) Remove ha plugin |
549 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
550 | + - d/rules: Do not enable ha plugin |
551 | + - d/control: Drop listing the ha plugin in the package description |
552 | + |
553 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 |
554 | + |
555 | strongswan (5.6.1-2) unstable; urgency=medium |
556 | |
557 | * move counters plugin from -starter to -libcharon. closes: #882431 |
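Review bot: this hunk reinstates two security-update entries, 5.6.1-2ubuntu4 with debian/patches/CVE-2018-6459.patch and 5.6.1-2ubuntu1 which already records the CVE-2017-11185 patches as "(is upstream)", so the merge should confirm that debian/patches/series for the new upstream carries no leftover CVE-*.patch that upstream now includes, and that none is still required. Minor, and to be left as-is because it is published history: under "Added changes" the sub-item "add breaks/replace from libstrongswan to libstrongswan-extra-plugins" is indented with "-" while its siblings use "+", and "Also fixes and issue" should read "an issue".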
558 | @@ -179,6 +693,213 @@ strongswan (5.5.2-1) experimental; urgency=medium |
559 | |
560 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
561 | |
562 | +strongswan (5.5.1-4ubuntu3) bionic; urgency=medium |
563 | + |
564 | + * Fix Artful FTBFS due to newer glibc (LP: #1724859) |
565 | + - d/p/utils-Include-stdint.h.patch: upstream fix for changed include |
566 | + files. |
567 | + |
568 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 |
569 | + |
570 | +strongswan (5.5.1-4ubuntu2) artful; urgency=medium |
571 | + |
572 | + * SECURITY UPDATE: Fix RSA signature verification |
573 | + - debian/patches/CVE-2017-11185.patch: does some |
574 | + verifications in order to avoid null-point dereference |
575 | + in src/libstrongswan/gmp/gmp_rsa_public_key.c |
576 | + - CVE-2017-11185 |
577 | + |
578 | + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 |
579 | + |
580 | +strongswan (5.5.1-4ubuntu1) artful; urgency=medium |
581 | + |
582 | + * Merge from Debian to pick up latest security changes (CVE-2017-9022, |
583 | + CVE-2017-9023). |
584 | + * Remaining Changes: |
585 | + + Update init/service handling |
586 | + - d/rules: Change init/systemd program name to strongswan |
587 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
588 | + patching upstream |
589 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
590 | + linking to upstream |
591 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
592 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
593 | + removal (as opposed to using the old init.d script). |
594 | + + Clean up d/strongswan-starter.postinst: |
595 | + - Removed section about runlevel changes |
596 | + - Adapted service restart section for Upstart (kept to be Trusty |
597 | + backportable). |
598 | + - Remove old symlinks to init.d files is necessary. |
599 | + - Removed further out-dated code |
600 | + - Removed entire section on opportunistic encryption - this was never in |
601 | + strongSwan. |
602 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
603 | + + Mass enablement of extra plugins and features to allow a user to use |
604 | + strongswan for a variety of use cases without having to rebuild. |
605 | + - d/control: Add required additional build-deps |
606 | + - d/rules: Enable features at configure stage |
607 | + - d/control: Mention addtionally enabled plugins |
608 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
609 | + - d/libstrongswan.install: Add plugins (so, conf) |
610 | + + d/rules: Disable duplicheck as per |
611 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
612 | + + Remove ha plugin (requires special kernel) |
613 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
614 | + - d/rules: Do not enable ha plugin |
615 | + - d/control: Drop listing the ha plugin in the package description |
616 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
617 | + via this userspace implementation (please do note that this is still |
618 | + considered experimental by upstream). |
619 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
620 | + - d/control: List kernel-libipsec plugin at extra plugins description |
621 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
622 | + upstream recommends to not load kernel-libipsec by default. |
623 | + + Relocate tnc plugin |
624 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
625 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
626 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
627 | + having attr-sql plugin that is enabled now. |
628 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
629 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
630 | + - d/libstrongswan.install: Add plugins/confiles |
631 | + - d/control: move package descriptions and add required breaks/replaces |
632 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
633 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
634 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
635 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
636 | + autopkgtest the bliss test takes longer than the default (Upstream in |
637 | + 5.5.2 via issue 2204) |
638 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
639 | + it is no more packaging medcli and medsrv, but still builds and |
640 | + mentions it. |
641 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
642 | + - d/control: Remove medcli, medsrv from package description |
643 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
644 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
645 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
646 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
647 | + libstrongswan-extra-plugins. |
648 | + + Add missing mention of md4 plugin in d/control |
649 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
650 | + missed that) |
651 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
652 | + plugins for the most common use cases from extra-plugins into a new |
653 | + standard-plugins package. This will allow those use cases without pulling |
654 | + in too much more plugins (a bit like the tnc package). Recommend that |
655 | + package from strongswan-libcharon. |
656 | + |
657 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 |
658 | + |
659 | +strongswan (5.5.1-3ubuntu1) artful; urgency=medium |
660 | + |
661 | + * Merge from Debian to pick up latest changes. Among others this includes: |
662 | + - a lot of the Delta we upstreamed to Debian (more discussions are ongoing |
663 | + but likely have to wait until Debian stretch was released) |
664 | + - enabling mediation support (LP: #1657413) |
665 | + * Remaining Changes: |
666 | + + Update init/service handling |
667 | + - d/rules: Change init/systemd program name to strongswan |
668 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
669 | + patching upstream |
670 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
671 | + linking to upstream |
672 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
673 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
674 | + removal (as opposed to using the old init.d script). |
675 | + + Clean up d/strongswan-starter.postinst: |
676 | + - Removed section about runlevel changes |
677 | + - Adapted service restart section for Upstart (kept to be Trusty |
678 | + backportable). |
679 | + - Remove old symlinks to init.d files is necessary. |
680 | + - Removed further out-dated code |
681 | + - Removed entire section on opportunistic encryption - this was never in |
682 | + strongSwan. |
683 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
684 | + + Mass enablement of extra plugins and features to allow a user to use |
685 | + strongswan for a variety of use cases without having to rebuild. |
686 | + - d/control: Add required additional build-deps |
687 | + - d/rules: Enable features at configure stage |
688 | + - d/control: Mention addtionally enabled plugins |
689 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
690 | + - d/libstrongswan.install: Add plugins (so, conf) |
691 | + + d/rules: Disable duplicheck as per |
692 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
693 | + + Remove ha plugin (requires special kernel) |
694 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
695 | + - d/rules: Do not enable ha plugin |
696 | + - d/control: Drop listing the ha plugin in the package description |
697 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
698 | + via this userspace implementation (please do note that this is still |
699 | + considered experimental by upstream). |
700 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
701 | + - d/control: List kernel-libipsec plugin at extra plugins description |
702 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
703 | + upstream recommends to not load kernel-libipsec by default. |
704 | + + Relocate tnc plugin |
705 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
706 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
707 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
708 | + having attr-sql plugin that is enabled now. |
709 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
710 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
711 | + - d/libstrongswan.install: Add plugins/confiles |
712 | + - d/control: move package descriptions and add required breaks/replaces |
713 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
714 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
715 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
716 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
717 | + autopkgtest the bliss test takes longer than the default (Upstream in |
718 | + 5.5.2 via issue 2204) |
719 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
720 | + it is no more packaging medcli and medsrv, but still builds and |
721 | + mentions it. |
722 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
723 | + - d/control: Remove medcli, medsrv from package description |
724 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
725 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
726 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
727 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
728 | + libstrongswan-extra-plugins. |
729 | + + Add missing mention of md4 plugin in d/control |
730 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
731 | + missed that) |
732 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
733 | + plugins for the most common use cases from extra-plugins into a new |
734 | + standard-plugins package. This will allow those use cases without pulling |
735 | + in too much more plugins (a bit like the tnc package). Recommend that |
736 | + package from strongswan-libcharon. |
737 | + * Dropped Changes: |
738 | + + Add and install apparmor profiles (in Debian) |
739 | + - d/rules: Install AppArmor profiles |
740 | + - d/control: Add dh-apparmor build-dep |
741 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
742 | + for charon, lookip and stroke |
743 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
744 | + - d/strongswan-charon.install: Install profile for charon |
745 | + - d/strongswan-starter.install: Install profile for stroke |
746 | + - Fix strongswan ipsec status issue with apparmor |
747 | + - Fix Dep8 tests for the now extra strongswan-pki package for pki |
748 | + - Fix Dep8 tests for the now extra strongswan-scepclient package |
749 | + + d/rules: Sorted and only one enable option per configure line (in |
750 | + Debian) |
751 | + + Add updated logcheck rules (in Debian) |
752 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
753 | + - debian/strongswan.logcheck: Add updated logcheck rules |
754 | + + Add updated DEP8 tests (in Debian) |
755 | + - d/tests/*: Add DEP8 tests |
756 | + - d/control: Enable autotestpkg |
757 | + + d/rules: do not strip for library integrity checking (After Discussion |
758 | + with Debian this isn't acceptable there, but at the same time it turned |
759 | + out the real use-case of this never uses this lib but instead third |
760 | + party checks of checksums for e.g. FIPS cert; so drop the Delta) |
761 | + - Use override_dh_strip to to avoid overwriting user build flags. |
762 | + - Add missing mention of libchecksum integrity test in d/control |
763 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
764 | + in tests to avoid issues in low entropy environments. (Debian has |
765 | + disabled !x86 tests for the same reason, one solution is enough) |
766 | + |
767 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 |
768 | + |
769 | strongswan (5.5.1-3) unstable; urgency=medium |
770 | |
771 | [ Christian Ehrhardt ] |
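Review bot: this hunk re-adds four entries (5.5.1-4ubuntu3 down to 5.5.1-3ubuntu1) as pure additions, and the "Remaining Changes" lists of 5.5.1-4ubuntu1 and 5.5.1-3ubuntu1 are nearly identical, so drift from the published Ubuntu changelog cannot be spotted from the diff alone; please confirm the block was copied from the archive's changelog rather than retyped (the same typos "precies", "addtionally", "libbstrongswan" and "confiles" recurring in every copy suggest it was, which is the desired outcome). The 5.5.1-3ubuntu1 "Dropped Changes" note on why the nostrip/libchecksum delta was abandoned (integrity for e.g. FIPS certification is done by third-party checksum checks, not by the library) is worth keeping visible for anyone tempted to reintroduce that delta.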
772 | @@ -212,6 +933,136 @@ strongswan (5.5.1-2) unstable; urgency=medium |
773 | |
774 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
775 | |
776 | +strongswan (5.5.1-1ubuntu2) zesty; urgency=medium |
777 | + |
778 | + * Update Maintainers which was missed while merging 5.5.1-1. |
779 | + |
780 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 |
781 | + |
782 | +strongswan (5.5.1-1ubuntu1) zesty; urgency=medium |
783 | + |
784 | + * Merge from Debian (complex delta, discussions and broken out changes can be |
785 | + found in the merge proposal linked from the merge bug LP: #1631198) |
786 | + * Remaining Changes: |
787 | + + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity |
788 | + checking. |
789 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
790 | + in tests to avoid issues in low entropy environments. |
791 | + + Update init/service handling |
792 | + - d/rules: Change init/systemd program name to strongswan |
793 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
794 | + patching upstream |
795 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
796 | + linking to upstream |
797 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
798 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
799 | + removal (as opposed to using the old init.d script). |
800 | + + Clean up d/strongswan-starter.postinst: |
801 | + - Removed section about runlevel changes |
802 | + - Adapted service restart section for Upstart (kept to be Trusty |
803 | + backportable). |
804 | + - Remove old symlinks to init.d files is necessary. |
805 | + - Removed further out-dated code |
806 | + - Removed entire section on opportunistic encryption - this was never in |
807 | + strongSwan. |
808 | + + Add and install apparmor profiles |
809 | + - d/rules: Install AppArmor profiles |
810 | + - d/control: Add dh-apparmor build-dep |
811 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
812 | + for charon, lookip and stroke |
813 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
814 | + - d/strongswan-charon.install: Install profile for charon |
815 | + - d/strongswan-starter.install: Install profile for stroke |
816 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
817 | + + d/rules: Sorted and only one enable option per configure line |
818 | + + Mass enablement of extra plugins and features to allow a user to use |
819 | + strongswan for a variety of use cases without having to rebuild. |
820 | + - d/control: Add required additional build-deps |
821 | + - d/rules: Enable features at configure stage |
822 | + - d/control: Mention addtionally enabled plugins |
823 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
824 | + - d/libstrongswan.install: Add plugins (so, conf) |
825 | + + d/rules: Disable duplicheck as per |
826 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
827 | + + Remove ha plugin (requires special kernel) |
828 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
829 | + - d/rules: Do not enable ha plugin |
830 | + - d/control: Drop listing the ha plugin in the package description |
831 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
832 | + via this userspace implementation (please do note that this is still |
833 | + considered experimental by upstream). |
834 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
835 | + - d/control: List kernel-libipsec plugin at extra plugins description |
836 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
837 | + upstream recommends to not load kernel-libipsec by default. |
838 | + + Relocate tnc plugin |
839 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
840 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
841 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
842 | + having attr-sql plugin that is enabled now. |
843 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
844 | + - d/libstrongswan-extra-plugins.install: Remove plugins |
845 | + - d/libstrongswan.install: Add plugins |
846 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
847 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
848 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
849 | + + Add updated logcheck rules |
850 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
851 | + - debian/strongswan.logcheck: Add updated logcheck rules |
852 | + + Add updated DEP8 tests |
853 | + - d/tests/*: Add DEP8 tests |
854 | + - d/control: Enable autotestpkg |
855 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
856 | + autopkgtest the bliss test takes longer than the default |
857 | + + Complete the disabling of libfast |
858 | + - Note: This was partially accepted in Debian, it is no more |
859 | + packaging medcli and medsrv, but still builds and mentions it |
860 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
861 | + - d/control: Remove medcli, medsrv from package description |
862 | + * Dropped Changes: |
863 | + + Adding build-dep to iptables-dev (no change, was only in Changelog) |
864 | + + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) |
865 | + + Adding strongswan-plugin-* virtual packages for dist-upgrade (no |
866 | + upgrade path left needing them) |
867 | + + Most of "disabling libfast" (Debian dropped it from package content) |
868 | + + Transition for ipsec service (no upgrade path left) |
869 | + + Reverted part of the cleanup to d/strongswan-starter.postinst as using |
870 | + service should rather use invoke-rc.d (so it is a partial revert of our |
871 | + delta) |
872 | + + Transition handling (breaks/replaces) from per-plugin packages to the |
873 | + three grouped plugin packages (no upgrade path left) |
874 | + + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" |
875 | + it is effectively a no-op still, so not worth the delta) |
876 | + + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
877 | + (no more needed) |
878 | + + d/rules: Remove configure option --enable-unit-test (unit tests run by |
879 | + default) |
880 | + * Added Changes: |
881 | + + Fix strongswan ipsec status issue with apparmor (LP: #1587886) |
882 | + + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup |
883 | + the relocation of the ccm plugin which missed to move the conffiles. |
884 | + + Complete move of test-vectors (was missing in d/control) |
885 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
886 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
887 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
888 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
889 | + libstrongswan-extra-plugins. |
890 | + + Add missing mention of md4 plugin in d/control |
891 | + + Add missing mention of libchecksum integrity test in d/control |
892 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
893 | + missed that) |
894 | + + Use override_dh_strip to to fix library integrity checking instead of |
895 | + DEB_BUILD_OPTION to avoid overwriting user build flags. |
896 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
897 | + plugins for the most common use cases from extra-plugins into a new |
898 | + standard-plugins package. This will allow those use cases without pulling |
899 | + in too much more plugins (a bit like the tnc package). Recommend that |
900 | + package from strongswan-libcharon (LP: #1640826). |
901 | + + Fix Dep8 tests for the now extra strongswan-pki package for pki |
902 | + + Fix Dep8 tests for the now extra strongswan-scepclient package |
903 | + |
904 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 |
905 | + |
906 | strongswan (5.5.1-1) unstable; urgency=medium |
907 | |
908 | * New upstream bugfix release. |
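Review bot: the 5.5.1-1ubuntu1 entry in this hunk reproduces an Ubuntu upload that was already released, so its text has to stay byte-identical to the archive copy, typos included ("transition from precies had" and "Use override_dh_strip to to fix"); correcting them here would make the merged changelog diverge from what dpkg has on installed systems. The "Added Changes" list is also the only place that documents why the ccm conffiles move and why a libcharon-standard-plugins package exists, so keep it in this form rather than trimming it during the re-import.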
909 | @@ -328,6 +1179,177 @@ strongswan (5.3.5-2) unstable; urgency=medium |
910 | |
911 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
912 | |
913 | +strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium |
914 | + |
915 | + * Build-depend on libjson-c-dev instead of libjson0-dev. |
916 | + * Rebuild against libjson-c3. |
917 | + |
918 | + -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 |
919 | + |
920 | +strongswan (5.3.5-1ubuntu3) xenial; urgency=medium |
921 | + |
922 | + * Rebuild against libmysqlclient20. |
923 | + |
924 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 |
925 | + |
926 | +strongswan (5.3.5-1ubuntu2) xenial; urgency=medium |
927 | + |
928 | + * debian/tests/plugins: rdrand may or may not be loaded, depending on the |
929 | + cpu features. |
930 | + |
931 | + -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 |
932 | + |
933 | +strongswan (5.3.5-1ubuntu1) xenial; urgency=medium |
934 | + |
935 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
936 | + Enable bliss plugin |
937 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
938 | + Enable chapoly plugin |
939 | + * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
940 | + Upstream suggests to not load this plugin by default as it has |
941 | + some limitations. |
942 | + https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec |
943 | + * debian/patches/increase-bliss-test-timeout.patch |
944 | + Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default |
945 | + * Update Apparmor profiles |
946 | + - usr.lib.ipsec.charon |
947 | + - add capability audit_write for xauth-pam (LP: #1470277) |
948 | + - add capability dac_override (needed by agent plugin) |
949 | + - allow priv dropping (LP: #1333655) |
950 | + - allow caching CRLs (LP: #1505222) |
951 | + - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) |
952 | + - usr.lib.ipsec.stroke |
953 | + - allow priv dropping (LP: #1333655) |
954 | + - add local include |
955 | + - usr.lib.ipsec.lookip |
956 | + - add local include |
957 | + * Merge from Debian, which includes fixes for all previous CVEs |
958 | + Fixes (LP: #1330504, #1451091, #1448870, #1470277) |
959 | + Remaining changes: |
960 | + * debian/control |
961 | + - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
962 | + - Update Maintainer for Ubuntu |
963 | + - Add build-deps |
964 | + - dh-apparmor |
965 | + - iptables-dev |
966 | + - libjson0-dev |
967 | + - libldns-dev |
968 | + - libmysqlclient-dev |
969 | + - libpcsclite-dev |
970 | + - libsoup2.4-dev |
971 | + - libtspi-dev |
972 | + - libunbound-dev |
973 | + - Drop build-deps |
974 | + - libfcgi-dev |
975 | + - clearsilver-dev |
976 | + - Create virtual packages for all strongswan-plugin-* for dist-upgrade |
977 | + - Set XS-Testsuite: autopkgtest |
978 | + * debian/rules: |
979 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
980 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
981 | + tests. |
982 | + - Change init/systemd program name to strongswan |
983 | + - Install AppArmor profiles |
984 | + - Removed pieces on 'patching ipsec.conf' on build. |
985 | + - Enablement of features per Ubuntu current config suggested from |
986 | + upstream recommendation |
987 | + - Unpack and sort enabled features to one-per-line |
988 | + - Disable duplicheck as per |
989 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
990 | + - Disable libfast (--disable-fast): |
991 | + Requires dropping medsrv, medcli plugins which depend on libfast |
992 | + - Add configure options |
993 | + --with-tss=trousers |
994 | + - Remove configure options: |
995 | + --enable-ha (requires special kernel) |
996 | + --enable-unit-test (unit tests run by default) |
997 | + - Drop logcheck install |
998 | + * debian/tests/* |
999 | + - Add DEP8 test for strongswan service and plugins |
1000 | + * debian/strongswan-starter.strongswan.service |
1001 | + - Add new systemd file instead of patching upstream |
1002 | + * debian/strongswan-starter.links |
1003 | + - removed, use Ubuntu systemd file instead of linking to upstream |
1004 | + * debian/usr.lib.ipsec.{charon, lookip, stroke} |
1005 | + - added AppArmor profiles for charon, lookip and stroke |
1006 | + * debian/libcharon-extra-plugins.install |
1007 | + - Add plugins |
1008 | + - kernel-libipsec.{so, lib, conf, apparmor} |
1009 | + - Remove plugins |
1010 | + - libstrongswan-ha.so |
1011 | + - Relocate plugins |
1012 | + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) |
1013 | + * debian/libstrongswan-extra-plugins.install |
1014 | + - Add plugins (so, lib, conf) |
1015 | + - acert |
1016 | + - attr-sql |
1017 | + - coupling |
1018 | + - dnscert |
1019 | + - fips-prf |
1020 | + - gmp |
1021 | + - ipseckey |
1022 | + - load-tester |
1023 | + - mysql |
1024 | + - ntru |
1025 | + - radattr |
1026 | + - soup |
1027 | + - sqlite |
1028 | + - sql |
1029 | + - systime-fix |
1030 | + - unbound |
1031 | + - whitelist |
1032 | + - Relocate plugins (so, lib, conf) |
1033 | + - ccm (libstrongswan.install) |
1034 | + - test-vectors (libstrongswan.install) |
1035 | + * debian/libstrongswan.install |
1036 | + - Sort sections |
1037 | + - Add plugins (so, lib, conf) |
1038 | + - libchecksum |
1039 | + - ccm |
1040 | + - eap-identity |
1041 | + - md4 |
1042 | + - test-vectors |
1043 | + * debian/strongswan-charon.install |
1044 | + - Add AppArmor profile for charon |
1045 | + * debian/strongswan-starter.install |
1046 | + - Add tools, manpages, conf |
1047 | + - openac |
1048 | + - pool |
1049 | + - _updown_espmark |
1050 | + - Add AppArmor profile for stroke |
1051 | + * debian/strongswan-tnc-base.install |
1052 | + - Add new subpackage for TNC |
1053 | + - remove non-existent (dropped in 5.2.1) libpts library files |
1054 | + * debian/strongswan-tnc-client.install |
1055 | + - Add new subpackage for TNC |
1056 | + * debian/strongswan-tnc-ifmap.install |
1057 | + - Add new subpackage for TNC |
1058 | + * debian/strongswan-tnc-pdp.install |
1059 | + - Add new subpackage for TNC |
1060 | + * debian/strongswan-tnc-server.install |
1061 | + - Add new subpackage for TNC |
1062 | + * debian/strongswan-starter.postinit: |
1063 | + - Removed section about runlevel changes, it's almost 2014. |
1064 | + - Adapted service restart section for Upstart. |
1065 | + - Remove old symlinks to init.d files is necessary. |
1066 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1067 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1068 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1069 | + removal (as opposed to using the old init.d script). |
1070 | + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck |
1071 | + - logcheck patterns updated to be helpful |
1072 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1073 | + entire section on opportunistic encryption - this was never in strongSwan. |
1074 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1075 | + Drop changes: |
1076 | + * debian/control |
1077 | + - Per-plugin package breakup: Reducing packaging delta from Debian |
1078 | + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian |
1079 | + * debian/watch: Already exists in Debian merge |
1080 | + * debian/upstream/signing-key.asc: Upstream has newer version. |
1081 | + |
1082 | + -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 |
1083 | + |
1084 | strongswan (5.3.5-1) unstable; urgency=medium |
1085 | |
1086 | * New upstream bugfix release. |
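Review bot: the "Remaining changes" list in the 5.3.5-1ubuntu1 entry still names libjson0-dev and iptables-dev as added build-deps, which the 5.3.5-1ubuntu4 entry (libjson-c-dev) and the "Dropped Changes" list of the 5.5.1-1ubuntu1 entry supersede; that is correct for a historical entry, but anyone reading the changelog top-down should not mistake this list for the current Ubuntu delta. The AppArmor grants recorded here (capability dac_override for the agent plugin, rw on /dev/net/tun for kernel-libipsec, priv dropping) are fairly broad; if the usr.lib.ipsec.charon profile is carried forward in this merge, each grant should be re-checked against the plugins that 5.7.2 actually builds. Keep "a bit longer then default" as released.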
1087 | @@ -600,6 +1622,210 @@ strongswan (5.1.2-1) unstable; urgency=medium |
1088 | |
1089 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
1090 | |
1091 | +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium |
1092 | + |
1093 | + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) |
1094 | + |
1095 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 |
1096 | + |
1097 | +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium |
1098 | + |
1099 | + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin |
1100 | + - debian/patches/CVE-2015-8023.patch: only succeed authentication if |
1101 | + MSK was established in |
1102 | + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. |
1103 | + - CVE-2015-8023 |
1104 | + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS |
1105 | + until regression is properly investigated. |
1106 | + |
1107 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 |
1108 | + |
1109 | +strongswan (5.1.2-0ubuntu6) wily; urgency=medium |
1110 | + |
1111 | + * SECURITY UPDATE: user credential disclosure to rogue servers |
1112 | + - debian/patches/CVE-2015-4171.patch: enforce remote authentication |
1113 | + config before proceeding with own authentication in |
1114 | + src/libcharon/sa/ikev2/tasks/ike_auth.c. |
1115 | + - CVE-2015-4171 |
1116 | + * debian/rules: don't FTBFS from unused service file |
1117 | + |
1118 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 |
1119 | + |
1120 | +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium |
1121 | + |
1122 | + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. |
1123 | + |
1124 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 |
1125 | + |
1126 | +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium |
1127 | + |
1128 | + * SECURITY UPDATE: denial of service via DH group 1025 |
1129 | + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of |
1130 | + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, |
1131 | + src/libstrongswan/crypto/diffie_hellman.h. |
1132 | + - CVE-2014-9221 |
1133 | + |
1134 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 |
1135 | + |
1136 | +strongswan (5.1.2-0ubuntu3) utopic; urgency=low |
1137 | + |
1138 | + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix |
1139 | + build. |
1140 | + |
1141 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 |
1142 | + |
1143 | +strongswan (5.1.2-0ubuntu2) trusty; urgency=medium |
1144 | + |
1145 | + * SECURITY UPDATE: remote authentication bypass |
1146 | + - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange |
1147 | + on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. |
1148 | + - CVE-2014-2338 |
1149 | + |
1150 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 |
1151 | + |
1152 | +strongswan (5.1.2-0ubuntu1) trusty; urgency=low |
1153 | + |
1154 | + * New upstream release. |
1155 | + |
1156 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 |
1157 | + |
1158 | +strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low |
1159 | + |
1160 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1161 | + * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. |
1162 | + |
1163 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 |
1164 | + |
1165 | +strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low |
1166 | + |
1167 | + * New upstream release candidate. |
1168 | + |
1169 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 |
1170 | + |
1171 | +strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium |
1172 | + |
1173 | + * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct |
1174 | + packages. |
1175 | + * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. |
1176 | + |
1177 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 |
1178 | + |
1179 | +strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low |
1180 | + |
1181 | + * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. |
1182 | + |
1183 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 |
1184 | + |
1185 | +strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low |
1186 | + |
1187 | + * debian/libstrongswan.install: Moved rdrand plugin configuration to rules |
1188 | + as it's only useful on amd64. |
1189 | + * debian/watch: Added opts=pgpsigurlmangle option. |
1190 | + * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. |
1191 | + |
1192 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 |
1193 | + |
1194 | +strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium |
1195 | + |
1196 | + * New upstream release candidate. |
1197 | + * debian/*.install - include new configuration files for plugins in |
1198 | + appropiate packages. |
1199 | + |
1200 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 |
1201 | + |
1202 | +strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low |
1203 | + |
1204 | + * debian/control: |
1205 | + - Added Breaks/Replaces for all library files which have been moved |
1206 | + about (LP: #1278176). |
1207 | + - Removed build-dependency on check and added one on dh-apparmor. |
1208 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1209 | + entire section on opportunistic encryption - this was never in strongSwan. |
1210 | + * debian/rules: Removed pieces on 'patching ipsec.conf' on build. |
1211 | + |
1212 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 |
1213 | + |
1214 | +strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low |
1215 | + |
1216 | + * debian/control: Fixed references to plugin-fips-prf. |
1217 | + |
1218 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 |
1219 | + |
1220 | +strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low |
1221 | + |
1222 | + * Upstream Git snapshot for build fixes with regards to entropy. |
1223 | + * debian/rules: |
1224 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1225 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1226 | + tests. |
1227 | + |
1228 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 |
1229 | + |
1230 | +strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low |
1231 | + |
1232 | + * New upstream developer release. |
1233 | + * Made changes to packaging per upstream suggestions. |
1234 | + - Dropped medcli and medsrv packages - not recommended by upstream at this |
1235 | + time. |
1236 | + - Dropped ha plugin - needs special kernel. |
1237 | + - Improved all package descriptions in general. |
1238 | + - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. |
1239 | + - Removed debian/*logcheck* files - not relevant to strongSwan. |
1240 | + - Split dhcp and farp packages into sub-packages. |
1241 | + - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. |
1242 | + - Changes to TNC-related packages. |
1243 | + * Created AppArmor profiles for lookip and stroke. |
1244 | + |
1245 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 |
1246 | + |
1247 | +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low |
1248 | + |
1249 | + * libstrongswan.install: Removed lingering unit-tester.so reference. |
1250 | + |
1251 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 |
1252 | + |
1253 | +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low |
1254 | + |
1255 | + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. |
1256 | + Incorporates upstream fixes for: |
1257 | + - Integrity testing. |
1258 | + - Unit test failures on little endian systems. |
1259 | + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed |
1260 | + upstream. |
1261 | + * debian/rules: |
1262 | + - Stop using CK_TIMEOUT_MULTIPLIER. |
1263 | + - Stop enabling the test suite only on non-powerpc arches (it runs |
1264 | + anyway). |
1265 | + |
1266 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 |
1267 | + |
1268 | +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low |
1269 | + |
1270 | + * debian/control: Reinstate missing comma in dependencies. |
1271 | + |
1272 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 |
1273 | + |
1274 | +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low |
1275 | + |
1276 | + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue |
1277 | + where test for >2038 tests on 32-bit platforms is broken. |
1278 | + - Reported upstream: https://wiki.strongswan.org/issues/477 |
1279 | + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. |
1280 | + |
1281 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 |
1282 | + |
1283 | +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low |
1284 | + |
1285 | + * New upstream developer release. |
1286 | + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, |
1287 | + and --enable-unity. |
1288 | + * debian/control: |
1289 | + - New plugin packages created for the above |
1290 | + - Split fips-prf into its own package. |
1291 | + - Added build-dependency on libsoup2.4-dev. |
1292 | + |
1293 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 |
1294 | + |
1295 | strongswan (5.1.1-3) unstable; urgency=low |
1296 | |
1297 | * Upload to unstable. |
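Review bot: the four SECURITY UPDATE entries (CVE-2015-8023, CVE-2015-4171, CVE-2014-9221, CVE-2014-2338) refer to debian/patches/CVE-*.patch files that belonged to the 5.1.2 packaging, and the 5.3.5-1ubuntu1 entry above records that the Debian merge already contains fixes for all previous CVEs, so those patch files are expected to be gone from the series. Please confirm no stale CVE-*.patch survives in debian/patches of this merge: a leftover would either fail to apply against 5.7.2 or, worse, reapply an old hunk on top of code that has since moved.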
1298 | @@ -691,6 +1917,192 @@ strongswan (5.1.1-1) unstable; urgency=low |
1299 | |
1300 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1301 | |
1302 | +strongswan (5.1.1-0ubuntu17) trusty; urgency=low |
1303 | + |
1304 | + * debian/control: |
1305 | + - Make strongswan-ike depend on iproute2. |
1306 | + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. |
1307 | + - Created strongswan-libfast package. |
1308 | + |
1309 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 |
1310 | + |
1311 | +strongswan (5.1.1-0ubuntu16) trusty; urgency=low |
1312 | + |
1313 | + * debian/control: |
1314 | + - Further splitting of plugins into subpackages (such as all EAP plugins |
1315 | + to their own packages). |
1316 | + - Added libpcsclite-dev to build-dependencies. |
1317 | + * debian/rules: |
1318 | + - Sort configure options in alphabetical order. |
1319 | + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, |
1320 | + --enable-eap-sim-file, --enable-eap-sim-pcsc, |
1321 | + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and |
1322 | + --enable-eap-simaka-sql. |
1323 | + - Don't exclude medsrv from install. |
1324 | + * Moved eap-identity.so to libstrongswan package as it's used by all the |
1325 | + other EAP plugins. |
1326 | + |
1327 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 |
1328 | + |
1329 | +strongswan (5.1.1-0ubuntu15) trusty; urgency=low |
1330 | + |
1331 | + * debian/control: |
1332 | + - Split plugins from libstrongswan package into modular subpackages. |
1333 | + - Added libmysqlclient-dev to build-dependencies. |
1334 | + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or |
1335 | + strongswan-plugins-gcrypt. |
1336 | + - strongswan-ike: All other plugins added to Suggests. |
1337 | + - Created two new TNC packages: strongswan-tnc-ifmap and |
1338 | + strongswan-tnc-pdp and added to tnc-imcvs Suggests. |
1339 | + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, |
1340 | + --enable-error-notify, --enable-mysql, --enable-load-tester, |
1341 | + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. |
1342 | + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. |
1343 | + |
1344 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 |
1345 | + |
1346 | +strongswan (5.1.1-0ubuntu14) trusty; urgency=low |
1347 | + |
1348 | + * debian/rules: |
1349 | + - CK_TIMEOUT_MULTIPLIER back down to 6. |
1350 | + - Disable unit tests on powerpc. |
1351 | + |
1352 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 |
1353 | + |
1354 | +strongswan (5.1.1-0ubuntu13) trusty; urgency=low |
1355 | + |
1356 | + * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. |
1357 | + |
1358 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 |
1359 | + |
1360 | +strongswan (5.1.1-0ubuntu12) trusty; urgency=low |
1361 | + |
1362 | + * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and |
1363 | + armhf. |
1364 | + |
1365 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 |
1366 | + |
1367 | +strongswan (5.1.1-0ubuntu11) trusty; urgency=low |
1368 | + |
1369 | + * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on |
1370 | + one extra arch. |
1371 | + * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. |
1372 | + |
1373 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 |
1374 | + |
1375 | +strongswan (5.1.1-0ubuntu10) trusty; urgency=low |
1376 | + |
1377 | + * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - |
1378 | + - Increases RSA key generate test timeout to 30 seconds so that it doesn't |
1379 | + fail on armhf, arm64, and powerppc. |
1380 | + * Contrary to what the last changelog entry says, we are still running |
1381 | + strongswan as root (with AppArmor protection). |
1382 | + |
1383 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 |
1384 | + |
1385 | +strongswan (5.1.1-0ubuntu9) trusty; urgency=low |
1386 | + |
1387 | + * debian/rules: Added to configure options: |
1388 | + - --enable-tnc-ifmap: enable TNC IF-MAP module. |
1389 | + - --enable-duplicheck: enable duplicheck plugin. |
1390 | + - --enable-imv-swid, --enable-imc-swid: Added. |
1391 | + - Run strongswan as it's own user. |
1392 | + * debian/strongswan-starter.install: Install duplicheck. |
1393 | + * debian/strongswan-tnc-imcvs.install: Install swidtags. |
1394 | + |
1395 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 |
1396 | + |
1397 | +strongswan (5.1.1-0ubuntu8) trusty; urgency=low |
1398 | + |
1399 | + * debian/rules: Added to configure options: |
1400 | + - --enable-unit-tests: check unit testing on build. |
1401 | + - --enable-unbound: for validating DNS lookups. |
1402 | + - --enable-dnscert: for DNSCERT peer authentication. |
1403 | + - --enable-ipseckey: for IPSEC key authentication. |
1404 | + - --enable-lookip: for LookIP functionality. |
1405 | + - --enable-coupling: certificate coupling functionality. |
1406 | + * debian/control: Added check, libldns-dev, libunbound-dev to |
1407 | + build-dependencies. |
1408 | + * debian/libstrongswan.install: Install new plugin .so's. |
1409 | + * debian/strongswan-starter.install: Added lookip. |
1410 | + |
1411 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 |
1412 | + |
1413 | +strongswan (5.1.1-0ubuntu7) trusty; urgency=low |
1414 | + |
1415 | + * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent |
1416 | + the former from depending on the latter). |
1417 | + |
1418 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 |
1419 | + |
1420 | +strongswan (5.1.1-0ubuntu6) trusty; urgency=low |
1421 | + |
1422 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1423 | + removal (as opposed to using the old init.d script). |
1424 | + |
1425 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 |
1426 | + |
1427 | +strongswan (5.1.1-0ubuntu5) trusty; urgency=low |
1428 | + |
1429 | + * debian/rules: |
1430 | + - CONFIGUREARGS: Merged Debian and RPM options. |
1431 | + - Brings in TNC functionality. |
1432 | + * debian/control: |
1433 | + - Added build-dependency on libtspi-dev. |
1434 | + - Created strongswan-tnc-imcvs binary package for TNC components. |
1435 | + - Added strongswan-tnc-imcvs to libstrongswan's Suggests. |
1436 | + * debian/libstrongswan.install: |
1437 | + - Included newly built MD4 and SQLite libraries. |
1438 | + - Removed 'tnc' references (moved to TNC package). |
1439 | + * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and |
1440 | + binaries. |
1441 | + * debian/usr.lib.ipsec.charon: Allow access to TNC modules. |
1442 | + |
1443 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 |
1444 | + |
1445 | +strongswan (5.1.1-0ubuntu4) trusty; urgency=low |
1446 | + |
1447 | + * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. |
1448 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1449 | + * debian/control: strongswan-ike - Stop depending on ipsec-tools. |
1450 | + |
1451 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 |
1452 | + |
1453 | +strongswan (5.1.1-0ubuntu3) trusty; urgency=low |
1454 | + |
1455 | + * strongswan-starter.strongswan.upstart - Only start strongSwan when a |
1456 | + network connection is available. |
1457 | + * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to |
1458 | + 1.16.1 - to make precise backporting easier. |
1459 | + |
1460 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 |
1461 | + |
1462 | +strongswan (5.1.1-0ubuntu2) trusty; urgency=low |
1463 | + |
1464 | + * strongswan-starter.strongswan.upstart - Created Upstart job for |
1465 | + strongSwan. |
1466 | + * debian/rules: Set dh_installinit to install above file. |
1467 | + * debian/strongswan-starter.postinit: |
1468 | + - Removed section about runlevel changes, it's almost 2014. |
1469 | + - Adapted service restart section for Upstart. |
1470 | + - Remove old symlinks to init.d files is necessary. |
1471 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1472 | + |
1473 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 |
1474 | + |
1475 | +strongswan (5.1.1-0ubuntu1) trusty; urgency=low |
1476 | + |
1477 | + * New upstream release. |
1478 | + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. |
1479 | + * debian/control: Updated Standards-Version to 3.9.5 and applied |
1480 | + XSBC-Original-Maintainer policy. |
1481 | + * strongswan-starter.install: |
1482 | + - pki tool is now in /usr/bin. |
1483 | + - Install pt-tls-client. |
1484 | + - Install manpages (LP: #1206263). |
1485 | + |
1486 | + -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 |
1487 | + |
1488 | strongswan (5.1.0-3) unstable; urgency=high |
1489 | |
1490 | * urgency=high for the security fixes. |
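Review bot: the 5.1.1-0ubuntu9 entry states "Run strongswan as it's own user" and the 5.1.1-0ubuntu10 entry immediately retracts it ("we are still running strongswan as root (with AppArmor protection)"); together with the later "allow priv dropping (LP: #1333655)" profile changes, these lines are the only record in the changelog of the daemon's privilege model on Ubuntu, so they should be re-imported verbatim and not collapsed. Likewise leave "upsteamed" in the 5.1.1-0ubuntu1 entry as published.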
1491 | diff --git a/debian/control b/debian/control |
1492 | index 44a2f85..2fdf03a 100644 |
1493 | --- a/debian/control |
1494 | +++ b/debian/control |
1495 | @@ -1,7 +1,8 @@ |
1496 | Source: strongswan |
1497 | Section: net |
1498 | Priority: optional |
1499 | -Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1500 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1501 | +XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1502 | Uploaders: Yves-Alexis Perez <corsac@debian.org> |
1503 | Standards-Version: 4.3.0 |
1504 | Vcs-Browser: https://salsa.debian.org/debian/strongswan |
1505 | @@ -18,14 +19,21 @@ Build-Depends: bison, |
1506 | libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, |
1507 | libgcrypt20-dev | libgcrypt11-dev, |
1508 | libgmp3-dev, |
1509 | + libjson-c-dev, |
1510 | libkrb5-dev, |
1511 | libldap2-dev, |
1512 | + libldns-dev, |
1513 | + libmysqlclient-dev, |
1514 | libnm-dev [linux-any], |
1515 | libpam0g-dev, |
1516 | + libpcsclite-dev, |
1517 | + libsoup2.4-dev, |
1518 | libsqlite3-dev, |
1519 | libssl-dev (>= 0.9.8), |
1520 | libsystemd-dev [linux-any], |
1521 | libtool, |
1522 | + libtspi-dev, |
1523 | + libunbound-dev, |
1524 | libxml2-dev, |
1525 | pkg-config, |
1526 | po-debconf, |
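Review bot: dh-apparmor is not among the additions in this hunk even though the 5.3.5-1ubuntu1 changelog entry lists it under "Add build-deps" and the AppArmor profiles are installed from debian/rules; since the hunk starts at libcurl4-openssl-dev and the list is alphabetical, dh-apparmor would sort earlier, so please confirm it is present in the part of Build-Depends not shown here rather than being satisfied indirectly. The seven libraries added in this hunk are placed in alphabetical position, which keeps future merges conflict-free.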
1527 | @@ -66,7 +74,9 @@ Description: strongSwan utility and crypto library |
1528 | - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) |
1529 | - gmp (RSA/DH crypto backend based on libgmp) |
1530 | - hmac (HMAC wrapper using various hashers) |
1531 | + - md4 (MD4 hasher software implementation) |
1532 | - md5 (MD5 hasher software implementation) |
1533 | + - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512) |
1534 | - nonce (Default nonce generation plugin) |
1535 | - pem (PEM encoding/decoding routines) |
1536 | - pgp (PGP encoding/decoding routines) |
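Review bot: the md4 line should say why a broken hash is shipped in the core library package; md4 is being added to libstrongswan (per the 5.5.1-1ubuntu1 entry) and MD4 is the hash used for the NT password hash in EAP-MSCHAPv2, so a parenthetical such as "(MD4 hasher software implementation, required for EAP-MSCHAPv2)" tells users it is there for protocol compatibility, not as a general-purpose hash. Minor: "based on the SHA-1, SHA-256 and SHA-512" reads better as "based on SHA-1, SHA-256 and SHA-512".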
1537 | @@ -90,9 +100,6 @@ Description: strongSwan utility and crypto library |
1538 | - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE) |
1539 | - resolve (Writes name servers received via IKE to a resolv.conf file or |
1540 | installs them via resolvconf(8)) |
1541 | - . |
1542 | - Also included is the libtpmtss library adding support for TPM plugin |
1543 | - (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin) |
1544 | |
1545 | Package: libstrongswan-standard-plugins |
1546 | Architecture: any |
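Review bot: dropping the libtpmtss paragraph from the libstrongswan description matches the 5.5.1-1ubuntu1 changelog entry that moves libtpmtss and nttfft into libstrongswan-extra-plugins, and the same paragraph is re-added under that package's description in the next hunk. Check that libstrongswan.install no longer lists the libtpmtss shared object; otherwise the description and the file list disagree, and the TPM plugin ends up in a different package from the library it loads.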
1547 | @@ -129,30 +136,110 @@ Description: strongSwan utility and crypto library (extra plugins) |
1548 | cryptographic library. |
1549 | . |
1550 | Included plugins are: |
1551 | + - acert (Support of X.509 attribute certificates (since 5.1.3)) |
1552 | - af-alg [linux] (AF_ALG Linux crypto API interface, provides |
1553 | ciphers/hashers/hmac/xcbc) |
1554 | + - attr-sql (provide IKE attributes read from a database to peers) |
1555 | + - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer |
1556 | + signature scheme) |
1557 | - ccm (CCM cipher mode wrapper) |
1558 | + - chapoly (ChaCha20/Poly1305 AEAD implementation) |
1559 | - cmac (CMAC cipher mode wrapper) |
1560 | - ctr (CTR cipher mode wrapper) |
1561 | + - coupling (Permanent peer certificate coupling) |
1562 | - curl (libcurl based HTTP/FTP fetcher) |
1563 | - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and |
1564 | support for the Ed25519 digital signature algorithm for IKEv2) |
1565 | + - dnscert (authentication via CERT RRs protected by DNSSEC) |
1566 | - gcrypt (Crypto backend based on libgcrypt, provides |
1567 | RSA/DH/ciphers/hashers/rng) |
1568 | + - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC) |
1569 | - ldap (LDAP fetching plugin based on libldap) |
1570 | + - load-tester (perform IKE load tests against self or gateway) |
1571 | + - mysql (database backend) |
1572 | + - ntru (key exchanged based on post-quantum computer NTRU) |
1573 | + - nttfft (Number Theoretic Transform via the FFT algorithm) |
1574 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1575 | - pkcs11 (PKCS#11 smartcard backend) |
1576 | + - radattr (inject and process custom RADIUS attributes as IKEv2 client) |
1577 | + - sql (SQL configuration and creds engine) |
1578 | + - sqlite (SQLite database backend) |
1579 | + - soup (libsoup based HTTP fetcher) |
1580 | - rdrand (High quality / high performance random source using the Intel |
1581 | rdrand instruction found on Ivy Bridge processors) |
1582 | - test-vectors (Set of test vectors for various algorithms) |
1583 | + - unbound (DNSSEC enabled resolver using libunbound) |
1584 | + - whitelist (peer verification against a whitelist) |
1585 | + . |
1586 | + Also included is the libtpmtss library adding support for TPM plugin |
1587 | + (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin) |
1588 | + |
1589 | +Package: libcharon-standard-plugins |
1590 | +Architecture: any |
1591 | +Depends: libstrongswan (= ${binary:Version}), |
1592 | + ${misc:Depends}, |
1593 | + ${shlibs:Depends} |
1594 | +Breaks: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) |
1595 | +Replaces: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) |
1596 | +Description: strongSwan charon library (standard plugins) |
1597 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1598 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1599 | + . |
1600 | + This package provides standard plugins for the charon library: |
1601 | + - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) |
1602 | + - xauth-generic (Generic XAuth backend that provides passwords from |
1603 | + ipsec.secrets and other credential sets) |
1604 | + |
1605 | +# Transition back from strongswan-tnc-* being in extra packages |
1606 | +# Can be dropped after 20.04 |
1607 | +Package: strongswan-tnc-ifmap |
1608 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1609 | +Architecture: all |
1610 | +Priority: optional |
1611 | +Section: oldlibs |
1612 | +Description: transitional package |
1613 | + This is a transitional package. It can safely be removed. |
1614 | + |
1615 | +Package: strongswan-tnc-base |
1616 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1617 | +Architecture: all |
1618 | +Priority: optional |
1619 | +Section: oldlibs |
1620 | +Description: transitional package |
1621 | + This is a transitional package. It can safely be removed. |
1622 | + |
1623 | +Package: strongswan-tnc-client |
1624 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1625 | +Architecture: all |
1626 | +Priority: optional |
1627 | +Section: oldlibs |
1628 | +Description: transitional package |
1629 | + This is a transitional package. It can safely be removed. |
1630 | + |
1631 | +Package: strongswan-tnc-server |
1632 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1633 | +Architecture: all |
1634 | +Priority: optional |
1635 | +Section: oldlibs |
1636 | +Description: transitional package |
1637 | + This is a transitional package. It can safely be removed. |
1638 | + |
1639 | +Package: strongswan-tnc-pdp |
1640 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1641 | +Architecture: all |
1642 | +Priority: optional |
1643 | +Section: oldlibs |
1644 | +Description: transitional package |
1645 | + This is a transitional package. It can safely be removed. |
1646 | |
1647 | Package: libcharon-extra-plugins |
1648 | Architecture: any |
1649 | Depends: libstrongswan (= ${binary:Version}), |
1650 | ${misc:Depends}, |
1651 | ${shlibs:Depends} |
1652 | -Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1) |
1653 | -Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1) |
1654 | +Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1) |
1655 | +Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1) |
1656 | +Provides: strongswan-tnc-base |
1657 | Description: strongSwan charon library (extra plugins) |
1658 | The strongSwan VPN suite uses the native IPsec stack in the standard |
1659 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
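Review bot: "Provides: strongswan-tnc-base" on libcharon-extra-plugins is redundant and inconsistent, because this same control file now builds a real transitional strongswan-tnc-base package, and none of the other four transitional names (tnc-ifmap, tnc-client, tnc-server, tnc-pdp) get a Provides; drop it or treat all five the same. Two style points: the new Breaks/Replaces lines should be wrapped one relationship per line like the Depends fields, and the plugin list has a typo ("ntru (key exchanged based on ..." should read "key exchange") plus out-of-order entries (soup is listed after sqlite and before rdrand).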
1660 | @@ -160,13 +247,13 @@ Description: strongSwan charon library (extra plugins) |
1661 | This package provides extra plugins for the charon library: |
1662 | - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509 |
1663 | certificates) |
1664 | + - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server) |
1665 | - certexpire (Export expiration dates of used certificates) |
1666 | - eap-aka (Generic EAP-AKA protocol handler using different backends) |
1667 | - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends) |
1668 | - eap-identity (EAP-Identity identity exchange algorithm, to use with other |
1669 | EAP protocols) |
1670 | - eap-md5 (EAP-MD5 protocol handler using passwords) |
1671 | - - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) |
1672 | - eap-radius (EAP server proxy plugin forwarding EAP conversations to a |
1673 | RADIUS server) |
1674 | - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in |
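Review bot: "dhcp" is added to the extra-plugins description, but this diff shows neither --enable-dhcp in debian/rules nor a libstrongswan-dhcp.so entry in libcharon-extra-plugins.install; confirm the plugin is actually built and installed into this package, otherwise the description advertises something the package does not ship. It is also inserted between addrblock and certexpire, breaking the alphabetical order of the list.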
1675 | @@ -174,17 +261,25 @@ Description: strongSwan charon library (extra plugins) |
1676 | - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel) |
1677 | - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely) |
1678 | - error-notify (Notification about errors via UNIX socket) |
1679 | + - farp (fake ARP responses for requests to virtual IP address) |
1680 | - ha (High-Availability clustering) |
1681 | + - kernel-libipsec (Userspace IPsec Backend with TUN devices) |
1682 | - led (Let Linux LED subsystem LEDs blink on IKE activity) |
1683 | - lookip (Virtual IP lookup facility using a UNIX socket) |
1684 | - - medcli (Web interface based mediation client interface) |
1685 | - - medsrv (Web interface based mediation server interface) |
1686 | - tnc (Trusted Network Connect) |
1687 | - unity (Cisco Unity extensions for IKEv1) |
1688 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) |
1689 | - - xauth-generic (Generic XAuth backend that provides passwords from |
1690 | - ipsec.secrets and other credential sets) |
1691 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) |
1692 | + - eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software) |
1693 | + - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1)) |
1694 | + - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) |
1695 | + - eap-sim (Generic EAP-SIM protocol handler using different backends) |
1696 | + - eap-sim-file (EAP-SIM backend reading triplets from a file) |
1697 | + - eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader) |
1698 | + - eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database) |
1699 | + - eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database) |
1700 | + - eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database) |
1701 | + - xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3)) |
1702 | |
1703 | Package: strongswan-starter |
1704 | Architecture: any |
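Review bot: same check as for dhcp: "farp" is listed here but no libstrongswan-farp.so appears in the libcharon-extra-plugins.install hunks of this diff. The eap-* and xauth-noauth entries appended after xauth-pam should be merged into the alphabetical list (eap-aka-3gpp2 next to eap-aka, eap-sim* next to eap-radius) so the list stays greppable. Since xauth-noauth is described as a backend that "does not do any authentication", a changelog sentence stating under which connection configuration it becomes active would pre-empt questions about whether shipping it weakens the default setup.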
1705 | @@ -210,6 +305,7 @@ Depends: libstrongswan (= ${binary:Version}), |
1706 | ${shlibs:Depends} |
1707 | Breaks: strongswan-starter (<= 5.6.1-2) |
1708 | Replaces: strongswan-starter (<= 5.6.1-2) |
1709 | +Recommends: libcharon-standard-plugins |
1710 | Suggests: libcharon-extra-plugins |
1711 | Description: strongSwan charon library |
1712 | The strongSwan VPN suite uses the native IPsec stack in the standard |
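Review bot: a Recommends is a weaker relationship than the previous state, where eap-mschapv2 and xauth-generic were part of libcharon-extra-plugins; installs done with --no-install-recommends, or upgrades on which apt does not pull in the new package, silently lose EAP-MSCHAPv2/XAuth client support that used to be present. Either document this in NEWS/changelog or make it a Depends if the "standard" set is meant to always be installed with the daemon.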
1713 | diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto |
1714 | index dfa6dde..309e3fc 100644 |
1715 | --- a/debian/ipsec.secrets.proto |
1716 | +++ b/debian/ipsec.secrets.proto |
1717 | @@ -3,6 +3,3 @@ |
1718 | # RSA private key for this host, authenticating it to any other host |
1719 | # which knows the public part. |
1720 | |
1721 | -# this file is managed with debconf and will contain the automatically created private key |
1722 | -include /var/lib/strongswan/ipsec.secrets.inc |
1723 | - |
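Review bot: removing the include from the template only affects fresh installs; /etc/ipsec.secrets is a conffile, so existing systems keep "include /var/lib/strongswan/ipsec.secrets.inc" and go on using the debconf-generated key. Check how the secrets parser behaves when that included file is absent (it is no longer managed once the postinst debconf code is dropped) and state in the changelog whether admins are expected to remove the line themselves.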
1724 | diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install |
1725 | index 1b0cbca..c7b0a66 100644 |
1726 | --- a/debian/libcharon-extra-plugins.install |
1727 | +++ b/debian/libcharon-extra-plugins.install |
1728 | @@ -1,46 +1,104 @@ |
1729 | # libcharon plugins |
1730 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so |
1731 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so |
1732 | -usr/lib/ipsec/plugins/libstrongswan-eap*.so |
1733 | +usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so |
1734 | +usr/lib/ipsec/plugins/libstrongswan-eap-aka.so |
1735 | +usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so |
1736 | +usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so |
1737 | +usr/lib/ipsec/plugins/libstrongswan-eap-identity.so |
1738 | +usr/lib/ipsec/plugins/libstrongswan-eap-md5.so |
1739 | +usr/lib/ipsec/plugins/libstrongswan-eap-peap.so |
1740 | +usr/lib/ipsec/plugins/libstrongswan-eap-radius.so |
1741 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so |
1742 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so |
1743 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim.so |
1744 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so |
1745 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so |
1746 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so |
1747 | +usr/lib/ipsec/plugins/libstrongswan-eap-tls.so |
1748 | +usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so |
1749 | +usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so |
1750 | usr/lib/ipsec/plugins/libstrongswan-error-notify.so |
1751 | usr/lib/ipsec/plugins/libstrongswan-ha.so |
1752 | +usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so |
1753 | usr/lib/ipsec/plugins/libstrongswan-led.so |
1754 | usr/lib/ipsec/plugins/libstrongswan-lookip.so |
1755 | #usr/lib/ipsec/plugins/libstrongswan-medsrv.so |
1756 | #usr/lib/ipsec/plugins/libstrongswan-medcli.so |
1757 | usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so |
1758 | usr/lib/ipsec/plugins/libstrongswan-unity.so |
1759 | -usr/lib/ipsec/plugins/libstrongswan-xauth-*.so |
1760 | +usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so |
1761 | +usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so |
1762 | +usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so |
1763 | # standard configuration files |
1764 | usr/share/strongswan/templates/config/plugins/addrblock.conf |
1765 | usr/share/strongswan/templates/config/plugins/certexpire.conf |
1766 | -usr/share/strongswan/templates/config/plugins/eap-*.conf |
1767 | +usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf |
1768 | +usr/share/strongswan/templates/config/plugins/eap-aka.conf |
1769 | +usr/share/strongswan/templates/config/plugins/eap-dynamic.conf |
1770 | +usr/share/strongswan/templates/config/plugins/eap-gtc.conf |
1771 | +usr/share/strongswan/templates/config/plugins/eap-identity.conf |
1772 | +usr/share/strongswan/templates/config/plugins/eap-md5.conf |
1773 | +usr/share/strongswan/templates/config/plugins/eap-peap.conf |
1774 | +usr/share/strongswan/templates/config/plugins/eap-radius.conf |
1775 | +usr/share/strongswan/templates/config/plugins/eap-sim-file.conf |
1776 | +usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf |
1777 | +usr/share/strongswan/templates/config/plugins/eap-sim.conf |
1778 | +usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf |
1779 | +usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf |
1780 | +usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf |
1781 | +usr/share/strongswan/templates/config/plugins/eap-tls.conf |
1782 | +usr/share/strongswan/templates/config/plugins/eap-tnc.conf |
1783 | +usr/share/strongswan/templates/config/plugins/eap-ttls.conf |
1784 | usr/share/strongswan/templates/config/plugins/error-notify.conf |
1785 | usr/share/strongswan/templates/config/plugins/ha.conf |
1786 | +usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf |
1787 | usr/share/strongswan/templates/config/plugins/led.conf |
1788 | usr/share/strongswan/templates/config/plugins/lookip.conf |
1789 | #usr/share/strongswan/templates/config/plugins/medsrv.conf |
1790 | #usr/share/strongswan/templates/config/plugins/medcli.conf |
1791 | usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf |
1792 | usr/share/strongswan/templates/config/plugins/unity.conf |
1793 | -usr/share/strongswan/templates/config/plugins/xauth-*.conf |
1794 | +usr/share/strongswan/templates/config/plugins/xauth-eap.conf |
1795 | +usr/share/strongswan/templates/config/plugins/xauth-noauth.conf |
1796 | +usr/share/strongswan/templates/config/plugins/xauth-pam.conf |
1797 | usr/share/strongswan/templates/config/strongswan.d/tnc.conf |
1798 | etc/strongswan.d/tnc.conf |
1799 | etc/strongswan.d/charon/addrblock.conf |
1800 | etc/strongswan.d/charon/certexpire.conf |
1801 | -etc/strongswan.d/charon/eap-*.conf |
1802 | +etc/strongswan.d/charon/eap-aka-3gpp2.conf |
1803 | +etc/strongswan.d/charon/eap-aka.conf |
1804 | +etc/strongswan.d/charon/eap-dynamic.conf |
1805 | +etc/strongswan.d/charon/eap-gtc.conf |
1806 | +etc/strongswan.d/charon/eap-identity.conf |
1807 | +etc/strongswan.d/charon/eap-md5.conf |
1808 | +etc/strongswan.d/charon/eap-peap.conf |
1809 | +etc/strongswan.d/charon/eap-radius.conf |
1810 | +etc/strongswan.d/charon/eap-sim-file.conf |
1811 | +etc/strongswan.d/charon/eap-sim-pcsc.conf |
1812 | +etc/strongswan.d/charon/eap-sim.conf |
1813 | +etc/strongswan.d/charon/eap-simaka-pseudonym.conf |
1814 | +etc/strongswan.d/charon/eap-simaka-reauth.conf |
1815 | +etc/strongswan.d/charon/eap-simaka-sql.conf |
1816 | +etc/strongswan.d/charon/eap-tls.conf |
1817 | +etc/strongswan.d/charon/eap-tnc.conf |
1818 | +etc/strongswan.d/charon/eap-ttls.conf |
1819 | etc/strongswan.d/charon/error-notify.conf |
1820 | etc/strongswan.d/charon/ha.conf |
1821 | +etc/strongswan.d/charon/kernel-libipsec.conf |
1822 | etc/strongswan.d/charon/led.conf |
1823 | etc/strongswan.d/charon/lookip.conf |
1824 | #etc/strongswan.d/charon/medsrv.conf |
1825 | #etc/strongswan.d/charon/medcli.conf |
1826 | etc/strongswan.d/charon/tnc-tnccs.conf |
1827 | etc/strongswan.d/charon/unity.conf |
1828 | -etc/strongswan.d/charon/xauth-*.conf |
1829 | +etc/strongswan.d/charon/xauth-eap.conf |
1830 | +etc/strongswan.d/charon/xauth-noauth.conf |
1831 | +etc/strongswan.d/charon/xauth-pam.conf |
1832 | debian/usr.lib.ipsec.lookip /etc/apparmor.d/ |
1833 | # support libs |
1834 | #usr/lib/ipsec/libfast.so* |
1835 | +usr/lib/ipsec/libipsec.so* |
1836 | usr/lib/ipsec/libpttls.so* |
1837 | usr/lib/ipsec/libradius.so* |
1838 | usr/lib/ipsec/libsimaka.so* |
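Review bot: replacing the eap-*.so and xauth-*.so globs with explicit entries is necessary here, not cosmetic: with the globs in place libstrongswan-eap-mschapv2.so and libstrongswan-xauth-generic.so would be claimed by both this package and the new libcharon-standard-plugins. The flip side is that every eap-*/xauth-* plugin enabled later in debian/rules now has to be added to this file by hand (plugin, template and etc conf); a comment at the top of the file saying so would help the next merge.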
1839 | @@ -52,3 +110,48 @@ usr/lib/ipsec/error-notify |
1840 | usr/lib/ipsec/lookip |
1841 | # manpages |
1842 | usr/share/man/man1/pt-tls-client.1 |
1843 | +# Further TNC plugin files |
1844 | +etc/strongswan.d/attest.conf |
1845 | +etc/strongswan.d/charon/tnc-ifmap.conf |
1846 | +etc/strongswan.d/charon/tnc-imc.conf |
1847 | +etc/strongswan.d/charon/tnc-imv.conf |
1848 | +etc/strongswan.d/charon/tnc-pdp.conf |
1849 | +etc/strongswan.d/charon/tnc-tnccs.conf |
1850 | +etc/strongswan.d/charon/tnccs-11.conf |
1851 | +etc/strongswan.d/charon/tnccs-20.conf |
1852 | +etc/strongswan.d/charon/tnccs-dynamic.conf |
1853 | +etc/strongswan.d/imcv.conf |
1854 | +etc/strongswan.d/sec-updater.conf |
1855 | +etc/strongswan.d/tnc.conf |
1856 | +usr/lib/ipsec/_imv_policy |
1857 | +usr/lib/ipsec/attest |
1858 | +usr/lib/ipsec/imcvs/imc-*.so |
1859 | +usr/lib/ipsec/imcvs/imv-*.so |
1860 | +usr/lib/ipsec/imv_policy_manager |
1861 | +usr/lib/ipsec/libimcv.* |
1862 | +usr/lib/ipsec/libtnccs.so* |
1863 | +usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so |
1864 | +usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so |
1865 | +usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so |
1866 | +usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so |
1867 | +usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so |
1868 | +usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so |
1869 | +usr/sbin/sec-updater |
1870 | +usr/sbin/sw-collector |
1871 | +usr/share/man/man8/sec-updater.8 |
1872 | +usr/share/man/man8/sw-collector.8 |
1873 | +usr/share/strongswan/swidtag/strongswan.org__strongSwan-*.swidtag |
1874 | +usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf |
1875 | +usr/share/strongswan/templates/config/plugins/tnc-imc.conf |
1876 | +usr/share/strongswan/templates/config/plugins/tnc-imv.conf |
1877 | +usr/share/strongswan/templates/config/plugins/tnc-pdp.conf |
1878 | +usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf |
1879 | +usr/share/strongswan/templates/config/plugins/tnccs-11.conf |
1880 | +usr/share/strongswan/templates/config/plugins/tnccs-20.conf |
1881 | +usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf |
1882 | +usr/share/strongswan/templates/config/strongswan.d/attest.conf |
1883 | +usr/share/strongswan/templates/config/strongswan.d/imcv.conf |
1884 | +usr/share/strongswan/templates/config/strongswan.d/sec-updater.conf |
1885 | +usr/share/strongswan/templates/config/strongswan.d/tnc.conf |
1886 | +usr/share/strongswan/templates/database/imv/*.sql |
1887 | +usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql |
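Review bot: the "# Further TNC plugin files" block duplicates entries that already exist earlier in this file: etc/strongswan.d/charon/tnc-tnccs.conf, etc/strongswan.d/tnc.conf, usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so and the tnc-tnccs.conf/tnc.conf templates are each listed twice. Drop the repeats so dh_install does not process the same path twice and the file stays a reliable inventory of what the package ships.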
1888 | diff --git a/debian/libcharon-standard-plugins.install b/debian/libcharon-standard-plugins.install |
1889 | new file mode 100644 |
1890 | index 0000000..25e580c |
1891 | --- /dev/null |
1892 | +++ b/debian/libcharon-standard-plugins.install |
1893 | @@ -0,0 +1,19 @@ |
1894 | +# most commonly used libcharon plugins |
1895 | +# 1) eap-mschapv2 is required on the client side to connect to VPN |
1896 | +# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2. |
1897 | +# In such scenario, the VPN concentrator identifies itself with a public |
1898 | +# key and asks the client to authenticate with MSCHAPv2. |
1899 | +# 2) xauth-generic is required on the client side to connect to VPN |
1900 | +# concentrators configured for Android and older OSX/iOS using IKEv1 and |
1901 | +# XAUTH. In such scenario, the VPN concentrator identifies itself with a |
1902 | +# public key or a shared secret and asks the client to authenticate with a |
1903 | +# XAUTH password. |
1904 | +# plugins |
1905 | +usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so |
1906 | +usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so |
1907 | +# config templates |
1908 | +usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf |
1909 | +usr/share/strongswan/templates/config/plugins/xauth-generic.conf |
1910 | +# configuration files |
1911 | +etc/strongswan.d/charon/eap-mschapv2.conf |
1912 | +etc/strongswan.d/charon/xauth-generic.conf |
1913 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install |
1914 | index 2846e21..0f25a59 100644 |
1915 | --- a/debian/libstrongswan-extra-plugins.install |
1916 | +++ b/debian/libstrongswan-extra-plugins.install |
1917 | @@ -1,40 +1,94 @@ |
1918 | # Tool for TPM PCR extension |
1919 | usr/bin/tpm_extendpcr |
1920 | # libstrongswan plugins |
1921 | +usr/lib/ipsec/plugins/libstrongswan-acert.so |
1922 | +usr/lib/ipsec/plugins/libstrongswan-attr-sql.so |
1923 | +usr/lib/ipsec/plugins/libstrongswan-bliss.so |
1924 | usr/lib/ipsec/plugins/libstrongswan-ccm.so |
1925 | usr/lib/ipsec/plugins/libstrongswan-chapoly.so |
1926 | usr/lib/ipsec/plugins/libstrongswan-cmac.so |
1927 | +usr/lib/ipsec/plugins/libstrongswan-coupling.so |
1928 | usr/lib/ipsec/plugins/libstrongswan-ctr.so |
1929 | usr/lib/ipsec/plugins/libstrongswan-curl.so |
1930 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1931 | +usr/lib/ipsec/plugins/libstrongswan-dnscert.so |
1932 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1933 | +usr/lib/ipsec/plugins/libstrongswan-ipseckey.so |
1934 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1935 | +usr/lib/ipsec/plugins/libstrongswan-load-tester.so |
1936 | +usr/lib/ipsec/plugins/libstrongswan-mysql.so |
1937 | +usr/lib/ipsec/plugins/libstrongswan-ntru.so |
1938 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1939 | +usr/lib/ipsec/plugins/libstrongswan-radattr.so |
1940 | +usr/lib/ipsec/plugins/libstrongswan-soup.so |
1941 | +usr/lib/ipsec/plugins/libstrongswan-sqlite.so |
1942 | +usr/lib/ipsec/plugins/libstrongswan-sql.so |
1943 | +usr/lib/ipsec/plugins/libstrongswan-systime-fix.so |
1944 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
1945 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
1946 | +usr/lib/ipsec/plugins/libstrongswan-unbound.so |
1947 | +usr/lib/ipsec/plugins/libstrongswan-whitelist.so |
1948 | # default configuration files |
1949 | +usr/share/strongswan/templates/config/plugins/acert.conf |
1950 | +usr/share/strongswan/templates/config/plugins/attr-sql.conf |
1951 | +usr/share/strongswan/templates/config/plugins/bliss.conf |
1952 | usr/share/strongswan/templates/config/plugins/ccm.conf |
1953 | usr/share/strongswan/templates/config/plugins/cmac.conf |
1954 | usr/share/strongswan/templates/config/plugins/chapoly.conf |
1955 | +usr/share/strongswan/templates/config/plugins/coupling.conf |
1956 | usr/share/strongswan/templates/config/plugins/ctr.conf |
1957 | usr/share/strongswan/templates/config/plugins/curl.conf |
1958 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
1959 | +usr/share/strongswan/templates/config/plugins/dnscert.conf |
1960 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
1961 | +usr/share/strongswan/templates/config/plugins/ipseckey.conf |
1962 | usr/share/strongswan/templates/config/plugins/ldap.conf |
1963 | +usr/share/strongswan/templates/config/plugins/load-tester.conf |
1964 | +usr/share/strongswan/templates/config/plugins/mysql.conf |
1965 | +usr/share/strongswan/templates/config/plugins/ntru.conf |
1966 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
1967 | +usr/share/strongswan/templates/config/plugins/radattr.conf |
1968 | +usr/share/strongswan/templates/config/plugins/soup.conf |
1969 | +usr/share/strongswan/templates/config/plugins/sql.conf |
1970 | +usr/share/strongswan/templates/config/plugins/sqlite.conf |
1971 | +usr/share/strongswan/templates/config/plugins/systime-fix.conf |
1972 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
1973 | usr/share/strongswan/templates/config/plugins/tpm.conf |
1974 | +usr/share/strongswan/templates/config/plugins/unbound.conf |
1975 | +usr/share/strongswan/templates/config/plugins/whitelist.conf |
1976 | +usr/share/strongswan/templates/database/sql/mysql.sql |
1977 | +usr/share/strongswan/templates/database/sql/sqlite.sql |
1978 | +etc/strongswan.d/charon/acert.conf |
1979 | +etc/strongswan.d/charon/attr-sql.conf |
1980 | +etc/strongswan.d/charon/bliss.conf |
1981 | etc/strongswan.d/charon/ccm.conf |
1982 | etc/strongswan.d/charon/chapoly.conf |
1983 | etc/strongswan.d/charon/cmac.conf |
1984 | +etc/strongswan.d/charon/coupling.conf |
1985 | etc/strongswan.d/charon/ctr.conf |
1986 | etc/strongswan.d/charon/curl.conf |
1987 | etc/strongswan.d/charon/curve25519.conf |
1988 | +etc/strongswan.d/charon/dnscert.conf |
1989 | etc/strongswan.d/charon/gcrypt.conf |
1990 | +etc/strongswan.d/charon/ipseckey.conf |
1991 | etc/strongswan.d/charon/ldap.conf |
1992 | +etc/strongswan.d/charon/load-tester.conf |
1993 | +etc/strongswan.d/charon/mysql.conf |
1994 | +etc/strongswan.d/charon/ntru.conf |
1995 | etc/strongswan.d/charon/pkcs11.conf |
1996 | +etc/strongswan.d/charon/radattr.conf |
1997 | +etc/strongswan.d/charon/soup.conf |
1998 | +etc/strongswan.d/charon/sql.conf |
1999 | +etc/strongswan.d/charon/sqlite.conf |
2000 | +etc/strongswan.d/charon/systime-fix.conf |
2001 | etc/strongswan.d/charon/test-vectors.conf |
2002 | etc/strongswan.d/charon/tpm.conf |
2003 | # TPM libs |
2004 | usr/lib/ipsec/libtpmtss.so.* |
2005 | usr/lib/ipsec/libtpmtss.so |
2006 | +etc/strongswan.d/charon/unbound.conf |
2007 | +etc/strongswan.d/charon/whitelist.conf |
2008 | +usr/lib/ipsec/load-tester |
2009 | +usr/lib/ipsec/whitelist |
2010 | +# Number Theoretic Transform via FFT libs |
2011 | +usr/lib/ipsec/libnttfft.so* |
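Review bot: libstrongswan-systime-fix.so (with its template and etc conf) is installed here and enabled via --enable-systime-fix in debian/rules, but it is missing from the plugin list in the libstrongswan-extra-plugins description in debian/control; add it there. Also, the unbound.conf, whitelist.conf, load-tester and whitelist entries are appended after the "# TPM libs" section instead of in the plugin and config sections they belong to, which makes the file harder to audit.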
2012 | diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install |
2013 | index 072ff7e..a86c3af 100644 |
2014 | --- a/debian/libstrongswan.install |
2015 | +++ b/debian/libstrongswan.install |
2016 | @@ -6,6 +6,7 @@ usr/lib/ipsec/plugins/libstrongswan-dnskey.so |
2017 | usr/lib/ipsec/plugins/libstrongswan-fips-prf.so |
2018 | usr/lib/ipsec/plugins/libstrongswan-gmp.so |
2019 | usr/lib/ipsec/plugins/libstrongswan-hmac.so |
2020 | +usr/lib/ipsec/plugins/libstrongswan-md4.so |
2021 | usr/lib/ipsec/plugins/libstrongswan-md5.so |
2022 | usr/lib/ipsec/plugins/libstrongswan-mgf1.so |
2023 | usr/lib/ipsec/plugins/libstrongswan-nonce.so |
2024 | @@ -31,6 +32,8 @@ usr/share/strongswan/templates/config/plugins/dnskey.conf |
2025 | usr/share/strongswan/templates/config/plugins/fips-prf.conf |
2026 | usr/share/strongswan/templates/config/plugins/gmp.conf |
2027 | usr/share/strongswan/templates/config/plugins/hmac.conf |
2028 | +usr/share/strongswan/templates/config/plugins/kernel-netlink.conf |
2029 | +usr/share/strongswan/templates/config/plugins/md4.conf |
2030 | usr/share/strongswan/templates/config/plugins/md5.conf |
2031 | usr/share/strongswan/templates/config/plugins/mgf1.conf |
2032 | usr/share/strongswan/templates/config/plugins/nonce.conf |
2033 | @@ -55,6 +58,8 @@ etc/strongswan.d/charon/dnskey.conf |
2034 | etc/strongswan.d/charon/fips-prf.conf |
2035 | etc/strongswan.d/charon/gmp.conf |
2036 | etc/strongswan.d/charon/hmac.conf |
2037 | +etc/strongswan.d/charon/kernel-netlink.conf |
2038 | +etc/strongswan.d/charon/md4.conf |
2039 | etc/strongswan.d/charon/md5.conf |
2040 | etc/strongswan.d/charon/mgf1.conf |
2041 | etc/strongswan.d/charon/nonce.conf |
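Review bot: kernel-netlink.conf is added under both the templates and etc/strongswan.d/charon paths in the last two hunks, but no matching libstrongswan-kernel-netlink.so is added in this file; confirm the plugin and its config files end up in the same binary package, otherwise the conf is orphaned here (or shipped twice if another .install already lists it).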
2042 | diff --git a/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
2043 | new file mode 100644 |
2044 | index 0000000..004b50b |
2045 | --- /dev/null |
2046 | +++ b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
2047 | @@ -0,0 +1,11 @@ |
2048 | +--- a/conf/plugins/kernel-libipsec.conf |
2049 | ++++ b/conf/plugins/kernel-libipsec.conf |
2050 | +@@ -5,7 +5,7 @@ |
2051 | + |
2052 | + # Whether to load the plugin. Can also be an integer to increase the |
2053 | + # priority of this plugin. |
2054 | +- load = yes |
2055 | ++ load = no |
2056 | + |
2057 | + } |
2058 | + |
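Review bot: the patch has no DEP-3 header (Description, Author, Origin/Forwarded); add one that records the reason, namely that kernel-libipsec replaces the kernel IPsec backend with userspace processing over TUN devices, so it must stay opt-in (load = no) even though the plugin is now built and shipped. The "kernel-libipsec (Userspace IPsec Backend with TUN devices)" entry in the libcharon-extra-plugins description could likewise say that it is disabled by default.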
2059 | diff --git a/debian/patches/series b/debian/patches/series |
2060 | index fde45f5..c72895f 100644 |
2061 | --- a/debian/patches/series |
2062 | +++ b/debian/patches/series |
2063 | @@ -2,3 +2,4 @@ |
2064 | 02_disable-bypass-lan.patch |
2065 | 03_systemd-service.patch |
2066 | 04_disable-libtls-tests.patch |
2067 | +dont-load-kernel-libipsec-plugin-by-default.patch |
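Review bot: the existing patches use a numbered prefix (02_, 03_, 04_); name the new one 05_dont-load-kernel-libipsec-plugin-by-default.patch to keep the ordering convention.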
2068 | diff --git a/debian/rules b/debian/rules |
2069 | index ca02a06..5faee99 100755 |
2070 | --- a/debian/rules |
2071 | +++ b/debian/rules |
2072 | @@ -4,21 +4,36 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 |
2073 | export DEB_BUILD_MAINT_OPTIONS=hardening=+all |
2074 | |
2075 | CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
2076 | + --enable-tss-trousers \ |
2077 | + --enable-acert \ |
2078 | --enable-addrblock \ |
2079 | --enable-agent \ |
2080 | --enable-bypass-lan \ |
2081 | + --enable-attr-sql \ |
2082 | + --enable-bliss \ |
2083 | --enable-ccm \ |
2084 | --enable-certexpire \ |
2085 | --enable-chapoly \ |
2086 | --enable-cmd \ |
2087 | + --enable-coupling \ |
2088 | --enable-ctr \ |
2089 | --enable-curl \ |
2090 | + --enable-dnscert \ |
2091 | --enable-eap-aka \ |
2092 | + --enable-eap-aka-3gpp2 \ |
2093 | + --enable-eap-dynamic \ |
2094 | --enable-eap-gtc \ |
2095 | --enable-eap-identity \ |
2096 | --enable-eap-md5 \ |
2097 | --enable-eap-mschapv2 \ |
2098 | + --enable-eap-peap \ |
2099 | --enable-eap-radius \ |
2100 | + --enable-eap-sim \ |
2101 | + --enable-eap-simaka-pseudonym \ |
2102 | + --enable-eap-simaka-reauth \ |
2103 | + --enable-eap-simaka-sql \ |
2104 | + --enable-eap-sim-file \ |
2105 | + --enable-eap-sim-pcsc \ |
2106 | --enable-eap-tls \ |
2107 | --enable-eap-tnc \ |
2108 | --enable-eap-ttls \ |
2109 | @@ -26,18 +41,51 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
2110 | --enable-gcm \ |
2111 | --enable-gcrypt \ |
2112 | --enable-ha \ |
2113 | + --enable-imc-attestation \ |
2114 | + --enable-imc-os \ |
2115 | + --enable-imc-scanner \ |
2116 | + --enable-imc-swima \ |
2117 | + --enable-imc-test \ |
2118 | + --enable-imv-attestation \ |
2119 | + --enable-imv-os \ |
2120 | + --enable-imv-scanner \ |
2121 | + --enable-imv-swima \ |
2122 | + --enable-imv-test \ |
2123 | + --enable-ipseckey \ |
2124 | + --enable-kernel-libipsec \ |
2125 | --enable-ldap \ |
2126 | --enable-led \ |
2127 | + --enable-load-tester \ |
2128 | --enable-lookip \ |
2129 | --enable-mediation \ |
2130 | + --enable-md4 \ |
2131 | + --enable-mysql \ |
2132 | + --enable-ntru \ |
2133 | --enable-openssl \ |
2134 | --enable-pkcs11 \ |
2135 | + --enable-radattr \ |
2136 | + --enable-soup \ |
2137 | + --enable-sql \ |
2138 | + --enable-sqlite \ |
2139 | + --enable-systime-fix \ |
2140 | --enable-test-vectors \ |
2141 | --enable-tpm \ |
2142 | + --enable-tnccs-11 \ |
2143 | + --enable-tnccs-20 \ |
2144 | + --enable-tnccs-dynamic \ |
2145 | + --enable-tnc-ifmap \ |
2146 | + --enable-tnc-imc \ |
2147 | + --enable-tnc-imv \ |
2148 | + --enable-tnc-pdp \ |
2149 | + --enable-unbound \ |
2150 | --enable-unity \ |
2151 | + --enable-whitelist \ |
2152 | --enable-xauth-eap \ |
2153 | + --enable-xauth-generic \ |
2154 | + --enable-xauth-noauth \ |
2155 | --enable-xauth-pam \ |
2156 | --disable-blowfish \ |
2157 | + --disable-fast \ |
2158 | --disable-des # BSD-Young license |
2159 | #--with-user=strongswan --with-group=nogroup |
2160 | # --enable-kernel-pfkey --enable-kernel-klips \ |
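Review bot: --enable-imc-test and --enable-imv-test build the test IMC/IMV pair, and libcharon-extra-plugins.install picks them up through the imcvs/imc-*.so and imcvs/imv-*.so globs, so test-only attestation modules end up in a production package; either drop these two options or exclude imc-test/imv-test from the globs. A changelog line explaining --disable-fast (the reason medcli/medsrv disappear from the description) would also help.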
2161 | @@ -191,12 +239,6 @@ endif |
2162 | |
2163 | # add additional files not covered by upstream makefile... |
2164 | install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
2165 | - # also "patch" ipsec.conf to include the debconf-managed file |
2166 | - echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
2167 | - echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
2168 | - # and to enable both IKEv1 and IKEv2 by default |
2169 | - sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp |
2170 | - mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
2171 | |
2172 | # set permissions on ipsec.secrets and private key directories |
2173 | chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
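Review bot: removing the `echo "include /var/lib/strongswan/ipsec.conf.inc"` step means the shipped ipsec.conf no longer pulls in the debconf-managed file, but nothing in this hunk removes whatever still generates /var/lib/strongswan/ipsec.conf.inc; if that file is kept, it becomes dead configuration, and if it is dropped, systems upgraded from older packages may still carry the include line in their (conffile) ipsec.conf. Either way the behaviour change should be stated in the changelog, and the now-obsolete `charonstart=yes` rewrite deserves a one-line note explaining that the option is no longer consulted.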
2174 | diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install |
2175 | index 9a4c0d1..b5250dc 100644 |
2176 | --- a/debian/strongswan-starter.install |
2177 | +++ b/debian/strongswan-starter.install |
2178 | @@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so |
2179 | usr/share/strongswan/templates/config/plugins/stroke.conf |
2180 | etc/strongswan.d/charon/stroke.conf |
2181 | debian/usr.lib.ipsec.stroke /etc/apparmor.d/ |
2182 | +#pool |
2183 | +usr/lib/ipsec/pool |
2184 | +usr/share/strongswan/templates/config/strongswan.d/pool.conf |
2185 | +etc/strongswan.d/pool.conf |
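Review bot: `usr/lib/ipsec/pool` is installed without an AppArmor profile, while the other tools in this package are confined (`debian/usr.lib.ipsec.stroke /etc/apparmor.d/` just above, and usr.lib.ipsec.lookip elsewhere in this diff); since pool talks to the SQL backend with database credentials from strongswan.conf, a profile along the same lines as the stroke one would keep the package consistent.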
2186 | diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst |
2187 | index 9e4d7b1..9b7c734 100644 |
2188 | --- a/debian/strongswan-starter.postinst |
2189 | +++ b/debian/strongswan-starter.postinst |
2190 | @@ -220,63 +220,6 @@ case "$1" in |
2191 | db_set strongswan/install_x509_certificate false |
2192 | fi |
2193 | |
2194 | - # lets see if we are already using dependency based booting or the correct runlevel parameters |
2195 | - if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then |
2196 | - db_fset strongswan/runlevel_changes seen false |
2197 | - db_input high strongswan/runlevel_changes || true |
2198 | - db_go |
2199 | - |
2200 | - # if the admin did not change the runlevels which got installed by older packages we can modify them |
2201 | - if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then |
2202 | - update-rc.d -f ipsec remove |
2203 | - fi |
2204 | - |
2205 | - update-rc.d ipsec defaults 16 84 > /dev/null |
2206 | - fi |
2207 | - |
2208 | - db_get strongswan/enable-oe |
2209 | - if [ "$RET" != "true" ]; then |
2210 | - echo -n "Disabling opportunistic encryption (OE) in config file ... " |
2211 | - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then |
2212 | - # also update to new-style config |
2213 | - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
2214 | - mv $CONF_FILE.tmp $CONF_FILE |
2215 | - echo -n "converted old config line to new format" |
2216 | - fi |
2217 | - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
2218 | - sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
2219 | - mv $CONF_FILE.tmp $CONF_FILE |
2220 | - echo "done" |
2221 | - elif [ ! -e $CONF_FILE ]; then |
2222 | - echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE |
2223 | - else |
2224 | - echo "already disabled" |
2225 | - fi |
2226 | - else |
2227 | - echo -n "Enabling opportunistic encryption (OE) in config file ... " |
2228 | - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then |
2229 | - # also update to new-style config |
2230 | - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
2231 | - mv $CONF_FILE.tmp $CONF_FILE |
2232 | - echo -n "converted old config line to new format" |
2233 | - fi |
2234 | - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
2235 | - echo "already enabled" |
2236 | - elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
2237 | - sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
2238 | - mv $CONF_FILE.tmp $CONF_FILE |
2239 | - echo "done" |
2240 | - elif [ ! -e $CONF_FILE ]; then |
2241 | - echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE |
2242 | - else |
2243 | - cat <<EOF >> $CONF_FILE |
2244 | -#Enable Opportunistic Encryption |
2245 | -include /etc/ipsec.d/examples/oe.conf |
2246 | -EOF |
2247 | - echo "done" |
2248 | - fi |
2249 | - fi |
2250 | - |
2251 | # disabled for now, until we can solve the don't-edit-conffiles issue |
2252 | #db_get strongswan/ikev1 |
2253 | #if [ "$RET" != "true" ]; then |
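Review bot: dropping the OE and runlevel handling is the right call (the removed `sed`/`mv` pairs rewrote /etc/ipsec.conf, which the comment below the hunk acknowledges is a conffile that must not be edited), but the hunk leaves `db_get strongswan/enable-oe` and `strongswan/runlevel_changes` with no consumer; the matching debconf templates should be retired in the same upload, and the `$runlevels` and `$CONF_FILE` variables computed earlier in the script are now unused and can go too. Worth a changelog line so that users who relied on the enable-oe prompt know the question is gone.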
2254 | diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon |
2255 | index de110d8..58bfbcd 100644 |
2256 | --- a/debian/usr.lib.ipsec.charon |
2257 | +++ b/debian/usr.lib.ipsec.charon |
2258 | @@ -19,6 +19,7 @@ |
2259 | #include <abstractions/authentication> |
2260 | #include <abstractions/openssl> |
2261 | #include <abstractions/p11-kit> |
2262 | + #include <abstractions/mysql> |
2263 | |
2264 | capability ipc_lock, |
2265 | capability net_admin, |
2266 | @@ -28,6 +29,7 @@ |
2267 | capability chown, |
2268 | capability setgid, |
2269 | capability setuid, |
2270 | + capability setpcap, |
2271 | |
2272 | # libcharon-extra-plugins: xauth-pam |
2273 | capability audit_write, |
2274 | @@ -68,6 +70,16 @@ |
2275 | |
2276 | /var/lib/strongswan/* r, |
2277 | |
2278 | + /{,var/}run/systemd/notify w, |
2279 | + |
2280 | + # allow self to read file descriptors (LP #1786250) |
2281 | + # restrict to our own process-ID as per apparmor vars |
2282 | + @{PROC}/@{pid}/fd/ r, |
2283 | + |
2284 | + # for using the ha plugin (LP: #1773956) |
2285 | + @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r, |
2286 | + @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw, |
2287 | + |
2288 | # Site-specific additions and overrides. See local/README for details. |
2289 | #include <local/usr.lib.ipsec.charon> |
2290 | } |
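Review bot: the bug references in the new comments are written two ways, `(LP #1786250)` and `(LP: #1773956)`; only the `LP: #NNN` form is what the Debian/Ubuntu tooling recognises, so use it for both. This block is also added verbatim to usr.sbin.charon-systemd later in the diff; putting the shared rules into a single abstraction file included by both profiles would stop the two from drifting apart. On the rule itself, `@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw` is write access to a kernel iptables control interface, so a comment that it is only exercised when the ha plugin is loaded would help the next reviewer.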
2291 | diff --git a/debian/usr.lib.ipsec.lookip b/debian/usr.lib.ipsec.lookip |
2292 | index de10433..614cda8 100644 |
2293 | --- a/debian/usr.lib.ipsec.lookip |
2294 | +++ b/debian/usr.lib.ipsec.lookip |
2295 | @@ -15,6 +15,8 @@ |
2296 | /usr/lib/ipsec/lookip { |
2297 | #include <abstractions/base> |
2298 | |
2299 | + /usr/lib/ipsec/lookip rmix, |
2300 | + |
2301 | /run/charon.lkp rw, |
2302 | |
2303 | # Site-specific additions and overrides. See local/README for details. |
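Review bot: `/usr/lib/ipsec/lookip rmix,` grants the binary permission to execute itself (`ix`) under the same profile; if lookip never re-executes, the tighter rule is `rm`, or even plain `r` as used for swanctl elsewhere in this diff (`/usr/sbin/swanctl r,`). A comment stating why the rule is needed (reading its own binary, as the swanctl profile says) would make the intent clear.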
2304 | diff --git a/debian/usr.lib.ipsec.stroke b/debian/usr.lib.ipsec.stroke |
2305 | index 9d20ee7..af9cdcc 100644 |
2306 | --- a/debian/usr.lib.ipsec.stroke |
2307 | +++ b/debian/usr.lib.ipsec.stroke |
2308 | @@ -17,6 +17,8 @@ |
2309 | |
2310 | capability dac_override, |
2311 | |
2312 | + /usr/lib/ipsec/stroke rmix, |
2313 | + |
2314 | /etc/strongswan.conf r, |
2315 | /etc/strongswan.d/ r, |
2316 | /etc/strongswan.d/** r, |
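Review bot: same remark as for lookip: `/usr/lib/ipsec/stroke rmix,` includes `ix` execute permission on its own binary, which is wider than the read access the rule appears to be for; `rm` suffices unless stroke actually re-executes itself, and the rule should carry a comment explaining its purpose.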
2317 | diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd |
2318 | index 0540b89..92de81c 100644 |
2319 | --- a/debian/usr.sbin.charon-systemd |
2320 | +++ b/debian/usr.sbin.charon-systemd |
2321 | @@ -19,6 +19,7 @@ |
2322 | #include <abstractions/authentication> |
2323 | #include <abstractions/openssl> |
2324 | #include <abstractions/p11-kit> |
2325 | + #include <abstractions/mysql> |
2326 | |
2327 | capability ipc_lock, |
2328 | capability net_admin, |
2329 | @@ -28,6 +29,7 @@ |
2330 | capability chown, |
2331 | capability setgid, |
2332 | capability setuid, |
2333 | + capability setpcap, |
2334 | |
2335 | # libcharon-extra-plugins: xauth-pam |
2336 | capability audit_write, |
2337 | @@ -60,7 +62,7 @@ |
2338 | /run/charon.* rw, |
2339 | /run/pcscd/pcscd.comm rw, |
2340 | |
2341 | - /usr/lib/ipsec/charon rmix, |
2342 | + /usr/sbin/charon-systemd rmix, |
2343 | /usr/lib/ipsec/imcvs/ r, |
2344 | /usr/lib/ipsec/imcvs/** rm, |
2345 | |
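Review bot: correcting `/usr/lib/ipsec/charon rmix,` to `/usr/sbin/charon-systemd rmix,` is a genuine bug fix in the profile (the old path did not match the confined binary), so it deserves its own changelog entry rather than being folded into the merge; it may also be the reason the profile previously produced denials on self-reads.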
2346 | @@ -70,6 +72,14 @@ |
2347 | |
2348 | /{,var/}run/systemd/notify w, |
2349 | |
2350 | + # allow self to read file descriptors (LP #1786250) |
2351 | + # restrict to our own process-ID as per apparmor vars |
2352 | + @{PROC}/@{pid}/fd/ r, |
2353 | + |
2354 | + # for using the ha plugin (LP: #1773956) |
2355 | + @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r, |
2356 | + @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw, |
2357 | + |
2358 | # Site-specific additions and overrides. See local/README for details. |
2359 | #include <local/usr.sbin.charon-systemd> |
2360 | } |
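Review bot: this block duplicates the one added to usr.lib.ipsec.charon, including the inconsistent `(LP #1786250)` versus `(LP: #1773956)` spelling; normalise to `LP: #NNN` and consider moving the shared fd and ipt_CLUSTERIP rules into one abstraction included by both profiles so future changes only have to be made once.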
2361 | diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl |
2362 | index 627f5c0..276c359 100644 |
2363 | --- a/debian/usr.sbin.swanctl |
2364 | +++ b/debian/usr.sbin.swanctl |
2365 | @@ -1,6 +1,6 @@ |
2366 | #include <tunables/global> |
2367 | |
2368 | -/usr/sbin/swanctl { |
2369 | +/usr/sbin/swanctl flags=(attach_disconnected) { |
2370 | #include <abstractions/base> |
2371 | |
2372 | # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates |
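Review bot: `flags=(attach_disconnected)` is a meaningful relaxation of the profile (it lets rules match files whose path has been disconnected from the namespace, which otherwise get denied outright), and the hunk gives no reason for it; add a comment naming the access that needed it, so a later reviewer can drop the flag if that access goes away.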
2373 | @@ -21,6 +21,12 @@ |
2374 | # Allow communication with VICI plugin UNIX domain socket |
2375 | /run/charon.vici rw, |
2376 | |
2377 | + # for af-alg plugin |
2378 | + network alg seqpacket, |
2379 | + |
2380 | + # Allow reading own binary |
2381 | + /usr/sbin/swanctl r, |
2382 | + |
2383 | # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no |
2384 | # plugins are actually used by swanctl. The following can be removed if |
2385 | # plugin loading is disabled. |
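Review bot: the new `network alg seqpacket,` rule exists only because swanctl loads the af-alg plugin, yet it is placed above the comment that says "The following can be removed if plugin loading is disabled", so it would survive the cleanup that comment describes; move the af-alg rule below that comment with the other plugin-related rules. The `/usr/sbin/swanctl r,` line is fine where it is.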
PPA: https://launchpad.net/~paelzer/+archive/ubuntu/eoan-merge-strongswan-5.7.2-1
Note: Once re-built with all the package re-locations (to be better mergeable with Debian) I'll do some upgrade tests, but the actual MP can already be reviewed.