Ubuntu
strongswan package

Merge ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal into ubuntu/+source/strongswan:debian/sid

  1. Git
  2. lp:~paelzer/ubuntu/+source/strongswan
  3. merge-5.8.2-focal
  4. Merge into debian/sid
Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 0191ec297c354a9d4a04ae0e1b8b4d5c71a4ec44
Proposed branch: ~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 1733 lines (+1581/-5)
2 files modified
debian/changelog (+1520/-0)
debian/control (+61/-5)
Reviewer Review Type Date Requested Status
Bryce Harrington (community) Approve
git-ubuntu developers Pending
Canonical Server packageset reviewers Pending
Review via email: mp+378566@code.launchpad.net

This proposal supersedes a proposal from 2020-02-05.

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote : Posted in a previous version of this proposal

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3914
Ticket: https://bileto.ubuntu.com/#/ticket/3914
Bug: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1861971

Many fixes in upstream and Debain that are nice to get for 20.04

One change is the addition of DRBG which is in libstronswanpluging.
That packages is in main so lets be extra careful, but it does not add a new dependency:

root@d10-sid:~# ldd /usr/lib/ipsec/plugins/libstrongswan-drbg.so
        linux-vdso.so.1 (0x00007ffe89033000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9d00b79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9d00d51000)

Note: This package is affected by the empty-directory-issue but I have the old meregs and can quickly recover the history.

Usual tags pushed to help review:
 * [new tag] lp1861971/logical/5.8.1-1ubuntu1 -> lp1861971/logical/5.8.1-1ubuntu1
 * [new tag] lp1861971/new/debian -> lp1861971/new/debian
 * [new tag] lp1861971/old/debian -> lp1861971/old/debian
 * [new tag] lp1861971/old/ubuntu -> lp1861971/old/ubuntu
 * [new tag] lp1861971/reconstruct/5.8.1-1ubuntu1 -> lp1861971/reconstruct/5.8.1-1ubuntu1
 * [new tag] lp1861971/split/5.8.1-1ubuntu1 -> lp1861971/split/5.8.1-1ubuntu1

Finally, look and embrace how small and reasonable the strongswan delta has become :-)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Resubmitted the MP against debian/sid for better LP delta visualization

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For now blocked on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947176

I filed Ubuntu bug
https://bugs.launchpad.net/debian/+source/iptables/+bug/1861975

Once unblocked it should build and test rather straight forward ...

~paelzer/ubuntu/+source/strongswan:merge-5.8.2-focal updated
d2e25d3... by Christian Ehrhardt 

d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)

This is needed due to changes in regard to Debian bug 947176 and 939243
and can later be dropped again.

Signed-off-by: Christian Ehrhardt <email address hidden>

0191ec2... by Christian Ehrhardt 

changelog: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)

Signed-off-by: Christian Ehrhardt <email address hidden>

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I was able to understand more of the issue and fix the FTBFS on the strongswan side as part of the merge. No more blocked ....

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

All tests good except i386 (might need overrides but ok)
https://bileto.ubuntu.com/excuses/3914/focal.html

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Local QRT tests good as well
Got:
Ran 4 tests in 5.150s
Ran 4 tests in 5.179s

Revision history for this message
Bryce Harrington (bryce) wrote :

Approved for landing the merge, a couple notes below.

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
    + Debian is at 5.8.2-1 in unstable and unstable-debug
  - [-] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine
    + systemd service had a warning (see below), but still PASS so maybe that was expected?

Can you provide an explanation in a comment the bug report, LP: #1861975, as to what the next steps will be? I.e. is libiptc's addition temporary until there is a better fix, or...? It's not critical this is done, and it certainly shouldn't delay the merge, but mainly I just want to make sure it's clear for future maintainers what they'd need to do going forward.

I verified the build was ok in the PPA. I tried git ubuntu build and debuild to run on this in my lxc checkout, but unsuccessfully unfortunately; I'm wondering if the dependency changes confused apt. I can give more details if you think this is worth exploring, but I'm ok trusting the PPA build, and my autopkgtest results.

autopkgtest [18:44:02]: test plugins: [-----------------------
Unit strongswan.service could not be found.
invoke-rc.d: initscript strongswan, action "status" failed.
autopkgtest [18:44:03]: test plugins: -----------------------]
autopkgtest [18:44:03]: test plugins: - - - - - - - - - - results - - - - - - - - - -
plugins PASS
autopkgtest [18:44:03]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for the review - I added a comment to the libiptc related commit.
TL;DR can be dropped in the next merge from Debian.

I only built sbuild and in PPA and both worked.
Lets hope your build issues are not a real thing due to other changes in the archive.
For the sake of being on the safe side I re-pushed a new build to the PPA, but that build fine as well so let me upload it.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
 * [new tag] upload/5.8.2-1ubuntu1 -> upload/5.8.2-1ubuntu1

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.8.2-1ubuntu1.dsc: done.
  Uploading strongswan_5.8.2.orig.tar.bz2: done.
  Uploading strongswan_5.8.2-1ubuntu1.debian.tar.xz: done.
  Uploading strongswan_5.8.2-1ubuntu1_source.buildinfo: done.
  Uploading strongswan_5.8.2-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu1 started to build => merged

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index da6dc86..c1b10db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
1strongswan (5.8.2-1ubuntu1) focal; urgency=medium
2
3 * Merge with Debian unstable (LP: #1861971). Remaining changes:
4 - d/control: Transition from strongswan-tnc-* being in extra packages
5 to libcharon-extra-plugins (drop after 20.04)
6 - d/control: Transition from former Ubuntu only libcharon-standard-plugins
7 to common libcharon-extauth-plugins (drop after 20.04)
8 - d/control: strongswan-starter hard-depends on strongswan-charon,
9 therefore bump the dependency from Recommends to Depends. At the same
10 time avoid a circular dependency by dropping
11 strongswan-charon->strongswan-starter from Depends to Recommends as the
12 binaries can work without the services but not vice versa.
13 * Added Changes
14 - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
15 This is needed due to changes in regard to Debian bug 947176 and 939243
16 and can later be dropped again.
17
18 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
19
1strongswan (5.8.2-1) unstable; urgency=medium20strongswan (5.8.2-1) unstable; urgency=medium
221
3 [ Jean-Michel Vourgère ]22 [ Jean-Michel Vourgère ]
@@ -14,6 +33,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
1433
15 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +010034 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
1635
36strongswan (5.8.1-1ubuntu1) focal; urgency=medium
37
38 * Merge with Debian unstable (LP: #1852579). Remaining changes:
39 - d/control: Transition from strongswan-tnc-* being in extra packages
40 to libcharon-extra-plugins
41 * Added Changes:
42 - d/control: Transition from former Ubuntu only libcharon-standard-plugins
43 to common libcharon-extauth-plugins (drop after 20.04)
44 - d/control: strongswan-starter hard-depends on strongswan-charon,
45 therefore bump the dependency from Recommends to Depends. At the same
46 time avoid a circular dependency by dropping
47 strongswan-charon->strongswan-starter from Depends to Recommends as the
48 binaries can work without the services but not vice versa.
49 * Dropped Changes (now in Debian):
50 - Clean up d/strongswan-starter.postinst: section about runlevel changes
51 - Clean up d/strongswan-starter.postinst: Removed entire section on
52 opportunistic encryption disabling - this was never in strongSwan and
53 won't be see upstream issue #2160.
54 - d/rules: Removed patching ipsec.conf on build (not using the
55 debconf-managed config.)
56 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
57 used for debconf-managed include of private key).
58 - Add plugin kernel-libipsec to allow the use of strongswan in containers
59 via this userspace implementation (please do note that this is still
60 considered experimental by upstream).
61 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
62 + d/control: List kernel-libipsec plugin at extra plugins description
63 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
64 upstream recommends to not load kernel-libipsec by default.
65 - d/control: Mention mgf1 plugin which is in libstrongswan now
66 - Complete the disabling of libfast; This was partially accepted in Debian,
67 it is no more packaging medcli and medsrv, but still builds and
68 mentions it.
69 + d/rules: Add --disable-fast to avoid build time and dependencies
70 + d/control: Remove medcli, medsrv from package description
71 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
72 libstrongswan-extra-plugins (no deps from default plugins).
73 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
74 plugins for the most common use cases from extra-plugins into a new
75 standard-plugins package. This will allow those use cases without pulling
76 in too much more plugins (a bit like the tnc package). Recommend that
77 package from strongswan-libcharon.
78 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
79 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
80 - executables need to be able to read map and execute themselves otherwise
81 execution in some environments e.g. containers is blocked (LP 1780534)
82 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
83 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
84 - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
85 profiles of both ways to start charon (LP 1807664)
86 - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
87 - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
88 Debian so this part was be dropped. Two changes remain
89 - d/control: fix the mentioning of tpmtss in d/control
90 - apparmor fixes for container and root usage (LP 1826238)
91 + d/usr.sbin.swanctl: allow reading own binary
92 + d/usr.sbin.charon-systemd: allow accessing the binary
93 + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
94 + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
95 to apparmor to allow dropping caps
96 * Dropped Changes (too uncommon to support by default)
97 - d/libstrongswan.install: Add kernel-netlink configuration files
98 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
99 attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
100 - Mass enablement of extra plugins and features to allow a user to use
101 strongswan for a variety of extra use cases without having to rebuild.
102 + d/control: Add required additional build-deps
103 + d/control: Mention addtionally enabled plugins
104 + d/rules: Enable features at configure stage
105 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
106 + d/libstrongswan.install: Add plugins (so, conf)
107 + d/strongswan-starter.install: Install pool feature, which is useful
108 since we now have attr-sql plugin enabled it.
109 - Enable additional TNC plugins and add them to libcharon-extra-plugins
110
111 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
112
17strongswan (5.8.1-1) unstable; urgency=medium113strongswan (5.8.1-1) unstable; urgency=medium
18114
19 * d/rules: disable http and stream tests under CI115 * d/rules: disable http and stream tests under CI
@@ -83,6 +179,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
83179
84 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200180 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
85181
182strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
183
184 * No change rebuild for libmysqlclient21.
185
186 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
187
188strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
189
190 * Rebuild against new libjson-c4.
191
192 -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
193
194strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
195
196 [ Christian Ehrhardt ]
197 * Merge with Debian unstable. Remaining changes:
198 - Clean up d/strongswan-starter.postinst: section about runlevel changes
199 - Clean up d/strongswan-starter.postinst: Removed entire section on
200 opportunistic encryption disabling - this was never in strongSwan and
201 won't be see upstream issue #2160.
202 - d/rules: Removed patching ipsec.conf on build (not using the
203 debconf-managed config.)
204 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
205 used for debconf-managed include of private key).
206 - Mass enablement of extra plugins and features to allow a user to use
207 strongswan for a variety of extra use cases without having to rebuild.
208 + d/control: Add required additional build-deps
209 + d/control: Mention addtionally enabled plugins
210 + d/rules: Enable features at configure stage
211 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
212 + d/libstrongswan.install: Add plugins (so, conf)
213 + d/strongswan-starter.install: Install pool feature, which is useful
214 since we now have attr-sql plugin enabled it.
215 - Add plugin kernel-libipsec to allow the use of strongswan in containers
216 via this userspace implementation (please do note that this is still
217 considered experimental by upstream).
218 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
219 + d/control: List kernel-libipsec plugin at extra plugins description
220 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
221 upstream recommends to not load kernel-libipsec by default.
222 - d/libstrongswan.install: Add kernel-netlink configuration files
223 - Complete the disabling of libfast; This was partially accepted in Debian,
224 it is no more packaging medcli and medsrv, but still builds and
225 mentions it.
226 + d/rules: Add --disable-fast to avoid build time and dependencies
227 + d/control: Remove medcli, medsrv from package description
228 - d/control: Mention mgf1 plugin which is in libstrongswan now
229 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
230 libstrongswan-extra-plugins (no deps from default plugins).
231 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
232 plugins for the most common use cases from extra-plugins into a new
233 standard-plugins package. This will allow those use cases without pulling
234 in too much more plugins (a bit like the tnc package). Recommend that
235 package from strongswan-libcharon.
236 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
237 attr-sql plugins (LP #1766240)
238 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
239 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
240 - executables need to be able to read map and execute themselves otherwise
241 execution in some environments e.g. containers is blocked (LP: 1780534)
242 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
243 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
244 - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
245 profiles of both ways to start charon (LP: 1807664)
246 - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
247 * Dropped changes
248 - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
249 fix SIGSEGV when using mysql plugin (LP: 1795813)
250 [upstream in 5.7.2]
251 - d/libstrongswan.install: Reorder conf and .so alphabetically
252 [was a non functional change, dropped to avoid merge noise]
253 - Relocate tnc plugin
254 [TNC is back at libcharon-extra-plugins as it is in Debian]
255 * Added changes:
256 - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
257 Debian so this part was be dropped. Two changes remain
258 - d/control: fix the mentioning of tpmtss in d/control
259 - add nttfft (can be merged with the mass enablement change later)
260 - Transitional packages to go back from strongswan-tnc-* being in extra
261 packages to be part of libcharon-extra-plugins.
262 [can be dropped after 20.04]
263
264 [ Simon Deziel ]
265 * Added changes:
266 - apparmor fixes for container and root usage (LP: #1826238)
267 + d/usr.sbin.swanctl: allow reading own binary
268 + d/usr.sbin.charon-systemd: allow accessing the binary
269 + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
270 + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
271 to apparmor to allow dropping caps
272
273 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
274
86strongswan (5.7.2-1) unstable; urgency=medium275strongswan (5.7.2-1) unstable; urgency=medium
87276
88 * d/control: remove Rene from Uploaders, thanks!277 * d/control: remove Rene from Uploaders, thanks!
@@ -101,6 +290,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
101290
102 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100291 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
103292
293strongswan (5.7.1-1ubuntu2) disco; urgency=medium
294
295 * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
296 path (LP: #1773956)
297 * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
298 profiles of both ways to start charon (LP: #1807664)
299 * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
300
301 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
302
303strongswan (5.7.1-1ubuntu1) disco; urgency=medium
304
305 * Merge with Debian unstable (LP: #1806401). Remaining changes:
306 - Clean up d/strongswan-starter.postinst: section about runlevel changes
307 - Clean up d/strongswan-starter.postinst: Removed entire section on
308 opportunistic encryption disabling - this was never in strongSwan and
309 won't be see upstream issue #2160.
310 - d/rules: Removed patching ipsec.conf on build (not using the
311 debconf-managed config.)
312 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
313 used for debconf-managed include of private key).
314 - Mass enablement of extra plugins and features to allow a user to use
315 strongswan for a variety of extra use cases without having to rebuild.
316 + d/control: Add required additional build-deps
317 + d/control: Mention addtionally enabled plugins
318 + d/rules: Enable features at configure stage
319 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
320 + d/libstrongswan.install: Add plugins (so, conf)
321 - d/strongswan-starter.install: Install pool feature, which is useful since
322 we have attr-sql plugin enabled as well using it.
323 - Add plugin kernel-libipsec to allow the use of strongswan in containers
324 via this userspace implementation (please do note that this is still
325 considered experimental by upstream).
326 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
327 + d/control: List kernel-libipsec plugin at extra plugins description
328 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
329 upstream recommends to not load kernel-libipsec by default.
330 - Relocate tnc plugin
331 + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
332 + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
333 - d/libstrongswan.install: Reorder conf and .so alphabetically
334 - d/libstrongswan.install: Add kernel-netlink configuration files
335 - Complete the disabling of libfast; This was partially accepted in Debian,
336 it is no more packaging medcli and medsrv, but still builds and
337 mentions it.
338 + d/rules: Add --disable-fast to avoid build time and dependencies
339 + d/control: Remove medcli, medsrv from package description
340 - d/control: Mention mgf1 plugin which is in libstrongswan now
341 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
342 libstrongswan-extra-plugins (no deps from default plugins).
343 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
344 plugins for the most common use cases from extra-plugins into a new
345 standard-plugins package. This will allow those use cases without pulling
346 in too much more plugins (a bit like the tnc package). Recommend that
347 package from strongswan-libcharon.
348 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
349 attr-sql plugins (LP #1766240)
350 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
351 * Added Changes:
352 - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
353 fix SIGSEGV when using mysql plugin (LP: #1795813)
354 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
355 - executables need to be able to read map and execute themselves otherwise
356 execution in some environments e.g. containers is blocked (LP: #1780534)
357 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
358 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
359 - adapt "mass enablement of extra plugins" to match 5.7.x changes
360 + d/rules: use new options for swima instead of swid
361 + d/strongswan-tnc-server.install: add new sec updater tool
362 + d/strongswan-tnc-client.install: add new sw-collector tool
363 * Dropped (in Debian now):
364 - SECURITY UPDATE: Insufficient input validation in gmp plugin
365 (CVE-2018-17540)
366 - SECURITY UPDATE: Insufficient input validation in gmp plugin
367 (CVE-2018-16151 CVE-2018-16152)
368 - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
369 usr-merge, thanks to Christian Ehrhardt. LP #1784023
370
371 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
372
104strongswan (5.7.1-1) unstable; urgency=medium373strongswan (5.7.1-1) unstable; urgency=medium
105374
106 [ Ondřej Nový ]375 [ Ondřej Nový ]
@@ -131,6 +400,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
131400
132 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200401 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
133402
403strongswan (5.6.3-1ubuntu5) disco; urgency=medium
404
405 * No-change rebuild against libunbound8
406
407 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
408
409strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
410
411 * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
412 Thanks to Matt Callaghan.
413
414 -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
415
416strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
417
418 * SECURITY UPDATE: Insufficient input validation in gmp plugin
419 - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
420 buffer overflow with very small RSA keys in
421 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
422 - CVE-2018-17540
423
424 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
425
426strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
427
428 * SECURITY UPDATE: Insufficient input validation in gmp plugin
429 - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
430 parse PKCS1 v1.5 RSA signatures to verify them in
431 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
432 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
433 - CVE-2018-16151
434 - CVE-2018-16152
435
436 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
437
438strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
439
440 * Merge with Debian unstable. Remaining changes:
441 - Clean up d/strongswan-starter.postinst: section about runlevel changes
442 - Clean up d/strongswan-starter.postinst: Removed entire section on
443 opportunistic encryption disabling - this was never in strongSwan and
444 won't be see upstream issue #2160.
445 - d/rules: Removed patching ipsec.conf on build (not using the
446 debconf-managed config.)
447 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
448 used for debconf-managed include of private key).
449 - Mass enablement of extra plugins and features to allow a user to use
450 strongswan for a variety of extra use cases without having to rebuild.
451 + d/control: Add required additional build-deps
452 + d/control: Mention addtionally enabled plugins
453 + d/rules: Enable features at configure stage
454 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
455 + d/libstrongswan.install: Add plugins (so, conf)
456 - d/strongswan-starter.install: Install pool feature, which is useful since
457 we have attr-sql plugin enabled as well using it.
458 - Add plugin kernel-libipsec to allow the use of strongswan in containers
459 via this userspace implementation (please do note that this is still
460 considered experimental by upstream).
461 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
462 + d/control: List kernel-libipsec plugin at extra plugins description
463 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
464 upstream recommends to not load kernel-libipsec by default.
465 - Relocate tnc plugin
466 + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
467 + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
468 - d/libstrongswan.install: Reorder conf and .so alphabetically
469 - d/libstrongswan.install: Add kernel-netlink configuration files
470 - Complete the disabling of libfast; This was partially accepted in Debian,
471 it is no more packaging medcli and medsrv, but still builds and
472 mentions it.
473 + d/rules: Add --disable-fast to avoid build time and dependencies
474 + d/control: Remove medcli, medsrv from package description
475 - d/control: Mention mgf1 plugin which is in libstrongswan now
476 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
477 libstrongswan-extra-plugins (no deps from default plugins).
478 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
479 plugins for the most common use cases from extra-plugins into a new
480 standard-plugins package. This will allow those use cases without pulling
481 in too much more plugins (a bit like the tnc package). Recommend that
482 package from strongswan-libcharon.
483 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
484 attr-sql plugins (LP #1766240)
485 - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
486 usr-merge, thanks to Christian Ehrhardt. LP #1784023
487 * Dropped:
488 - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
489 [Fixed in 5.6.3-1]
490
491 -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
492
134strongswan (5.6.3-1) unstable; urgency=medium493strongswan (5.6.3-1) unstable; urgency=medium
135494
136 * New upstream version 5.6.2495 * New upstream version 5.6.2
@@ -146,6 +505,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
146505
147 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200506 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
148507
508strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
509
510 * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
511
512 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
513
514strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
515
516 * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
517 Remaining changes:
518 + Clean up d/strongswan-starter.postinst: section about runlevel changes
519 + Clean up d/strongswan-starter.postinst: Removed entire section on
520 opportunistic encryption disabling - this was never in strongSwan and
521 won't be see upstream issue #2160.
522 + d/rules: Removed patching ipsec.conf on build (not using the
523 debconf-managed config.)
524 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
525 used for debconf-managed include of private key).
526 + Mass enablement of extra plugins and features to allow a user to use
527 strongswan for a variety of extra use cases without having to rebuild.
528 - d/control: Add required additional build-deps
529 - d/control: Mention addtionally enabled plugins
530 - d/rules: Enable features at configure stage
531 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
532 - d/libstrongswan.install: Add plugins (so, conf)
533 + d/strongswan-starter.install: Install pool feature, which is useful since
534 we have attr-sql plugin enabled as well using it.
535 + Add plugin kernel-libipsec to allow the use of strongswan in containers
536 via this userspace implementation (please do note that this is still
537 considered experimental by upstream).
538 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
539 - d/control: List kernel-libipsec plugin at extra plugins description
540 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
541 upstream recommends to not load kernel-libipsec by default.
542 + Relocate tnc plugin
543 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
544 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
545 + d/libstrongswan.install: Reorder conf and .so alphabetically
546 + d/libstrongswan.install: Add kernel-netlink configuration files
547 + Complete the disabling of libfast; This was partially accepted in Debian,
548 it is no more packaging medcli and medsrv, but still builds and
549 mentions it.
550 - d/rules: Add --disable-fast to avoid build time and dependencies
551 - d/control: Remove medcli, medsrv from package description
552 + d/control: Mention mgf1 plugin which is in libstrongswan now
553 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
554 libstrongswan-extra-plugins (no deps from default plugins).
555 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
556 plugins for the most common use cases from extra-plugins into a new
557 standard-plugins package. This will allow those use cases without pulling
558 in too much more plugins (a bit like the tnc package). Recommend that
559 package from strongswan-libcharon.
560 * Dropped Changes (no more needed after 18.04)
561 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
562 missed that, droppable after 18.04)
563 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
564 libstrongswan as we dropped relocating ccm and test-vectors.
565 (droppable >18.04).
566 + d/control: add breaks/replace from libstrongswan to
567 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
568 (droppable >18.04).
569 + d/control: bump breaks/replaces for the move of the updown plugin
570 (Missed Changelog entry on last merge)
571 + d/control: fix dependencies of strongswan-libcharon due to the move
572 the updown plugin (droppable >18.04).
573 * Added Changes:
574 + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
575 attr-sql plugins (LP: #1766240)
576 + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
577
578 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
579
149strongswan (5.6.2-2) unstable; urgency=medium580strongswan (5.6.2-2) unstable; urgency=medium
150581
151 * charon-nm: Fix building list of DNS/MDNS servers with libnm582 * charon-nm: Fix building list of DNS/MDNS servers with libnm
@@ -156,6 +587,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
156587
157 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200588 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
158589
590strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
591
592 * d/control: fix dependencies of strongswan-libcharon due to the move
593 the updown plugin.
594
595 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
596
597strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
598
599 * Merge with Debian unstable (LP: #1753018). Remaining changes:
600 + Clean up d/strongswan-starter.postinst: section about runlevel changes
601 + Clean up d/strongswan-starter.postinst: Removed entire section on
602 opportunistic encryption disabling - this was never in strongSwan and
603 won't be see upstream issue #2160.
604 + Ubuntu is not using the debconf triggered private key generation
605 - d/rules: Removed patching ipsec.conf on build (not using the
606 debconf-managed config.)
607 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
608 used for debconf-managed include of private key).
609 + Mass enablement of extra plugins and features to allow a user to use
610 strongswan for a variety of extra use cases without having to rebuild.
611 - d/control: Add required additional build-deps
612 - d/control: Mention addtionally enabled plugins
613 - d/rules: Enable features at configure stage
614 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
615 - d/libstrongswan.install: Add plugins (so, conf)
616 + d/strongswan-starter.install: Install pool feature, which is useful since
617 we have attr-sql plugin enabled as well using it.
618 + Add plugin kernel-libipsec to allow the use of strongswan in containers
619 via this userspace implementation (please do note that this is still
620 considered experimental by upstream).
621 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
622 - d/control: List kernel-libipsec plugin at extra plugins description
623 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
624 upstream recommends to not load kernel-libipsec by default.
625 + Relocate tnc plugin
626 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
627 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
628 + d/libstrongswan.install: Reorder conf and .so alphabetically
629 + d/libstrongswan.install: Add kernel-netlink configuration files
630 + Complete the disabling of libfast; This was partially accepted in Debian,
631 it is no more packaging medcli and medsrv, but still builds and
632 mentions it.
633 - d/rules: Add --disable-fast to avoid build time and dependencies
634 - d/control: Remove medcli, medsrv from package description
635 + d/control: Mention mgf1 plugin which is in libstrongswan now
636 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
637 libstrongswan-extra-plugins (no deps from default plugins).
638 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
639 missed that, droppable after 18.04)
640 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
641 plugins for the most common use cases from extra-plugins into a new
642 standard-plugins package. This will allow those use cases without pulling
643 in too much more plugins (a bit like the tnc package). Recommend that
644 package from strongswan-libcharon.
645 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
646 libstrongswan as we dropped relocating ccm and test-vectors.
647 (droppable >18.04).
648 + d/control: add breaks/replace from libstrongswan to
649 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
650 (droppable >18.04).
651 * Added Changes:
652 + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
653 starter as we followed Debian to move the updown plugin but need to
654 match Ubuntu versions (Droppable >18.04).
655
656 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
657
159strongswan (5.6.2-1) unstable; urgency=medium658strongswan (5.6.2-1) unstable; urgency=medium
160659
161 * d/NEWS: add information about disabled algorithms (closes: #883072)660 * d/NEWS: add information about disabled algorithms (closes: #883072)
@@ -178,6 +677,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
178677
179 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100678 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
180679
680strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
681
682 * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
683 - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
684 identifier without parameters in
685 src/libstrongswan/credentials/keys/signature_params.c.
686 - CVE-2018-6459
687
688 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
689
690strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
691
692 * No-change rebuild against libcurl4
693
694 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
695
696strongswan (5.6.1-2ubuntu2) bionic; urgency=high
697
698 * No change rebuild against openssl1.1.
699
700 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
701
702strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
703
704 * Merge with Debian unstable (LP: #1717343).
705 Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
706 + Clean up d/strongswan-starter.postinst: section about runlevel changes
707 + Clean up d/strongswan-starter.postinst: Removed entire section on
708 opportunistic encryption disabling - this was never in strongSwan and
709 won't be see upstream issue #2160.
710 + Ubuntu is not using the debconf triggered private key generation
711 - d/rules: Removed patching ipsec.conf on build (not using the
712 debconf-managed config.)
713 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
714 used for debconf-managed include of private key).
715 + Mass enablement of extra plugins and features to allow a user to use
716 strongswan for a variety of extra use cases without having to rebuild.
717 - d/control: Add required additional build-deps
718 - d/control: Mention addtionally enabled plugins
719 - d/rules: Enable features at configure stage
720 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
721 - d/libstrongswan.install: Add plugins (so, conf)
722 + d/strongswan-starter.install: Install pool feature, which is useful since
723 we have attr-sql plugin enabled as well using it.
724 + Add plugin kernel-libipsec to allow the use of strongswan in containers
725 via this userspace implementation (please do note that this is still
726 considered experimental by upstream).
727 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
728 - d/control: List kernel-libipsec plugin at extra plugins description
729 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
730 upstream recommends to not load kernel-libipsec by default.
731 + Relocate tnc plugin
732 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
733 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
734 + d/libstrongswan.install: Reorder conf and .so alphabetically
735 + d/libstrongswan.install: Add kernel-netlink configuration files
736 + Complete the disabling of libfast; This was partially accepted in Debian,
737 it is no more packaging medcli and medsrv, but still builds and
738 mentions it.
739 - d/rules: Add --disable-fast to avoid build time and dependencies
740 - d/control: Remove medcli, medsrv from package description
741 + d/control: Mention mgf1 plugin which is in libstrongswan now
742 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
743 libstrongswan-extra-plugins (no deps from default plugins).
744 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
745 missed that, droppable after 18.04)
746 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
747 plugins for the most common use cases from extra-plugins into a new
748 standard-plugins package. This will allow those use cases without pulling
749 in too much more plugins (a bit like the tnc package). Recommend that
750 package from strongswan-libcharon.
751 * Added changes:
752 + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
753 in 5.6
754 + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
755 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
756 libstrongswan as we dropped relocating ccm and test-vectors.
757 (droppable >18.04).
758 - d/control: add breaks/replace from libstrongswan to
759 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
760 (droppable >18.04).
761 * Dropped changes:
762 + Update init/service handling (debian default matches Ubuntu past now)
763 Dropping this fixes (LP: #1734886)
764 - d/rules: Change init/systemd program name to strongswan
765 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
766 patching upstream
767 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
768 linking to upstream
769 + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
770 (this is a never failing no-op for us, no need for Delta).
771 + d/strongswan-starter.prerm: Stop strongswan service on package removal
772 (ipsec now maps to strongswan service, so this works as-is).
773 + Clean up d/strongswan-starter.postinst: rename service ipsec to
774 strongswan (ipsec now maps to strongswan service, so this works as-is)
775 + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
776 whole section is disabled, so no need for delta)
777 + (is upstream) CVE-2017-11185 patches
778 + (is upstream) FTBFS upstream fix for changed include files
779 + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
780 QEMU/KVM autopkgtest the bliss test takes longer than the default
781 + (in Debian) add now built (since 5.5.1) mgf1 plugin to
782 libstrongswan-extra-plugins.
783 + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
784 + (this was enabled as part of the former delta, squash changes to no-up)
785 d/rules: Disable duplicheck.
786 + (not needed) Relocate plugins test-vectors from extra-plugins to
787 libstrongswan
788 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
789 - d/libstrongswan.install: Add plugins/confiles
790 - d/control: move package descriptions and add required breaks/replaces
791 + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
792 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
793 - d/libstrongswan.install: Add plugins/confiles
794 - d/control: move package descriptions and add required breaks/replaces
795 + (while using it requires special kernel, it does not hurt to be
796 available in the package) Remove ha plugin
797 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
798 - d/rules: Do not enable ha plugin
799 - d/control: Drop listing the ha plugin in the package description
800
801 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
802
181strongswan (5.6.1-2) unstable; urgency=medium803strongswan (5.6.1-2) unstable; urgency=medium
182804
183 * move counters plugin from -starter to -libcharon. closes: #882431805 * move counters plugin from -starter to -libcharon. closes: #882431
@@ -264,6 +886,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
264886
265 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200887 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
266888
889strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
890
891 * Fix Artful FTBFS due to newer glibc (LP: #1724859)
892 - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
893 files.
894
895 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
896
897strongswan (5.5.1-4ubuntu2) artful; urgency=medium
898
899 * SECURITY UPDATE: Fix RSA signature verification
900 - debian/patches/CVE-2017-11185.patch: does some
901 verifications in order to avoid null-point dereference
902 in src/libstrongswan/gmp/gmp_rsa_public_key.c
903 - CVE-2017-11185
904
905 -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
906
907strongswan (5.5.1-4ubuntu1) artful; urgency=medium
908
909 * Merge from Debian to pick up latest security changes (CVE-2017-9022,
910 CVE-2017-9023).
911 * Remaining Changes:
912 + Update init/service handling
913 - d/rules: Change init/systemd program name to strongswan
914 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
915 patching upstream
916 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
917 linking to upstream
918 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
919 - d/strongswan-starter.prerm: Stop strongswan service on package
920 removal (as opposed to using the old init.d script).
921 + Clean up d/strongswan-starter.postinst:
922 - Removed section about runlevel changes
923 - Adapted service restart section for Upstart (kept to be Trusty
924 backportable).
925 - Remove old symlinks to init.d files is necessary.
926 - Removed further out-dated code
927 - Removed entire section on opportunistic encryption - this was never in
928 strongSwan.
929 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
930 + Mass enablement of extra plugins and features to allow a user to use
931 strongswan for a variety of use cases without having to rebuild.
932 - d/control: Add required additional build-deps
933 - d/rules: Enable features at configure stage
934 - d/control: Mention addtionally enabled plugins
935 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
936 - d/libstrongswan.install: Add plugins (so, conf)
937 + d/rules: Disable duplicheck as per
938 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
939 + Remove ha plugin (requires special kernel)
940 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
941 - d/rules: Do not enable ha plugin
942 - d/control: Drop listing the ha plugin in the package description
943 + Add plugin kernel-libipsec to allow the use of strongswan in containers
944 via this userspace implementation (please do note that this is still
945 considered experimental by upstream).
946 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
947 - d/control: List kernel-libipsec plugin at extra plugins description
948 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
949 upstream recommends to not load kernel-libipsec by default.
950 + Relocate tnc plugin
951 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
952 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
953 + d/strongswan-starter.install: Install pool feature, that useful due to
954 having attr-sql plugin that is enabled now.
955 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
956 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
957 - d/libstrongswan.install: Add plugins/confiles
958 - d/control: move package descriptions and add required breaks/replaces
959 + d/libstrongswan.install: Reorder conf and .so alphabetically
960 + d/libstrongswan.install: Add kernel-netlink configuration files
961 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
962 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
963 autopkgtest the bliss test takes longer than the default (Upstream in
964 5.5.2 via issue 2204)
965 + Complete the disabling of libfast; This was partially accepted in Debian,
966 it is no more packaging medcli and medsrv, but still builds and
967 mentions it.
968 - d/rules: Add --disable-fast to avoid build time and dependencies
969 - d/control: Remove medcli, medsrv from package description
970 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
971 "only" to extra-plugins Mgf1 is not listed as default plugin at
972 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
973 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
974 libstrongswan-extra-plugins.
975 + Add missing mention of md4 plugin in d/control
976 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
977 missed that)
978 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
979 plugins for the most common use cases from extra-plugins into a new
980 standard-plugins package. This will allow those use cases without pulling
981 in too much more plugins (a bit like the tnc package). Recommend that
982 package from strongswan-libcharon.
983
984 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
985
986strongswan (5.5.1-3ubuntu1) artful; urgency=medium
987
988 * Merge from Debian to pick up latest changes. Among others this includes:
989 - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
990 but likely have to wait until Debian stretch was released)
991 - enabling mediation support (LP: #1657413)
992 * Remaining Changes:
993 + Update init/service handling
994 - d/rules: Change init/systemd program name to strongswan
995 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
996 patching upstream
997 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
998 linking to upstream
999 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1000 - d/strongswan-starter.prerm: Stop strongswan service on package
1001 removal (as opposed to using the old init.d script).
1002 + Clean up d/strongswan-starter.postinst:
1003 - Removed section about runlevel changes
1004 - Adapted service restart section for Upstart (kept to be Trusty
1005 backportable).
1006 - Remove old symlinks to init.d files is necessary.
1007 - Removed further out-dated code
1008 - Removed entire section on opportunistic encryption - this was never in
1009 strongSwan.
1010 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1011 + Mass enablement of extra plugins and features to allow a user to use
1012 strongswan for a variety of use cases without having to rebuild.
1013 - d/control: Add required additional build-deps
1014 - d/rules: Enable features at configure stage
1015 - d/control: Mention addtionally enabled plugins
1016 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1017 - d/libstrongswan.install: Add plugins (so, conf)
1018 + d/rules: Disable duplicheck as per
1019 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1020 + Remove ha plugin (requires special kernel)
1021 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1022 - d/rules: Do not enable ha plugin
1023 - d/control: Drop listing the ha plugin in the package description
1024 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1025 via this userspace implementation (please do note that this is still
1026 considered experimental by upstream).
1027 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1028 - d/control: List kernel-libipsec plugin at extra plugins description
1029 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1030 upstream recommends to not load kernel-libipsec by default.
1031 + Relocate tnc plugin
1032 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1033 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1034 + d/strongswan-starter.install: Install pool feature, that useful due to
1035 having attr-sql plugin that is enabled now.
1036 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1037 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1038 - d/libstrongswan.install: Add plugins/confiles
1039 - d/control: move package descriptions and add required breaks/replaces
1040 + d/libstrongswan.install: Reorder conf and .so alphabetically
1041 + d/libstrongswan.install: Add kernel-netlink configuration files
1042 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1043 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1044 autopkgtest the bliss test takes longer than the default (Upstream in
1045 5.5.2 via issue 2204)
1046 + Complete the disabling of libfast; This was partially accepted in Debian,
1047 it is no more packaging medcli and medsrv, but still builds and
1048 mentions it.
1049 - d/rules: Add --disable-fast to avoid build time and dependencies
1050 - d/control: Remove medcli, medsrv from package description
1051 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1052 "only" to extra-plugins Mgf1 is not listed as default plugin at
1053 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1054 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1055 libstrongswan-extra-plugins.
1056 + Add missing mention of md4 plugin in d/control
1057 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1058 missed that)
1059 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1060 plugins for the most common use cases from extra-plugins into a new
1061 standard-plugins package. This will allow those use cases without pulling
1062 in too much more plugins (a bit like the tnc package). Recommend that
1063 package from strongswan-libcharon.
1064 * Dropped Changes:
1065 + Add and install apparmor profiles (in Debian)
1066 - d/rules: Install AppArmor profiles
1067 - d/control: Add dh-apparmor build-dep
1068 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1069 for charon, lookip and stroke
1070 - d/libcharon-extra-plugins.install: Install profile for lookip
1071 - d/strongswan-charon.install: Install profile for charon
1072 - d/strongswan-starter.install: Install profile for stroke
1073 - Fix strongswan ipsec status issue with apparmor
1074 - Fix Dep8 tests for the now extra strongswan-pki package for pki
1075 - Fix Dep8 tests for the now extra strongswan-scepclient package
1076 + d/rules: Sorted and only one enable option per configure line (in
1077 Debian)
1078 + Add updated logcheck rules (in Debian)
1079 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1080 - debian/strongswan.logcheck: Add updated logcheck rules
1081 + Add updated DEP8 tests (in Debian)
1082 - d/tests/*: Add DEP8 tests
1083 - d/control: Enable autotestpkg
1084 + d/rules: do not strip for library integrity checking (After Discussion
1085 with Debian this isn't acceptable there, but at the same time it turned
1086 out the real use-case of this never uses this lib but instead third
1087 party checks of checksums for e.g. FIPS cert; so drop the Delta)
1088 - Use override_dh_strip to to avoid overwriting user build flags.
1089 - Add missing mention of libchecksum integrity test in d/control
1090 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1091 in tests to avoid issues in low entropy environments. (Debian has
1092 disabled !x86 tests for the same reason, one solution is enough)
1093
1094 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
1095
267strongswan (5.5.1-3) unstable; urgency=medium1096strongswan (5.5.1-3) unstable; urgency=medium
2681097
269 [ Christian Ehrhardt ]1098 [ Christian Ehrhardt ]
@@ -297,6 +1126,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
2971126
298 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +01001127 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
2991128
1129strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
1130
1131 * Update Maintainers which was missed while merging 5.5.1-1.
1132
1133 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
1134
1135strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
1136
1137 * Merge from Debian (complex delta, discussions and broken out changes can be
1138 found in the merge proposal linked from the merge bug LP: #1631198)
1139 * Remaining Changes:
1140 + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
1141 checking.
1142 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1143 in tests to avoid issues in low entropy environments.
1144 + Update init/service handling
1145 - d/rules: Change init/systemd program name to strongswan
1146 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1147 patching upstream
1148 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1149 linking to upstream
1150 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1151 - d/strongswan-starter.prerm: Stop strongswan service on package
1152 removal (as opposed to using the old init.d script).
1153 + Clean up d/strongswan-starter.postinst:
1154 - Removed section about runlevel changes
1155 - Adapted service restart section for Upstart (kept to be Trusty
1156 backportable).
1157 - Remove old symlinks to init.d files is necessary.
1158 - Removed further out-dated code
1159 - Removed entire section on opportunistic encryption - this was never in
1160 strongSwan.
1161 + Add and install apparmor profiles
1162 - d/rules: Install AppArmor profiles
1163 - d/control: Add dh-apparmor build-dep
1164 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1165 for charon, lookip and stroke
1166 - d/libcharon-extra-plugins.install: Install profile for lookip
1167 - d/strongswan-charon.install: Install profile for charon
1168 - d/strongswan-starter.install: Install profile for stroke
1169 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1170 + d/rules: Sorted and only one enable option per configure line
1171 + Mass enablement of extra plugins and features to allow a user to use
1172 strongswan for a variety of use cases without having to rebuild.
1173 - d/control: Add required additional build-deps
1174 - d/rules: Enable features at configure stage
1175 - d/control: Mention addtionally enabled plugins
1176 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1177 - d/libstrongswan.install: Add plugins (so, conf)
1178 + d/rules: Disable duplicheck as per
1179 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1180 + Remove ha plugin (requires special kernel)
1181 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1182 - d/rules: Do not enable ha plugin
1183 - d/control: Drop listing the ha plugin in the package description
1184 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1185 via this userspace implementation (please do note that this is still
1186 considered experimental by upstream).
1187 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1188 - d/control: List kernel-libipsec plugin at extra plugins description
1189 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1190 upstream recommends to not load kernel-libipsec by default.
1191 + Relocate tnc plugin
1192 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1193 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1194 + d/strongswan-starter.install: Install pool feature, that useful due to
1195 having attr-sql plugin that is enabled now.
1196 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1197 - d/libstrongswan-extra-plugins.install: Remove plugins
1198 - d/libstrongswan.install: Add plugins
1199 + d/libstrongswan.install: Reorder conf and .so alphabetically
1200 + d/libstrongswan.install: Add kernel-netlink configuration files
1201 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1202 + Add updated logcheck rules
1203 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1204 - debian/strongswan.logcheck: Add updated logcheck rules
1205 + Add updated DEP8 tests
1206 - d/tests/*: Add DEP8 tests
1207 - d/control: Enable autotestpkg
1208 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1209 autopkgtest the bliss test takes longer than the default
1210 + Complete the disabling of libfast
1211 - Note: This was partially accepted in Debian, it is no more
1212 packaging medcli and medsrv, but still builds and mentions it
1213 - d/rules: Add --disable-fast to avoid build time and dependencies
1214 - d/control: Remove medcli, medsrv from package description
1215 * Dropped Changes:
1216 + Adding build-dep to iptables-dev (no change, was only in Changelog)
1217 + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
1218 + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
1219 upgrade path left needing them)
1220 + Most of "disabling libfast" (Debian dropped it from package content)
1221 + Transition for ipsec service (no upgrade path left)
1222 + Reverted part of the cleanup to d/strongswan-starter.postinst as using
1223 service should rather use invoke-rc.d (so it is a partial revert of our
1224 delta)
1225 + Transition handling (breaks/replaces) from per-plugin packages to the
1226 three grouped plugin packages (no upgrade path left)
1227 + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
1228 it is effectively a no-op still, so not worth the delta)
1229 + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1230 (no more needed)
1231 + d/rules: Remove configure option --enable-unit-test (unit tests run by
1232 default)
1233 * Added Changes:
1234 + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
1235 + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
1236 the relocation of the ccm plugin which missed to move the conffiles.
1237 + Complete move of test-vectors (was missing in d/control)
1238 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1239 "only" to extra-plugins Mgf1 is not listed as default plugin at
1240 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1241 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1242 libstrongswan-extra-plugins.
1243 + Add missing mention of md4 plugin in d/control
1244 + Add missing mention of libchecksum integrity test in d/control
1245 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1246 missed that)
1247 + Use override_dh_strip to to fix library integrity checking instead of
1248 DEB_BUILD_OPTION to avoid overwriting user build flags.
1249 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1250 plugins for the most common use cases from extra-plugins into a new
1251 standard-plugins package. This will allow those use cases without pulling
1252 in too much more plugins (a bit like the tnc package). Recommend that
1253 package from strongswan-libcharon (LP: #1640826).
1254 + Fix Dep8 tests for the now extra strongswan-pki package for pki
1255 + Fix Dep8 tests for the now extra strongswan-scepclient package
1256
1257 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
1258
300strongswan (5.5.1-1) unstable; urgency=medium1259strongswan (5.5.1-1) unstable; urgency=medium
3011260
302 * New upstream bugfix release.1261 * New upstream bugfix release.
@@ -413,6 +1372,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
4131372
414 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +01001373 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
4151374
1375strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
1376
1377 * Build-depend on libjson-c-dev instead of libjson0-dev.
1378 * Rebuild against libjson-c3.
1379
1380 -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
1381
1382strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
1383
1384 * Rebuild against libmysqlclient20.
1385
1386 -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
1387
1388strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
1389
1390 * debian/tests/plugins: rdrand may or may not be loaded, depending on the
1391 cpu features.
1392
1393 -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
1394
1395strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
1396
1397 * debian/{rules,control,libstrongswan-extra-plugins.install}
1398 Enable bliss plugin
1399 * debian/{rules,control,libstrongswan-extra-plugins.install}
1400 Enable chapoly plugin
1401 * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
1402 Upstream suggests to not load this plugin by default as it has
1403 some limitations.
1404 https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
1405 * debian/patches/increase-bliss-test-timeout.patch
1406 Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
1407 * Update Apparmor profiles
1408 - usr.lib.ipsec.charon
1409 - add capability audit_write for xauth-pam (LP: #1470277)
1410 - add capability dac_override (needed by agent plugin)
1411 - allow priv dropping (LP: #1333655)
1412 - allow caching CRLs (LP: #1505222)
1413 - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
1414 - usr.lib.ipsec.stroke
1415 - allow priv dropping (LP: #1333655)
1416 - add local include
1417 - usr.lib.ipsec.lookip
1418 - add local include
1419 * Merge from Debian, which includes fixes for all previous CVEs
1420 Fixes (LP: #1330504, #1451091, #1448870, #1470277)
1421 Remaining changes:
1422 * debian/control
1423 - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1424 - Update Maintainer for Ubuntu
1425 - Add build-deps
1426 - dh-apparmor
1427 - iptables-dev
1428 - libjson0-dev
1429 - libldns-dev
1430 - libmysqlclient-dev
1431 - libpcsclite-dev
1432 - libsoup2.4-dev
1433 - libtspi-dev
1434 - libunbound-dev
1435 - Drop build-deps
1436 - libfcgi-dev
1437 - clearsilver-dev
1438 - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1439 - Set XS-Testsuite: autopkgtest
1440 * debian/rules:
1441 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1442 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1443 tests.
1444 - Change init/systemd program name to strongswan
1445 - Install AppArmor profiles
1446 - Removed pieces on 'patching ipsec.conf' on build.
1447 - Enablement of features per Ubuntu current config suggested from
1448 upstream recommendation
1449 - Unpack and sort enabled features to one-per-line
1450 - Disable duplicheck as per
1451 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1452 - Disable libfast (--disable-fast):
1453 Requires dropping medsrv, medcli plugins which depend on libfast
1454 - Add configure options
1455 --with-tss=trousers
1456 - Remove configure options:
1457 --enable-ha (requires special kernel)
1458 --enable-unit-test (unit tests run by default)
1459 - Drop logcheck install
1460 * debian/tests/*
1461 - Add DEP8 test for strongswan service and plugins
1462 * debian/strongswan-starter.strongswan.service
1463 - Add new systemd file instead of patching upstream
1464 * debian/strongswan-starter.links
1465 - removed, use Ubuntu systemd file instead of linking to upstream
1466 * debian/usr.lib.ipsec.{charon, lookip, stroke}
1467 - added AppArmor profiles for charon, lookip and stroke
1468 * debian/libcharon-extra-plugins.install
1469 - Add plugins
1470 - kernel-libipsec.{so, lib, conf, apparmor}
1471 - Remove plugins
1472 - libstrongswan-ha.so
1473 - Relocate plugins
1474 - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1475 * debian/libstrongswan-extra-plugins.install
1476 - Add plugins (so, lib, conf)
1477 - acert
1478 - attr-sql
1479 - coupling
1480 - dnscert
1481 - fips-prf
1482 - gmp
1483 - ipseckey
1484 - load-tester
1485 - mysql
1486 - ntru
1487 - radattr
1488 - soup
1489 - sqlite
1490 - sql
1491 - systime-fix
1492 - unbound
1493 - whitelist
1494 - Relocate plugins (so, lib, conf)
1495 - ccm (libstrongswan.install)
1496 - test-vectors (libstrongswan.install)
1497 * debian/libstrongswan.install
1498 - Sort sections
1499 - Add plugins (so, lib, conf)
1500 - libchecksum
1501 - ccm
1502 - eap-identity
1503 - md4
1504 - test-vectors
1505 * debian/strongswan-charon.install
1506 - Add AppArmor profile for charon
1507 * debian/strongswan-starter.install
1508 - Add tools, manpages, conf
1509 - openac
1510 - pool
1511 - _updown_espmark
1512 - Add AppArmor profile for stroke
1513 * debian/strongswan-tnc-base.install
1514 - Add new subpackage for TNC
1515 - remove non-existent (dropped in 5.2.1) libpts library files
1516 * debian/strongswan-tnc-client.install
1517 - Add new subpackage for TNC
1518 * debian/strongswan-tnc-ifmap.install
1519 - Add new subpackage for TNC
1520 * debian/strongswan-tnc-pdp.install
1521 - Add new subpackage for TNC
1522 * debian/strongswan-tnc-server.install
1523 - Add new subpackage for TNC
1524 * debian/strongswan-starter.postinit:
1525 - Removed section about runlevel changes, it's almost 2014.
1526 - Adapted service restart section for Upstart.
1527 - Remove old symlinks to init.d files is necessary.
1528 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1529 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1530 * debian/strongswan-starter.prerm: Stop strongswan service on package
1531 removal (as opposed to using the old init.d script).
1532 * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1533 - logcheck patterns updated to be helpful
1534 * debian/strongswan-starter.postinst: Removed further out-dated code and
1535 entire section on opportunistic encryption - this was never in strongSwan.
1536 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1537 Drop changes:
1538 * debian/control
1539 - Per-plugin package breakup: Reducing packaging delta from Debian
1540 - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1541 * debian/watch: Already exists in Debian merge
1542 * debian/upstream/signing-key.asc: Upstream has newer version.
1543
1544 -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1545
416strongswan (5.3.5-1) unstable; urgency=medium1546strongswan (5.3.5-1) unstable; urgency=medium
4171547
418 * New upstream bugfix release.1548 * New upstream bugfix release.
@@ -685,6 +1815,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
6851815
686 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +01001816 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
6871817
1818strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1819
1820 * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1821
1822 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1823
1824strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1825
1826 * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1827 - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1828 MSK was established in
1829 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1830 - CVE-2015-8023
1831 * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1832 until regression is properly investigated.
1833
1834 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1835
1836strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1837
1838 * SECURITY UPDATE: user credential disclosure to rogue servers
1839 - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1840 config before proceeding with own authentication in
1841 src/libcharon/sa/ikev2/tasks/ike_auth.c.
1842 - CVE-2015-4171
1843 * debian/rules: don't FTBFS from unused service file
1844
1845 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1846
1847strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1848
1849 * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1850
1851 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1852
1853strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1854
1855 * SECURITY UPDATE: denial of service via DH group 1025
1856 - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1857 IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1858 src/libstrongswan/crypto/diffie_hellman.h.
1859 - CVE-2014-9221
1860
1861 -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1862
1863strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1864
1865 * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1866 build.
1867
1868 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1869
1870strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1871
1872 * SECURITY UPDATE: remote authentication bypass
1873 - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1874 on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1875 - CVE-2014-2338
1876
1877 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1878
1879strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1880
1881 * New upstream release.
1882
1883 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1884
1885strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1886
1887 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1888 * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1889
1890 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1891
1892strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1893
1894 * New upstream release candidate.
1895
1896 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1897
1898strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1899
1900 * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1901 packages.
1902 * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1903
1904 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1905
1906strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1907
1908 * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1909
1910 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1911
1912strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1913
1914 * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1915 as it's only useful on amd64.
1916 * debian/watch: Added opts=pgpsigurlmangle option.
1917 * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1918
1919 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1920
1921strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1922
1923 * New upstream release candidate.
1924 * debian/*.install - include new configuration files for plugins in
1925 appropiate packages.
1926
1927 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1928
1929strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1930
1931 * debian/control:
1932 - Added Breaks/Replaces for all library files which have been moved
1933 about (LP: #1278176).
1934 - Removed build-dependency on check and added one on dh-apparmor.
1935 * debian/strongswan-starter.postinst: Removed further out-dated code and
1936 entire section on opportunistic encryption - this was never in strongSwan.
1937 * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1938
1939 -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1940
1941strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1942
1943 * debian/control: Fixed references to plugin-fips-prf.
1944
1945 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1946
1947strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1948
1949 * Upstream Git snapshot for build fixes with regards to entropy.
1950 * debian/rules:
1951 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1952 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1953 tests.
1954
1955 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1956
1957strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1958
1959 * New upstream developer release.
1960 * Made changes to packaging per upstream suggestions.
1961 - Dropped medcli and medsrv packages - not recommended by upstream at this
1962 time.
1963 - Dropped ha plugin - needs special kernel.
1964 - Improved all package descriptions in general.
1965 - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1966 - Removed debian/*logcheck* files - not relevant to strongSwan.
1967 - Split dhcp and farp packages into sub-packages.
1968 - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1969 - Changes to TNC-related packages.
1970 * Created AppArmor profiles for lookip and stroke.
1971
1972 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1973
1974strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1975
1976 * libstrongswan.install: Removed lingering unit-tester.so reference.
1977
1978 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1979
1980strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1981
1982 * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1983 Incorporates upstream fixes for:
1984 - Integrity testing.
1985 - Unit test failures on little endian systems.
1986 * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1987 upstream.
1988 * debian/rules:
1989 - Stop using CK_TIMEOUT_MULTIPLIER.
1990 - Stop enabling the test suite only on non-powerpc arches (it runs
1991 anyway).
1992
1993 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1994
1995strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1996
1997 * debian/control: Reinstate missing comma in dependencies.
1998
1999 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
2000
2001strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
2002
2003 * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
2004 where test for >2038 tests on 32-bit platforms is broken.
2005 - Reported upstream: https://wiki.strongswan.org/issues/477
2006 * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
2007
2008 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
2009
2010strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
2011
2012 * New upstream developer release.
2013 * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
2014 and --enable-unity.
2015 * debian/control:
2016 - New plugin packages created for the above
2017 - Split fips-prf into its own package.
2018 - Added build-dependency on libsoup2.4-dev.
2019
2020 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
2021
688strongswan (5.1.1-3) unstable; urgency=low2022strongswan (5.1.1-3) unstable; urgency=low
6892023
690 * Upload to unstable.2024 * Upload to unstable.
@@ -776,6 +2110,192 @@ strongswan (5.1.1-1) unstable; urgency=low
7762110
777 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +01002111 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
7782112
2113strongswan (5.1.1-0ubuntu17) trusty; urgency=low
2114
2115 * debian/control:
2116 - Make strongswan-ike depend on iproute2.
2117 - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
2118 - Created strongswan-libfast package.
2119
2120 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
2121
2122strongswan (5.1.1-0ubuntu16) trusty; urgency=low
2123
2124 * debian/control:
2125 - Further splitting of plugins into subpackages (such as all EAP plugins
2126 to their own packages).
2127 - Added libpcsclite-dev to build-dependencies.
2128 * debian/rules:
2129 - Sort configure options in alphabetical order.
2130 - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
2131 --enable-eap-sim-file, --enable-eap-sim-pcsc,
2132 --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
2133 --enable-eap-simaka-sql.
2134 - Don't exclude medsrv from install.
2135 * Moved eap-identity.so to libstrongswan package as it's used by all the
2136 other EAP plugins.
2137
2138 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
2139
2140strongswan (5.1.1-0ubuntu15) trusty; urgency=low
2141
2142 * debian/control:
2143 - Split plugins from libstrongswan package into modular subpackages.
2144 - Added libmysqlclient-dev to build-dependencies.
2145 - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
2146 strongswan-plugins-gcrypt.
2147 - strongswan-ike: All other plugins added to Suggests.
2148 - Created two new TNC packages: strongswan-tnc-ifmap and
2149 strongswan-tnc-pdp and added to tnc-imcvs Suggests.
2150 * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
2151 --enable-error-notify, --enable-mysql, --enable-load-tester,
2152 --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
2153 * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
2154
2155 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
2156
2157strongswan (5.1.1-0ubuntu14) trusty; urgency=low
2158
2159 * debian/rules:
2160 - CK_TIMEOUT_MULTIPLIER back down to 6.
2161 - Disable unit tests on powerpc.
2162
2163 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
2164
2165strongswan (5.1.1-0ubuntu13) trusty; urgency=low
2166
2167 * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
2168
2169 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
2170
2171strongswan (5.1.1-0ubuntu12) trusty; urgency=low
2172
2173 * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
2174 armhf.
2175
2176 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
2177
2178strongswan (5.1.1-0ubuntu11) trusty; urgency=low
2179
2180 * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
2181 one extra arch.
2182 * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
2183
2184 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
2185
2186strongswan (5.1.1-0ubuntu10) trusty; urgency=low
2187
2188 * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
2189 - Increases RSA key generate test timeout to 30 seconds so that it doesn't
2190 fail on armhf, arm64, and powerppc.
2191 * Contrary to what the last changelog entry says, we are still running
2192 strongswan as root (with AppArmor protection).
2193
2194 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
2195
2196strongswan (5.1.1-0ubuntu9) trusty; urgency=low
2197
2198 * debian/rules: Added to configure options:
2199 - --enable-tnc-ifmap: enable TNC IF-MAP module.
2200 - --enable-duplicheck: enable duplicheck plugin.
2201 - --enable-imv-swid, --enable-imc-swid: Added.
2202 - Run strongswan as it's own user.
2203 * debian/strongswan-starter.install: Install duplicheck.
2204 * debian/strongswan-tnc-imcvs.install: Install swidtags.
2205
2206 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
2207
2208strongswan (5.1.1-0ubuntu8) trusty; urgency=low
2209
2210 * debian/rules: Added to configure options:
2211 - --enable-unit-tests: check unit testing on build.
2212 - --enable-unbound: for validating DNS lookups.
2213 - --enable-dnscert: for DNSCERT peer authentication.
2214 - --enable-ipseckey: for IPSEC key authentication.
2215 - --enable-lookip: for LookIP functionality.
2216 - --enable-coupling: certificate coupling functionality.
2217 * debian/control: Added check, libldns-dev, libunbound-dev to
2218 build-dependencies.
2219 * debian/libstrongswan.install: Install new plugin .so's.
2220 * debian/strongswan-starter.install: Added lookip.
2221
2222 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
2223
2224strongswan (5.1.1-0ubuntu7) trusty; urgency=low
2225
2226 * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
2227 the former from depending on the latter).
2228
2229 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
2230
2231strongswan (5.1.1-0ubuntu6) trusty; urgency=low
2232
2233 * debian/strongswan-starter.prerm: Stop strongswan service on package
2234 removal (as opposed to using the old init.d script).
2235
2236 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
2237
2238strongswan (5.1.1-0ubuntu5) trusty; urgency=low
2239
2240 * debian/rules:
2241 - CONFIGUREARGS: Merged Debian and RPM options.
2242 - Brings in TNC functionality.
2243 * debian/control:
2244 - Added build-dependency on libtspi-dev.
2245 - Created strongswan-tnc-imcvs binary package for TNC components.
2246 - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
2247 * debian/libstrongswan.install:
2248 - Included newly built MD4 and SQLite libraries.
2249 - Removed 'tnc' references (moved to TNC package).
2250 * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
2251 binaries.
2252 * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
2253
2254 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
2255
2256strongswan (5.1.1-0ubuntu4) trusty; urgency=low
2257
2258 * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
2259 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
2260 * debian/control: strongswan-ike - Stop depending on ipsec-tools.
2261
2262 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
2263
2264strongswan (5.1.1-0ubuntu3) trusty; urgency=low
2265
2266 * strongswan-starter.strongswan.upstart - Only start strongSwan when a
2267 network connection is available.
2268 * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
2269 1.16.1 - to make precise backporting easier.
2270
2271 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
2272
2273strongswan (5.1.1-0ubuntu2) trusty; urgency=low
2274
2275 * strongswan-starter.strongswan.upstart - Created Upstart job for
2276 strongSwan.
2277 * debian/rules: Set dh_installinit to install above file.
2278 * debian/strongswan-starter.postinit:
2279 - Removed section about runlevel changes, it's almost 2014.
2280 - Adapted service restart section for Upstart.
2281 - Remove old symlinks to init.d files is necessary.
2282 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
2283
2284 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
2285
2286strongswan (5.1.1-0ubuntu1) trusty; urgency=low
2287
2288 * New upstream release.
2289 * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
2290 * debian/control: Updated Standards-Version to 3.9.5 and applied
2291 XSBC-Original-Maintainer policy.
2292 * strongswan-starter.install:
2293 - pki tool is now in /usr/bin.
2294 - Install pt-tls-client.
2295 - Install manpages (LP: #1206263).
2296
2297 -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
2298
779strongswan (5.1.0-3) unstable; urgency=high2299strongswan (5.1.0-3) unstable; urgency=high
7802300
781 * urgency=high for the security fixes.2301 * urgency=high for the security fixes.
diff --git a/debian/control b/debian/control
index 20c45c4..5cd92c7 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: strongswan1Source: strongswan
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
5Uploaders: Yves-Alexis Perez <corsac@debian.org>6Uploaders: Yves-Alexis Perez <corsac@debian.org>
6Standards-Version: 4.4.17Standards-Version: 4.4.1
7Vcs-Browser: https://salsa.debian.org/debian/strongswan8Vcs-Browser: https://salsa.debian.org/debian/strongswan
@@ -15,6 +16,7 @@ Build-Depends: bison,
15 gperf,16 gperf,
16 libip4tc-dev [linux-any],17 libip4tc-dev [linux-any],
17 libip6tc-dev [linux-any],18 libip6tc-dev [linux-any],
19 libiptc-dev [linux-any],
18 libcap-dev [linux-any],20 libcap-dev [linux-any],
19 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,21 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
20 libgcrypt20-dev | libgcrypt11-dev,22 libgcrypt20-dev | libgcrypt11-dev,
@@ -150,8 +152,8 @@ Architecture: any
150Depends: libstrongswan (= ${binary:Version}),152Depends: libstrongswan (= ${binary:Version}),
151 ${misc:Depends},153 ${misc:Depends},
152 ${shlibs:Depends}154 ${shlibs:Depends}
153Breaks: libcharon-extra-plugins (<< 5.8.0-2~)155Breaks: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
154Replaces: libcharon-extra-plugins (<< 5.8.0-2~)156Replaces: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
155Description: strongSwan charon library (extended authentication plugins)157Description: strongSwan charon library (extended authentication plugins)
156 The strongSwan VPN suite uses the native IPsec stack in the standard158 The strongSwan VPN suite uses the native IPsec stack in the standard
157 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.159 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -170,11 +172,65 @@ Description: strongSwan charon library (extended authentication plugins)
170 These are the "not always, but still more commonly used" plugins, for further172 These are the "not always, but still more commonly used" plugins, for further
171 needs even more plugins can be found in the package libcharon-extra-plugins.173 needs even more plugins can be found in the package libcharon-extra-plugins.
172174
175# Transition from former Ubuntu only libcharon-standard-plugins to common libcharon-extauth-plugins
176Package: libcharon-standard-plugins
177Depends: libcharon-extauth-plugins (= ${source:Version}), ${misc:Depends}
178Architecture: all
179Priority: optional
180Section: oldlibs
181Description: transitional package
182 This is a transitional package. It can safely be removed.
183
184# Transition back from strongswan-tnc-* being in extra packages
185# Can be dropped after 20.04
186Package: strongswan-tnc-ifmap
187Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
188Architecture: all
189Priority: optional
190Section: oldlibs
191Description: transitional package
192 This is a transitional package. It can safely be removed.
193
194Package: strongswan-tnc-base
195Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
196Architecture: all
197Priority: optional
198Section: oldlibs
199Description: transitional package
200 This is a transitional package. It can safely be removed.
201
202Package: strongswan-tnc-client
203Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
204Architecture: all
205Priority: optional
206Section: oldlibs
207Description: transitional package
208 This is a transitional package. It can safely be removed.
209
210Package: strongswan-tnc-server
211Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
212Architecture: all
213Priority: optional
214Section: oldlibs
215Description: transitional package
216 This is a transitional package. It can safely be removed.
217
218Package: strongswan-tnc-pdp
219Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
220Architecture: all
221Priority: optional
222Section: oldlibs
223Description: transitional package
224 This is a transitional package. It can safely be removed.
225
173Package: libcharon-extra-plugins226Package: libcharon-extra-plugins
174Architecture: any227Architecture: any
175Depends: libstrongswan (= ${binary:Version}),228Depends: libstrongswan (= ${binary:Version}),
176 ${misc:Depends},229 ${misc:Depends},
177 ${shlibs:Depends}230 ${shlibs:Depends}
231Breaks: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
232Replaces: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
233Provides: strongswan-tnc-base
178Description: strongSwan charon library (extra plugins)234Description: strongSwan charon library (extra plugins)
179 The strongSwan VPN suite uses the native IPsec stack in the standard235 The strongSwan VPN suite uses the native IPsec stack in the standard
180 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.236 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -210,9 +266,9 @@ Pre-Depends: ${misc:Pre-Depends}
210Depends: adduser,266Depends: adduser,
211 libstrongswan (= ${binary:Version}),267 libstrongswan (= ${binary:Version}),
212 lsb-base (>= 3.0-6),268 lsb-base (>= 3.0-6),
269 strongswan-charon,
213 ${misc:Depends},270 ${misc:Depends},
214 ${shlibs:Depends}271 ${shlibs:Depends}
215Recommends: strongswan-charon
216Conflicts: openswan272Conflicts: openswan
217Description: strongSwan daemon starter and configuration file parser273Description: strongSwan daemon starter and configuration file parser
218 The strongSwan VPN suite uses the native IPsec stack in the standard274 The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -251,9 +307,9 @@ Architecture: any
251Pre-Depends: debconf | debconf-2.0307Pre-Depends: debconf | debconf-2.0
252Depends: iproute2 [linux-any] | iproute [linux-any],308Depends: iproute2 [linux-any] | iproute [linux-any],
253 libstrongswan (= ${binary:Version}),309 libstrongswan (= ${binary:Version}),
254 strongswan-starter,
255 ${misc:Depends},310 ${misc:Depends},
256 ${shlibs:Depends}311 ${shlibs:Depends}
312Recommends: strongswan-starter,
257Provides: ike-server313Provides: ike-server
258Description: strongSwan Internet Key Exchange daemon314Description: strongSwan Internet Key Exchange daemon
259 The strongSwan VPN suite uses the native IPsec stack in the standard315 The strongSwan VPN suite uses the native IPsec stack in the standard

Subscribers

People subscribed via source and target branches