Merge ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal into ubuntu/+source/strongswan:debian/sid

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 0191ec297c354a9d4a04ae0e1b8b4d5c71a4ec44
Proposed branch: ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 1733 lines (+1581/-5)
2 files modified
debian/changelog (+1520/-0)
debian/control (+61/-5)
Reviewer Review Type Date Requested Status
Bryce Harrington (community) Approve
git-ubuntu developers Pending
Canonical Server packageset reviewers Pending
Review via email: mp+378566@code.launchpad.net

This proposal supersedes a proposal from 2020-02-05.

Christian Ehrhardt  (paelzer) wrote : Posted in a previous version of this proposal

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3914
Ticket: https://bileto.ubuntu.com/#/ticket/3914
Bug: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1861971

Many fixes in upstream and Debian that are nice to get for 20.04

One change is the addition of DRBG which is in libstronswanpluging.
That package is in main so let's be extra careful, but it does not add a new dependency:

root@d10-sid:~# ldd /usr/lib/ipsec/plugins/libstrongswan-drbg.so
        linux-vdso.so.1 (0x00007ffe89033000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9d00b79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9d00d51000)

Note: This package is affected by the empty-directory-issue but I have the old merges and can quickly recover the history.

Usual tags pushed to help review:
 * [new tag] lp1861971/logical/5.8.1-1ubuntu1 -> lp1861971/logical/5.8.1-1ubuntu1
 * [new tag] lp1861971/new/debian -> lp1861971/new/debian
 * [new tag] lp1861971/old/debian -> lp1861971/old/debian
 * [new tag] lp1861971/old/ubuntu -> lp1861971/old/ubuntu
 * [new tag] lp1861971/reconstruct/5.8.1-1ubuntu1 -> lp1861971/reconstruct/5.8.1-1ubuntu1
 * [new tag] lp1861971/split/5.8.1-1ubuntu1 -> lp1861971/split/5.8.1-1ubuntu1

Finally, look and embrace how small and reasonable the strongswan delta has become :-)

Christian Ehrhardt  (paelzer) wrote :

Resubmitted the MP against debian/sid for better LP delta visualization

Christian Ehrhardt  (paelzer) wrote :

For now blocked on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947176

I filed Ubuntu bug
https://bugs.launchpad.net/debian/+source/iptables/+bug/1861975

Once unblocked it should build and test rather straightforward ...

d2e25d3... by Christian Ehrhardt 

d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)

This is needed due to changes in regard to Debian bug 947176 and 939243
and can later be dropped again.

Signed-off-by: Christian Ehrhardt <email address hidden>

0191ec2... by Christian Ehrhardt 

changelog: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

I was able to understand more of the issue and fix the FTBFS on the strongswan side as part of the merge. No more blocked ....

Christian Ehrhardt  (paelzer) wrote :

All tests good except i386 (might need overrides but ok)
https://bileto.ubuntu.com/excuses/3914/focal.html

Christian Ehrhardt  (paelzer) wrote :

Local QRT tests good as well
Got:
Ran 4 tests in 5.150s
Ran 4 tests in 5.179s

Bryce Harrington (bryce) wrote :

Approved for landing the merge, a couple notes below.

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
    + Debian is at 5.8.2-1 in unstable and unstable-debug
  - [-] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine
    + systemd service had a warning (see below), but still PASS so maybe that was expected?

Can you provide an explanation in a comment on the bug report, LP: #1861975, as to what the next steps will be? I.e. is libiptc's addition temporary until there is a better fix, or...? It's not critical this is done, and it certainly shouldn't delay the merge, but mainly I just want to make sure it's clear for future maintainers what they'd need to do going forward.

I verified the build was ok in the PPA. I tried git ubuntu build and debuild to run on this in my lxc checkout, but unsuccessfully unfortunately; I'm wondering if the dependency changes confused apt. I can give more details if you think this is worth exploring, but I'm ok trusting the PPA build, and my autopkgtest results.

autopkgtest [18:44:02]: test plugins: [-----------------------
Unit strongswan.service could not be found.
invoke-rc.d: initscript strongswan, action "status" failed.
autopkgtest [18:44:03]: test plugins: -----------------------]
autopkgtest [18:44:03]: test plugins: - - - - - - - - - - results - - - - - - - - - -
plugins PASS
autopkgtest [18:44:03]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Thanks for the review - I added a comment to the libiptc related commit.
TL;DR can be dropped in the next merge from Debian.

I only built in sbuild and in PPA and both worked.
Let's hope your build issues are not a real thing due to other changes in the archive.
For the sake of being on the safe side I re-pushed a new build to the PPA, but that built fine as well so let me upload it.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
 * [new tag] upload/5.8.2-1ubuntu1 -> upload/5.8.2-1ubuntu1

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.8.2-1ubuntu1.dsc: done.
  Uploading strongswan_5.8.2.orig.tar.bz2: done.
  Uploading strongswan_5.8.2-1ubuntu1.debian.tar.xz: done.
  Uploading strongswan_5.8.2-1ubuntu1_source.buildinfo: done.
  Uploading strongswan_5.8.2-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index da6dc86..c1b10db 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,22 @@
6+strongswan (5.8.2-1ubuntu1) focal; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #1861971). Remaining changes:
9+ - d/control: Transition from strongswan-tnc-* being in extra packages
10+ to libcharon-extra-plugins (drop after 20.04)
11+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
12+ to common libcharon-extauth-plugins (drop after 20.04)
13+ - d/control: strongswan-starter hard-depends on strongswan-charon,
14+ therefore bump the dependency from Recommends to Depends. At the same
15+ time avoid a circular dependency by dropping
16+ strongswan-charon->strongswan-starter from Depends to Recommends as the
17+ binaries can work without the services but not vice versa.
18+ * Added Changes
19+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
20+ This is needed due to changes in regard to Debian bug 947176 and 939243
21+ and can later be dropped again.
22+
23+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
24+
25 strongswan (5.8.2-1) unstable; urgency=medium
26
27 [ Jean-Michel Vourgère ]
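Review bot: In the new 5.8.2-1ubuntu1 stanza the libiptc-dev item says only that it "can later be dropped again", while the other d/control items in the same stanza state a concrete trigger ("drop after 20.04"). Name the trigger here as well, for example that the Build-Depends is expected to go away with the next merge from Debian as stated in the review thread, so the next person merging knows when to remove it. The heading "* Added Changes" is also missing the trailing colon that "Remaining changes:" carries.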
28@@ -14,6 +33,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
29
30 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
31
32+strongswan (5.8.1-1ubuntu1) focal; urgency=medium
33+
34+ * Merge with Debian unstable (LP: #1852579). Remaining changes:
35+ - d/control: Transition from strongswan-tnc-* being in extra packages
36+ to libcharon-extra-plugins
37+ * Added Changes:
38+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
39+ to common libcharon-extauth-plugins (drop after 20.04)
40+ - d/control: strongswan-starter hard-depends on strongswan-charon,
41+ therefore bump the dependency from Recommends to Depends. At the same
42+ time avoid a circular dependency by dropping
43+ strongswan-charon->strongswan-starter from Depends to Recommends as the
44+ binaries can work without the services but not vice versa.
45+ * Dropped Changes (now in Debian):
46+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
47+ - Clean up d/strongswan-starter.postinst: Removed entire section on
48+ opportunistic encryption disabling - this was never in strongSwan and
49+ won't be see upstream issue #2160.
50+ - d/rules: Removed patching ipsec.conf on build (not using the
51+ debconf-managed config.)
52+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
53+ used for debconf-managed include of private key).
54+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
55+ via this userspace implementation (please do note that this is still
56+ considered experimental by upstream).
57+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
58+ + d/control: List kernel-libipsec plugin at extra plugins description
59+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
60+ upstream recommends to not load kernel-libipsec by default.
61+ - d/control: Mention mgf1 plugin which is in libstrongswan now
62+ - Complete the disabling of libfast; This was partially accepted in Debian,
63+ it is no more packaging medcli and medsrv, but still builds and
64+ mentions it.
65+ + d/rules: Add --disable-fast to avoid build time and dependencies
66+ + d/control: Remove medcli, medsrv from package description
67+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
68+ libstrongswan-extra-plugins (no deps from default plugins).
69+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
70+ plugins for the most common use cases from extra-plugins into a new
71+ standard-plugins package. This will allow those use cases without pulling
72+ in too much more plugins (a bit like the tnc package). Recommend that
73+ package from strongswan-libcharon.
74+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
75+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
76+ - executables need to be able to read map and execute themselves otherwise
77+ execution in some environments e.g. containers is blocked (LP 1780534)
78+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
79+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
80+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
81+ profiles of both ways to start charon (LP 1807664)
82+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
83+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
84+ Debian so this part was be dropped. Two changes remain
85+ - d/control: fix the mentioning of tpmtss in d/control
86+ - apparmor fixes for container and root usage (LP 1826238)
87+ + d/usr.sbin.swanctl: allow reading own binary
88+ + d/usr.sbin.charon-systemd: allow accessing the binary
89+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
90+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
91+ to apparmor to allow dropping caps
92+ * Dropped Changes (too uncommon to support by default)
93+ - d/libstrongswan.install: Add kernel-netlink configuration files
94+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
95+ attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
96+ - Mass enablement of extra plugins and features to allow a user to use
97+ strongswan for a variety of extra use cases without having to rebuild.
98+ + d/control: Add required additional build-deps
99+ + d/control: Mention addtionally enabled plugins
100+ + d/rules: Enable features at configure stage
101+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
102+ + d/libstrongswan.install: Add plugins (so, conf)
103+ + d/strongswan-starter.install: Install pool feature, which is useful
104+ since we now have attr-sql plugin enabled it.
105+ - Enable additional TNC plugins and add them to libcharon-extra-plugins
106+
107+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
108+
109 strongswan (5.8.1-1) unstable; urgency=medium
110
111 * d/rules: disable http and stream tests under CI
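Review bot: Under "* Dropped Changes (now in Debian):" in the 5.8.1-1ubuntu1 stanza, the tpmtss/nttfft item still ends with "Two changes remain" and is followed by sibling bullets (the d/control tpmtss fix and the apparmor fixes for LP 1826238), so a reader cannot tell whether those AppArmor rules (attach_disconnected, CAP_SETPCAP, reading the own binary) were dropped because Debian carries them or are still Ubuntu delta. Reword the item so each sub-entry is unambiguously listed as dropped, and indent the sub-entries one level below their parent. In the "too uncommon to support by default" list, "itisn't" needs a space, and naming the plugins that the removed "Mass enablement" covered would help users who relied on them.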
112@@ -83,6 +179,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
113
114 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
115
116+strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
117+
118+ * No change rebuild for libmysqlclient21.
119+
120+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
121+
122+strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
123+
124+ * Rebuild against new libjson-c4.
125+
126+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
127+
128+strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
129+
130+ [ Christian Ehrhardt ]
131+ * Merge with Debian unstable. Remaining changes:
132+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
133+ - Clean up d/strongswan-starter.postinst: Removed entire section on
134+ opportunistic encryption disabling - this was never in strongSwan and
135+ won't be see upstream issue #2160.
136+ - d/rules: Removed patching ipsec.conf on build (not using the
137+ debconf-managed config.)
138+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
139+ used for debconf-managed include of private key).
140+ - Mass enablement of extra plugins and features to allow a user to use
141+ strongswan for a variety of extra use cases without having to rebuild.
142+ + d/control: Add required additional build-deps
143+ + d/control: Mention addtionally enabled plugins
144+ + d/rules: Enable features at configure stage
145+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
146+ + d/libstrongswan.install: Add plugins (so, conf)
147+ + d/strongswan-starter.install: Install pool feature, which is useful
148+ since we now have attr-sql plugin enabled it.
149+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
150+ via this userspace implementation (please do note that this is still
151+ considered experimental by upstream).
152+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
153+ + d/control: List kernel-libipsec plugin at extra plugins description
154+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
155+ upstream recommends to not load kernel-libipsec by default.
156+ - d/libstrongswan.install: Add kernel-netlink configuration files
157+ - Complete the disabling of libfast; This was partially accepted in Debian,
158+ it is no more packaging medcli and medsrv, but still builds and
159+ mentions it.
160+ + d/rules: Add --disable-fast to avoid build time and dependencies
161+ + d/control: Remove medcli, medsrv from package description
162+ - d/control: Mention mgf1 plugin which is in libstrongswan now
163+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
164+ libstrongswan-extra-plugins (no deps from default plugins).
165+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
166+ plugins for the most common use cases from extra-plugins into a new
167+ standard-plugins package. This will allow those use cases without pulling
168+ in too much more plugins (a bit like the tnc package). Recommend that
169+ package from strongswan-libcharon.
170+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
171+ attr-sql plugins (LP #1766240)
172+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
173+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
174+ - executables need to be able to read map and execute themselves otherwise
175+ execution in some environments e.g. containers is blocked (LP: 1780534)
176+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
177+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
178+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
179+ profiles of both ways to start charon (LP: 1807664)
180+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
181+ * Dropped changes
182+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
183+ fix SIGSEGV when using mysql plugin (LP: 1795813)
184+ [upstream in 5.7.2]
185+ - d/libstrongswan.install: Reorder conf and .so alphabetically
186+ [was a non functional change, dropped to avoid merge noise]
187+ - Relocate tnc plugin
188+ [TNC is back at libcharon-extra-plugins as it is in Debian]
189+ * Added changes:
190+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
191+ Debian so this part was be dropped. Two changes remain
192+ - d/control: fix the mentioning of tpmtss in d/control
193+ - add nttfft (can be merged with the mass enablement change later)
194+ - Transitional packages to go back from strongswan-tnc-* being in extra
195+ packages to be part of libcharon-extra-plugins.
196+ [can be dropped after 20.04]
197+
198+ [ Simon Deziel ]
199+ * Added changes:
200+ - apparmor fixes for container and root usage (LP: #1826238)
201+ + d/usr.sbin.swanctl: allow reading own binary
202+ + d/usr.sbin.charon-systemd: allow accessing the binary
203+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
204+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
205+ to apparmor to allow dropping caps
206+
207+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
208+
209 strongswan (5.7.2-1) unstable; urgency=medium
210
211 * d/control: remove Rene from Uploaders, thanks!
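Review bot: Bug references in the 5.7.2-1ubuntu1 stanza use three different spellings: "(LP #1766240)", "(LP: 1773956)" and "(LP: #1826238)". Only the "LP: #NNNN" form is the one the changelog bug-closing convention acts on, so if the carried-over items are deliberately written in a non-closing form while the new apparmor item from Simon Deziel should close its bug, pick one non-closing spelling for all carried-over items to make that intent visible. In "* Added changes:" the line "Two changes remain" is followed by bullets at the same level, which should be indented beneath it.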
212@@ -101,6 +290,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
213
214 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
215
216+strongswan (5.7.1-1ubuntu2) disco; urgency=medium
217+
218+ * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
219+ path (LP: #1773956)
220+ * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
221+ profiles of both ways to start charon (LP: #1807664)
222+ * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
223+
224+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
225+
226+strongswan (5.7.1-1ubuntu1) disco; urgency=medium
227+
228+ * Merge with Debian unstable (LP: #1806401). Remaining changes:
229+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
230+ - Clean up d/strongswan-starter.postinst: Removed entire section on
231+ opportunistic encryption disabling - this was never in strongSwan and
232+ won't be see upstream issue #2160.
233+ - d/rules: Removed patching ipsec.conf on build (not using the
234+ debconf-managed config.)
235+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
236+ used for debconf-managed include of private key).
237+ - Mass enablement of extra plugins and features to allow a user to use
238+ strongswan for a variety of extra use cases without having to rebuild.
239+ + d/control: Add required additional build-deps
240+ + d/control: Mention addtionally enabled plugins
241+ + d/rules: Enable features at configure stage
242+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
243+ + d/libstrongswan.install: Add plugins (so, conf)
244+ - d/strongswan-starter.install: Install pool feature, which is useful since
245+ we have attr-sql plugin enabled as well using it.
246+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
247+ via this userspace implementation (please do note that this is still
248+ considered experimental by upstream).
249+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
250+ + d/control: List kernel-libipsec plugin at extra plugins description
251+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
252+ upstream recommends to not load kernel-libipsec by default.
253+ - Relocate tnc plugin
254+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
255+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
256+ - d/libstrongswan.install: Reorder conf and .so alphabetically
257+ - d/libstrongswan.install: Add kernel-netlink configuration files
258+ - Complete the disabling of libfast; This was partially accepted in Debian,
259+ it is no more packaging medcli and medsrv, but still builds and
260+ mentions it.
261+ + d/rules: Add --disable-fast to avoid build time and dependencies
262+ + d/control: Remove medcli, medsrv from package description
263+ - d/control: Mention mgf1 plugin which is in libstrongswan now
264+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
265+ libstrongswan-extra-plugins (no deps from default plugins).
266+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
267+ plugins for the most common use cases from extra-plugins into a new
268+ standard-plugins package. This will allow those use cases without pulling
269+ in too much more plugins (a bit like the tnc package). Recommend that
270+ package from strongswan-libcharon.
271+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
272+ attr-sql plugins (LP #1766240)
273+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
274+ * Added Changes:
275+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
276+ fix SIGSEGV when using mysql plugin (LP: #1795813)
277+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
278+ - executables need to be able to read map and execute themselves otherwise
279+ execution in some environments e.g. containers is blocked (LP: #1780534)
280+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
281+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
282+ - adapt "mass enablement of extra plugins" to match 5.7.x changes
283+ + d/rules: use new options for swima instead of swid
284+ + d/strongswan-tnc-server.install: add new sec updater tool
285+ + d/strongswan-tnc-client.install: add new sw-collector tool
286+ * Dropped (in Debian now):
287+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
288+ (CVE-2018-17540)
289+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
290+ (CVE-2018-16151 CVE-2018-16152)
291+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
292+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
293+
294+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
295+
296 strongswan (5.7.1-1) unstable; urgency=medium
297
298 [ Ondřej Nový ]
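Review bot: The "* Dropped (in Debian now):" list at the end of the 5.7.1-1ubuntu1 stanza records the two gmp plugin SECURITY UPDATE items by CVE number only (CVE-2018-17540, CVE-2018-16151, CVE-2018-16152). Name the dropped files as well, as the 5.6.3-1ubuntu2 and 5.6.3-1ubuntu3 stanzas further down do ("strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch", "strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch"), so someone auditing the history can confirm which patches left the Ubuntu delta and check that the fixes are present in the merged version. The last item also writes "d/usr/sbin/charon-systemd" where every other entry uses "d/usr.sbin.charon-systemd".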
299@@ -131,6 +400,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
300
301 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
302
303+strongswan (5.6.3-1ubuntu5) disco; urgency=medium
304+
305+ * No-change rebuild against libunbound8
306+
307+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
308+
309+strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
310+
311+ * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
312+ Thanks to Matt Callaghan.
313+
314+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
315+
316+strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
317+
318+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
319+ - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
320+ buffer overflow with very small RSA keys in
321+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
322+ - CVE-2018-17540
323+
324+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
325+
326+strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
327+
328+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
329+ - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
330+ parse PKCS1 v1.5 RSA signatures to verify them in
331+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
332+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
333+ - CVE-2018-16151
334+ - CVE-2018-16152
335+
336+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
337+
338+strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
339+
340+ * Merge with Debian unstable. Remaining changes:
341+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
342+ - Clean up d/strongswan-starter.postinst: Removed entire section on
343+ opportunistic encryption disabling - this was never in strongSwan and
344+ won't be see upstream issue #2160.
345+ - d/rules: Removed patching ipsec.conf on build (not using the
346+ debconf-managed config.)
347+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
348+ used for debconf-managed include of private key).
349+ - Mass enablement of extra plugins and features to allow a user to use
350+ strongswan for a variety of extra use cases without having to rebuild.
351+ + d/control: Add required additional build-deps
352+ + d/control: Mention addtionally enabled plugins
353+ + d/rules: Enable features at configure stage
354+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
355+ + d/libstrongswan.install: Add plugins (so, conf)
356+ - d/strongswan-starter.install: Install pool feature, which is useful since
357+ we have attr-sql plugin enabled as well using it.
358+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
359+ via this userspace implementation (please do note that this is still
360+ considered experimental by upstream).
361+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
362+ + d/control: List kernel-libipsec plugin at extra plugins description
363+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
364+ upstream recommends to not load kernel-libipsec by default.
365+ - Relocate tnc plugin
366+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
367+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
368+ - d/libstrongswan.install: Reorder conf and .so alphabetically
369+ - d/libstrongswan.install: Add kernel-netlink configuration files
370+ - Complete the disabling of libfast; This was partially accepted in Debian,
371+ it is no more packaging medcli and medsrv, but still builds and
372+ mentions it.
373+ + d/rules: Add --disable-fast to avoid build time and dependencies
374+ + d/control: Remove medcli, medsrv from package description
375+ - d/control: Mention mgf1 plugin which is in libstrongswan now
376+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
377+ libstrongswan-extra-plugins (no deps from default plugins).
378+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
379+ plugins for the most common use cases from extra-plugins into a new
380+ standard-plugins package. This will allow those use cases without pulling
381+ in too much more plugins (a bit like the tnc package). Recommend that
382+ package from strongswan-libcharon.
383+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
384+ attr-sql plugins (LP #1766240)
385+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
386+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
387+ * Dropped:
388+ - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
389+ [Fixed in 5.6.3-1]
390+
391+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
392+
393 strongswan (5.6.3-1) unstable; urgency=medium
394
395 * New upstream version 5.6.2
396@@ -146,6 +505,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
397
398 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
399
400+strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
401+
402+ * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
403+
404+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
405+
406+strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
407+
408+ * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
409+ Remaining changes:
410+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
411+ + Clean up d/strongswan-starter.postinst: Removed entire section on
412+ opportunistic encryption disabling - this was never in strongSwan and
413+ won't be see upstream issue #2160.
414+ + d/rules: Removed patching ipsec.conf on build (not using the
415+ debconf-managed config.)
416+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
417+ used for debconf-managed include of private key).
418+ + Mass enablement of extra plugins and features to allow a user to use
419+ strongswan for a variety of extra use cases without having to rebuild.
420+ - d/control: Add required additional build-deps
421+ - d/control: Mention addtionally enabled plugins
422+ - d/rules: Enable features at configure stage
423+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
424+ - d/libstrongswan.install: Add plugins (so, conf)
425+ + d/strongswan-starter.install: Install pool feature, which is useful since
426+ we have attr-sql plugin enabled as well using it.
427+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
428+ via this userspace implementation (please do note that this is still
429+ considered experimental by upstream).
430+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
431+ - d/control: List kernel-libipsec plugin at extra plugins description
432+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
433+ upstream recommends to not load kernel-libipsec by default.
434+ + Relocate tnc plugin
435+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
436+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
437+ + d/libstrongswan.install: Reorder conf and .so alphabetically
438+ + d/libstrongswan.install: Add kernel-netlink configuration files
439+ + Complete the disabling of libfast; This was partially accepted in Debian,
440+ it is no more packaging medcli and medsrv, but still builds and
441+ mentions it.
442+ - d/rules: Add --disable-fast to avoid build time and dependencies
443+ - d/control: Remove medcli, medsrv from package description
444+ + d/control: Mention mgf1 plugin which is in libstrongswan now
445+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
446+ libstrongswan-extra-plugins (no deps from default plugins).
447+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
448+ plugins for the most common use cases from extra-plugins into a new
449+ standard-plugins package. This will allow those use cases without pulling
450+ in too much more plugins (a bit like the tnc package). Recommend that
451+ package from strongswan-libcharon.
452+ * Dropped Changes (no more needed after 18.04)
453+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
454+ missed that, droppable after 18.04)
455+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
456+ libstrongswan as we dropped relocating ccm and test-vectors.
457+ (droppable >18.04).
458+ + d/control: add breaks/replace from libstrongswan to
459+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
460+ (droppable >18.04).
461+ + d/control: bump breaks/replaces for the move of the updown plugin
462+ (Missed Changelog entry on last merge)
463+ + d/control: fix dependencies of strongswan-libcharon due to the move
464+ the updown plugin (droppable >18.04).
465+ * Added Changes:
466+ + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
467+ attr-sql plugins (LP: #1766240)
468+ + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
469+
470+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
471+
472 strongswan (5.6.2-2) unstable; urgency=medium
473
474 * charon-nm: Fix building list of DNS/MDNS servers with libnm
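Review bot: In the Added Changes of the entry dated 29 May 2018, the two d/usr.sbin.charon-systemd items ("allow to contact mysql for sql and attr-sql plugins" and "allow systemd notifications") say what the AppArmor profile now permits but not which rules were added, so the changelog gives no way to judge how wide the new access is. Please check the profile in the merged tree and confirm the mysql rule covers only what the sql and attr-sql plugins need. Minor: "transition from precies" in the Dropped Changes should read "precise"; leave it if the entry is carried over verbatim from the old Ubuntu history.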
475@@ -156,6 +587,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
476
477 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
478
479+strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
480+
481+ * d/control: fix dependencies of strongswan-libcharon due to the move
482+ the updown plugin.
483+
484+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
485+
486+strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
487+
488+ * Merge with Debian unstable (LP: #1753018). Remaining changes:
489+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
490+ + Clean up d/strongswan-starter.postinst: Removed entire section on
491+ opportunistic encryption disabling - this was never in strongSwan and
492+ won't be see upstream issue #2160.
493+ + Ubuntu is not using the debconf triggered private key generation
494+ - d/rules: Removed patching ipsec.conf on build (not using the
495+ debconf-managed config.)
496+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
497+ used for debconf-managed include of private key).
498+ + Mass enablement of extra plugins and features to allow a user to use
499+ strongswan for a variety of extra use cases without having to rebuild.
500+ - d/control: Add required additional build-deps
501+ - d/control: Mention addtionally enabled plugins
502+ - d/rules: Enable features at configure stage
503+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
504+ - d/libstrongswan.install: Add plugins (so, conf)
505+ + d/strongswan-starter.install: Install pool feature, which is useful since
506+ we have attr-sql plugin enabled as well using it.
507+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
508+ via this userspace implementation (please do note that this is still
509+ considered experimental by upstream).
510+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
511+ - d/control: List kernel-libipsec plugin at extra plugins description
512+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
513+ upstream recommends to not load kernel-libipsec by default.
514+ + Relocate tnc plugin
515+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
516+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
517+ + d/libstrongswan.install: Reorder conf and .so alphabetically
518+ + d/libstrongswan.install: Add kernel-netlink configuration files
519+ + Complete the disabling of libfast; This was partially accepted in Debian,
520+ it is no more packaging medcli and medsrv, but still builds and
521+ mentions it.
522+ - d/rules: Add --disable-fast to avoid build time and dependencies
523+ - d/control: Remove medcli, medsrv from package description
524+ + d/control: Mention mgf1 plugin which is in libstrongswan now
525+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
526+ libstrongswan-extra-plugins (no deps from default plugins).
527+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
528+ missed that, droppable after 18.04)
529+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
530+ plugins for the most common use cases from extra-plugins into a new
531+ standard-plugins package. This will allow those use cases without pulling
532+ in too much more plugins (a bit like the tnc package). Recommend that
533+ package from strongswan-libcharon.
534+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
535+ libstrongswan as we dropped relocating ccm and test-vectors.
536+ (droppable >18.04).
537+ + d/control: add breaks/replace from libstrongswan to
538+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
539+ (droppable >18.04).
540+ * Added Changes:
541+ + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
542+ starter as we followed Debian to move the updown plugin but need to
543+ match Ubuntu versions (Droppable >18.04).
544+
545+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
546+
547 strongswan (5.6.2-1) unstable; urgency=medium
548
549 * d/NEWS: add information about disabled algorithms (closes: #883072)
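Review bot: The 5.6.2-1ubuntu1 entry lists only Remaining and Added changes and has no Dropped Changes section, although the 5.6.1-2ubuntu4 entry further down carried debian/patches/CVE-2018-6459.patch; nothing here records where that patch went. Please confirm the fix is part of the 5.6.2 source and that the patch is no longer referenced in debian/patches/series. Minor: the file name "d/libbstrongswan-extra-plugins.install" has a doubled "b" and "addtionally" is misspelled; both recur in the older entries, so keep them only where the history must stay verbatim.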
550@@ -178,6 +677,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
551
552 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
553
554+strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
555+
556+ * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
557+ - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
558+ identifier without parameters in
559+ src/libstrongswan/credentials/keys/signature_params.c.
560+ - CVE-2018-6459
561+
562+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
563+
564+strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
565+
566+ * No-change rebuild against libcurl4
567+
568+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
569+
570+strongswan (5.6.1-2ubuntu2) bionic; urgency=high
571+
572+ * No change rebuild against openssl1.1.
573+
574+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
575+
576+strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
577+
578+ * Merge with Debian unstable (LP: #1717343).
579+ Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
580+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
581+ + Clean up d/strongswan-starter.postinst: Removed entire section on
582+ opportunistic encryption disabling - this was never in strongSwan and
583+ won't be see upstream issue #2160.
584+ + Ubuntu is not using the debconf triggered private key generation
585+ - d/rules: Removed patching ipsec.conf on build (not using the
586+ debconf-managed config.)
587+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
588+ used for debconf-managed include of private key).
589+ + Mass enablement of extra plugins and features to allow a user to use
590+ strongswan for a variety of extra use cases without having to rebuild.
591+ - d/control: Add required additional build-deps
592+ - d/control: Mention addtionally enabled plugins
593+ - d/rules: Enable features at configure stage
594+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
595+ - d/libstrongswan.install: Add plugins (so, conf)
596+ + d/strongswan-starter.install: Install pool feature, which is useful since
597+ we have attr-sql plugin enabled as well using it.
598+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
599+ via this userspace implementation (please do note that this is still
600+ considered experimental by upstream).
601+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
602+ - d/control: List kernel-libipsec plugin at extra plugins description
603+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
604+ upstream recommends to not load kernel-libipsec by default.
605+ + Relocate tnc plugin
606+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
607+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
608+ + d/libstrongswan.install: Reorder conf and .so alphabetically
609+ + d/libstrongswan.install: Add kernel-netlink configuration files
610+ + Complete the disabling of libfast; This was partially accepted in Debian,
611+ it is no more packaging medcli and medsrv, but still builds and
612+ mentions it.
613+ - d/rules: Add --disable-fast to avoid build time and dependencies
614+ - d/control: Remove medcli, medsrv from package description
615+ + d/control: Mention mgf1 plugin which is in libstrongswan now
616+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
617+ libstrongswan-extra-plugins (no deps from default plugins).
618+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
619+ missed that, droppable after 18.04)
620+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
621+ plugins for the most common use cases from extra-plugins into a new
622+ standard-plugins package. This will allow those use cases without pulling
623+ in too much more plugins (a bit like the tnc package). Recommend that
624+ package from strongswan-libcharon.
625+ * Added changes:
626+ + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
627+ in 5.6
628+ + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
629+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
630+ libstrongswan as we dropped relocating ccm and test-vectors.
631+ (droppable >18.04).
632+ - d/control: add breaks/replace from libstrongswan to
633+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
634+ (droppable >18.04).
635+ * Dropped changes:
636+ + Update init/service handling (debian default matches Ubuntu past now)
637+ Dropping this fixes (LP: #1734886)
638+ - d/rules: Change init/systemd program name to strongswan
639+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
640+ patching upstream
641+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
642+ linking to upstream
643+ + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
644+ (this is a never failing no-op for us, no need for Delta).
645+ + d/strongswan-starter.prerm: Stop strongswan service on package removal
646+ (ipsec now maps to strongswan service, so this works as-is).
647+ + Clean up d/strongswan-starter.postinst: rename service ipsec to
648+ strongswan (ipsec now maps to strongswan service, so this works as-is)
649+ + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
650+ whole section is disabled, so no need for delta)
651+ + (is upstream) CVE-2017-11185 patches
652+ + (is upstream) FTBFS upstream fix for changed include files
653+ + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
654+ QEMU/KVM autopkgtest the bliss test takes longer than the default
655+ + (in Debian) add now built (since 5.5.1) mgf1 plugin to
656+ libstrongswan-extra-plugins.
657+ + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
658+ + (this was enabled as part of the former delta, squash changes to no-up)
659+ d/rules: Disable duplicheck.
660+ + (not needed) Relocate plugins test-vectors from extra-plugins to
661+ libstrongswan
662+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
663+ - d/libstrongswan.install: Add plugins/confiles
664+ - d/control: move package descriptions and add required breaks/replaces
665+ + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
666+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
667+ - d/libstrongswan.install: Add plugins/confiles
668+ - d/control: move package descriptions and add required breaks/replaces
669+ + (while using it requires special kernel, it does not hurt to be
670+ available in the package) Remove ha plugin
671+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
672+ - d/rules: Do not enable ha plugin
673+ - d/control: Drop listing the ha plugin in the package description
674+
675+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
676+
677 strongswan (5.6.1-2) unstable; urgency=medium
678
679 * move counters plugin from -starter to -libcharon. closes: #882431
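Review bot: In the 5.6.1-2ubuntu1 entry, under "Added changes", the item "d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins for the move of mgf1" starts with "-" while its siblings start with "+", so it reads as a sub-item of the ccm/test-vectors bump above it rather than as a separate change. The same item appears with "+" in the 5.6.2-1ubuntu1 entry, which suggests "+" was intended. Also in this hunk, 5.6.1-2ubuntu2 is a no-change rebuild against openssl1.1 marked urgency=high while the CVE-2018-6459 security update is urgency=medium; worth a quick check that these were copied as uploaded. Minor: "Also fixes and issue" should read "an issue".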
680@@ -264,6 +886,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
681
682 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
683
684+strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
685+
686+ * Fix Artful FTBFS due to newer glibc (LP: #1724859)
687+ - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
688+ files.
689+
690+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
691+
692+strongswan (5.5.1-4ubuntu2) artful; urgency=medium
693+
694+ * SECURITY UPDATE: Fix RSA signature verification
695+ - debian/patches/CVE-2017-11185.patch: does some
696+ verifications in order to avoid null-point dereference
697+ in src/libstrongswan/gmp/gmp_rsa_public_key.c
698+ - CVE-2017-11185
699+
700+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
701+
702+strongswan (5.5.1-4ubuntu1) artful; urgency=medium
703+
704+ * Merge from Debian to pick up latest security changes (CVE-2017-9022,
705+ CVE-2017-9023).
706+ * Remaining Changes:
707+ + Update init/service handling
708+ - d/rules: Change init/systemd program name to strongswan
709+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
710+ patching upstream
711+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
712+ linking to upstream
713+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
714+ - d/strongswan-starter.prerm: Stop strongswan service on package
715+ removal (as opposed to using the old init.d script).
716+ + Clean up d/strongswan-starter.postinst:
717+ - Removed section about runlevel changes
718+ - Adapted service restart section for Upstart (kept to be Trusty
719+ backportable).
720+ - Remove old symlinks to init.d files is necessary.
721+ - Removed further out-dated code
722+ - Removed entire section on opportunistic encryption - this was never in
723+ strongSwan.
724+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
725+ + Mass enablement of extra plugins and features to allow a user to use
726+ strongswan for a variety of use cases without having to rebuild.
727+ - d/control: Add required additional build-deps
728+ - d/rules: Enable features at configure stage
729+ - d/control: Mention addtionally enabled plugins
730+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
731+ - d/libstrongswan.install: Add plugins (so, conf)
732+ + d/rules: Disable duplicheck as per
733+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
734+ + Remove ha plugin (requires special kernel)
735+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
736+ - d/rules: Do not enable ha plugin
737+ - d/control: Drop listing the ha plugin in the package description
738+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
739+ via this userspace implementation (please do note that this is still
740+ considered experimental by upstream).
741+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
742+ - d/control: List kernel-libipsec plugin at extra plugins description
743+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
744+ upstream recommends to not load kernel-libipsec by default.
745+ + Relocate tnc plugin
746+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
747+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
748+ + d/strongswan-starter.install: Install pool feature, that useful due to
749+ having attr-sql plugin that is enabled now.
750+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
751+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
752+ - d/libstrongswan.install: Add plugins/confiles
753+ - d/control: move package descriptions and add required breaks/replaces
754+ + d/libstrongswan.install: Reorder conf and .so alphabetically
755+ + d/libstrongswan.install: Add kernel-netlink configuration files
756+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
757+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
758+ autopkgtest the bliss test takes longer than the default (Upstream in
759+ 5.5.2 via issue 2204)
760+ + Complete the disabling of libfast; This was partially accepted in Debian,
761+ it is no more packaging medcli and medsrv, but still builds and
762+ mentions it.
763+ - d/rules: Add --disable-fast to avoid build time and dependencies
764+ - d/control: Remove medcli, medsrv from package description
765+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
766+ "only" to extra-plugins Mgf1 is not listed as default plugin at
767+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
768+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
769+ libstrongswan-extra-plugins.
770+ + Add missing mention of md4 plugin in d/control
771+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
772+ missed that)
773+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
774+ plugins for the most common use cases from extra-plugins into a new
775+ standard-plugins package. This will allow those use cases without pulling
776+ in too much more plugins (a bit like the tnc package). Recommend that
777+ package from strongswan-libcharon.
778+
779+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
780+
781+strongswan (5.5.1-3ubuntu1) artful; urgency=medium
782+
783+ * Merge from Debian to pick up latest changes. Among others this includes:
784+ - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
785+ but likely have to wait until Debian stretch was released)
786+ - enabling mediation support (LP: #1657413)
787+ * Remaining Changes:
788+ + Update init/service handling
789+ - d/rules: Change init/systemd program name to strongswan
790+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
791+ patching upstream
792+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
793+ linking to upstream
794+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
795+ - d/strongswan-starter.prerm: Stop strongswan service on package
796+ removal (as opposed to using the old init.d script).
797+ + Clean up d/strongswan-starter.postinst:
798+ - Removed section about runlevel changes
799+ - Adapted service restart section for Upstart (kept to be Trusty
800+ backportable).
801+ - Remove old symlinks to init.d files is necessary.
802+ - Removed further out-dated code
803+ - Removed entire section on opportunistic encryption - this was never in
804+ strongSwan.
805+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
806+ + Mass enablement of extra plugins and features to allow a user to use
807+ strongswan for a variety of use cases without having to rebuild.
808+ - d/control: Add required additional build-deps
809+ - d/rules: Enable features at configure stage
810+ - d/control: Mention addtionally enabled plugins
811+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
812+ - d/libstrongswan.install: Add plugins (so, conf)
813+ + d/rules: Disable duplicheck as per
814+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
815+ + Remove ha plugin (requires special kernel)
816+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
817+ - d/rules: Do not enable ha plugin
818+ - d/control: Drop listing the ha plugin in the package description
819+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
820+ via this userspace implementation (please do note that this is still
821+ considered experimental by upstream).
822+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
823+ - d/control: List kernel-libipsec plugin at extra plugins description
824+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
825+ upstream recommends to not load kernel-libipsec by default.
826+ + Relocate tnc plugin
827+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
828+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
829+ + d/strongswan-starter.install: Install pool feature, that useful due to
830+ having attr-sql plugin that is enabled now.
831+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
832+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
833+ - d/libstrongswan.install: Add plugins/confiles
834+ - d/control: move package descriptions and add required breaks/replaces
835+ + d/libstrongswan.install: Reorder conf and .so alphabetically
836+ + d/libstrongswan.install: Add kernel-netlink configuration files
837+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
838+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
839+ autopkgtest the bliss test takes longer than the default (Upstream in
840+ 5.5.2 via issue 2204)
841+ + Complete the disabling of libfast; This was partially accepted in Debian,
842+ it is no more packaging medcli and medsrv, but still builds and
843+ mentions it.
844+ - d/rules: Add --disable-fast to avoid build time and dependencies
845+ - d/control: Remove medcli, medsrv from package description
846+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
847+ "only" to extra-plugins Mgf1 is not listed as default plugin at
848+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
849+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
850+ libstrongswan-extra-plugins.
851+ + Add missing mention of md4 plugin in d/control
852+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
853+ missed that)
854+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
855+ plugins for the most common use cases from extra-plugins into a new
856+ standard-plugins package. This will allow those use cases without pulling
857+ in too much more plugins (a bit like the tnc package). Recommend that
858+ package from strongswan-libcharon.
859+ * Dropped Changes:
860+ + Add and install apparmor profiles (in Debian)
861+ - d/rules: Install AppArmor profiles
862+ - d/control: Add dh-apparmor build-dep
863+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
864+ for charon, lookip and stroke
865+ - d/libcharon-extra-plugins.install: Install profile for lookip
866+ - d/strongswan-charon.install: Install profile for charon
867+ - d/strongswan-starter.install: Install profile for stroke
868+ - Fix strongswan ipsec status issue with apparmor
869+ - Fix Dep8 tests for the now extra strongswan-pki package for pki
870+ - Fix Dep8 tests for the now extra strongswan-scepclient package
871+ + d/rules: Sorted and only one enable option per configure line (in
872+ Debian)
873+ + Add updated logcheck rules (in Debian)
874+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
875+ - debian/strongswan.logcheck: Add updated logcheck rules
876+ + Add updated DEP8 tests (in Debian)
877+ - d/tests/*: Add DEP8 tests
878+ - d/control: Enable autotestpkg
879+ + d/rules: do not strip for library integrity checking (After Discussion
880+ with Debian this isn't acceptable there, but at the same time it turned
881+ out the real use-case of this never uses this lib but instead third
882+ party checks of checksums for e.g. FIPS cert; so drop the Delta)
883+ - Use override_dh_strip to to avoid overwriting user build flags.
884+ - Add missing mention of libchecksum integrity test in d/control
885+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
886+ in tests to avoid issues in low entropy environments. (Debian has
887+ disabled !x86 tests for the same reason, one solution is enough)
888+
889+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
890+
891 strongswan (5.5.1-3) unstable; urgency=medium
892
893 [ Christian Ehrhardt ]
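Review bot: The 5.5.1-4ubuntu1 entry says the merge picks up CVE-2017-9022 and CVE-2017-9023 but names neither the Debian version merged nor the patch files, unlike the 5.5.1-4ubuntu2 entry above it, which names debian/patches/CVE-2017-11185.patch and the source file it touches. Anyone auditing which upload first carried those two fixes has to go to the Debian changelog to find out; if the history allows, a reference to the Debian revision would close that gap. Minor: "null-point dereference" should be "null-pointer dereference", and "Remove old symlinks to init.d files is necessary" presumably means "if necessary".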
894@@ -297,6 +1126,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
895
896 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
897
898+strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
899+
900+ * Update Maintainers which was missed while merging 5.5.1-1.
901+
902+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
903+
904+strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
905+
906+ * Merge from Debian (complex delta, discussions and broken out changes can be
907+ found in the merge proposal linked from the merge bug LP: #1631198)
908+ * Remaining Changes:
909+ + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
910+ checking.
911+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
912+ in tests to avoid issues in low entropy environments.
913+ + Update init/service handling
914+ - d/rules: Change init/systemd program name to strongswan
915+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
916+ patching upstream
917+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
918+ linking to upstream
919+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
920+ - d/strongswan-starter.prerm: Stop strongswan service on package
921+ removal (as opposed to using the old init.d script).
922+ + Clean up d/strongswan-starter.postinst:
923+ - Removed section about runlevel changes
924+ - Adapted service restart section for Upstart (kept to be Trusty
925+ backportable).
926+ - Remove old symlinks to init.d files is necessary.
927+ - Removed further out-dated code
928+ - Removed entire section on opportunistic encryption - this was never in
929+ strongSwan.
930+ + Add and install apparmor profiles
931+ - d/rules: Install AppArmor profiles
932+ - d/control: Add dh-apparmor build-dep
933+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
934+ for charon, lookip and stroke
935+ - d/libcharon-extra-plugins.install: Install profile for lookip
936+ - d/strongswan-charon.install: Install profile for charon
937+ - d/strongswan-starter.install: Install profile for stroke
938+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
939+ + d/rules: Sorted and only one enable option per configure line
940+ + Mass enablement of extra plugins and features to allow a user to use
941+ strongswan for a variety of use cases without having to rebuild.
942+ - d/control: Add required additional build-deps
943+ - d/rules: Enable features at configure stage
944+ - d/control: Mention addtionally enabled plugins
945+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
946+ - d/libstrongswan.install: Add plugins (so, conf)
947+ + d/rules: Disable duplicheck as per
948+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
949+ + Remove ha plugin (requires special kernel)
950+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
951+ - d/rules: Do not enable ha plugin
952+ - d/control: Drop listing the ha plugin in the package description
953+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
954+ via this userspace implementation (please do note that this is still
955+ considered experimental by upstream).
956+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
957+ - d/control: List kernel-libipsec plugin at extra plugins description
958+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
959+ upstream recommends to not load kernel-libipsec by default.
960+ + Relocate tnc plugin
961+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
962+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
963+ + d/strongswan-starter.install: Install pool feature, that useful due to
964+ having attr-sql plugin that is enabled now.
965+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
966+ - d/libstrongswan-extra-plugins.install: Remove plugins
967+ - d/libstrongswan.install: Add plugins
968+ + d/libstrongswan.install: Reorder conf and .so alphabetically
969+ + d/libstrongswan.install: Add kernel-netlink configuration files
970+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
971+ + Add updated logcheck rules
972+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
973+ - debian/strongswan.logcheck: Add updated logcheck rules
974+ + Add updated DEP8 tests
975+ - d/tests/*: Add DEP8 tests
976+ - d/control: Enable autotestpkg
977+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
978+ autopkgtest the bliss test takes longer than the default
979+ + Complete the disabling of libfast
980+ - Note: This was partially accepted in Debian, it is no more
981+ packaging medcli and medsrv, but still builds and mentions it
982+ - d/rules: Add --disable-fast to avoid build time and dependencies
983+ - d/control: Remove medcli, medsrv from package description
984+ * Dropped Changes:
985+ + Adding build-dep to iptables-dev (no change, was only in Changelog)
986+ + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
987+ + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
988+ upgrade path left needing them)
989+ + Most of "disabling libfast" (Debian dropped it from package content)
990+ + Transition for ipsec service (no upgrade path left)
991+ + Reverted part of the cleanup to d/strongswan-starter.postinst as using
992+ service should rather use invoke-rc.d (so it is a partial revert of our
993+ delta)
994+ + Transition handling (breaks/replaces) from per-plugin packages to the
995+ three grouped plugin packages (no upgrade path left)
996+ + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
997+ it is effectively a no-op still, so not worth the delta)
998+ + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
999+ (no more needed)
1000+ + d/rules: Remove configure option --enable-unit-test (unit tests run by
1001+ default)
1002+ * Added Changes:
1003+ + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
1004+ + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
1005+ the relocation of the ccm plugin which missed to move the conffiles.
1006+ + Complete move of test-vectors (was missing in d/control)
1007+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1008+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1009+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1010+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1011+ libstrongswan-extra-plugins.
1012+ + Add missing mention of md4 plugin in d/control
1013+ + Add missing mention of libchecksum integrity test in d/control
1014+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1015+ missed that)
1016+ + Use override_dh_strip to to fix library integrity checking instead of
1017+ DEB_BUILD_OPTION to avoid overwriting user build flags.
1018+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1019+ plugins for the most common use cases from extra-plugins into a new
1020+ standard-plugins package. This will allow those use cases without pulling
1021+ in too much more plugins (a bit like the tnc package). Recommend that
1022+ package from strongswan-libcharon (LP: #1640826).
1023+ + Fix Dep8 tests for the now extra strongswan-pki package for pki
1024+ + Fix Dep8 tests for the now extra strongswan-scepclient package
1025+
1026+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
1027+
1028 strongswan (5.5.1-1) unstable; urgency=medium
1029
1030 * New upstream bugfix release.
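Review bot: The 5.5.1-1ubuntu1 entry describes the same d/rules delta in two contradictory states: Remaining Changes lists "Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while Added Changes says "Use override_dh_strip to to fix library integrity checking instead of DEB_BUILD_OPTION to avoid overwriting user build flags". Only one of these can describe d/rules at that upload, and since the checksum-based integrity test depends on binaries not being stripped, it matters which. Please confirm against the old/ubuntu tag which mechanism was actually in place. Minor: "to to" is doubled and "DEB_BUILD_OPTION" is missing its final "S".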
1031@@ -413,6 +1372,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
1032
1033 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
1034
1035+strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
1036+
1037+ * Build-depend on libjson-c-dev instead of libjson0-dev.
1038+ * Rebuild against libjson-c3.
1039+
1040+ -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
1041+
1042+strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
1043+
1044+ * Rebuild against libmysqlclient20.
1045+
1046+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
1047+
1048+strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
1049+
1050+ * debian/tests/plugins: rdrand may or may not be loaded, depending on the
1051+ cpu features.
1052+
1053+ -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
1054+
1055+strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
1056+
1057+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1058+ Enable bliss plugin
1059+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1060+ Enable chapoly plugin
1061+ * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
1062+ Upstream suggests to not load this plugin by default as it has
1063+ some limitations.
1064+ https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
1065+ * debian/patches/increase-bliss-test-timeout.patch
1066+ Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
1067+ * Update Apparmor profiles
1068+ - usr.lib.ipsec.charon
1069+ - add capability audit_write for xauth-pam (LP: #1470277)
1070+ - add capability dac_override (needed by agent plugin)
1071+ - allow priv dropping (LP: #1333655)
1072+ - allow caching CRLs (LP: #1505222)
1073+ - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
1074+ - usr.lib.ipsec.stroke
1075+ - allow priv dropping (LP: #1333655)
1076+ - add local include
1077+ - usr.lib.ipsec.lookip
1078+ - add local include
1079+ * Merge from Debian, which includes fixes for all previous CVEs
1080+ Fixes (LP: #1330504, #1451091, #1448870, #1470277)
1081+ Remaining changes:
1082+ * debian/control
1083+ - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1084+ - Update Maintainer for Ubuntu
1085+ - Add build-deps
1086+ - dh-apparmor
1087+ - iptables-dev
1088+ - libjson0-dev
1089+ - libldns-dev
1090+ - libmysqlclient-dev
1091+ - libpcsclite-dev
1092+ - libsoup2.4-dev
1093+ - libtspi-dev
1094+ - libunbound-dev
1095+ - Drop build-deps
1096+ - libfcgi-dev
1097+ - clearsilver-dev
1098+ - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1099+ - Set XS-Testsuite: autopkgtest
1100+ * debian/rules:
1101+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1102+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1103+ tests.
1104+ - Change init/systemd program name to strongswan
1105+ - Install AppArmor profiles
1106+ - Removed pieces on 'patching ipsec.conf' on build.
1107+ - Enablement of features per Ubuntu current config suggested from
1108+ upstream recommendation
1109+ - Unpack and sort enabled features to one-per-line
1110+ - Disable duplicheck as per
1111+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1112+ - Disable libfast (--disable-fast):
1113+ Requires dropping medsrv, medcli plugins which depend on libfast
1114+ - Add configure options
1115+ --with-tss=trousers
1116+ - Remove configure options:
1117+ --enable-ha (requires special kernel)
1118+ --enable-unit-test (unit tests run by default)
1119+ - Drop logcheck install
1120+ * debian/tests/*
1121+ - Add DEP8 test for strongswan service and plugins
1122+ * debian/strongswan-starter.strongswan.service
1123+ - Add new systemd file instead of patching upstream
1124+ * debian/strongswan-starter.links
1125+ - removed, use Ubuntu systemd file instead of linking to upstream
1126+ * debian/usr.lib.ipsec.{charon, lookip, stroke}
1127+ - added AppArmor profiles for charon, lookip and stroke
1128+ * debian/libcharon-extra-plugins.install
1129+ - Add plugins
1130+ - kernel-libipsec.{so, lib, conf, apparmor}
1131+ - Remove plugins
1132+ - libstrongswan-ha.so
1133+ - Relocate plugins
1134+ - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1135+ * debian/libstrongswan-extra-plugins.install
1136+ - Add plugins (so, lib, conf)
1137+ - acert
1138+ - attr-sql
1139+ - coupling
1140+ - dnscert
1141+ - fips-prf
1142+ - gmp
1143+ - ipseckey
1144+ - load-tester
1145+ - mysql
1146+ - ntru
1147+ - radattr
1148+ - soup
1149+ - sqlite
1150+ - sql
1151+ - systime-fix
1152+ - unbound
1153+ - whitelist
1154+ - Relocate plugins (so, lib, conf)
1155+ - ccm (libstrongswan.install)
1156+ - test-vectors (libstrongswan.install)
1157+ * debian/libstrongswan.install
1158+ - Sort sections
1159+ - Add plugins (so, lib, conf)
1160+ - libchecksum
1161+ - ccm
1162+ - eap-identity
1163+ - md4
1164+ - test-vectors
1165+ * debian/strongswan-charon.install
1166+ - Add AppArmor profile for charon
1167+ * debian/strongswan-starter.install
1168+ - Add tools, manpages, conf
1169+ - openac
1170+ - pool
1171+ - _updown_espmark
1172+ - Add AppArmor profile for stroke
1173+ * debian/strongswan-tnc-base.install
1174+ - Add new subpackage for TNC
1175+ - remove non-existent (dropped in 5.2.1) libpts library files
1176+ * debian/strongswan-tnc-client.install
1177+ - Add new subpackage for TNC
1178+ * debian/strongswan-tnc-ifmap.install
1179+ - Add new subpackage for TNC
1180+ * debian/strongswan-tnc-pdp.install
1181+ - Add new subpackage for TNC
1182+ * debian/strongswan-tnc-server.install
1183+ - Add new subpackage for TNC
1184+ * debian/strongswan-starter.postinit:
1185+ - Removed section about runlevel changes, it's almost 2014.
1186+ - Adapted service restart section for Upstart.
1187+ - Remove old symlinks to init.d files is necessary.
1188+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1189+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1190+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1191+ removal (as opposed to using the old init.d script).
1192+ * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1193+ - logcheck patterns updated to be helpful
1194+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1195+ entire section on opportunistic encryption - this was never in strongSwan.
1196+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1197+ Drop changes:
1198+ * debian/control
1199+ - Per-plugin package breakup: Reducing packaging delta from Debian
1200+ - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1201+ * debian/watch: Already exists in Debian merge
1202+ * debian/upstream/signing-key.asc: Upstream has newer version.
1203+
1204+ -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1205+
1206 strongswan (5.3.5-1) unstable; urgency=medium
1207
1208 * New upstream bugfix release.
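Review bot: In the 5.3.5-1ubuntu1 entry, the usr.lib.ipsec.charon profile gains `capability dac_override` with only "needed by agent plugin" as justification. That capability lets charon bypass file permission checks, so please confirm against the current debian/usr.lib.ipsec.charon that it is still required, and if it is, record which path the agent plugin needs so the grant can be narrowed to a file rule. The same entry says the Debian merge "includes fixes for all previous CVEs" without naming any, unlike the 5.1.2-0ubuntu* entries, which makes this part of the history hard to map to a CVE tracker.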
1209@@ -685,6 +1815,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
1210
1211 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
1212
1213+strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1214+
1215+ * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1216+
1217+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1218+
1219+strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1220+
1221+ * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1222+ - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1223+ MSK was established in
1224+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1225+ - CVE-2015-8023
1226+ * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1227+ until regression is properly investigated.
1228+
1229+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1230+
1231+strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1232+
1233+ * SECURITY UPDATE: user credential disclosure to rogue servers
1234+ - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1235+ config before proceeding with own authentication in
1236+ src/libcharon/sa/ikev2/tasks/ike_auth.c.
1237+ - CVE-2015-4171
1238+ * debian/rules: don't FTBFS from unused service file
1239+
1240+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1241+
1242+strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1243+
1244+ * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1245+
1246+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1247+
1248+strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1249+
1250+ * SECURITY UPDATE: denial of service via DH group 1025
1251+ - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1252+ IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1253+ src/libstrongswan/crypto/diffie_hellman.h.
1254+ - CVE-2014-9221
1255+
1256+ -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1257+
1258+strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1259+
1260+ * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1261+ build.
1262+
1263+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1264+
1265+strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1266+
1267+ * SECURITY UPDATE: remote authentication bypass
1268+ - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1269+ on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1270+ - CVE-2014-2338
1271+
1272+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1273+
1274+strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1275+
1276+ * New upstream release.
1277+
1278+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1279+
1280+strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1281+
1282+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1283+ * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1284+
1285+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1286+
1287+strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1288+
1289+ * New upstream release candidate.
1290+
1291+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1292+
1293+strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1294+
1295+ * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1296+ packages.
1297+ * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1298+
1299+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1300+
1301+strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1302+
1303+ * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1304+
1305+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1306+
1307+strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1308+
1309+ * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1310+ as it's only useful on amd64.
1311+ * debian/watch: Added opts=pgpsigurlmangle option.
1312+ * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1313+
1314+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1315+
1316+strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1317+
1318+ * New upstream release candidate.
1319+ * debian/*.install - include new configuration files for plugins in
1320+ appropiate packages.
1321+
1322+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1323+
1324+strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1325+
1326+ * debian/control:
1327+ - Added Breaks/Replaces for all library files which have been moved
1328+ about (LP: #1278176).
1329+ - Removed build-dependency on check and added one on dh-apparmor.
1330+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1331+ entire section on opportunistic encryption - this was never in strongSwan.
1332+ * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1333+
1334+ -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1335+
1336+strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1337+
1338+ * debian/control: Fixed references to plugin-fips-prf.
1339+
1340+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1341+
1342+strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1343+
1344+ * Upstream Git snapshot for build fixes with regards to entropy.
1345+ * debian/rules:
1346+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1347+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1348+ tests.
1349+
1350+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1351+
1352+strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1353+
1354+ * New upstream developer release.
1355+ * Made changes to packaging per upstream suggestions.
1356+ - Dropped medcli and medsrv packages - not recommended by upstream at this
1357+ time.
1358+ - Dropped ha plugin - needs special kernel.
1359+ - Improved all package descriptions in general.
1360+ - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1361+ - Removed debian/*logcheck* files - not relevant to strongSwan.
1362+ - Split dhcp and farp packages into sub-packages.
1363+ - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1364+ - Changes to TNC-related packages.
1365+ * Created AppArmor profiles for lookip and stroke.
1366+
1367+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1368+
1369+strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1370+
1371+ * libstrongswan.install: Removed lingering unit-tester.so reference.
1372+
1373+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1374+
1375+strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1376+
1377+ * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1378+ Incorporates upstream fixes for:
1379+ - Integrity testing.
1380+ - Unit test failures on little endian systems.
1381+ * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1382+ upstream.
1383+ * debian/rules:
1384+ - Stop using CK_TIMEOUT_MULTIPLIER.
1385+ - Stop enabling the test suite only on non-powerpc arches (it runs
1386+ anyway).
1387+
1388+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1389+
1390+strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1391+
1392+ * debian/control: Reinstate missing comma in dependencies.
1393+
1394+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
1395+
1396+strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
1397+
1398+ * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
1399+ where test for >2038 tests on 32-bit platforms is broken.
1400+ - Reported upstream: https://wiki.strongswan.org/issues/477
1401+ * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
1402+
1403+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
1404+
1405+strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
1406+
1407+ * New upstream developer release.
1408+ * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
1409+ and --enable-unity.
1410+ * debian/control:
1411+ - New plugin packages created for the above
1412+ - Split fips-prf into its own package.
1413+ - Added build-dependency on libsoup2.4-dev.
1414+
1415+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
1416+
1417 strongswan (5.1.1-3) unstable; urgency=low
1418
1419 * Upload to unstable.
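Review bot: The 5.1.2-0ubuntu7 entry carries debian/patches/disable_ntru_test.patch in the same upload as the CVE-2015-8023 fix, disabling a test "until regression is properly investigated" with no LP bug reference. Please check that this patch is no longer carried in the merged tree, or link the bug that tracks the investigation, since a disabled crypto test with no owner is easy to forget.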
1420@@ -776,6 +2110,192 @@ strongswan (5.1.1-1) unstable; urgency=low
1421
1422 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
1423
1424+strongswan (5.1.1-0ubuntu17) trusty; urgency=low
1425+
1426+ * debian/control:
1427+ - Make strongswan-ike depend on iproute2.
1428+ - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
1429+ - Created strongswan-libfast package.
1430+
1431+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
1432+
1433+strongswan (5.1.1-0ubuntu16) trusty; urgency=low
1434+
1435+ * debian/control:
1436+ - Further splitting of plugins into subpackages (such as all EAP plugins
1437+ to their own packages).
1438+ - Added libpcsclite-dev to build-dependencies.
1439+ * debian/rules:
1440+ - Sort configure options in alphabetical order.
1441+ - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
1442+ --enable-eap-sim-file, --enable-eap-sim-pcsc,
1443+ --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
1444+ --enable-eap-simaka-sql.
1445+ - Don't exclude medsrv from install.
1446+ * Moved eap-identity.so to libstrongswan package as it's used by all the
1447+ other EAP plugins.
1448+
1449+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
1450+
1451+strongswan (5.1.1-0ubuntu15) trusty; urgency=low
1452+
1453+ * debian/control:
1454+ - Split plugins from libstrongswan package into modular subpackages.
1455+ - Added libmysqlclient-dev to build-dependencies.
1456+ - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
1457+ strongswan-plugins-gcrypt.
1458+ - strongswan-ike: All other plugins added to Suggests.
1459+ - Created two new TNC packages: strongswan-tnc-ifmap and
1460+ strongswan-tnc-pdp and added to tnc-imcvs Suggests.
1461+ * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
1462+ --enable-error-notify, --enable-mysql, --enable-load-tester,
1463+ --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
1464+ * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
1465+
1466+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
1467+
1468+strongswan (5.1.1-0ubuntu14) trusty; urgency=low
1469+
1470+ * debian/rules:
1471+ - CK_TIMEOUT_MULTIPLIER back down to 6.
1472+ - Disable unit tests on powerpc.
1473+
1474+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
1475+
1476+strongswan (5.1.1-0ubuntu13) trusty; urgency=low
1477+
1478+ * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
1479+
1480+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
1481+
1482+strongswan (5.1.1-0ubuntu12) trusty; urgency=low
1483+
1484+ * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
1485+ armhf.
1486+
1487+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
1488+
1489+strongswan (5.1.1-0ubuntu11) trusty; urgency=low
1490+
1491+ * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
1492+ one extra arch.
1493+ * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
1494+
1495+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
1496+
1497+strongswan (5.1.1-0ubuntu10) trusty; urgency=low
1498+
1499+ * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
1500+ - Increases RSA key generate test timeout to 30 seconds so that it doesn't
1501+ fail on armhf, arm64, and powerppc.
1502+ * Contrary to what the last changelog entry says, we are still running
1503+ strongswan as root (with AppArmor protection).
1504+
1505+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
1506+
1507+strongswan (5.1.1-0ubuntu9) trusty; urgency=low
1508+
1509+ * debian/rules: Added to configure options:
1510+ - --enable-tnc-ifmap: enable TNC IF-MAP module.
1511+ - --enable-duplicheck: enable duplicheck plugin.
1512+ - --enable-imv-swid, --enable-imc-swid: Added.
1513+ - Run strongswan as it's own user.
1514+ * debian/strongswan-starter.install: Install duplicheck.
1515+ * debian/strongswan-tnc-imcvs.install: Install swidtags.
1516+
1517+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
1518+
1519+strongswan (5.1.1-0ubuntu8) trusty; urgency=low
1520+
1521+ * debian/rules: Added to configure options:
1522+ - --enable-unit-tests: check unit testing on build.
1523+ - --enable-unbound: for validating DNS lookups.
1524+ - --enable-dnscert: for DNSCERT peer authentication.
1525+ - --enable-ipseckey: for IPSEC key authentication.
1526+ - --enable-lookip: for LookIP functionality.
1527+ - --enable-coupling: certificate coupling functionality.
1528+ * debian/control: Added check, libldns-dev, libunbound-dev to
1529+ build-dependencies.
1530+ * debian/libstrongswan.install: Install new plugin .so's.
1531+ * debian/strongswan-starter.install: Added lookip.
1532+
1533+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
1534+
1535+strongswan (5.1.1-0ubuntu7) trusty; urgency=low
1536+
1537+ * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
1538+ the former from depending on the latter).
1539+
1540+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
1541+
1542+strongswan (5.1.1-0ubuntu6) trusty; urgency=low
1543+
1544+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1545+ removal (as opposed to using the old init.d script).
1546+
1547+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
1548+
1549+strongswan (5.1.1-0ubuntu5) trusty; urgency=low
1550+
1551+ * debian/rules:
1552+ - CONFIGUREARGS: Merged Debian and RPM options.
1553+ - Brings in TNC functionality.
1554+ * debian/control:
1555+ - Added build-dependency on libtspi-dev.
1556+ - Created strongswan-tnc-imcvs binary package for TNC components.
1557+ - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
1558+ * debian/libstrongswan.install:
1559+ - Included newly built MD4 and SQLite libraries.
1560+ - Removed 'tnc' references (moved to TNC package).
1561+ * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
1562+ binaries.
1563+ * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
1564+
1565+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
1566+
1567+strongswan (5.1.1-0ubuntu4) trusty; urgency=low
1568+
1569+ * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
1570+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1571+ * debian/control: strongswan-ike - Stop depending on ipsec-tools.
1572+
1573+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
1574+
1575+strongswan (5.1.1-0ubuntu3) trusty; urgency=low
1576+
1577+ * strongswan-starter.strongswan.upstart - Only start strongSwan when a
1578+ network connection is available.
1579+ * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
1580+ 1.16.1 - to make precise backporting easier.
1581+
1582+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
1583+
1584+strongswan (5.1.1-0ubuntu2) trusty; urgency=low
1585+
1586+ * strongswan-starter.strongswan.upstart - Created Upstart job for
1587+ strongSwan.
1588+ * debian/rules: Set dh_installinit to install above file.
1589+ * debian/strongswan-starter.postinit:
1590+ - Removed section about runlevel changes, it's almost 2014.
1591+ - Adapted service restart section for Upstart.
1592+ - Remove old symlinks to init.d files is necessary.
1593+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1594+
1595+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
1596+
1597+strongswan (5.1.1-0ubuntu1) trusty; urgency=low
1598+
1599+ * New upstream release.
1600+ * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
1601+ * debian/control: Updated Standards-Version to 3.9.5 and applied
1602+ XSBC-Original-Maintainer policy.
1603+ * strongswan-starter.install:
1604+ - pki tool is now in /usr/bin.
1605+ - Install pt-tls-client.
1606+ - Install manpages (LP: #1206263).
1607+
1608+ -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
1609+
1610 strongswan (5.1.0-3) unstable; urgency=high
1611
1612 * urgency=high for the security fixes.
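Review bot: 5.1.1-0ubuntu9 lists "Run strongswan as it's own user" under the configure options, and 5.1.1-0ubuntu10 then says the daemon is still running as root with AppArmor protection. Because the restored history contradicts itself on privilege dropping, the merge description should state which of the two holds for the 5.8.2 package, so reviewers of the AppArmor profiles know what confinement they are relying on.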
1613diff --git a/debian/control b/debian/control
1614index 20c45c4..5cd92c7 100644
1615--- a/debian/control
1616+++ b/debian/control
1617@@ -1,7 +1,8 @@
1618 Source: strongswan
1619 Section: net
1620 Priority: optional
1621-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
1622+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
1623+XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
1624 Uploaders: Yves-Alexis Perez <corsac@debian.org>
1625 Standards-Version: 4.4.1
1626 Vcs-Browser: https://salsa.debian.org/debian/strongswan
1627@@ -15,6 +16,7 @@ Build-Depends: bison,
1628 gperf,
1629 libip4tc-dev [linux-any],
1630 libip6tc-dev [linux-any],
1631+ libiptc-dev [linux-any],
1632 libcap-dev [linux-any],
1633 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
1634 libgcrypt20-dev | libgcrypt11-dev,
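Review bot: `libiptc-dev [linux-any]` is added directly after `libip4tc-dev` and `libip6tc-dev`, and nothing in this hunk says why the Ubuntu delta needs the extra build dependency. If it is only a temporary requirement, note that in the remaining-changes list of the new changelog entry so it can be dropped at the next merge.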
1635@@ -150,8 +152,8 @@ Architecture: any
1636 Depends: libstrongswan (= ${binary:Version}),
1637 ${misc:Depends},
1638 ${shlibs:Depends}
1639-Breaks: libcharon-extra-plugins (<< 5.8.0-2~)
1640-Replaces: libcharon-extra-plugins (<< 5.8.0-2~)
1641+Breaks: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
1642+Replaces: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
1643 Description: strongSwan charon library (extended authentication plugins)
1644 The strongSwan VPN suite uses the native IPsec stack in the standard
1645 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
1646@@ -170,11 +172,65 @@ Description: strongSwan charon library (extended authentication plugins)
1647 These are the "not always, but still more commonly used" plugins, for further
1648 needs even more plugins can be found in the package libcharon-extra-plugins.
1649
1650+# Transition from former Ubuntu only libcharon-standard-plugins to common libcharon-extauth-plugins
1651+Package: libcharon-standard-plugins
1652+Depends: libcharon-extauth-plugins (= ${source:Version}), ${misc:Depends}
1653+Architecture: all
1654+Priority: optional
1655+Section: oldlibs
1656+Description: transitional package
1657+ This is a transitional package. It can safely be removed.
1658+
1659+# Transition back from strongswan-tnc-* being in extra packages
1660+# Can be dropped after 20.04
1661+Package: strongswan-tnc-ifmap
1662+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
1663+Architecture: all
1664+Priority: optional
1665+Section: oldlibs
1666+Description: transitional package
1667+ This is a transitional package. It can safely be removed.
1668+
1669+Package: strongswan-tnc-base
1670+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
1671+Architecture: all
1672+Priority: optional
1673+Section: oldlibs
1674+Description: transitional package
1675+ This is a transitional package. It can safely be removed.
1676+
1677+Package: strongswan-tnc-client
1678+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
1679+Architecture: all
1680+Priority: optional
1681+Section: oldlibs
1682+Description: transitional package
1683+ This is a transitional package. It can safely be removed.
1684+
1685+Package: strongswan-tnc-server
1686+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
1687+Architecture: all
1688+Priority: optional
1689+Section: oldlibs
1690+Description: transitional package
1691+ This is a transitional package. It can safely be removed.
1692+
1693+Package: strongswan-tnc-pdp
1694+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
1695+Architecture: all
1696+Priority: optional
1697+Section: oldlibs
1698+Description: transitional package
1699+ This is a transitional package. It can safely be removed.
1700+
1701 Package: libcharon-extra-plugins
1702 Architecture: any
1703 Depends: libstrongswan (= ${binary:Version}),
1704 ${misc:Depends},
1705 ${shlibs:Depends}
1706+Breaks: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
1707+Replaces: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
1708+Provides: strongswan-tnc-base
1709 Description: strongSwan charon library (extra plugins)
1710 The strongSwan VPN suite uses the native IPsec stack in the standard
1711 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
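Review bot: The six transitional stanzas are `Architecture: all` but depend on an `Architecture: any` package with `(= ${source:Version})`. A binary-only rebuild of libcharon-extauth-plugins or libcharon-extra-plugins would make them uninstallable, so `(>= ${source:Version})` is the safer form. Separately, the new Breaks/Replaces on libcharon-extra-plugins use `(<< 5.7.2-1ubuntu1)` without the trailing `~` that the libcharon-standard-plugins relation (`<< 5.8.1-1ubuntu1~`) uses; please make the two consistent or say why they differ.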
1712@@ -210,9 +266,9 @@ Pre-Depends: ${misc:Pre-Depends}
1713 Depends: adduser,
1714 libstrongswan (= ${binary:Version}),
1715 lsb-base (>= 3.0-6),
1716+ strongswan-charon,
1717 ${misc:Depends},
1718 ${shlibs:Depends}
1719-Recommends: strongswan-charon
1720 Conflicts: openswan
1721 Description: strongSwan daemon starter and configuration file parser
1722 The strongSwan VPN suite uses the native IPsec stack in the standard
1723@@ -251,9 +307,9 @@ Architecture: any
1724 Pre-Depends: debconf | debconf-2.0
1725 Depends: iproute2 [linux-any] | iproute [linux-any],
1726 libstrongswan (= ${binary:Version}),
1727- strongswan-starter,
1728 ${misc:Depends},
1729 ${shlibs:Depends}
1730+Recommends: strongswan-starter,
1731 Provides: ike-server
1732 Description: strongSwan Internet Key Exchange daemon
1733 The strongSwan VPN suite uses the native IPsec stack in the standard
