Merge ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal into ubuntu/+source/strongswan:debian/sid
Status: Merged
Merge reported by: Christian Ehrhardt
Merged at revision: 0191ec297c354a9d4a04ae0e1b8b4d5c71a4ec44
Proposed branch: ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 1733 lines (+1581/-5), 2 files modified: debian/changelog (+1520/-0), debian/control (+61/-5)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Bryce Harrington (community) | | | Approve
git-ubuntu developers | | | Pending
Canonical Server packageset reviewers | | | Pending

Review via email: mp+378566@code.launchpad.net
This proposal supersedes a proposal from 2020-02-05.
Christian Ehrhardt (paelzer) wrote (posted in a previous version of this proposal):
Christian Ehrhardt (paelzer) wrote:
Resubmitted the MP against debian/sid for better LP delta visualization
Christian Ehrhardt (paelzer) wrote:
For now blocked on
https:/
I filed Ubuntu bug
https:/
Once unblocked it should build and test rather straightforward ...
- d2e25d3... by Christian Ehrhardt

  d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
  This is needed due to changes in regard to Debian bug 947176 and 939243
  and can later be dropped again.

  Signed-off-by: Christian Ehrhardt <email address hidden>

- 0191ec2... by Christian Ehrhardt

  changelog: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)

  Signed-off-by: Christian Ehrhardt <email address hidden>
Christian Ehrhardt (paelzer) wrote:
I was able to understand more of the issue and fix the FTBFS on the strongswan side as part of the merge. No more blocked ....
Christian Ehrhardt (paelzer) wrote:
All tests good except i386 (might need overrides but ok)
https:/
Christian Ehrhardt (paelzer) wrote:
Local QRT tests good as well
Got:
Ran 4 tests in 5.150s
Ran 4 tests in 5.179s
Bryce Harrington (bryce) wrote:
Approved for landing the merge, a couple notes below.
* Changelog:
- [√] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [√] changelog entries correct
- [√] update-maintainer has been run
* Actual changes:
- [√] no upstream changes to consider
+ Debian is at 5.8.2-1 in unstable and unstable-debug
- [-] no further upstream version to consider
- [√] debian changes look safe
* Old Delta:
- [-] dropped changes are ok to be dropped
- [√] nothing else to drop
- [√] changes forwarded upstream/debian (if appropriate)
* New Delta:
- [√] no new patches added
- [-] patches match what was proposed upstream
- [-] patches correctly included in debian/
- [-] patches have correct DEP3 metadata
* Build/Test:
- [√] build is ok
- [√] verified PPA package installs/uninstalls
- [√] autopkgtest against the PPA package passes
- [√] sanity checks test fine
+ systemd service had a warning (see below), but still PASS so maybe that was expected?
Can you provide an explanation in a comment on the bug report, LP: #1861975, as to what the next steps will be? I.e. is libiptc's addition temporary until there is a better fix, or...? It's not critical this is done, and it certainly shouldn't delay the merge, but mainly I just want to make sure it's clear for future maintainers what they'd need to do going forward.
I verified the build was ok in the PPA. I tried git ubuntu build and debuild to run on this in my lxc checkout, but unsuccessfully unfortunately; I'm wondering if the dependency changes confused apt. I can give more details if you think this is worth exploring, but I'm ok trusting the PPA build, and my autopkgtest results.
autopkgtest [18:44:02]: test plugins: [------
Unit strongswan.service could not be found.
invoke-rc.d: initscript strongswan, action "status" failed.
autopkgtest [18:44:03]: test plugins: -------
autopkgtest [18:44:03]: test plugins: - - - - - - - - - - results - - - - - - - - - -
plugins PASS
autopkgtest [18:44:03]: @@@@@@@
admin-strongswa
admin-strongswa
daemon PASS
plugins PASS
Christian Ehrhardt (paelzer) wrote:
Thanks for the review - I added a comment to the libiptc related commit.
TL;DR can be dropped in the next merge from Debian.
I only built in sbuild and in the PPA, and both worked.
Let's hope your build issues are not a real thing due to other changes in the archive.
For the sake of being on the safe side I re-pushed a new build to the PPA, but that built fine as well so let me upload it.
To ssh://git.
* [new tag] upload/
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Successfully uploaded packages.
Christian Ehrhardt (paelzer) wrote:
https:/
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index da6dc86..c1b10db 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,22 @@ |
6 | +strongswan (5.8.2-1ubuntu1) focal; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #1861971). Remaining changes: |
9 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
10 | + to libcharon-extra-plugins (drop after 20.04) |
11 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
12 | + to common libcharon-extauth-plugins (drop after 20.04) |
13 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
14 | + therefore bump the dependency from Recommends to Depends. At the same |
15 | + time avoid a circular dependency by dropping |
16 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
17 | + binaries can work without the services but not vice versa. |
18 | + * Added Changes |
19 | + - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) |
20 | + This is needed due to changes in regard to Debian bug 947176 and 939243 |
21 | + and can later be dropped again. |
22 | + |
23 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100 |
24 | + |
25 | strongswan (5.8.2-1) unstable; urgency=medium |
26 | |
27 | [ Jean-Michel Vourgère ] |
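Review bot: the new libiptc-dev item under "Added Changes" says it "can later be dropped again" but not what has to happen first, so the next person doing the merge cannot tell from the changelog when the build-dependency is safe to remove. State the condition next to the two Debian bug numbers, in the same style as the "(drop after 20.04)" markers on the d/control transition items above it. The heading "* Added Changes" is also missing the trailing colon that the "Remaining changes:" line in this entry has.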
28 | @@ -14,6 +33,83 @@ strongswan (5.8.2-1) unstable; urgency=medium |
29 | |
30 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100 |
31 | |
32 | +strongswan (5.8.1-1ubuntu1) focal; urgency=medium |
33 | + |
34 | + * Merge with Debian unstable (LP: #1852579). Remaining changes: |
35 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
36 | + to libcharon-extra-plugins |
37 | + * Added Changes: |
38 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
39 | + to common libcharon-extauth-plugins (drop after 20.04) |
40 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
41 | + therefore bump the dependency from Recommends to Depends. At the same |
42 | + time avoid a circular dependency by dropping |
43 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
44 | + binaries can work without the services but not vice versa. |
45 | + * Dropped Changes (now in Debian): |
46 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
47 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
48 | + opportunistic encryption disabling - this was never in strongSwan and |
49 | + won't be see upstream issue #2160. |
50 | + - d/rules: Removed patching ipsec.conf on build (not using the |
51 | + debconf-managed config.) |
52 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
53 | + used for debconf-managed include of private key). |
54 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
55 | + via this userspace implementation (please do note that this is still |
56 | + considered experimental by upstream). |
57 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
58 | + + d/control: List kernel-libipsec plugin at extra plugins description |
59 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
60 | + upstream recommends to not load kernel-libipsec by default. |
61 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
62 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
63 | + it is no more packaging medcli and medsrv, but still builds and |
64 | + mentions it. |
65 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
66 | + + d/control: Remove medcli, medsrv from package description |
67 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
68 | + libstrongswan-extra-plugins (no deps from default plugins). |
69 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
70 | + plugins for the most common use cases from extra-plugins into a new |
71 | + standard-plugins package. This will allow those use cases without pulling |
72 | + in too much more plugins (a bit like the tnc package). Recommend that |
73 | + package from strongswan-libcharon. |
74 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250) |
75 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956) |
76 | + - executables need to be able to read map and execute themselves otherwise |
77 | + execution in some environments e.g. containers is blocked (LP 1780534) |
78 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
79 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
80 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
81 | + profiles of both ways to start charon (LP 1807664) |
82 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962) |
83 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
84 | + Debian so this part was be dropped. Two changes remain |
85 | + - d/control: fix the mentioning of tpmtss in d/control |
86 | + - apparmor fixes for container and root usage (LP 1826238) |
87 | + + d/usr.sbin.swanctl: allow reading own binary |
88 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
89 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
90 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
91 | + to apparmor to allow dropping caps |
92 | + * Dropped Changes (too uncommon to support by default) |
93 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
94 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
95 | + attr-sql plugins (LP 1766240) - no more needed as itisn't enabled. |
96 | + - Mass enablement of extra plugins and features to allow a user to use |
97 | + strongswan for a variety of extra use cases without having to rebuild. |
98 | + + d/control: Add required additional build-deps |
99 | + + d/control: Mention addtionally enabled plugins |
100 | + + d/rules: Enable features at configure stage |
101 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
102 | + + d/libstrongswan.install: Add plugins (so, conf) |
103 | + + d/strongswan-starter.install: Install pool feature, which is useful |
104 | + since we now have attr-sql plugin enabled it. |
105 | + - Enable additional TNC plugins and add them to libcharon-extra-plugins |
106 | + |
107 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100 |
108 | + |
109 | strongswan (5.8.1-1) unstable; urgency=medium |
110 | |
111 | * d/rules: disable http and stream tests under CI |
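Review bot: in the 5.8.1-1ubuntu1 entry, "Dropped Changes (too uncommon to support by default)" removes the mass enablement of extra plugins and the additional TNC plugins without naming which plugins are no longer built, so a user who depended on one of them cannot see that from the changelog. List the affected plugins, or at least the ones the entry already alludes to (sql, attr-sql, the pool feature). Typos in the same entry: "itisn't", "was be dropped", "addtionally", "d/libbstrongswan-extra-plugins.install".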
112 | @@ -83,6 +179,99 @@ strongswan (5.8.0-1) unstable; urgency=medium |
113 | |
114 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200 |
115 | |
116 | +strongswan (5.7.2-1ubuntu3) eoan; urgency=medium |
117 | + |
118 | + * No change rebuild for libmysqlclient21. |
119 | + |
120 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200 |
121 | + |
122 | +strongswan (5.7.2-1ubuntu2) eoan; urgency=medium |
123 | + |
124 | + * Rebuild against new libjson-c4. |
125 | + |
126 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200 |
127 | + |
128 | +strongswan (5.7.2-1ubuntu1) eoan; urgency=medium |
129 | + |
130 | + [ Christian Ehrhardt ] |
131 | + * Merge with Debian unstable. Remaining changes: |
132 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
133 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
134 | + opportunistic encryption disabling - this was never in strongSwan and |
135 | + won't be see upstream issue #2160. |
136 | + - d/rules: Removed patching ipsec.conf on build (not using the |
137 | + debconf-managed config.) |
138 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
139 | + used for debconf-managed include of private key). |
140 | + - Mass enablement of extra plugins and features to allow a user to use |
141 | + strongswan for a variety of extra use cases without having to rebuild. |
142 | + + d/control: Add required additional build-deps |
143 | + + d/control: Mention addtionally enabled plugins |
144 | + + d/rules: Enable features at configure stage |
145 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
146 | + + d/libstrongswan.install: Add plugins (so, conf) |
147 | + + d/strongswan-starter.install: Install pool feature, which is useful |
148 | + since we now have attr-sql plugin enabled it. |
149 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
150 | + via this userspace implementation (please do note that this is still |
151 | + considered experimental by upstream). |
152 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
153 | + + d/control: List kernel-libipsec plugin at extra plugins description |
154 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
155 | + upstream recommends to not load kernel-libipsec by default. |
156 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
157 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
158 | + it is no more packaging medcli and medsrv, but still builds and |
159 | + mentions it. |
160 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
161 | + + d/control: Remove medcli, medsrv from package description |
162 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
163 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
164 | + libstrongswan-extra-plugins (no deps from default plugins). |
165 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
166 | + plugins for the most common use cases from extra-plugins into a new |
167 | + standard-plugins package. This will allow those use cases without pulling |
168 | + in too much more plugins (a bit like the tnc package). Recommend that |
169 | + package from strongswan-libcharon. |
170 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
171 | + attr-sql plugins (LP #1766240) |
172 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
173 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) |
174 | + - executables need to be able to read map and execute themselves otherwise |
175 | + execution in some environments e.g. containers is blocked (LP: 1780534) |
176 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
177 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
178 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
179 | + profiles of both ways to start charon (LP: 1807664) |
180 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) |
181 | + * Dropped changes |
182 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
183 | + fix SIGSEGV when using mysql plugin (LP: 1795813) |
184 | + [upstream in 5.7.2] |
185 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
186 | + [was a non functional change, dropped to avoid merge noise] |
187 | + - Relocate tnc plugin |
188 | + [TNC is back at libcharon-extra-plugins as it is in Debian] |
189 | + * Added changes: |
190 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
191 | + Debian so this part was be dropped. Two changes remain |
192 | + - d/control: fix the mentioning of tpmtss in d/control |
193 | + - add nttfft (can be merged with the mass enablement change later) |
194 | + - Transitional packages to go back from strongswan-tnc-* being in extra |
195 | + packages to be part of libcharon-extra-plugins. |
196 | + [can be dropped after 20.04] |
197 | + |
198 | + [ Simon Deziel ] |
199 | + * Added changes: |
200 | + - apparmor fixes for container and root usage (LP: #1826238) |
201 | + + d/usr.sbin.swanctl: allow reading own binary |
202 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
203 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
204 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
205 | + to apparmor to allow dropping caps |
206 | + |
207 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200 |
208 | + |
209 | strongswan (5.7.2-1) unstable; urgency=medium |
210 | |
211 | * d/control: remove Rene from Uploaders, thanks! |
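Review bot: bug references in the 5.7.2-1ubuntu1 entry are written three ways, "(LP #1766240)", "(LP: 1773956)" and "(LP: #1826238)". If the carried-over items are deliberately written in a form that does not close bugs again, use one such form for all of them and keep "LP: #" only for items added in that upload, such as the apparmor fixes under "[ Simon Deziel ]". Under "Added changes", the text "Two changes remain" is followed by the tpmtss and nttfft items with the same "-" marker as their parent and as the unrelated "Transitional packages" item, which makes the grouping hard to read.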
212 | @@ -101,6 +290,86 @@ strongswan (5.7.2-1) unstable; urgency=medium |
213 | |
214 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 |
215 | |
216 | +strongswan (5.7.1-1ubuntu2) disco; urgency=medium |
217 | + |
218 | + * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective |
219 | + path (LP: #1773956) |
220 | + * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
221 | + profiles of both ways to start charon (LP: #1807664) |
222 | + * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962) |
223 | + |
224 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100 |
225 | + |
226 | +strongswan (5.7.1-1ubuntu1) disco; urgency=medium |
227 | + |
228 | + * Merge with Debian unstable (LP: #1806401). Remaining changes: |
229 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
230 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
231 | + opportunistic encryption disabling - this was never in strongSwan and |
232 | + won't be see upstream issue #2160. |
233 | + - d/rules: Removed patching ipsec.conf on build (not using the |
234 | + debconf-managed config.) |
235 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
236 | + used for debconf-managed include of private key). |
237 | + - Mass enablement of extra plugins and features to allow a user to use |
238 | + strongswan for a variety of extra use cases without having to rebuild. |
239 | + + d/control: Add required additional build-deps |
240 | + + d/control: Mention addtionally enabled plugins |
241 | + + d/rules: Enable features at configure stage |
242 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
243 | + + d/libstrongswan.install: Add plugins (so, conf) |
244 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
245 | + we have attr-sql plugin enabled as well using it. |
246 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
247 | + via this userspace implementation (please do note that this is still |
248 | + considered experimental by upstream). |
249 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
250 | + + d/control: List kernel-libipsec plugin at extra plugins description |
251 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
252 | + upstream recommends to not load kernel-libipsec by default. |
253 | + - Relocate tnc plugin |
254 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
255 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
256 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
257 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
258 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
259 | + it is no more packaging medcli and medsrv, but still builds and |
260 | + mentions it. |
261 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
262 | + + d/control: Remove medcli, medsrv from package description |
263 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
264 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
265 | + libstrongswan-extra-plugins (no deps from default plugins). |
266 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
267 | + plugins for the most common use cases from extra-plugins into a new |
268 | + standard-plugins package. This will allow those use cases without pulling |
269 | + in too much more plugins (a bit like the tnc package). Recommend that |
270 | + package from strongswan-libcharon. |
271 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
272 | + attr-sql plugins (LP #1766240) |
273 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
274 | + * Added Changes: |
275 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
276 | + fix SIGSEGV when using mysql plugin (LP: #1795813) |
277 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) |
278 | + - executables need to be able to read map and execute themselves otherwise |
279 | + execution in some environments e.g. containers is blocked (LP: #1780534) |
280 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
281 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
282 | + - adapt "mass enablement of extra plugins" to match 5.7.x changes |
283 | + + d/rules: use new options for swima instead of swid |
284 | + + d/strongswan-tnc-server.install: add new sec updater tool |
285 | + + d/strongswan-tnc-client.install: add new sw-collector tool |
286 | + * Dropped (in Debian now): |
287 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
288 | + (CVE-2018-17540) |
289 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
290 | + (CVE-2018-16151 CVE-2018-16152) |
291 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
292 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
293 | + |
294 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100 |
295 | + |
296 | strongswan (5.7.1-1) unstable; urgency=medium |
297 | |
298 | [ Ondřej Nový ] |
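Review bot: under "Dropped (in Debian now)" in the 5.7.1-1ubuntu1 entry, the two gmp SECURITY UPDATE items (CVE-2018-17540 and CVE-2018-16151 CVE-2018-16152) do not say which version carries the fixes. Add it in brackets, as the 5.7.2-1ubuntu1 entry does with "[upstream in 5.7.2]", so that a reader auditing the delta can confirm the fixes are present without going through the upstream history. The last item in that block spells the profile as "d/usr/sbin/charon-systemd" while the other items in this entry use "d/usr.sbin.charon-systemd".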
299 | @@ -131,6 +400,96 @@ strongswan (5.7.0-1) unstable; urgency=medium |
300 | |
301 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 |
302 | |
303 | +strongswan (5.6.3-1ubuntu5) disco; urgency=medium |
304 | + |
305 | + * No-change rebuild against libunbound8 |
306 | + |
307 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000 |
308 | + |
309 | +strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium |
310 | + |
311 | + * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250) |
312 | + Thanks to Matt Callaghan. |
313 | + |
314 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300 |
315 | + |
316 | +strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium |
317 | + |
318 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
319 | + - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix |
320 | + buffer overflow with very small RSA keys in |
321 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c. |
322 | + - CVE-2018-17540 |
323 | + |
324 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400 |
325 | + |
326 | +strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium |
327 | + |
328 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
329 | + - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't |
330 | + parse PKCS1 v1.5 RSA signatures to verify them in |
331 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c, |
332 | + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. |
333 | + - CVE-2018-16151 |
334 | + - CVE-2018-16152 |
335 | + |
336 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400 |
337 | + |
338 | +strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium |
339 | + |
340 | + * Merge with Debian unstable. Remaining changes: |
341 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
342 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
343 | + opportunistic encryption disabling - this was never in strongSwan and |
344 | + won't be see upstream issue #2160. |
345 | + - d/rules: Removed patching ipsec.conf on build (not using the |
346 | + debconf-managed config.) |
347 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
348 | + used for debconf-managed include of private key). |
349 | + - Mass enablement of extra plugins and features to allow a user to use |
350 | + strongswan for a variety of extra use cases without having to rebuild. |
351 | + + d/control: Add required additional build-deps |
352 | + + d/control: Mention addtionally enabled plugins |
353 | + + d/rules: Enable features at configure stage |
354 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
355 | + + d/libstrongswan.install: Add plugins (so, conf) |
356 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
357 | + we have attr-sql plugin enabled as well using it. |
358 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
359 | + via this userspace implementation (please do note that this is still |
360 | + considered experimental by upstream). |
361 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
362 | + + d/control: List kernel-libipsec plugin at extra plugins description |
363 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
364 | + upstream recommends to not load kernel-libipsec by default. |
365 | + - Relocate tnc plugin |
366 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
367 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
368 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
369 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
370 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
371 | + it is no more packaging medcli and medsrv, but still builds and |
372 | + mentions it. |
373 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
374 | + + d/control: Remove medcli, medsrv from package description |
375 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
376 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
377 | + libstrongswan-extra-plugins (no deps from default plugins). |
378 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
379 | + plugins for the most common use cases from extra-plugins into a new |
380 | + standard-plugins package. This will allow those use cases without pulling |
381 | + in too much more plugins (a bit like the tnc package). Recommend that |
382 | + package from strongswan-libcharon. |
383 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
384 | + attr-sql plugins (LP #1766240) |
385 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
386 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
387 | + * Dropped: |
388 | + - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
389 | + [Fixed in 5.6.3-1] |
390 | + |
391 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 |
392 | + |
393 | strongswan (5.6.3-1) unstable; urgency=medium |
394 | |
395 | * New upstream version 5.6.2 |
396 | @@ -146,6 +505,78 @@ strongswan (5.6.3-1) unstable; urgency=medium |
397 | |
398 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
399 | |
400 | +strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium |
401 | + |
402 | + * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 |
403 | + |
404 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 |
405 | + |
406 | +strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium |
407 | + |
408 | + * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. |
409 | + Remaining changes: |
410 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
411 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
412 | + opportunistic encryption disabling - this was never in strongSwan and |
413 | + won't be see upstream issue #2160. |
414 | + + d/rules: Removed patching ipsec.conf on build (not using the |
415 | + debconf-managed config.) |
416 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
417 | + used for debconf-managed include of private key). |
418 | + + Mass enablement of extra plugins and features to allow a user to use |
419 | + strongswan for a variety of extra use cases without having to rebuild. |
420 | + - d/control: Add required additional build-deps |
421 | + - d/control: Mention addtionally enabled plugins |
422 | + - d/rules: Enable features at configure stage |
423 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
424 | + - d/libstrongswan.install: Add plugins (so, conf) |
425 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
426 | + we have attr-sql plugin enabled as well using it. |
427 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
428 | + via this userspace implementation (please do note that this is still |
429 | + considered experimental by upstream). |
430 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
431 | + - d/control: List kernel-libipsec plugin at extra plugins description |
432 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
433 | + upstream recommends to not load kernel-libipsec by default. |
434 | + + Relocate tnc plugin |
435 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
436 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
437 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
438 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
439 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
440 | + it is no more packaging medcli and medsrv, but still builds and |
441 | + mentions it. |
442 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
443 | + - d/control: Remove medcli, medsrv from package description |
444 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
445 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
446 | + libstrongswan-extra-plugins (no deps from default plugins). |
447 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
448 | + plugins for the most common use cases from extra-plugins into a new |
449 | + standard-plugins package. This will allow those use cases without pulling |
450 | + in too much more plugins (a bit like the tnc package). Recommend that |
451 | + package from strongswan-libcharon. |
452 | + * Dropped Changes (no more needed after 18.04) |
453 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
454 | + missed that, droppable after 18.04) |
455 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
456 | + libstrongswan as we dropped relocating ccm and test-vectors. |
457 | + (droppable >18.04). |
458 | + + d/control: add breaks/replace from libstrongswan to |
459 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
460 | + (droppable >18.04). |
461 | + + d/control: bump breaks/replaces for the move of the updown plugin |
462 | + (Missed Changelog entry on last merge) |
463 | + + d/control: fix dependencies of strongswan-libcharon due to the move |
464 | + the updown plugin (droppable >18.04). |
465 | + * Added Changes: |
466 | + + d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
467 | + attr-sql plugins (LP: #1766240) |
468 | + + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
469 | + |
470 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 |
471 | + |
472 | strongswan (5.6.2-2) unstable; urgency=medium |
473 | |
474 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
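Review bot: The two AppArmor items under "Added Changes" at diff lines 466-468 say what d/usr.sbin.charon-systemd now allows ("contact mysql", "systemd notifications") but not which rules were added, so a reader cannot judge from the changelog how far the charon-systemd confinement was widened. When this delta is restated in the next "Remaining changes" list, name the rule or the socket or path it grants next to the LP reference. Separately, the updown item at diff lines 461-462 is the only entry in its "Dropped Changes" block that names neither the packages involved nor a "droppable" marker.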
475 | @@ -156,6 +587,74 @@ strongswan (5.6.2-2) unstable; urgency=medium |
476 | |
477 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
478 | |
479 | +strongswan (5.6.2-1ubuntu2) bionic; urgency=medium |
480 | + |
481 | + * d/control: fix dependencies of strongswan-libcharon due to the move |
482 | + the updown plugin. |
483 | + |
484 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 |
485 | + |
486 | +strongswan (5.6.2-1ubuntu1) bionic; urgency=medium |
487 | + |
488 | + * Merge with Debian unstable (LP: #1753018). Remaining changes: |
489 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
490 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
491 | + opportunistic encryption disabling - this was never in strongSwan and |
492 | + won't be see upstream issue #2160. |
493 | + + Ubuntu is not using the debconf triggered private key generation |
494 | + - d/rules: Removed patching ipsec.conf on build (not using the |
495 | + debconf-managed config.) |
496 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
497 | + used for debconf-managed include of private key). |
498 | + + Mass enablement of extra plugins and features to allow a user to use |
499 | + strongswan for a variety of extra use cases without having to rebuild. |
500 | + - d/control: Add required additional build-deps |
501 | + - d/control: Mention addtionally enabled plugins |
502 | + - d/rules: Enable features at configure stage |
503 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
504 | + - d/libstrongswan.install: Add plugins (so, conf) |
505 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
506 | + we have attr-sql plugin enabled as well using it. |
507 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
508 | + via this userspace implementation (please do note that this is still |
509 | + considered experimental by upstream). |
510 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
511 | + - d/control: List kernel-libipsec plugin at extra plugins description |
512 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
513 | + upstream recommends to not load kernel-libipsec by default. |
514 | + + Relocate tnc plugin |
515 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
516 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
517 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
518 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
519 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
520 | + it is no more packaging medcli and medsrv, but still builds and |
521 | + mentions it. |
522 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
523 | + - d/control: Remove medcli, medsrv from package description |
524 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
525 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
526 | + libstrongswan-extra-plugins (no deps from default plugins). |
527 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
528 | + missed that, droppable after 18.04) |
529 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
530 | + plugins for the most common use cases from extra-plugins into a new |
531 | + standard-plugins package. This will allow those use cases without pulling |
532 | + in too much more plugins (a bit like the tnc package). Recommend that |
533 | + package from strongswan-libcharon. |
534 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
535 | + libstrongswan as we dropped relocating ccm and test-vectors. |
536 | + (droppable >18.04). |
537 | + + d/control: add breaks/replace from libstrongswan to |
538 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
539 | + (droppable >18.04). |
540 | + * Added Changes: |
541 | + + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- |
542 | + starter as we followed Debian to move the updown plugin but need to |
543 | + match Ubuntu versions (Droppable >18.04). |
544 | + |
545 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 |
546 | + |
547 | strongswan (5.6.2-1) unstable; urgency=medium |
548 | |
549 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
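Review bot: The file name at diff line 503, "d/libbstrongswan-extra-plugins.install", has a doubled "b", while the other entries in this changelog refer to libstrongswan-extra-plugins, so a search of the changelog for that install file will miss this item. The same sub-list has "addtionally" at diff line 501. Use the correct spelling wherever this "Mass enablement" item is restated in a new entry. The 5.6.2-1ubuntu2 entry at diff lines 481-482 would also be easier to audit if it named the dependency that was changed, as the breaks/replaces item at diff lines 541-543 does.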
550 | @@ -178,6 +677,129 @@ strongswan (5.6.1-3) unstable; urgency=medium |
551 | |
552 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
553 | |
554 | +strongswan (5.6.1-2ubuntu4) bionic; urgency=medium |
555 | + |
556 | + * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature |
557 | + - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm |
558 | + identifier without parameters in |
559 | + src/libstrongswan/credentials/keys/signature_params.c. |
560 | + - CVE-2018-6459 |
561 | + |
562 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 |
563 | + |
564 | +strongswan (5.6.1-2ubuntu3) bionic; urgency=medium |
565 | + |
566 | + * No-change rebuild against libcurl4 |
567 | + |
568 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 |
569 | + |
570 | +strongswan (5.6.1-2ubuntu2) bionic; urgency=high |
571 | + |
572 | + * No change rebuild against openssl1.1. |
573 | + |
574 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 |
575 | + |
576 | +strongswan (5.6.1-2ubuntu1) bionic; urgency=medium |
577 | + |
578 | + * Merge with Debian unstable (LP: #1717343). |
579 | + Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: |
580 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
581 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
582 | + opportunistic encryption disabling - this was never in strongSwan and |
583 | + won't be see upstream issue #2160. |
584 | + + Ubuntu is not using the debconf triggered private key generation |
585 | + - d/rules: Removed patching ipsec.conf on build (not using the |
586 | + debconf-managed config.) |
587 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
588 | + used for debconf-managed include of private key). |
589 | + + Mass enablement of extra plugins and features to allow a user to use |
590 | + strongswan for a variety of extra use cases without having to rebuild. |
591 | + - d/control: Add required additional build-deps |
592 | + - d/control: Mention addtionally enabled plugins |
593 | + - d/rules: Enable features at configure stage |
594 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
595 | + - d/libstrongswan.install: Add plugins (so, conf) |
596 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
597 | + we have attr-sql plugin enabled as well using it. |
598 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
599 | + via this userspace implementation (please do note that this is still |
600 | + considered experimental by upstream). |
601 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
602 | + - d/control: List kernel-libipsec plugin at extra plugins description |
603 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
604 | + upstream recommends to not load kernel-libipsec by default. |
605 | + + Relocate tnc plugin |
606 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
607 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
608 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
609 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
610 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
611 | + it is no more packaging medcli and medsrv, but still builds and |
612 | + mentions it. |
613 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
614 | + - d/control: Remove medcli, medsrv from package description |
615 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
616 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
617 | + libstrongswan-extra-plugins (no deps from default plugins). |
618 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
619 | + missed that, droppable after 18.04) |
620 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
621 | + plugins for the most common use cases from extra-plugins into a new |
622 | + standard-plugins package. This will allow those use cases without pulling |
623 | + in too much more plugins (a bit like the tnc package). Recommend that |
624 | + package from strongswan-libcharon. |
625 | + * Added changes: |
626 | + + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed |
627 | + in 5.6 |
628 | + + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed |
629 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
630 | + libstrongswan as we dropped relocating ccm and test-vectors. |
631 | + (droppable >18.04). |
632 | + - d/control: add breaks/replace from libstrongswan to |
633 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
634 | + (droppable >18.04). |
635 | + * Dropped changes: |
636 | + + Update init/service handling (debian default matches Ubuntu past now) |
637 | + Dropping this fixes (LP: #1734886) |
638 | + - d/rules: Change init/systemd program name to strongswan |
639 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
640 | + patching upstream |
641 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
642 | + linking to upstream |
643 | + + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call |
644 | + (this is a never failing no-op for us, no need for Delta). |
645 | + + d/strongswan-starter.prerm: Stop strongswan service on package removal |
646 | + (ipsec now maps to strongswan service, so this works as-is). |
647 | + + Clean up d/strongswan-starter.postinst: rename service ipsec to |
648 | + strongswan (ipsec now maps to strongswan service, so this works as-is) |
649 | + + Clean up d/strongswan-starter.postinst: daemon enable/disable (the |
650 | + whole section is disabled, so no need for delta) |
651 | + + (is upstream) CVE-2017-11185 patches |
652 | + + (is upstream) FTBFS upstream fix for changed include files |
653 | + + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under |
654 | + QEMU/KVM autopkgtest the bliss test takes longer than the default |
655 | + + (in Debian) add now built (since 5.5.1) mgf1 plugin to |
656 | + libstrongswan-extra-plugins. |
657 | + + (in Debian) d/strongswan-starter.install: install stroke apparmor profile |
658 | + + (this was enabled as part of the former delta, squash changes to no-up) |
659 | + d/rules: Disable duplicheck. |
660 | + + (not needed) Relocate plugins test-vectors from extra-plugins to |
661 | + libstrongswan |
662 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
663 | + - d/libstrongswan.install: Add plugins/confiles |
664 | + - d/control: move package descriptions and add required breaks/replaces |
665 | + + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan |
666 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
667 | + - d/libstrongswan.install: Add plugins/confiles |
668 | + - d/control: move package descriptions and add required breaks/replaces |
669 | + + (while using it requires special kernel, it does not hurt to be |
670 | + available in the package) Remove ha plugin |
671 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
672 | + - d/rules: Do not enable ha plugin |
673 | + - d/control: Drop listing the ha plugin in the package description |
674 | + |
675 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 |
676 | + |
677 | strongswan (5.6.1-2) unstable; urgency=medium |
678 | |
679 | * move counters plugin from -starter to -libcharon. closes: #882431 |
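Review bot: The dropped security delta at diff line 651, "(is upstream) CVE-2017-11185 patches", gives no upstream release or commit that contains the fix, so dropping the patch cannot be confirmed from the changelog alone. Add the upstream version that carries it, as the bliss timeout item in the 5.5.1-4ubuntu1 entry does with "Upstream in 5.5.2 via issue 2204". In "Added changes", the item at diff lines 632-634 is written as a "-" sub-item of the ccm/test-vectors bump above it, although it describes a separate breaks/replaces for mgf1 and appears as its own "+" item in the 5.6.2-1ubuntu1 entry.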
680 | @@ -264,6 +886,213 @@ strongswan (5.5.2-1) experimental; urgency=medium |
681 | |
682 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
683 | |
684 | +strongswan (5.5.1-4ubuntu3) bionic; urgency=medium |
685 | + |
686 | + * Fix Artful FTBFS due to newer glibc (LP: #1724859) |
687 | + - d/p/utils-Include-stdint.h.patch: upstream fix for changed include |
688 | + files. |
689 | + |
690 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 |
691 | + |
692 | +strongswan (5.5.1-4ubuntu2) artful; urgency=medium |
693 | + |
694 | + * SECURITY UPDATE: Fix RSA signature verification |
695 | + - debian/patches/CVE-2017-11185.patch: does some |
696 | + verifications in order to avoid null-point dereference |
697 | + in src/libstrongswan/gmp/gmp_rsa_public_key.c |
698 | + - CVE-2017-11185 |
699 | + |
700 | + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 |
701 | + |
702 | +strongswan (5.5.1-4ubuntu1) artful; urgency=medium |
703 | + |
704 | + * Merge from Debian to pick up latest security changes (CVE-2017-9022, |
705 | + CVE-2017-9023). |
706 | + * Remaining Changes: |
707 | + + Update init/service handling |
708 | + - d/rules: Change init/systemd program name to strongswan |
709 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
710 | + patching upstream |
711 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
712 | + linking to upstream |
713 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
714 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
715 | + removal (as opposed to using the old init.d script). |
716 | + + Clean up d/strongswan-starter.postinst: |
717 | + - Removed section about runlevel changes |
718 | + - Adapted service restart section for Upstart (kept to be Trusty |
719 | + backportable). |
720 | + - Remove old symlinks to init.d files is necessary. |
721 | + - Removed further out-dated code |
722 | + - Removed entire section on opportunistic encryption - this was never in |
723 | + strongSwan. |
724 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
725 | + + Mass enablement of extra plugins and features to allow a user to use |
726 | + strongswan for a variety of use cases without having to rebuild. |
727 | + - d/control: Add required additional build-deps |
728 | + - d/rules: Enable features at configure stage |
729 | + - d/control: Mention addtionally enabled plugins |
730 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
731 | + - d/libstrongswan.install: Add plugins (so, conf) |
732 | + + d/rules: Disable duplicheck as per |
733 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
734 | + + Remove ha plugin (requires special kernel) |
735 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
736 | + - d/rules: Do not enable ha plugin |
737 | + - d/control: Drop listing the ha plugin in the package description |
738 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
739 | + via this userspace implementation (please do note that this is still |
740 | + considered experimental by upstream). |
741 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
742 | + - d/control: List kernel-libipsec plugin at extra plugins description |
743 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
744 | + upstream recommends to not load kernel-libipsec by default. |
745 | + + Relocate tnc plugin |
746 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
747 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
748 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
749 | + having attr-sql plugin that is enabled now. |
750 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
751 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
752 | + - d/libstrongswan.install: Add plugins/confiles |
753 | + - d/control: move package descriptions and add required breaks/replaces |
754 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
755 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
756 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
757 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
758 | + autopkgtest the bliss test takes longer than the default (Upstream in |
759 | + 5.5.2 via issue 2204) |
760 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
761 | + it is no more packaging medcli and medsrv, but still builds and |
762 | + mentions it. |
763 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
764 | + - d/control: Remove medcli, medsrv from package description |
765 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
766 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
767 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
768 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
769 | + libstrongswan-extra-plugins. |
770 | + + Add missing mention of md4 plugin in d/control |
771 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
772 | + missed that) |
773 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
774 | + plugins for the most common use cases from extra-plugins into a new |
775 | + standard-plugins package. This will allow those use cases without pulling |
776 | + in too much more plugins (a bit like the tnc package). Recommend that |
777 | + package from strongswan-libcharon. |
778 | + |
779 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 |
780 | + |
781 | +strongswan (5.5.1-3ubuntu1) artful; urgency=medium |
782 | + |
783 | + * Merge from Debian to pick up latest changes. Among others this includes: |
784 | + - a lot of the Delta we upstreamed to Debian (more discussions are ongoing |
785 | + but likely have to wait until Debian stretch was released) |
786 | + - enabling mediation support (LP: #1657413) |
787 | + * Remaining Changes: |
788 | + + Update init/service handling |
789 | + - d/rules: Change init/systemd program name to strongswan |
790 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
791 | + patching upstream |
792 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
793 | + linking to upstream |
794 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
795 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
796 | + removal (as opposed to using the old init.d script). |
797 | + + Clean up d/strongswan-starter.postinst: |
798 | + - Removed section about runlevel changes |
799 | + - Adapted service restart section for Upstart (kept to be Trusty |
800 | + backportable). |
801 | + - Remove old symlinks to init.d files is necessary. |
802 | + - Removed further out-dated code |
803 | + - Removed entire section on opportunistic encryption - this was never in |
804 | + strongSwan. |
805 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
806 | + + Mass enablement of extra plugins and features to allow a user to use |
807 | + strongswan for a variety of use cases without having to rebuild. |
808 | + - d/control: Add required additional build-deps |
809 | + - d/rules: Enable features at configure stage |
810 | + - d/control: Mention addtionally enabled plugins |
811 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
812 | + - d/libstrongswan.install: Add plugins (so, conf) |
813 | + + d/rules: Disable duplicheck as per |
814 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
815 | + + Remove ha plugin (requires special kernel) |
816 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
817 | + - d/rules: Do not enable ha plugin |
818 | + - d/control: Drop listing the ha plugin in the package description |
819 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
820 | + via this userspace implementation (please do note that this is still |
821 | + considered experimental by upstream). |
822 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
823 | + - d/control: List kernel-libipsec plugin at extra plugins description |
824 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
825 | + upstream recommends to not load kernel-libipsec by default. |
826 | + + Relocate tnc plugin |
827 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
828 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
829 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
830 | + having attr-sql plugin that is enabled now. |
831 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
832 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
833 | + - d/libstrongswan.install: Add plugins/confiles |
834 | + - d/control: move package descriptions and add required breaks/replaces |
835 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
836 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
837 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
838 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
839 | + autopkgtest the bliss test takes longer than the default (Upstream in |
840 | + 5.5.2 via issue 2204) |
841 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
842 | + it is no more packaging medcli and medsrv, but still builds and |
843 | + mentions it. |
844 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
845 | + - d/control: Remove medcli, medsrv from package description |
846 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
847 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
848 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
849 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
850 | + libstrongswan-extra-plugins. |
851 | + + Add missing mention of md4 plugin in d/control |
852 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
853 | + missed that) |
854 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
855 | + plugins for the most common use cases from extra-plugins into a new |
856 | + standard-plugins package. This will allow those use cases without pulling |
857 | + in too much more plugins (a bit like the tnc package). Recommend that |
858 | + package from strongswan-libcharon. |
859 | + * Dropped Changes: |
860 | + + Add and install apparmor profiles (in Debian) |
861 | + - d/rules: Install AppArmor profiles |
862 | + - d/control: Add dh-apparmor build-dep |
863 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
864 | + for charon, lookip and stroke |
865 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
866 | + - d/strongswan-charon.install: Install profile for charon |
867 | + - d/strongswan-starter.install: Install profile for stroke |
868 | + - Fix strongswan ipsec status issue with apparmor |
869 | + - Fix Dep8 tests for the now extra strongswan-pki package for pki |
870 | + - Fix Dep8 tests for the now extra strongswan-scepclient package |
871 | + + d/rules: Sorted and only one enable option per configure line (in |
872 | + Debian) |
873 | + + Add updated logcheck rules (in Debian) |
874 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
875 | + - debian/strongswan.logcheck: Add updated logcheck rules |
876 | + + Add updated DEP8 tests (in Debian) |
877 | + - d/tests/*: Add DEP8 tests |
878 | + - d/control: Enable autotestpkg |
879 | + + d/rules: do not strip for library integrity checking (After Discussion |
880 | + with Debian this isn't acceptable there, but at the same time it turned |
881 | + out the real use-case of this never uses this lib but instead third |
882 | + party checks of checksums for e.g. FIPS cert; so drop the Delta) |
883 | + - Use override_dh_strip to to avoid overwriting user build flags. |
884 | + - Add missing mention of libchecksum integrity test in d/control |
885 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
886 | + in tests to avoid issues in low entropy environments. (Debian has |
887 | + disabled !x86 tests for the same reason, one solution is enough) |
888 | + |
889 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 |
890 | + |
891 | strongswan (5.5.1-3) unstable; urgency=medium |
892 | |
893 | [ Christian Ehrhardt ] |
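Review bot: The security entry for 5.5.1-4ubuntu2 at diff lines 694-698 describes the CVE-2017-11185 patch only as "does some verifications in order to avoid null-point dereference", which does not say what is validated in src/libstrongswan/gmp/gmp_rsa_public_key.c. Where the item is referenced again, say which values are checked before use and write "null-pointer dereference". The 5.5.1-4ubuntu3 entry at diff lines 684-688 is headed "bionic" while its text says it fixes an Artful FTBFS. If both releases were affected, say so in the item.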
894 | @@ -297,6 +1126,136 @@ strongswan (5.5.1-2) unstable; urgency=medium |
895 | |
896 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
897 | |
898 | +strongswan (5.5.1-1ubuntu2) zesty; urgency=medium |
899 | + |
900 | + * Update Maintainers which was missed while merging 5.5.1-1. |
901 | + |
902 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 |
903 | + |
904 | +strongswan (5.5.1-1ubuntu1) zesty; urgency=medium |
905 | + |
906 | + * Merge from Debian (complex delta, discussions and broken out changes can be |
907 | + found in the merge proposal linked from the merge bug LP: #1631198) |
908 | + * Remaining Changes: |
909 | + + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity |
910 | + checking. |
911 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
912 | + in tests to avoid issues in low entropy environments. |
913 | + + Update init/service handling |
914 | + - d/rules: Change init/systemd program name to strongswan |
915 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
916 | + patching upstream |
917 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
918 | + linking to upstream |
919 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
920 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
921 | + removal (as opposed to using the old init.d script). |
922 | + + Clean up d/strongswan-starter.postinst: |
923 | + - Removed section about runlevel changes |
924 | + - Adapted service restart section for Upstart (kept to be Trusty |
925 | + backportable). |
926 | + - Remove old symlinks to init.d files is necessary. |
927 | + - Removed further out-dated code |
928 | + - Removed entire section on opportunistic encryption - this was never in |
929 | + strongSwan. |
930 | + + Add and install apparmor profiles |
931 | + - d/rules: Install AppArmor profiles |
932 | + - d/control: Add dh-apparmor build-dep |
933 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
934 | + for charon, lookip and stroke |
935 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
936 | + - d/strongswan-charon.install: Install profile for charon |
937 | + - d/strongswan-starter.install: Install profile for stroke |
938 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
939 | + + d/rules: Sorted and only one enable option per configure line |
940 | + + Mass enablement of extra plugins and features to allow a user to use |
941 | + strongswan for a variety of use cases without having to rebuild. |
942 | + - d/control: Add required additional build-deps |
943 | + - d/rules: Enable features at configure stage |
944 | + - d/control: Mention addtionally enabled plugins |
945 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
946 | + - d/libstrongswan.install: Add plugins (so, conf) |
947 | + + d/rules: Disable duplicheck as per |
948 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
949 | + + Remove ha plugin (requires special kernel) |
950 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
951 | + - d/rules: Do not enable ha plugin |
952 | + - d/control: Drop listing the ha plugin in the package description |
953 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
954 | + via this userspace implementation (please do note that this is still |
955 | + considered experimental by upstream). |
956 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
957 | + - d/control: List kernel-libipsec plugin at extra plugins description |
958 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
959 | + upstream recommends to not load kernel-libipsec by default. |
960 | + + Relocate tnc plugin |
961 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
962 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
963 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
964 | + having attr-sql plugin that is enabled now. |
965 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
966 | + - d/libstrongswan-extra-plugins.install: Remove plugins |
967 | + - d/libstrongswan.install: Add plugins |
968 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
969 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
970 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
971 | + + Add updated logcheck rules |
972 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
973 | + - debian/strongswan.logcheck: Add updated logcheck rules |
974 | + + Add updated DEP8 tests |
975 | + - d/tests/*: Add DEP8 tests |
976 | + - d/control: Enable autotestpkg |
977 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
978 | + autopkgtest the bliss test takes longer than the default |
979 | + + Complete the disabling of libfast |
980 | + - Note: This was partially accepted in Debian, it is no more |
981 | + packaging medcli and medsrv, but still builds and mentions it |
982 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
983 | + - d/control: Remove medcli, medsrv from package description |
984 | + * Dropped Changes: |
985 | + + Adding build-dep to iptables-dev (no change, was only in Changelog) |
986 | + + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) |
987 | + + Adding strongswan-plugin-* virtual packages for dist-upgrade (no |
988 | + upgrade path left needing them) |
989 | + + Most of "disabling libfast" (Debian dropped it from package content) |
990 | + + Transition for ipsec service (no upgrade path left) |
991 | + + Reverted part of the cleanup to d/strongswan-starter.postinst as using |
992 | + service should rather use invoke-rc.d (so it is a partial revert of our |
993 | + delta) |
994 | + + Transition handling (breaks/replaces) from per-plugin packages to the |
995 | + three grouped plugin packages (no upgrade path left) |
996 | + + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" |
997 | + it is effectively a no-op still, so not worth the delta) |
998 | + + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
999 | + (no more needed) |
1000 | + + d/rules: Remove configure option --enable-unit-test (unit tests run by |
1001 | + default) |
1002 | + * Added Changes: |
1003 | + + Fix strongswan ipsec status issue with apparmor (LP: #1587886) |
1004 | + + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup |
1005 | + the relocation of the ccm plugin which missed to move the conffiles. |
1006 | + + Complete move of test-vectors (was missing in d/control) |
1007 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
1008 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
1009 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
1010 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
1011 | + libstrongswan-extra-plugins. |
1012 | + + Add missing mention of md4 plugin in d/control |
1013 | + + Add missing mention of libchecksum integrity test in d/control |
1014 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
1015 | + missed that) |
1016 | + + Use override_dh_strip to to fix library integrity checking instead of |
1017 | + DEB_BUILD_OPTION to avoid overwriting user build flags. |
1018 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
1019 | + plugins for the most common use cases from extra-plugins into a new |
1020 | + standard-plugins package. This will allow those use cases without pulling |
1021 | + in too much more plugins (a bit like the tnc package). Recommend that |
1022 | + package from strongswan-libcharon (LP: #1640826). |
1023 | + + Fix Dep8 tests for the now extra strongswan-pki package for pki |
1024 | + + Fix Dep8 tests for the now extra strongswan-scepclient package |
1025 | + |
1026 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 |
1027 | + |
1028 | strongswan (5.5.1-1) unstable; urgency=medium |
1029 | |
1030 | * New upstream bugfix release. |
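Review bot: in the 5.5.1-1ubuntu1 entry, "d/control: Enable autotestpkg" misnames autopkgtest, and the mgf1 item under "Added Changes" is not a readable sentence ('"only" to extra-plugins Mgf1 is not listed as default plugin at'), so it does not explain why mgf1 went to extra-plugins. The same block has "to to" and "precies". If these lines are byte-identical to the entry as it was uploaded, keep them as history. If they were retyped during the merge, restore the uploaded wording.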
1031 | @@ -413,6 +1372,177 @@ strongswan (5.3.5-2) unstable; urgency=medium |
1032 | |
1033 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
1034 | |
1035 | +strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium |
1036 | + |
1037 | + * Build-depend on libjson-c-dev instead of libjson0-dev. |
1038 | + * Rebuild against libjson-c3. |
1039 | + |
1040 | + -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 |
1041 | + |
1042 | +strongswan (5.3.5-1ubuntu3) xenial; urgency=medium |
1043 | + |
1044 | + * Rebuild against libmysqlclient20. |
1045 | + |
1046 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 |
1047 | + |
1048 | +strongswan (5.3.5-1ubuntu2) xenial; urgency=medium |
1049 | + |
1050 | + * debian/tests/plugins: rdrand may or may not be loaded, depending on the |
1051 | + cpu features. |
1052 | + |
1053 | + -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 |
1054 | + |
1055 | +strongswan (5.3.5-1ubuntu1) xenial; urgency=medium |
1056 | + |
1057 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1058 | + Enable bliss plugin |
1059 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1060 | + Enable chapoly plugin |
1061 | + * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
1062 | + Upstream suggests to not load this plugin by default as it has |
1063 | + some limitations. |
1064 | + https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec |
1065 | + * debian/patches/increase-bliss-test-timeout.patch |
1066 | + Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default |
1067 | + * Update Apparmor profiles |
1068 | + - usr.lib.ipsec.charon |
1069 | + - add capability audit_write for xauth-pam (LP: #1470277) |
1070 | + - add capability dac_override (needed by agent plugin) |
1071 | + - allow priv dropping (LP: #1333655) |
1072 | + - allow caching CRLs (LP: #1505222) |
1073 | + - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) |
1074 | + - usr.lib.ipsec.stroke |
1075 | + - allow priv dropping (LP: #1333655) |
1076 | + - add local include |
1077 | + - usr.lib.ipsec.lookip |
1078 | + - add local include |
1079 | + * Merge from Debian, which includes fixes for all previous CVEs |
1080 | + Fixes (LP: #1330504, #1451091, #1448870, #1470277) |
1081 | + Remaining changes: |
1082 | + * debian/control |
1083 | + - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
1084 | + - Update Maintainer for Ubuntu |
1085 | + - Add build-deps |
1086 | + - dh-apparmor |
1087 | + - iptables-dev |
1088 | + - libjson0-dev |
1089 | + - libldns-dev |
1090 | + - libmysqlclient-dev |
1091 | + - libpcsclite-dev |
1092 | + - libsoup2.4-dev |
1093 | + - libtspi-dev |
1094 | + - libunbound-dev |
1095 | + - Drop build-deps |
1096 | + - libfcgi-dev |
1097 | + - clearsilver-dev |
1098 | + - Create virtual packages for all strongswan-plugin-* for dist-upgrade |
1099 | + - Set XS-Testsuite: autopkgtest |
1100 | + * debian/rules: |
1101 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1102 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1103 | + tests. |
1104 | + - Change init/systemd program name to strongswan |
1105 | + - Install AppArmor profiles |
1106 | + - Removed pieces on 'patching ipsec.conf' on build. |
1107 | + - Enablement of features per Ubuntu current config suggested from |
1108 | + upstream recommendation |
1109 | + - Unpack and sort enabled features to one-per-line |
1110 | + - Disable duplicheck as per |
1111 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
1112 | + - Disable libfast (--disable-fast): |
1113 | + Requires dropping medsrv, medcli plugins which depend on libfast |
1114 | + - Add configure options |
1115 | + --with-tss=trousers |
1116 | + - Remove configure options: |
1117 | + --enable-ha (requires special kernel) |
1118 | + --enable-unit-test (unit tests run by default) |
1119 | + - Drop logcheck install |
1120 | + * debian/tests/* |
1121 | + - Add DEP8 test for strongswan service and plugins |
1122 | + * debian/strongswan-starter.strongswan.service |
1123 | + - Add new systemd file instead of patching upstream |
1124 | + * debian/strongswan-starter.links |
1125 | + - removed, use Ubuntu systemd file instead of linking to upstream |
1126 | + * debian/usr.lib.ipsec.{charon, lookip, stroke} |
1127 | + - added AppArmor profiles for charon, lookip and stroke |
1128 | + * debian/libcharon-extra-plugins.install |
1129 | + - Add plugins |
1130 | + - kernel-libipsec.{so, lib, conf, apparmor} |
1131 | + - Remove plugins |
1132 | + - libstrongswan-ha.so |
1133 | + - Relocate plugins |
1134 | + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) |
1135 | + * debian/libstrongswan-extra-plugins.install |
1136 | + - Add plugins (so, lib, conf) |
1137 | + - acert |
1138 | + - attr-sql |
1139 | + - coupling |
1140 | + - dnscert |
1141 | + - fips-prf |
1142 | + - gmp |
1143 | + - ipseckey |
1144 | + - load-tester |
1145 | + - mysql |
1146 | + - ntru |
1147 | + - radattr |
1148 | + - soup |
1149 | + - sqlite |
1150 | + - sql |
1151 | + - systime-fix |
1152 | + - unbound |
1153 | + - whitelist |
1154 | + - Relocate plugins (so, lib, conf) |
1155 | + - ccm (libstrongswan.install) |
1156 | + - test-vectors (libstrongswan.install) |
1157 | + * debian/libstrongswan.install |
1158 | + - Sort sections |
1159 | + - Add plugins (so, lib, conf) |
1160 | + - libchecksum |
1161 | + - ccm |
1162 | + - eap-identity |
1163 | + - md4 |
1164 | + - test-vectors |
1165 | + * debian/strongswan-charon.install |
1166 | + - Add AppArmor profile for charon |
1167 | + * debian/strongswan-starter.install |
1168 | + - Add tools, manpages, conf |
1169 | + - openac |
1170 | + - pool |
1171 | + - _updown_espmark |
1172 | + - Add AppArmor profile for stroke |
1173 | + * debian/strongswan-tnc-base.install |
1174 | + - Add new subpackage for TNC |
1175 | + - remove non-existent (dropped in 5.2.1) libpts library files |
1176 | + * debian/strongswan-tnc-client.install |
1177 | + - Add new subpackage for TNC |
1178 | + * debian/strongswan-tnc-ifmap.install |
1179 | + - Add new subpackage for TNC |
1180 | + * debian/strongswan-tnc-pdp.install |
1181 | + - Add new subpackage for TNC |
1182 | + * debian/strongswan-tnc-server.install |
1183 | + - Add new subpackage for TNC |
1184 | + * debian/strongswan-starter.postinit: |
1185 | + - Removed section about runlevel changes, it's almost 2014. |
1186 | + - Adapted service restart section for Upstart. |
1187 | + - Remove old symlinks to init.d files is necessary. |
1188 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1189 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1190 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1191 | + removal (as opposed to using the old init.d script). |
1192 | + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck |
1193 | + - logcheck patterns updated to be helpful |
1194 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1195 | + entire section on opportunistic encryption - this was never in strongSwan. |
1196 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1197 | + Drop changes: |
1198 | + * debian/control |
1199 | + - Per-plugin package breakup: Reducing packaging delta from Debian |
1200 | + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian |
1201 | + * debian/watch: Already exists in Debian merge |
1202 | + * debian/upstream/signing-key.asc: Upstream has newer version. |
1203 | + |
1204 | + -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 |
1205 | + |
1206 | strongswan (5.3.5-1) unstable; urgency=medium |
1207 | |
1208 | * New upstream bugfix release. |
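Review bot: under "Update Apparmor profiles" in 5.3.5-1ubuntu1, "add capability dac_override (needed by agent plugin)" is the only change to usr.lib.ipsec.charon that cites no bug, while the neighbouring items carry LP numbers. dac_override lets the confined daemon bypass file permission checks, so if the merged package still ships that profile line, the new changelog entry should reference the bug or upstream note that justifies it. The same entry says "includes fixes for all previous CVEs" without naming them. Listing the CVE ids would make that claim auditable.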
1209 | @@ -685,6 +1815,210 @@ strongswan (5.1.2-1) unstable; urgency=medium |
1210 | |
1211 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
1212 | |
1213 | +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium |
1214 | + |
1215 | + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) |
1216 | + |
1217 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 |
1218 | + |
1219 | +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium |
1220 | + |
1221 | + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin |
1222 | + - debian/patches/CVE-2015-8023.patch: only succeed authentication if |
1223 | + MSK was established in |
1224 | + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. |
1225 | + - CVE-2015-8023 |
1226 | + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS |
1227 | + until regression is properly investigated. |
1228 | + |
1229 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 |
1230 | + |
1231 | +strongswan (5.1.2-0ubuntu6) wily; urgency=medium |
1232 | + |
1233 | + * SECURITY UPDATE: user credential disclosure to rogue servers |
1234 | + - debian/patches/CVE-2015-4171.patch: enforce remote authentication |
1235 | + config before proceeding with own authentication in |
1236 | + src/libcharon/sa/ikev2/tasks/ike_auth.c. |
1237 | + - CVE-2015-4171 |
1238 | + * debian/rules: don't FTBFS from unused service file |
1239 | + |
1240 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 |
1241 | + |
1242 | +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium |
1243 | + |
1244 | + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. |
1245 | + |
1246 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 |
1247 | + |
1248 | +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium |
1249 | + |
1250 | + * SECURITY UPDATE: denial of service via DH group 1025 |
1251 | + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of |
1252 | + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, |
1253 | + src/libstrongswan/crypto/diffie_hellman.h. |
1254 | + - CVE-2014-9221 |
1255 | + |
1256 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 |
1257 | + |
1258 | +strongswan (5.1.2-0ubuntu3) utopic; urgency=low |
1259 | + |
1260 | + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix |
1261 | + build. |
1262 | + |
1263 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 |
1264 | + |
1265 | +strongswan (5.1.2-0ubuntu2) trusty; urgency=medium |
1266 | + |
1267 | + * SECURITY UPDATE: remote authentication bypass |
1268 | + - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange |
1269 | + on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. |
1270 | + - CVE-2014-2338 |
1271 | + |
1272 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 |
1273 | + |
1274 | +strongswan (5.1.2-0ubuntu1) trusty; urgency=low |
1275 | + |
1276 | + * New upstream release. |
1277 | + |
1278 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 |
1279 | + |
1280 | +strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low |
1281 | + |
1282 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1283 | + * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. |
1284 | + |
1285 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 |
1286 | + |
1287 | +strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low |
1288 | + |
1289 | + * New upstream release candidate. |
1290 | + |
1291 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 |
1292 | + |
1293 | +strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium |
1294 | + |
1295 | + * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct |
1296 | + packages. |
1297 | + * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. |
1298 | + |
1299 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 |
1300 | + |
1301 | +strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low |
1302 | + |
1303 | + * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. |
1304 | + |
1305 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 |
1306 | + |
1307 | +strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low |
1308 | + |
1309 | + * debian/libstrongswan.install: Moved rdrand plugin configuration to rules |
1310 | + as it's only useful on amd64. |
1311 | + * debian/watch: Added opts=pgpsigurlmangle option. |
1312 | + * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. |
1313 | + |
1314 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 |
1315 | + |
1316 | +strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium |
1317 | + |
1318 | + * New upstream release candidate. |
1319 | + * debian/*.install - include new configuration files for plugins in |
1320 | + appropiate packages. |
1321 | + |
1322 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 |
1323 | + |
1324 | +strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low |
1325 | + |
1326 | + * debian/control: |
1327 | + - Added Breaks/Replaces for all library files which have been moved |
1328 | + about (LP: #1278176). |
1329 | + - Removed build-dependency on check and added one on dh-apparmor. |
1330 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1331 | + entire section on opportunistic encryption - this was never in strongSwan. |
1332 | + * debian/rules: Removed pieces on 'patching ipsec.conf' on build. |
1333 | + |
1334 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 |
1335 | + |
1336 | +strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low |
1337 | + |
1338 | + * debian/control: Fixed references to plugin-fips-prf. |
1339 | + |
1340 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 |
1341 | + |
1342 | +strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low |
1343 | + |
1344 | + * Upstream Git snapshot for build fixes with regards to entropy. |
1345 | + * debian/rules: |
1346 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1347 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1348 | + tests. |
1349 | + |
1350 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 |
1351 | + |
1352 | +strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low |
1353 | + |
1354 | + * New upstream developer release. |
1355 | + * Made changes to packaging per upstream suggestions. |
1356 | + - Dropped medcli and medsrv packages - not recommended by upstream at this |
1357 | + time. |
1358 | + - Dropped ha plugin - needs special kernel. |
1359 | + - Improved all package descriptions in general. |
1360 | + - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. |
1361 | + - Removed debian/*logcheck* files - not relevant to strongSwan. |
1362 | + - Split dhcp and farp packages into sub-packages. |
1363 | + - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. |
1364 | + - Changes to TNC-related packages. |
1365 | + * Created AppArmor profiles for lookip and stroke. |
1366 | + |
1367 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 |
1368 | + |
1369 | +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low |
1370 | + |
1371 | + * libstrongswan.install: Removed lingering unit-tester.so reference. |
1372 | + |
1373 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 |
1374 | + |
1375 | +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low |
1376 | + |
1377 | + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. |
1378 | + Incorporates upstream fixes for: |
1379 | + - Integrity testing. |
1380 | + - Unit test failures on little endian systems. |
1381 | + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed |
1382 | + upstream. |
1383 | + * debian/rules: |
1384 | + - Stop using CK_TIMEOUT_MULTIPLIER. |
1385 | + - Stop enabling the test suite only on non-powerpc arches (it runs |
1386 | + anyway). |
1387 | + |
1388 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 |
1389 | + |
1390 | +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low |
1391 | + |
1392 | + * debian/control: Reinstate missing comma in dependencies. |
1393 | + |
1394 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 |
1395 | + |
1396 | +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low |
1397 | + |
1398 | + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue |
1399 | + where test for >2038 tests on 32-bit platforms is broken. |
1400 | + - Reported upstream: https://wiki.strongswan.org/issues/477 |
1401 | + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. |
1402 | + |
1403 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 |
1404 | + |
1405 | +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low |
1406 | + |
1407 | + * New upstream developer release. |
1408 | + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, |
1409 | + and --enable-unity. |
1410 | + * debian/control: |
1411 | + - New plugin packages created for the above |
1412 | + - Split fips-prf into its own package. |
1413 | + - Added build-dependency on libsoup2.4-dev. |
1414 | + |
1415 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 |
1416 | + |
1417 | strongswan (5.1.1-3) unstable; urgency=low |
1418 | |
1419 | * Upload to unstable. |
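Review bot: in 5.1.2-0ubuntu7, "debian/patches/disable_ntru_test.patch: disable test causing FTBFS until regression is properly investigated" leaves a crypto test switched off with no bug number to track the investigation, and nothing in this hunk records it being re-enabled. Check whether the patch is still listed in debian/patches/series after this merge. If it is, reference a tracking bug in the new entry. If it is gone, say so under the dropped changes.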
1420 | @@ -776,6 +2110,192 @@ strongswan (5.1.1-1) unstable; urgency=low |
1421 | |
1422 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1423 | |
1424 | +strongswan (5.1.1-0ubuntu17) trusty; urgency=low |
1425 | + |
1426 | + * debian/control: |
1427 | + - Make strongswan-ike depend on iproute2. |
1428 | + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. |
1429 | + - Created strongswan-libfast package. |
1430 | + |
1431 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 |
1432 | + |
1433 | +strongswan (5.1.1-0ubuntu16) trusty; urgency=low |
1434 | + |
1435 | + * debian/control: |
1436 | + - Further splitting of plugins into subpackages (such as all EAP plugins |
1437 | + to their own packages). |
1438 | + - Added libpcsclite-dev to build-dependencies. |
1439 | + * debian/rules: |
1440 | + - Sort configure options in alphabetical order. |
1441 | + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, |
1442 | + --enable-eap-sim-file, --enable-eap-sim-pcsc, |
1443 | + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and |
1444 | + --enable-eap-simaka-sql. |
1445 | + - Don't exclude medsrv from install. |
1446 | + * Moved eap-identity.so to libstrongswan package as it's used by all the |
1447 | + other EAP plugins. |
1448 | + |
1449 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 |
1450 | + |
1451 | +strongswan (5.1.1-0ubuntu15) trusty; urgency=low |
1452 | + |
1453 | + * debian/control: |
1454 | + - Split plugins from libstrongswan package into modular subpackages. |
1455 | + - Added libmysqlclient-dev to build-dependencies. |
1456 | + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or |
1457 | + strongswan-plugins-gcrypt. |
1458 | + - strongswan-ike: All other plugins added to Suggests. |
1459 | + - Created two new TNC packages: strongswan-tnc-ifmap and |
1460 | + strongswan-tnc-pdp and added to tnc-imcvs Suggests. |
1461 | + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, |
1462 | + --enable-error-notify, --enable-mysql, --enable-load-tester, |
1463 | + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. |
1464 | + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. |
1465 | + |
1466 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 |
1467 | + |
1468 | +strongswan (5.1.1-0ubuntu14) trusty; urgency=low |
1469 | + |
1470 | + * debian/rules: |
1471 | + - CK_TIMEOUT_MULTIPLIER back down to 6. |
1472 | + - Disable unit tests on powerpc. |
1473 | + |
1474 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 |
1475 | + |
1476 | +strongswan (5.1.1-0ubuntu13) trusty; urgency=low |
1477 | + |
1478 | + * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. |
1479 | + |
1480 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 |
1481 | + |
1482 | +strongswan (5.1.1-0ubuntu12) trusty; urgency=low |
1483 | + |
1484 | + * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and |
1485 | + armhf. |
1486 | + |
1487 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 |
1488 | + |
1489 | +strongswan (5.1.1-0ubuntu11) trusty; urgency=low |
1490 | + |
1491 | + * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on |
1492 | + one extra arch. |
1493 | + * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. |
1494 | + |
1495 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 |
1496 | + |
1497 | +strongswan (5.1.1-0ubuntu10) trusty; urgency=low |
1498 | + |
1499 | + * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - |
1500 | + - Increases RSA key generate test timeout to 30 seconds so that it doesn't |
1501 | + fail on armhf, arm64, and powerppc. |
1502 | + * Contrary to what the last changelog entry says, we are still running |
1503 | + strongswan as root (with AppArmor protection). |
1504 | + |
1505 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 |
1506 | + |
1507 | +strongswan (5.1.1-0ubuntu9) trusty; urgency=low |
1508 | + |
1509 | + * debian/rules: Added to configure options: |
1510 | + - --enable-tnc-ifmap: enable TNC IF-MAP module. |
1511 | + - --enable-duplicheck: enable duplicheck plugin. |
1512 | + - --enable-imv-swid, --enable-imc-swid: Added. |
1513 | + - Run strongswan as it's own user. |
1514 | + * debian/strongswan-starter.install: Install duplicheck. |
1515 | + * debian/strongswan-tnc-imcvs.install: Install swidtags. |
1516 | + |
1517 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 |
1518 | + |
1519 | +strongswan (5.1.1-0ubuntu8) trusty; urgency=low |
1520 | + |
1521 | + * debian/rules: Added to configure options: |
1522 | + - --enable-unit-tests: check unit testing on build. |
1523 | + - --enable-unbound: for validating DNS lookups. |
1524 | + - --enable-dnscert: for DNSCERT peer authentication. |
1525 | + - --enable-ipseckey: for IPSEC key authentication. |
1526 | + - --enable-lookip: for LookIP functionality. |
1527 | + - --enable-coupling: certificate coupling functionality. |
1528 | + * debian/control: Added check, libldns-dev, libunbound-dev to |
1529 | + build-dependencies. |
1530 | + * debian/libstrongswan.install: Install new plugin .so's. |
1531 | + * debian/strongswan-starter.install: Added lookip. |
1532 | + |
1533 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 |
1534 | + |
1535 | +strongswan (5.1.1-0ubuntu7) trusty; urgency=low |
1536 | + |
1537 | + * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent |
1538 | + the former from depending on the latter). |
1539 | + |
1540 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 |
1541 | + |
1542 | +strongswan (5.1.1-0ubuntu6) trusty; urgency=low |
1543 | + |
1544 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1545 | + removal (as opposed to using the old init.d script). |
1546 | + |
1547 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 |
1548 | + |
1549 | +strongswan (5.1.1-0ubuntu5) trusty; urgency=low |
1550 | + |
1551 | + * debian/rules: |
1552 | + - CONFIGUREARGS: Merged Debian and RPM options. |
1553 | + - Brings in TNC functionality. |
1554 | + * debian/control: |
1555 | + - Added build-dependency on libtspi-dev. |
1556 | + - Created strongswan-tnc-imcvs binary package for TNC components. |
1557 | + - Added strongswan-tnc-imcvs to libstrongswan's Suggests. |
1558 | + * debian/libstrongswan.install: |
1559 | + - Included newly built MD4 and SQLite libraries. |
1560 | + - Removed 'tnc' references (moved to TNC package). |
1561 | + * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and |
1562 | + binaries. |
1563 | + * debian/usr.lib.ipsec.charon: Allow access to TNC modules. |
1564 | + |
1565 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 |
1566 | + |
1567 | +strongswan (5.1.1-0ubuntu4) trusty; urgency=low |
1568 | + |
1569 | + * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. |
1570 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1571 | + * debian/control: strongswan-ike - Stop depending on ipsec-tools. |
1572 | + |
1573 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 |
1574 | + |
1575 | +strongswan (5.1.1-0ubuntu3) trusty; urgency=low |
1576 | + |
1577 | + * strongswan-starter.strongswan.upstart - Only start strongSwan when a |
1578 | + network connection is available. |
1579 | + * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to |
1580 | + 1.16.1 - to make precise backporting easier. |
1581 | + |
1582 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 |
1583 | + |
1584 | +strongswan (5.1.1-0ubuntu2) trusty; urgency=low |
1585 | + |
1586 | + * strongswan-starter.strongswan.upstart - Created Upstart job for |
1587 | + strongSwan. |
1588 | + * debian/rules: Set dh_installinit to install above file. |
1589 | + * debian/strongswan-starter.postinit: |
1590 | + - Removed section about runlevel changes, it's almost 2014. |
1591 | + - Adapted service restart section for Upstart. |
1592 | + - Remove old symlinks to init.d files is necessary. |
1593 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1594 | + |
1595 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 |
1596 | + |
1597 | +strongswan (5.1.1-0ubuntu1) trusty; urgency=low |
1598 | + |
1599 | + * New upstream release. |
1600 | + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. |
1601 | + * debian/control: Updated Standards-Version to 3.9.5 and applied |
1602 | + XSBC-Original-Maintainer policy. |
1603 | + * strongswan-starter.install: |
1604 | + - pki tool is now in /usr/bin. |
1605 | + - Install pt-tls-client. |
1606 | + - Install manpages (LP: #1206263). |
1607 | + |
1608 | + -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 |
1609 | + |
1610 | strongswan (5.1.0-3) unstable; urgency=high |
1611 | |
1612 | * urgency=high for the security fixes. |
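Review bot: 5.1.1-0ubuntu9 lists "Run strongswan as it's own user" and 5.1.1-0ubuntu10 then states "we are still running strongswan as root (with AppArmor protection)", so the changelog gives two answers about the daemon's privileges. These entries are history and should stay as uploaded, but the new entry for this merge should state explicitly whether charon runs as root under this packaging, so that nobody relies on the 0ubuntu9 line.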
1613 | diff --git a/debian/control b/debian/control |
1614 | index 20c45c4..5cd92c7 100644 |
1615 | --- a/debian/control |
1616 | +++ b/debian/control |
1617 | @@ -1,7 +1,8 @@ |
1618 | Source: strongswan |
1619 | Section: net |
1620 | Priority: optional |
1621 | -Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1622 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1623 | +XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1624 | Uploaders: Yves-Alexis Perez <corsac@debian.org> |
1625 | Standards-Version: 4.4.1 |
1626 | Vcs-Browser: https://salsa.debian.org/debian/strongswan |
1627 | @@ -15,6 +16,7 @@ Build-Depends: bison, |
1628 | gperf, |
1629 | libip4tc-dev [linux-any], |
1630 | libip6tc-dev [linux-any], |
1631 | + libiptc-dev [linux-any], |
1632 | libcap-dev [linux-any], |
1633 | libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, |
1634 | libgcrypt20-dev | libgcrypt11-dev, |
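Review bot: the added "libiptc-dev [linux-any]" line gives no hint that it is a workaround, although the commit message for this change says it is needed because of Debian bugs 947176 and 939243 and can later be dropped again. Put a "#" comment line naming LP: #1861975 directly above it (comment lines are allowed between continuation lines in debian/control) so the next merge knows to re-check and remove it.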
1635 | @@ -150,8 +152,8 @@ Architecture: any |
1636 | Depends: libstrongswan (= ${binary:Version}), |
1637 | ${misc:Depends}, |
1638 | ${shlibs:Depends} |
1639 | -Breaks: libcharon-extra-plugins (<< 5.8.0-2~) |
1640 | -Replaces: libcharon-extra-plugins (<< 5.8.0-2~) |
1641 | +Breaks: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~) |
1642 | +Replaces: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~) |
1643 | Description: strongSwan charon library (extended authentication plugins) |
1644 | The strongSwan VPN suite uses the native IPsec stack in the standard |
1645 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
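Review bot: the new Breaks/Replaces on "libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)" use a version bound that nothing in this hunk explains. It has to be the first Ubuntu version in which the plugin files moved out of libcharon-standard-plugins into this package. If the move happened in a different upload, upgrades from the versions in between will hit file conflicts. Name that version in the changelog entry for the transition, and consider putting the two relations one per line, as the Depends field above does, for readability.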
1646 | @@ -170,11 +172,65 @@ Description: strongSwan charon library (extended authentication plugins) |
1647 | These are the "not always, but still more commonly used" plugins, for further |
1648 | needs even more plugins can be found in the package libcharon-extra-plugins. |
1649 | |
1650 | +# Transition from former Ubuntu only libcharon-standard-plugins to common libcharon-extauth-plugins |
1651 | +Package: libcharon-standard-plugins |
1652 | +Depends: libcharon-extauth-plugins (= ${source:Version}), ${misc:Depends} |
1653 | +Architecture: all |
1654 | +Priority: optional |
1655 | +Section: oldlibs |
1656 | +Description: transitional package |
1657 | + This is a transitional package. It can safely be removed. |
1658 | + |
1659 | +# Transition back from strongswan-tnc-* being in extra packages |
1660 | +# Can be dropped after 20.04 |
1661 | +Package: strongswan-tnc-ifmap |
1662 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1663 | +Architecture: all |
1664 | +Priority: optional |
1665 | +Section: oldlibs |
1666 | +Description: transitional package |
1667 | + This is a transitional package. It can safely be removed. |
1668 | + |
1669 | +Package: strongswan-tnc-base |
1670 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1671 | +Architecture: all |
1672 | +Priority: optional |
1673 | +Section: oldlibs |
1674 | +Description: transitional package |
1675 | + This is a transitional package. It can safely be removed. |
1676 | + |
1677 | +Package: strongswan-tnc-client |
1678 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1679 | +Architecture: all |
1680 | +Priority: optional |
1681 | +Section: oldlibs |
1682 | +Description: transitional package |
1683 | + This is a transitional package. It can safely be removed. |
1684 | + |
1685 | +Package: strongswan-tnc-server |
1686 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1687 | +Architecture: all |
1688 | +Priority: optional |
1689 | +Section: oldlibs |
1690 | +Description: transitional package |
1691 | + This is a transitional package. It can safely be removed. |
1692 | + |
1693 | +Package: strongswan-tnc-pdp |
1694 | +Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends} |
1695 | +Architecture: all |
1696 | +Priority: optional |
1697 | +Section: oldlibs |
1698 | +Description: transitional package |
1699 | + This is a transitional package. It can safely be removed. |
1700 | + |
1701 | Package: libcharon-extra-plugins |
1702 | Architecture: any |
1703 | Depends: libstrongswan (= ${binary:Version}), |
1704 | ${misc:Depends}, |
1705 | ${shlibs:Depends} |
1706 | +Breaks: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1) |
1707 | +Replaces: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1) |
1708 | +Provides: strongswan-tnc-base |
1709 | Description: strongSwan charon library (extra plugins) |
1710 | The strongSwan VPN suite uses the native IPsec stack in the standard |
1711 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
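Review bot: `Provides: strongswan-tnc-base` on libcharon-extra-plugins looks redundant or unfinished. The same hunk adds a real transitional package named strongswan-tnc-base, and the other four strongswan-tnc-* names listed in Breaks/Replaces get no Provides. Either drop the Provides or say in a comment why only tnc-base needs it. Two smaller points: the bounds here are `(<< 5.7.2-1ubuntu1)` without the trailing `~` used for `(<< 5.8.1-1ubuntu1~)` in the previous hunk, and "Can be dropped after 20.04" sits above strongswan-tnc-ifmap only, so it is unclear whether it also covers libcharon-standard-plugins.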
1712 | @@ -210,9 +266,9 @@ Pre-Depends: ${misc:Pre-Depends} |
1713 | Depends: adduser, |
1714 | libstrongswan (= ${binary:Version}), |
1715 | lsb-base (>= 3.0-6), |
1716 | + strongswan-charon, |
1717 | ${misc:Depends}, |
1718 | ${shlibs:Depends} |
1719 | -Recommends: strongswan-charon |
1720 | Conflicts: openswan |
1721 | Description: strongSwan daemon starter and configuration file parser |
1722 | The strongSwan VPN suite uses the native IPsec stack in the standard |
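Review bot: moving strongswan-charon from Recommends to Depends in the daemon starter stanza has no comment explaining it, unlike the transitional stanzas earlier in this file. Since the next hunk makes the opposite change on the IKE daemon package, a one-line `#` comment stating that the dependency direction is deliberately inverted relative to Debian, and why, would save the next merger from having to rediscover it.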
1723 | @@ -251,9 +307,9 @@ Architecture: any |
1724 | Pre-Depends: debconf | debconf-2.0 |
1725 | Depends: iproute2 [linux-any] | iproute [linux-any], |
1726 | libstrongswan (= ${binary:Version}), |
1727 | - strongswan-starter, |
1728 | ${misc:Depends}, |
1729 | ${shlibs:Depends} |
1730 | +Recommends: strongswan-starter, |
1731 | Provides: ike-server |
1732 | Description: strongSwan Internet Key Exchange daemon |
1733 | The strongSwan VPN suite uses the native IPsec stack in the standard |
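Review bot: `Recommends: strongswan-starter,` ends in a trailing comma although it is the only entry in the field. It looks like a leftover from moving the line out of the Depends list above; drop the comma so the field reads `Recommends: strongswan-starter`.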
PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3914
Ticket: https://bileto.ubuntu.com/#/ticket/3914
Bug: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1861971
Many fixes in upstream and Debian that are nice to get for 20.04
One change is the addition of DRBG which is in the libstrongswan plugin.
That package is in main, so let's be extra careful, but it does not add a new dependency:
root@d10-sid:~# ldd /usr/lib/ipsec/plugins/libstrongswan-drbg.so
        linux-vdso.so.1 (0x00007ffe89033000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9d00b79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9d00d51000)
Note: This package is affected by the empty-directory-issue but I have the old merges and can quickly recover the history.
Usual tags pushed to help review:
 * [new tag] lp1861971/logical/5.8.1-1ubuntu1 -> lp1861971/logical/5.8.1-1ubuntu1
 * [new tag] lp1861971/new/debian -> lp1861971/new/debian
 * [new tag] lp1861971/old/debian -> lp1861971/old/debian
 * [new tag] lp1861971/old/ubuntu -> lp1861971/old/ubuntu
 * [new tag] lp1861971/reconstruct/5.8.1-1ubuntu1 -> lp1861971/reconstruct/5.8.1-1ubuntu1
 * [new tag] lp1861971/split/5.8.1-1ubuntu1 -> lp1861971/split/5.8.1-1ubuntu1
Finally, look and embrace how small and reasonable the strongswan delta has become :-)