Merge ~paride/ubuntu/+source/strongswan:merge-5.9.4-1-JAMMY into ubuntu/+source/strongswan:debian/sid

Proposed by Paride Legovini
Status: Merged
Merge reported by: Paride Legovini
Merged at revision: 577790f58fac4374a6598a10944da89f26db810e
Proposed branch: ~paride/ubuntu/+source/strongswan:merge-5.9.4-1-JAMMY
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 1934 lines (+1689/-3)
6 files modified
debian/changelog (+1661/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Canonical Server | | | Pending |
| git-ubuntu import | | | Pending |

Review via email: mp+411793@code.launchpad.net

Paride Legovini (paride) wrote:

Merge 5.9.4-1 from Debian. Test PPA:

https://launchpad.net/~paride/+archive/ubuntu/strongswan-merge-5.9.4-1

I verified that the two security patches released in 5.9.1-1ubuntu3.1 are part of the new upstream version. No conflicts to resolve in the merge process.

I recovered the rich git history from the previous merge MP as the importer doesn't have it due to empty directories.

# Lintian

Note: the Debian package updated the lintian-overrides to work with the new lintian versions. This means that lintian 2.104.0ubuntu3 (currently in Jammy -release) is going to issue some error tags. Testing with lintian 2.111.0ubuntu1 (currently in jammy-proposed) tests clean.

# Autopkgtest results:

autopkgtest [15:53:10]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

# OpenSSL 3.0

By looking at the upstream commit history I expected this merge to also fix the OpenSSL 3.0 FTBFS (LP: #1946213). The build stage indeed succeeds, but the upstream test suite then fails, so overall the package still FTBFS. There is an upstream issue about the failure, to which I commented:

https://github.com/strongswan/strongswan/issues/753

Christian Ehrhardt (paelzer) wrote:

* Changelog:
  - [+] old content and logical tag match as expected
  - [+] changelog entry correct version and targeted codename
  - [+] changelog entries correct
  - [+] bug references correct
  - [+] update-maintainer has been run

* Merge - Indirect Changes:
  - [+] no upstream changes to consider
  - [+] no further upstream version to consider
  - [+] debian changes look safe

* Merge - Old Delta:
  - [+] dropped changes are ok to be dropped
  - [+] nothing else to drop
    This is the last time we see "Remove conf files of plugins removed from
    libcharon-extra-plugins", but for one more cycle we have to keep it :-)
  - [+] changes forwarded upstream/debian (no new ones, the old was forwarded
    and accepted, the rest is Ubuntu only)

* New Delta:
  - [+] no new patches added

* Git/Maintenance
  - [+] commits are properly split (more important on -dev than on SRUs)

* Build/Test:
  - [+] build is ok
  - [+] verified PPA package installs/uninstalls
  - [+] autopkgtest against the PPA package passes
  - [+] sanity checks test fine

In addition I have run some older strongswan testing I had using two VMs driving traffic between them. 5.9.4-1ubuntu1~paride1 worked for this in ike[12][cert|psk] modes as well.

TL;DR: LGTM +1

review: Approve

Paride Legovini (paride) wrote:

Thanks! Uploaded:

Uploading strongswan_5.9.4-1ubuntu1.dsc
Uploading strongswan_5.9.4.orig.tar.bz2
Uploading strongswan_5.9.4-1ubuntu1.debian.tar.xz
Uploading strongswan_5.9.4-1ubuntu1_source.buildinfo
Uploading strongswan_5.9.4-1ubuntu1_source.changes

Christian Ehrhardt (paelzer) wrote:

This is merged, including your later FTBFS in
https://launchpad.net/ubuntu/+source/strongswan/5.9.4-1ubuntu2
and a no change rebuild for openssl3
https://launchpad.net/ubuntu/+source/strongswan/5.9.4-1ubuntu3

 strongswan | 5.9.4-1ubuntu3 | jammy | source, all

Completed, please set the MR to merged (plenty of pings today as I can't do that anymore nowadays :-/ )

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 62a3611..420061f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,31 @@
6+strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/control: strongswan-starter hard-depends on strongswan-charon,
10+ therefore bump the dependency from Recommends to Depends. At the same
11+ time avoid a circular dependency by dropping
12+ strongswan-charon->strongswan-starter from Depends to Recommends as the
13+ binaries can work without the services but not vice versa.
14+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
15+ + d/control: mention plugins in package description
16+ + d/rules: enable ntru at build time
17+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
18+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
19+ + d/control: update libcharon-extra-plugins description.
20+ + d/libcharon-extra-plugins.install: install .so and conf files.
21+ + d/rules: add plugins to the configuration arguments.
22+ - Remove conf files of plugins removed from libcharon-extra-plugins
23+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
24+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
25+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
26+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
27+ properly.
28+ * Dropped changes:
29+ - Compile the tpm plugin against the tpm2 software stack (tss2).
30+ Merged in Debian (5.9.4-1).
31+
32+ -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100
33+
34 strongswan (5.9.4-1) unstable; urgency=medium
35
36 [ Paride Legovini ]
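Review bot: The two bug references in the new 5.9.4-1ubuntu1 entry use different forms, "(LP #1863749)" on the NTRU item and "(LP: 1878887)" on the eap-{dynamic,peap} item. Both sit under "Remaining changes", where the reference is presumably meant as a pointer rather than a fresh bug closure, so pick one form and use it for both. The 5.9.1-1ubuntu1 entry this list was carried over from writes the NTRU reference as "(LP: 1863749)", which would be the consistent choice.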
37@@ -14,6 +42,62 @@ strongswan (5.9.4-1) unstable; urgency=medium
38
39 -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200
40
41+strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
42+
43+ * SECURITY UPDATE: Integer Overflow in gmp Plugin
44+ - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
45+ negative salt length in
46+ src/libstrongswan/credentials/keys/signature_params.c,
47+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
48+ - CVE-2021-41990
49+ * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
50+ - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
51+ overflow/sign change in
52+ src/libstrongswan/credentials/sets/cert_cache.c.
53+ - CVE-2021-41991
54+
55+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400
56+
57+strongswan (5.9.1-1ubuntu3) impish; urgency=medium
58+
59+ * Compile the tpm plugin against the tpm2 software stack (tss2)
60+ (Debian packaging cherry-pick, LP: #1940079)
61+ - d/rules: add the --enable-tss-tss2 configure flag
62+ - d/control: add Build-Depends: libtss2-dev
63+
64+ -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200
65+
66+strongswan (5.9.1-1ubuntu2) impish; urgency=medium
67+
68+ * No-change rebuild due to OpenLDAP soname bump.
69+
70+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400
71+
72+strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium
73+
74+ * Merge with Debian unstable. Remaining changes:
75+ - d/control: strongswan-starter hard-depends on strongswan-charon,
76+ therefore bump the dependency from Recommends to Depends. At the same
77+ time avoid a circular dependency by dropping
78+ strongswan-charon->strongswan-starter from Depends to Recommends as the
79+ binaries can work without the services but not vice versa.
80+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
81+ + d/control: mention plugins in package description
82+ + d/rules: enable ntru at build time
83+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
84+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
85+ + d/control: update libcharon-extra-plugins description.
86+ + d/libcharon-extra-plugins.install: install .so and conf files.
87+ + d/rules: add plugins to the configuration arguments.
88+ - Remove conf files of plugins removed from libcharon-extra-plugins
89+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
90+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
91+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
92+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
93+ properly.
94+
95+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100
96+
97 strongswan (5.9.1-1) unstable; urgency=medium
98
99 * New upstream version 5.9.1
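Review bot: The CVE-2021-41990 and CVE-2021-41991 patches from the 5.9.1-1ubuntu3.1 entry in this hunk are not accounted for in the "Dropped changes" list of the new 5.9.4-1ubuntu1 entry, which names only the tpm/tss2 item. The merge description states that both fixes were verified to be part of the new upstream version; record that in the changelog too, for example as a "Dropped changes" item naming debian/patches/CVE-2021-41990.patch and debian/patches/CVE-2021-41991.patch as included upstream, so that someone auditing the package history can see why the security patches are no longer carried.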
100@@ -28,6 +112,45 @@ strongswan (5.9.0-1) unstable; urgency=medium
101
102 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200
103
104+strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
105+
106+ * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
107+ - d/control: update libcharon-extra-plugins description.
108+ - d/libcharon-extra-plugins.install: install .so and conf files.
109+ - d/rules: add plugins to the configuration arguments.
110+ * Remove conf files of plugins removed from libcharon-extra-plugins
111+ - The conf file of the following plugins were removed: eap-aka-3gpp2,
112+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
113+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
114+ - Created d/libcharon-extra-plugins.maintscript to handle the removals
115+ properly.
116+
117+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300
118+
119+strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
120+
121+ * Merge with Debian unstable. Remaining changes:
122+ - d/control: strongswan-starter hard-depends on strongswan-charon,
123+ therefore bump the dependency from Recommends to Depends. At the same
124+ time avoid a circular dependency by dropping
125+ strongswan-charon->strongswan-starter from Depends to Recommends as the
126+ binaries can work without the services but not vice versa.
127+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
128+ + d/control: mention plugins in package description
129+ + d/rules: enable ntru at build time
130+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
131+ * Dropped:
132+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
133+ This is needed due to changes in regard to Debian bug 947176 and 939243
134+ and can later be dropped again.
135+ [applied by Debian in version 5.8.2-2]
136+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
137+ to common libcharon-extauth-plugins (drop after 20.04)
138+ - d/control: Transition from strongswan-tnc-* being in extra packages
139+ to libcharon-extra-plugins (drop after 20.04)
140+
141+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300
142+
143 strongswan (5.8.4-1) unstable; urgency=medium
144
145 * New upstream version 5.8.4 (Closes: #956446)
146@@ -43,6 +166,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
147
148 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100
149
150+strongswan (5.8.2-1ubuntu3) focal; urgency=medium
151+
152+ * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
153+ there is a potential local side-channel attack on strongSwan's BLISS
154+ implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
155+
156+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100
157+
158+strongswan (5.8.2-1ubuntu2) focal; urgency=medium
159+
160+ * re-add post-quantum computer signature scheme (BLISS) and encryption
161+ algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
162+ - d/control: mention plugins in package description
163+ - d/rules: enable ntru and bliss at build time
164+ - d/libstrongswan-extra-plugins.install: ship config and shared objects
165+
166+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100
167+
168+strongswan (5.8.2-1ubuntu1) focal; urgency=medium
169+
170+ * Merge with Debian unstable (LP: #1861971). Remaining changes:
171+ - d/control: Transition from strongswan-tnc-* being in extra packages
172+ to libcharon-extra-plugins (drop after 20.04)
173+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
174+ to common libcharon-extauth-plugins (drop after 20.04)
175+ - d/control: strongswan-starter hard-depends on strongswan-charon,
176+ therefore bump the dependency from Recommends to Depends. At the same
177+ time avoid a circular dependency by dropping
178+ strongswan-charon->strongswan-starter from Depends to Recommends as the
179+ binaries can work without the services but not vice versa.
180+ * Added Changes
181+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
182+ This is needed due to changes in regard to Debian bug 947176 and 939243
183+ and can later be dropped again.
184+
185+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
186+
187 strongswan (5.8.2-1) unstable; urgency=medium
188
189 [ Jean-Michel Vourgère ]
190@@ -59,6 +219,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
191
192 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
193
194+strongswan (5.8.1-1ubuntu1) focal; urgency=medium
195+
196+ * Merge with Debian unstable (LP: #1852579). Remaining changes:
197+ - d/control: Transition from strongswan-tnc-* being in extra packages
198+ to libcharon-extra-plugins
199+ * Added Changes:
200+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
201+ to common libcharon-extauth-plugins (drop after 20.04)
202+ - d/control: strongswan-starter hard-depends on strongswan-charon,
203+ therefore bump the dependency from Recommends to Depends. At the same
204+ time avoid a circular dependency by dropping
205+ strongswan-charon->strongswan-starter from Depends to Recommends as the
206+ binaries can work without the services but not vice versa.
207+ * Dropped Changes (now in Debian):
208+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
209+ - Clean up d/strongswan-starter.postinst: Removed entire section on
210+ opportunistic encryption disabling - this was never in strongSwan and
211+ won't be see upstream issue #2160.
212+ - d/rules: Removed patching ipsec.conf on build (not using the
213+ debconf-managed config.)
214+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
215+ used for debconf-managed include of private key).
216+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
217+ via this userspace implementation (please do note that this is still
218+ considered experimental by upstream).
219+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
220+ + d/control: List kernel-libipsec plugin at extra plugins description
221+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
222+ upstream recommends to not load kernel-libipsec by default.
223+ - d/control: Mention mgf1 plugin which is in libstrongswan now
224+ - Complete the disabling of libfast; This was partially accepted in Debian,
225+ it is no more packaging medcli and medsrv, but still builds and
226+ mentions it.
227+ + d/rules: Add --disable-fast to avoid build time and dependencies
228+ + d/control: Remove medcli, medsrv from package description
229+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
230+ libstrongswan-extra-plugins (no deps from default plugins).
231+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
232+ plugins for the most common use cases from extra-plugins into a new
233+ standard-plugins package. This will allow those use cases without pulling
234+ in too much more plugins (a bit like the tnc package). Recommend that
235+ package from strongswan-libcharon.
236+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
237+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
238+ - executables need to be able to read map and execute themselves otherwise
239+ execution in some environments e.g. containers is blocked (LP 1780534)
240+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
241+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
242+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
243+ profiles of both ways to start charon (LP 1807664)
244+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
245+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
246+ Debian so this part was be dropped. Two changes remain
247+ - d/control: fix the mentioning of tpmtss in d/control
248+ - apparmor fixes for container and root usage (LP 1826238)
249+ + d/usr.sbin.swanctl: allow reading own binary
250+ + d/usr.sbin.charon-systemd: allow accessing the binary
251+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
252+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
253+ to apparmor to allow dropping caps
254+ * Dropped Changes (too uncommon to support by default)
255+ - d/libstrongswan.install: Add kernel-netlink configuration files
256+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
257+ attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
258+ - Mass enablement of extra plugins and features to allow a user to use
259+ strongswan for a variety of extra use cases without having to rebuild.
260+ + d/control: Add required additional build-deps
261+ + d/control: Mention addtionally enabled plugins
262+ + d/rules: Enable features at configure stage
263+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
264+ + d/libstrongswan.install: Add plugins (so, conf)
265+ + d/strongswan-starter.install: Install pool feature, which is useful
266+ since we now have attr-sql plugin enabled it.
267+ - Enable additional TNC plugins and add them to libcharon-extra-plugins
268+
269+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
270+
271 strongswan (5.8.1-1) unstable; urgency=medium
272
273 * d/rules: disable http and stream tests under CI
274@@ -128,6 +365,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
275
276 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
277
278+strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
279+
280+ * No change rebuild for libmysqlclient21.
281+
282+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
283+
284+strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
285+
286+ * Rebuild against new libjson-c4.
287+
288+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
289+
290+strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
291+
292+ [ Christian Ehrhardt ]
293+ * Merge with Debian unstable. Remaining changes:
294+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
295+ - Clean up d/strongswan-starter.postinst: Removed entire section on
296+ opportunistic encryption disabling - this was never in strongSwan and
297+ won't be see upstream issue #2160.
298+ - d/rules: Removed patching ipsec.conf on build (not using the
299+ debconf-managed config.)
300+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
301+ used for debconf-managed include of private key).
302+ - Mass enablement of extra plugins and features to allow a user to use
303+ strongswan for a variety of extra use cases without having to rebuild.
304+ + d/control: Add required additional build-deps
305+ + d/control: Mention addtionally enabled plugins
306+ + d/rules: Enable features at configure stage
307+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
308+ + d/libstrongswan.install: Add plugins (so, conf)
309+ + d/strongswan-starter.install: Install pool feature, which is useful
310+ since we now have attr-sql plugin enabled it.
311+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
312+ via this userspace implementation (please do note that this is still
313+ considered experimental by upstream).
314+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
315+ + d/control: List kernel-libipsec plugin at extra plugins description
316+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
317+ upstream recommends to not load kernel-libipsec by default.
318+ - d/libstrongswan.install: Add kernel-netlink configuration files
319+ - Complete the disabling of libfast; This was partially accepted in Debian,
320+ it is no more packaging medcli and medsrv, but still builds and
321+ mentions it.
322+ + d/rules: Add --disable-fast to avoid build time and dependencies
323+ + d/control: Remove medcli, medsrv from package description
324+ - d/control: Mention mgf1 plugin which is in libstrongswan now
325+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
326+ libstrongswan-extra-plugins (no deps from default plugins).
327+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
328+ plugins for the most common use cases from extra-plugins into a new
329+ standard-plugins package. This will allow those use cases without pulling
330+ in too much more plugins (a bit like the tnc package). Recommend that
331+ package from strongswan-libcharon.
332+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
333+ attr-sql plugins (LP #1766240)
334+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
335+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
336+ - executables need to be able to read map and execute themselves otherwise
337+ execution in some environments e.g. containers is blocked (LP: 1780534)
338+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
339+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
340+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
341+ profiles of both ways to start charon (LP: 1807664)
342+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
343+ * Dropped changes
344+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
345+ fix SIGSEGV when using mysql plugin (LP: 1795813)
346+ [upstream in 5.7.2]
347+ - d/libstrongswan.install: Reorder conf and .so alphabetically
348+ [was a non functional change, dropped to avoid merge noise]
349+ - Relocate tnc plugin
350+ [TNC is back at libcharon-extra-plugins as it is in Debian]
351+ * Added changes:
352+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
353+ Debian so this part was be dropped. Two changes remain
354+ - d/control: fix the mentioning of tpmtss in d/control
355+ - add nttfft (can be merged with the mass enablement change later)
356+ - Transitional packages to go back from strongswan-tnc-* being in extra
357+ packages to be part of libcharon-extra-plugins.
358+ [can be dropped after 20.04]
359+
360+ [ Simon Deziel ]
361+ * Added changes:
362+ - apparmor fixes for container and root usage (LP: #1826238)
363+ + d/usr.sbin.swanctl: allow reading own binary
364+ + d/usr.sbin.charon-systemd: allow accessing the binary
365+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
366+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
367+ to apparmor to allow dropping caps
368+
369+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
370+
371 strongswan (5.7.2-1) unstable; urgency=medium
372
373 * d/control: remove Rene from Uploaders, thanks!
374@@ -146,6 +476,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
375
376 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
377
378+strongswan (5.7.1-1ubuntu2) disco; urgency=medium
379+
380+ * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
381+ path (LP: #1773956)
382+ * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
383+ profiles of both ways to start charon (LP: #1807664)
384+ * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
385+
386+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
387+
388+strongswan (5.7.1-1ubuntu1) disco; urgency=medium
389+
390+ * Merge with Debian unstable (LP: #1806401). Remaining changes:
391+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
392+ - Clean up d/strongswan-starter.postinst: Removed entire section on
393+ opportunistic encryption disabling - this was never in strongSwan and
394+ won't be see upstream issue #2160.
395+ - d/rules: Removed patching ipsec.conf on build (not using the
396+ debconf-managed config.)
397+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
398+ used for debconf-managed include of private key).
399+ - Mass enablement of extra plugins and features to allow a user to use
400+ strongswan for a variety of extra use cases without having to rebuild.
401+ + d/control: Add required additional build-deps
402+ + d/control: Mention addtionally enabled plugins
403+ + d/rules: Enable features at configure stage
404+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
405+ + d/libstrongswan.install: Add plugins (so, conf)
406+ - d/strongswan-starter.install: Install pool feature, which is useful since
407+ we have attr-sql plugin enabled as well using it.
408+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
409+ via this userspace implementation (please do note that this is still
410+ considered experimental by upstream).
411+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
412+ + d/control: List kernel-libipsec plugin at extra plugins description
413+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
414+ upstream recommends to not load kernel-libipsec by default.
415+ - Relocate tnc plugin
416+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
417+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
418+ - d/libstrongswan.install: Reorder conf and .so alphabetically
419+ - d/libstrongswan.install: Add kernel-netlink configuration files
420+ - Complete the disabling of libfast; This was partially accepted in Debian,
421+ it is no more packaging medcli and medsrv, but still builds and
422+ mentions it.
423+ + d/rules: Add --disable-fast to avoid build time and dependencies
424+ + d/control: Remove medcli, medsrv from package description
425+ - d/control: Mention mgf1 plugin which is in libstrongswan now
426+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
427+ libstrongswan-extra-plugins (no deps from default plugins).
428+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
429+ plugins for the most common use cases from extra-plugins into a new
430+ standard-plugins package. This will allow those use cases without pulling
431+ in too much more plugins (a bit like the tnc package). Recommend that
432+ package from strongswan-libcharon.
433+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
434+ attr-sql plugins (LP #1766240)
435+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
436+ * Added Changes:
437+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
438+ fix SIGSEGV when using mysql plugin (LP: #1795813)
439+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
440+ - executables need to be able to read map and execute themselves otherwise
441+ execution in some environments e.g. containers is blocked (LP: #1780534)
442+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
443+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
444+ - adapt "mass enablement of extra plugins" to match 5.7.x changes
445+ + d/rules: use new options for swima instead of swid
446+ + d/strongswan-tnc-server.install: add new sec updater tool
447+ + d/strongswan-tnc-client.install: add new sw-collector tool
448+ * Dropped (in Debian now):
449+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
450+ (CVE-2018-17540)
451+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
452+ (CVE-2018-16151 CVE-2018-16152)
453+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
454+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
455+
456+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
457+
458 strongswan (5.7.1-1) unstable; urgency=medium
459
460 [ Ondřej Nový ]
461@@ -176,6 +586,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
462
463 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
464
465+strongswan (5.6.3-1ubuntu5) disco; urgency=medium
466+
467+ * No-change rebuild against libunbound8
468+
469+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
470+
471+strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
472+
473+ * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
474+ Thanks to Matt Callaghan.
475+
476+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
477+
478+strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
479+
480+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
481+ - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
482+ buffer overflow with very small RSA keys in
483+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
484+ - CVE-2018-17540
485+
486+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
487+
488+strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
489+
490+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
491+ - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
492+ parse PKCS1 v1.5 RSA signatures to verify them in
493+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
494+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
495+ - CVE-2018-16151
496+ - CVE-2018-16152
497+
498+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
499+
500+strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
501+
502+ * Merge with Debian unstable. Remaining changes:
503+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
504+ - Clean up d/strongswan-starter.postinst: Removed entire section on
505+ opportunistic encryption disabling - this was never in strongSwan and
506+ won't be see upstream issue #2160.
507+ - d/rules: Removed patching ipsec.conf on build (not using the
508+ debconf-managed config.)
509+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
510+ used for debconf-managed include of private key).
511+ - Mass enablement of extra plugins and features to allow a user to use
512+ strongswan for a variety of extra use cases without having to rebuild.
513+ + d/control: Add required additional build-deps
514+ + d/control: Mention addtionally enabled plugins
515+ + d/rules: Enable features at configure stage
516+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
517+ + d/libstrongswan.install: Add plugins (so, conf)
518+ - d/strongswan-starter.install: Install pool feature, which is useful since
519+ we have attr-sql plugin enabled as well using it.
520+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
521+ via this userspace implementation (please do note that this is still
522+ considered experimental by upstream).
523+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
524+ + d/control: List kernel-libipsec plugin at extra plugins description
525+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
526+ upstream recommends to not load kernel-libipsec by default.
527+ - Relocate tnc plugin
528+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
529+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
530+ - d/libstrongswan.install: Reorder conf and .so alphabetically
531+ - d/libstrongswan.install: Add kernel-netlink configuration files
532+ - Complete the disabling of libfast; This was partially accepted in Debian,
533+ it is no more packaging medcli and medsrv, but still builds and
534+ mentions it.
535+ + d/rules: Add --disable-fast to avoid build time and dependencies
536+ + d/control: Remove medcli, medsrv from package description
537+ - d/control: Mention mgf1 plugin which is in libstrongswan now
538+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
539+ libstrongswan-extra-plugins (no deps from default plugins).
540+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
541+ plugins for the most common use cases from extra-plugins into a new
542+ standard-plugins package. This will allow those use cases without pulling
543+ in too much more plugins (a bit like the tnc package). Recommend that
544+ package from strongswan-libcharon.
545+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
546+ attr-sql plugins (LP #1766240)
547+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
548+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
549+ * Dropped:
550+ - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
551+ [Fixed in 5.6.3-1]
552+
553+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
554+
555 strongswan (5.6.3-1) unstable; urgency=medium
556
557 * New upstream version 5.6.2
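Review bot: in the 5.6.3-1ubuntu1 entry, the usr-merge item names the AppArmor profile as "d/usr/sbin/charon-systemd" with slashes, while the mysql item just above it and the Dropped item below both write "d/usr.sbin.charon-systemd". If this restored history is meant to stay verbatim, leave it, but use the dotted name wherever this delta is restated so the file can be found by searching the changelog. The two bug references in the same entry are written "LP #1766240" and "LP #1784023" without the colon, unlike "LP: #1765652" in the Dropped list; please confirm that difference is deliberate.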
558@@ -191,6 +691,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
559
560 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
561
562+strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
563+
564+ * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
565+
566+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
567+
568+strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
569+
570+ * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
571+ Remaining changes:
572+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
573+ + Clean up d/strongswan-starter.postinst: Removed entire section on
574+ opportunistic encryption disabling - this was never in strongSwan and
575+ won't be see upstream issue #2160.
576+ + d/rules: Removed patching ipsec.conf on build (not using the
577+ debconf-managed config.)
578+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
579+ used for debconf-managed include of private key).
580+ + Mass enablement of extra plugins and features to allow a user to use
581+ strongswan for a variety of extra use cases without having to rebuild.
582+ - d/control: Add required additional build-deps
583+ - d/control: Mention addtionally enabled plugins
584+ - d/rules: Enable features at configure stage
585+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
586+ - d/libstrongswan.install: Add plugins (so, conf)
587+ + d/strongswan-starter.install: Install pool feature, which is useful since
588+ we have attr-sql plugin enabled as well using it.
589+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
590+ via this userspace implementation (please do note that this is still
591+ considered experimental by upstream).
592+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
593+ - d/control: List kernel-libipsec plugin at extra plugins description
594+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
595+ upstream recommends to not load kernel-libipsec by default.
596+ + Relocate tnc plugin
597+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
598+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
599+ + d/libstrongswan.install: Reorder conf and .so alphabetically
600+ + d/libstrongswan.install: Add kernel-netlink configuration files
601+ + Complete the disabling of libfast; This was partially accepted in Debian,
602+ it is no more packaging medcli and medsrv, but still builds and
603+ mentions it.
604+ - d/rules: Add --disable-fast to avoid build time and dependencies
605+ - d/control: Remove medcli, medsrv from package description
606+ + d/control: Mention mgf1 plugin which is in libstrongswan now
607+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
608+ libstrongswan-extra-plugins (no deps from default plugins).
609+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
610+ plugins for the most common use cases from extra-plugins into a new
611+ standard-plugins package. This will allow those use cases without pulling
612+ in too much more plugins (a bit like the tnc package). Recommend that
613+ package from strongswan-libcharon.
614+ * Dropped Changes (no more needed after 18.04)
615+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
616+ missed that, droppable after 18.04)
617+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
618+ libstrongswan as we dropped relocating ccm and test-vectors.
619+ (droppable >18.04).
620+ + d/control: add breaks/replace from libstrongswan to
621+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
622+ (droppable >18.04).
623+ + d/control: bump breaks/replaces for the move of the updown plugin
624+ (Missed Changelog entry on last merge)
625+ + d/control: fix dependencies of strongswan-libcharon due to the move
626+ the updown plugin (droppable >18.04).
627+ * Added Changes:
628+ + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
629+ attr-sql plugins (LP: #1766240)
630+ + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
631+
632+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
633+
634 strongswan (5.6.2-2) unstable; urgency=medium
635
636 * charon-nm: Fix building list of DNS/MDNS servers with libnm
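Review bot: the "Added Changes" items at the end of the 5.6.2-2ubuntu1 entry widen the charon-systemd AppArmor profile ("allow to contact mysql", "allow systemd notifications") but do not say what access was granted. For a confinement change it helps to name the rule in the changelog, for example whether the mysql access is a unix socket path or network access, so that a later merge can judge whether the delta is still needed without rereading the profile. Minor: "transition from precies" in the Dropped list is a typo for precise.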
637@@ -201,6 +773,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
638
639 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
640
641+strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
642+
643+ * d/control: fix dependencies of strongswan-libcharon due to the move
644+ the updown plugin.
645+
646+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
647+
648+strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
649+
650+ * Merge with Debian unstable (LP: #1753018). Remaining changes:
651+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
652+ + Clean up d/strongswan-starter.postinst: Removed entire section on
653+ opportunistic encryption disabling - this was never in strongSwan and
654+ won't be see upstream issue #2160.
655+ + Ubuntu is not using the debconf triggered private key generation
656+ - d/rules: Removed patching ipsec.conf on build (not using the
657+ debconf-managed config.)
658+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
659+ used for debconf-managed include of private key).
660+ + Mass enablement of extra plugins and features to allow a user to use
661+ strongswan for a variety of extra use cases without having to rebuild.
662+ - d/control: Add required additional build-deps
663+ - d/control: Mention addtionally enabled plugins
664+ - d/rules: Enable features at configure stage
665+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
666+ - d/libstrongswan.install: Add plugins (so, conf)
667+ + d/strongswan-starter.install: Install pool feature, which is useful since
668+ we have attr-sql plugin enabled as well using it.
669+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
670+ via this userspace implementation (please do note that this is still
671+ considered experimental by upstream).
672+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
673+ - d/control: List kernel-libipsec plugin at extra plugins description
674+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
675+ upstream recommends to not load kernel-libipsec by default.
676+ + Relocate tnc plugin
677+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
678+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
679+ + d/libstrongswan.install: Reorder conf and .so alphabetically
680+ + d/libstrongswan.install: Add kernel-netlink configuration files
681+ + Complete the disabling of libfast; This was partially accepted in Debian,
682+ it is no more packaging medcli and medsrv, but still builds and
683+ mentions it.
684+ - d/rules: Add --disable-fast to avoid build time and dependencies
685+ - d/control: Remove medcli, medsrv from package description
686+ + d/control: Mention mgf1 plugin which is in libstrongswan now
687+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
688+ libstrongswan-extra-plugins (no deps from default plugins).
689+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
690+ missed that, droppable after 18.04)
691+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
692+ plugins for the most common use cases from extra-plugins into a new
693+ standard-plugins package. This will allow those use cases without pulling
694+ in too much more plugins (a bit like the tnc package). Recommend that
695+ package from strongswan-libcharon.
696+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
697+ libstrongswan as we dropped relocating ccm and test-vectors.
698+ (droppable >18.04).
699+ + d/control: add breaks/replace from libstrongswan to
700+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
701+ (droppable >18.04).
702+ * Added Changes:
703+ + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
704+ starter as we followed Debian to move the updown plugin but need to
705+ match Ubuntu versions (Droppable >18.04).
706+
707+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
708+
709 strongswan (5.6.2-1) unstable; urgency=medium
710
711 * d/NEWS: add information about disabled algorithms (closes: #883072)
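Review bot: the 5.6.2-1ubuntu2 entry ("fix dependencies of strongswan-libcharon due to the move the updown plugin") carries no LP bug reference and does not say which dependency was changed, while the 5.6.2-1ubuntu1 entry below it records the related breaks/replaces bump from strongswan-libcharon to strongswan-starter in detail. If a bug exists for the broken dependency, it would be worth referencing so the two entries can be read together; the sentence is also missing "of" after "the move".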
712@@ -223,6 +863,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
713
714 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
715
716+strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
717+
718+ * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
719+ - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
720+ identifier without parameters in
721+ src/libstrongswan/credentials/keys/signature_params.c.
722+ - CVE-2018-6459
723+
724+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
725+
726+strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
727+
728+ * No-change rebuild against libcurl4
729+
730+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
731+
732+strongswan (5.6.1-2ubuntu2) bionic; urgency=high
733+
734+ * No change rebuild against openssl1.1.
735+
736+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
737+
738+strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
739+
740+ * Merge with Debian unstable (LP: #1717343).
741+ Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
742+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
743+ + Clean up d/strongswan-starter.postinst: Removed entire section on
744+ opportunistic encryption disabling - this was never in strongSwan and
745+ won't be see upstream issue #2160.
746+ + Ubuntu is not using the debconf triggered private key generation
747+ - d/rules: Removed patching ipsec.conf on build (not using the
748+ debconf-managed config.)
749+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
750+ used for debconf-managed include of private key).
751+ + Mass enablement of extra plugins and features to allow a user to use
752+ strongswan for a variety of extra use cases without having to rebuild.
753+ - d/control: Add required additional build-deps
754+ - d/control: Mention addtionally enabled plugins
755+ - d/rules: Enable features at configure stage
756+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
757+ - d/libstrongswan.install: Add plugins (so, conf)
758+ + d/strongswan-starter.install: Install pool feature, which is useful since
759+ we have attr-sql plugin enabled as well using it.
760+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
761+ via this userspace implementation (please do note that this is still
762+ considered experimental by upstream).
763+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
764+ - d/control: List kernel-libipsec plugin at extra plugins description
765+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
766+ upstream recommends to not load kernel-libipsec by default.
767+ + Relocate tnc plugin
768+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
769+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
770+ + d/libstrongswan.install: Reorder conf and .so alphabetically
771+ + d/libstrongswan.install: Add kernel-netlink configuration files
772+ + Complete the disabling of libfast; This was partially accepted in Debian,
773+ it is no more packaging medcli and medsrv, but still builds and
774+ mentions it.
775+ - d/rules: Add --disable-fast to avoid build time and dependencies
776+ - d/control: Remove medcli, medsrv from package description
777+ + d/control: Mention mgf1 plugin which is in libstrongswan now
778+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
779+ libstrongswan-extra-plugins (no deps from default plugins).
780+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
781+ missed that, droppable after 18.04)
782+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
783+ plugins for the most common use cases from extra-plugins into a new
784+ standard-plugins package. This will allow those use cases without pulling
785+ in too much more plugins (a bit like the tnc package). Recommend that
786+ package from strongswan-libcharon.
787+ * Added changes:
788+ + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
789+ in 5.6
790+ + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
791+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
792+ libstrongswan as we dropped relocating ccm and test-vectors.
793+ (droppable >18.04).
794+ - d/control: add breaks/replace from libstrongswan to
795+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
796+ (droppable >18.04).
797+ * Dropped changes:
798+ + Update init/service handling (debian default matches Ubuntu past now)
799+ Dropping this fixes (LP: #1734886)
800+ - d/rules: Change init/systemd program name to strongswan
801+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
802+ patching upstream
803+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
804+ linking to upstream
805+ + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
806+ (this is a never failing no-op for us, no need for Delta).
807+ + d/strongswan-starter.prerm: Stop strongswan service on package removal
808+ (ipsec now maps to strongswan service, so this works as-is).
809+ + Clean up d/strongswan-starter.postinst: rename service ipsec to
810+ strongswan (ipsec now maps to strongswan service, so this works as-is)
811+ + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
812+ whole section is disabled, so no need for delta)
813+ + (is upstream) CVE-2017-11185 patches
814+ + (is upstream) FTBFS upstream fix for changed include files
815+ + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
816+ QEMU/KVM autopkgtest the bliss test takes longer than the default
817+ + (in Debian) add now built (since 5.5.1) mgf1 plugin to
818+ libstrongswan-extra-plugins.
819+ + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
820+ + (this was enabled as part of the former delta, squash changes to no-up)
821+ d/rules: Disable duplicheck.
822+ + (not needed) Relocate plugins test-vectors from extra-plugins to
823+ libstrongswan
824+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
825+ - d/libstrongswan.install: Add plugins/confiles
826+ - d/control: move package descriptions and add required breaks/replaces
827+ + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
828+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
829+ - d/libstrongswan.install: Add plugins/confiles
830+ - d/control: move package descriptions and add required breaks/replaces
831+ + (while using it requires special kernel, it does not hurt to be
832+ available in the package) Remove ha plugin
833+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
834+ - d/rules: Do not enable ha plugin
835+ - d/control: Drop listing the ha plugin in the package description
836+
837+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
838+
839 strongswan (5.6.1-2) unstable; urgency=medium
840
841 * move counters plugin from -starter to -libcharon. closes: #882431
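Review bot: in the "Dropped changes" list of the 5.6.1-2ubuntu1 entry, "(is upstream) CVE-2017-11185 patches" does not name the upstream release that contains the fix, so the claim cannot be checked from the changelog alone. Stating the version next to the item would make the dropped security delta auditable. Style point in the same entry: under "Added changes" the item "d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins" is bulleted with "-" while its siblings use "+", which makes it read as a sub-item of the ccm/test-vectors entry above it.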
842@@ -309,6 +1072,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
843
844 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
845
846+strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
847+
848+ * Fix Artful FTBFS due to newer glibc (LP: #1724859)
849+ - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
850+ files.
851+
852+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
853+
854+strongswan (5.5.1-4ubuntu2) artful; urgency=medium
855+
856+ * SECURITY UPDATE: Fix RSA signature verification
857+ - debian/patches/CVE-2017-11185.patch: does some
858+ verifications in order to avoid null-point dereference
859+ in src/libstrongswan/gmp/gmp_rsa_public_key.c
860+ - CVE-2017-11185
861+
862+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
863+
864+strongswan (5.5.1-4ubuntu1) artful; urgency=medium
865+
866+ * Merge from Debian to pick up latest security changes (CVE-2017-9022,
867+ CVE-2017-9023).
868+ * Remaining Changes:
869+ + Update init/service handling
870+ - d/rules: Change init/systemd program name to strongswan
871+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
872+ patching upstream
873+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
874+ linking to upstream
875+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
876+ - d/strongswan-starter.prerm: Stop strongswan service on package
877+ removal (as opposed to using the old init.d script).
878+ + Clean up d/strongswan-starter.postinst:
879+ - Removed section about runlevel changes
880+ - Adapted service restart section for Upstart (kept to be Trusty
881+ backportable).
882+ - Remove old symlinks to init.d files is necessary.
883+ - Removed further out-dated code
884+ - Removed entire section on opportunistic encryption - this was never in
885+ strongSwan.
886+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
887+ + Mass enablement of extra plugins and features to allow a user to use
888+ strongswan for a variety of use cases without having to rebuild.
889+ - d/control: Add required additional build-deps
890+ - d/rules: Enable features at configure stage
891+ - d/control: Mention addtionally enabled plugins
892+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
893+ - d/libstrongswan.install: Add plugins (so, conf)
894+ + d/rules: Disable duplicheck as per
895+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
896+ + Remove ha plugin (requires special kernel)
897+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
898+ - d/rules: Do not enable ha plugin
899+ - d/control: Drop listing the ha plugin in the package description
900+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
901+ via this userspace implementation (please do note that this is still
902+ considered experimental by upstream).
903+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
904+ - d/control: List kernel-libipsec plugin at extra plugins description
905+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
906+ upstream recommends to not load kernel-libipsec by default.
907+ + Relocate tnc plugin
908+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
909+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
910+ + d/strongswan-starter.install: Install pool feature, that useful due to
911+ having attr-sql plugin that is enabled now.
912+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
913+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
914+ - d/libstrongswan.install: Add plugins/confiles
915+ - d/control: move package descriptions and add required breaks/replaces
916+ + d/libstrongswan.install: Reorder conf and .so alphabetically
917+ + d/libstrongswan.install: Add kernel-netlink configuration files
918+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
919+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
920+ autopkgtest the bliss test takes longer than the default (Upstream in
921+ 5.5.2 via issue 2204)
922+ + Complete the disabling of libfast; This was partially accepted in Debian,
923+ it is no more packaging medcli and medsrv, but still builds and
924+ mentions it.
925+ - d/rules: Add --disable-fast to avoid build time and dependencies
926+ - d/control: Remove medcli, medsrv from package description
927+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
928+ "only" to extra-plugins Mgf1 is not listed as default plugin at
929+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
930+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
931+ libstrongswan-extra-plugins.
932+ + Add missing mention of md4 plugin in d/control
933+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
934+ missed that)
935+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
936+ plugins for the most common use cases from extra-plugins into a new
937+ standard-plugins package. This will allow those use cases without pulling
938+ in too much more plugins (a bit like the tnc package). Recommend that
939+ package from strongswan-libcharon.
940+
941+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
942+
943+strongswan (5.5.1-3ubuntu1) artful; urgency=medium
944+
945+ * Merge from Debian to pick up latest changes. Among others this includes:
946+ - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
947+ but likely have to wait until Debian stretch was released)
948+ - enabling mediation support (LP: #1657413)
949+ * Remaining Changes:
950+ + Update init/service handling
951+ - d/rules: Change init/systemd program name to strongswan
952+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
953+ patching upstream
954+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
955+ linking to upstream
956+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
957+ - d/strongswan-starter.prerm: Stop strongswan service on package
958+ removal (as opposed to using the old init.d script).
959+ + Clean up d/strongswan-starter.postinst:
960+ - Removed section about runlevel changes
961+ - Adapted service restart section for Upstart (kept to be Trusty
962+ backportable).
963+ - Remove old symlinks to init.d files is necessary.
964+ - Removed further out-dated code
965+ - Removed entire section on opportunistic encryption - this was never in
966+ strongSwan.
967+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
968+ + Mass enablement of extra plugins and features to allow a user to use
969+ strongswan for a variety of use cases without having to rebuild.
970+ - d/control: Add required additional build-deps
971+ - d/rules: Enable features at configure stage
972+ - d/control: Mention addtionally enabled plugins
973+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
974+ - d/libstrongswan.install: Add plugins (so, conf)
975+ + d/rules: Disable duplicheck as per
976+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
977+ + Remove ha plugin (requires special kernel)
978+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
979+ - d/rules: Do not enable ha plugin
980+ - d/control: Drop listing the ha plugin in the package description
981+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
982+ via this userspace implementation (please do note that this is still
983+ considered experimental by upstream).
984+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
985+ - d/control: List kernel-libipsec plugin at extra plugins description
986+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
987+ upstream recommends to not load kernel-libipsec by default.
988+ + Relocate tnc plugin
989+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
990+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
991+ + d/strongswan-starter.install: Install pool feature, that useful due to
992+ having attr-sql plugin that is enabled now.
993+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
994+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
995+ - d/libstrongswan.install: Add plugins/confiles
996+ - d/control: move package descriptions and add required breaks/replaces
997+ + d/libstrongswan.install: Reorder conf and .so alphabetically
998+ + d/libstrongswan.install: Add kernel-netlink configuration files
999+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1000+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1001+ autopkgtest the bliss test takes longer than the default (Upstream in
1002+ 5.5.2 via issue 2204)
1003+ + Complete the disabling of libfast; This was partially accepted in Debian,
1004+ it is no more packaging medcli and medsrv, but still builds and
1005+ mentions it.
1006+ - d/rules: Add --disable-fast to avoid build time and dependencies
1007+ - d/control: Remove medcli, medsrv from package description
1008+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1009+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1010+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1011+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1012+ libstrongswan-extra-plugins.
1013+ + Add missing mention of md4 plugin in d/control
1014+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1015+ missed that)
1016+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1017+ plugins for the most common use cases from extra-plugins into a new
1018+ standard-plugins package. This will allow those use cases without pulling
1019+ in too much more plugins (a bit like the tnc package). Recommend that
1020+ package from strongswan-libcharon.
1021+ * Dropped Changes:
1022+ + Add and install apparmor profiles (in Debian)
1023+ - d/rules: Install AppArmor profiles
1024+ - d/control: Add dh-apparmor build-dep
1025+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1026+ for charon, lookip and stroke
1027+ - d/libcharon-extra-plugins.install: Install profile for lookip
1028+ - d/strongswan-charon.install: Install profile for charon
1029+ - d/strongswan-starter.install: Install profile for stroke
1030+ - Fix strongswan ipsec status issue with apparmor
1031+ - Fix Dep8 tests for the now extra strongswan-pki package for pki
1032+ - Fix Dep8 tests for the now extra strongswan-scepclient package
1033+ + d/rules: Sorted and only one enable option per configure line (in
1034+ Debian)
1035+ + Add updated logcheck rules (in Debian)
1036+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1037+ - debian/strongswan.logcheck: Add updated logcheck rules
1038+ + Add updated DEP8 tests (in Debian)
1039+ - d/tests/*: Add DEP8 tests
1040+ - d/control: Enable autotestpkg
1041+ + d/rules: do not strip for library integrity checking (After Discussion
1042+ with Debian this isn't acceptable there, but at the same time it turned
1043+ out the real use-case of this never uses this lib but instead third
1044+ party checks of checksums for e.g. FIPS cert; so drop the Delta)
1045+ - Use override_dh_strip to to avoid overwriting user build flags.
1046+ - Add missing mention of libchecksum integrity test in d/control
1047+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1048+ in tests to avoid issues in low entropy environments. (Debian has
1049+ disabled !x86 tests for the same reason, one solution is enough)
1050+
1051+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
1052+
1053 strongswan (5.5.1-3) unstable; urgency=medium
1054
1055 [ Christian Ehrhardt ]
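Review bot: the 5.5.1-4ubuntu2 security entry gives the patched file for CVE-2017-11185 as "src/libstrongswan/gmp/gmp_rsa_public_key.c", while the CVE-2018-16151/CVE-2018-16152 entry earlier in this changelog refers to "src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c". One of the two paths is missing or adding the "plugins/" component; if the history is kept verbatim this is worth a comment in the MP so nobody searches for the wrong file when auditing the fix. The same entry also says "null-point dereference" where null-pointer is meant.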
1056@@ -342,6 +1312,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
1057
1058 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
1059
1060+strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
1061+
1062+ * Update Maintainers which was missed while merging 5.5.1-1.
1063+
1064+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
1065+
1066+strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
1067+
1068+ * Merge from Debian (complex delta, discussions and broken out changes can be
1069+ found in the merge proposal linked from the merge bug LP: #1631198)
1070+ * Remaining Changes:
1071+ + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
1072+ checking.
1073+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1074+ in tests to avoid issues in low entropy environments.
1075+ + Update init/service handling
1076+ - d/rules: Change init/systemd program name to strongswan
1077+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1078+ patching upstream
1079+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1080+ linking to upstream
1081+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1082+ - d/strongswan-starter.prerm: Stop strongswan service on package
1083+ removal (as opposed to using the old init.d script).
1084+ + Clean up d/strongswan-starter.postinst:
1085+ - Removed section about runlevel changes
1086+ - Adapted service restart section for Upstart (kept to be Trusty
1087+ backportable).
1088+ - Remove old symlinks to init.d files is necessary.
1089+ - Removed further out-dated code
1090+ - Removed entire section on opportunistic encryption - this was never in
1091+ strongSwan.
1092+ + Add and install apparmor profiles
1093+ - d/rules: Install AppArmor profiles
1094+ - d/control: Add dh-apparmor build-dep
1095+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1096+ for charon, lookip and stroke
1097+ - d/libcharon-extra-plugins.install: Install profile for lookip
1098+ - d/strongswan-charon.install: Install profile for charon
1099+ - d/strongswan-starter.install: Install profile for stroke
1100+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1101+ + d/rules: Sorted and only one enable option per configure line
1102+ + Mass enablement of extra plugins and features to allow a user to use
1103+ strongswan for a variety of use cases without having to rebuild.
1104+ - d/control: Add required additional build-deps
1105+ - d/rules: Enable features at configure stage
1106+ - d/control: Mention addtionally enabled plugins
1107+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1108+ - d/libstrongswan.install: Add plugins (so, conf)
1109+ + d/rules: Disable duplicheck as per
1110+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1111+ + Remove ha plugin (requires special kernel)
1112+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1113+ - d/rules: Do not enable ha plugin
1114+ - d/control: Drop listing the ha plugin in the package description
1115+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1116+ via this userspace implementation (please do note that this is still
1117+ considered experimental by upstream).
1118+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1119+ - d/control: List kernel-libipsec plugin at extra plugins description
1120+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1121+ upstream recommends to not load kernel-libipsec by default.
1122+ + Relocate tnc plugin
1123+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1124+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1125+ + d/strongswan-starter.install: Install pool feature, that useful due to
1126+ having attr-sql plugin that is enabled now.
1127+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1128+ - d/libstrongswan-extra-plugins.install: Remove plugins
1129+ - d/libstrongswan.install: Add plugins
1130+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1131+ + d/libstrongswan.install: Add kernel-netlink configuration files
1132+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1133+ + Add updated logcheck rules
1134+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1135+ - debian/strongswan.logcheck: Add updated logcheck rules
1136+ + Add updated DEP8 tests
1137+ - d/tests/*: Add DEP8 tests
1138+ - d/control: Enable autotestpkg
1139+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1140+ autopkgtest the bliss test takes longer than the default
1141+ + Complete the disabling of libfast
1142+ - Note: This was partially accepted in Debian, it is no more
1143+ packaging medcli and medsrv, but still builds and mentions it
1144+ - d/rules: Add --disable-fast to avoid build time and dependencies
1145+ - d/control: Remove medcli, medsrv from package description
1146+ * Dropped Changes:
1147+ + Adding build-dep to iptables-dev (no change, was only in Changelog)
1148+ + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
1149+ + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
1150+ upgrade path left needing them)
1151+ + Most of "disabling libfast" (Debian dropped it from package content)
1152+ + Transition for ipsec service (no upgrade path left)
1153+ + Reverted part of the cleanup to d/strongswan-starter.postinst as using
1154+ service should rather use invoke-rc.d (so it is a partial revert of our
1155+ delta)
1156+ + Transition handling (breaks/replaces) from per-plugin packages to the
1157+ three grouped plugin packages (no upgrade path left)
1158+ + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
1159+ it is effectively a no-op still, so not worth the delta)
1160+ + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1161+ (no more needed)
1162+ + d/rules: Remove configure option --enable-unit-test (unit tests run by
1163+ default)
1164+ * Added Changes:
1165+ + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
1166+ + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
1167+ the relocation of the ccm plugin which missed to move the conffiles.
1168+ + Complete move of test-vectors (was missing in d/control)
1169+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1170+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1171+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1172+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1173+ libstrongswan-extra-plugins.
1174+ + Add missing mention of md4 plugin in d/control
1175+ + Add missing mention of libchecksum integrity test in d/control
1176+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1177+ missed that)
1178+ + Use override_dh_strip to to fix library integrity checking instead of
1179+ DEB_BUILD_OPTION to avoid overwriting user build flags.
1180+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1181+ plugins for the most common use cases from extra-plugins into a new
1182+ standard-plugins package. This will allow those use cases without pulling
1183+ in too much more plugins (a bit like the tnc package). Recommend that
1184+ package from strongswan-libcharon (LP: #1640826).
1185+ + Fix Dep8 tests for the now extra strongswan-pki package for pki
1186+ + Fix Dep8 tests for the now extra strongswan-scepclient package
1187+
1188+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
1189+
1190 strongswan (5.5.1-1) unstable; urgency=medium
1191
1192 * New upstream bugfix release.
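Review bot: the entry signed by Christian Ehrhardt on 07 Nov 2016 documents the library integrity workaround twice, and the two statements conflict. Remaining Changes still lists "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while Added Changes says override_dh_strip is used "instead of DEB_BUILD_OPTION to avoid overwriting user build flags". The historical text should stay as uploaded, but the new top entry of this merge should name only the mechanism d/rules actually uses, so that someone auditing the delta can tell which one is in effect.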
1193@@ -458,6 +1558,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
1194
1195 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
1196
1197+strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
1198+
1199+ * Build-depend on libjson-c-dev instead of libjson0-dev.
1200+ * Rebuild against libjson-c3.
1201+
1202+ -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
1203+
1204+strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
1205+
1206+ * Rebuild against libmysqlclient20.
1207+
1208+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
1209+
1210+strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
1211+
1212+ * debian/tests/plugins: rdrand may or may not be loaded, depending on the
1213+ cpu features.
1214+
1215+ -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
1216+
1217+strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
1218+
1219+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1220+ Enable bliss plugin
1221+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1222+ Enable chapoly plugin
1223+ * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
1224+ Upstream suggests to not load this plugin by default as it has
1225+ some limitations.
1226+ https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
1227+ * debian/patches/increase-bliss-test-timeout.patch
1228+ Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
1229+ * Update Apparmor profiles
1230+ - usr.lib.ipsec.charon
1231+ - add capability audit_write for xauth-pam (LP: #1470277)
1232+ - add capability dac_override (needed by agent plugin)
1233+ - allow priv dropping (LP: #1333655)
1234+ - allow caching CRLs (LP: #1505222)
1235+ - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
1236+ - usr.lib.ipsec.stroke
1237+ - allow priv dropping (LP: #1333655)
1238+ - add local include
1239+ - usr.lib.ipsec.lookip
1240+ - add local include
1241+ * Merge from Debian, which includes fixes for all previous CVEs
1242+ Fixes (LP: #1330504, #1451091, #1448870, #1470277)
1243+ Remaining changes:
1244+ * debian/control
1245+ - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1246+ - Update Maintainer for Ubuntu
1247+ - Add build-deps
1248+ - dh-apparmor
1249+ - iptables-dev
1250+ - libjson0-dev
1251+ - libldns-dev
1252+ - libmysqlclient-dev
1253+ - libpcsclite-dev
1254+ - libsoup2.4-dev
1255+ - libtspi-dev
1256+ - libunbound-dev
1257+ - Drop build-deps
1258+ - libfcgi-dev
1259+ - clearsilver-dev
1260+ - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1261+ - Set XS-Testsuite: autopkgtest
1262+ * debian/rules:
1263+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1264+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1265+ tests.
1266+ - Change init/systemd program name to strongswan
1267+ - Install AppArmor profiles
1268+ - Removed pieces on 'patching ipsec.conf' on build.
1269+ - Enablement of features per Ubuntu current config suggested from
1270+ upstream recommendation
1271+ - Unpack and sort enabled features to one-per-line
1272+ - Disable duplicheck as per
1273+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1274+ - Disable libfast (--disable-fast):
1275+ Requires dropping medsrv, medcli plugins which depend on libfast
1276+ - Add configure options
1277+ --with-tss=trousers
1278+ - Remove configure options:
1279+ --enable-ha (requires special kernel)
1280+ --enable-unit-test (unit tests run by default)
1281+ - Drop logcheck install
1282+ * debian/tests/*
1283+ - Add DEP8 test for strongswan service and plugins
1284+ * debian/strongswan-starter.strongswan.service
1285+ - Add new systemd file instead of patching upstream
1286+ * debian/strongswan-starter.links
1287+ - removed, use Ubuntu systemd file instead of linking to upstream
1288+ * debian/usr.lib.ipsec.{charon, lookip, stroke}
1289+ - added AppArmor profiles for charon, lookip and stroke
1290+ * debian/libcharon-extra-plugins.install
1291+ - Add plugins
1292+ - kernel-libipsec.{so, lib, conf, apparmor}
1293+ - Remove plugins
1294+ - libstrongswan-ha.so
1295+ - Relocate plugins
1296+ - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1297+ * debian/libstrongswan-extra-plugins.install
1298+ - Add plugins (so, lib, conf)
1299+ - acert
1300+ - attr-sql
1301+ - coupling
1302+ - dnscert
1303+ - fips-prf
1304+ - gmp
1305+ - ipseckey
1306+ - load-tester
1307+ - mysql
1308+ - ntru
1309+ - radattr
1310+ - soup
1311+ - sqlite
1312+ - sql
1313+ - systime-fix
1314+ - unbound
1315+ - whitelist
1316+ - Relocate plugins (so, lib, conf)
1317+ - ccm (libstrongswan.install)
1318+ - test-vectors (libstrongswan.install)
1319+ * debian/libstrongswan.install
1320+ - Sort sections
1321+ - Add plugins (so, lib, conf)
1322+ - libchecksum
1323+ - ccm
1324+ - eap-identity
1325+ - md4
1326+ - test-vectors
1327+ * debian/strongswan-charon.install
1328+ - Add AppArmor profile for charon
1329+ * debian/strongswan-starter.install
1330+ - Add tools, manpages, conf
1331+ - openac
1332+ - pool
1333+ - _updown_espmark
1334+ - Add AppArmor profile for stroke
1335+ * debian/strongswan-tnc-base.install
1336+ - Add new subpackage for TNC
1337+ - remove non-existent (dropped in 5.2.1) libpts library files
1338+ * debian/strongswan-tnc-client.install
1339+ - Add new subpackage for TNC
1340+ * debian/strongswan-tnc-ifmap.install
1341+ - Add new subpackage for TNC
1342+ * debian/strongswan-tnc-pdp.install
1343+ - Add new subpackage for TNC
1344+ * debian/strongswan-tnc-server.install
1345+ - Add new subpackage for TNC
1346+ * debian/strongswan-starter.postinit:
1347+ - Removed section about runlevel changes, it's almost 2014.
1348+ - Adapted service restart section for Upstart.
1349+ - Remove old symlinks to init.d files is necessary.
1350+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1351+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1352+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1353+ removal (as opposed to using the old init.d script).
1354+ * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1355+ - logcheck patterns updated to be helpful
1356+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1357+ entire section on opportunistic encryption - this was never in strongSwan.
1358+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1359+ Drop changes:
1360+ * debian/control
1361+ - Per-plugin package breakup: Reducing packaging delta from Debian
1362+ - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1363+ * debian/watch: Already exists in Debian merge
1364+ * debian/upstream/signing-key.asc: Upstream has newer version.
1365+
1366+ -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1367+
1368 strongswan (5.3.5-1) unstable; urgency=medium
1369
1370 * New upstream bugfix release.
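Review bot: in the 5.3.5-1ubuntu1 entry, the usr.lib.ipsec.charon profile gains "capability dac_override (needed by agent plugin)" and rw access to /dev/net/tun for kernel-libipsec, and both grants deserve a recheck on every merge. dac_override lets the confined process bypass discretionary file permission checks, so it is the widest rule in that list. Please confirm that the profile carried forward still needs both, given that the same entry adds dont-load-kernel-libipsec-plugin-by-default.patch and the plugin is therefore not loaded in the default configuration.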
1371@@ -730,6 +2001,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
1372
1373 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
1374
1375+strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1376+
1377+ * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1378+
1379+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1380+
1381+strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1382+
1383+ * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1384+ - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1385+ MSK was established in
1386+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1387+ - CVE-2015-8023
1388+ * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1389+ until regression is properly investigated.
1390+
1391+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1392+
1393+strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1394+
1395+ * SECURITY UPDATE: user credential disclosure to rogue servers
1396+ - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1397+ config before proceeding with own authentication in
1398+ src/libcharon/sa/ikev2/tasks/ike_auth.c.
1399+ - CVE-2015-4171
1400+ * debian/rules: don't FTBFS from unused service file
1401+
1402+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1403+
1404+strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1405+
1406+ * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1407+
1408+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1409+
1410+strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1411+
1412+ * SECURITY UPDATE: denial of service via DH group 1025
1413+ - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1414+ IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1415+ src/libstrongswan/crypto/diffie_hellman.h.
1416+ - CVE-2014-9221
1417+
1418+ -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1419+
1420+strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1421+
1422+ * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1423+ build.
1424+
1425+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1426+
1427+strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1428+
1429+ * SECURITY UPDATE: remote authentication bypass
1430+ - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1431+ on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1432+ - CVE-2014-2338
1433+
1434+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1435+
1436+strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1437+
1438+ * New upstream release.
1439+
1440+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1441+
1442+strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1443+
1444+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1445+ * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1446+
1447+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1448+
1449+strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1450+
1451+ * New upstream release candidate.
1452+
1453+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1454+
1455+strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1456+
1457+ * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1458+ packages.
1459+ * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1460+
1461+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1462+
1463+strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1464+
1465+ * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1466+
1467+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1468+
1469+strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1470+
1471+ * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1472+ as it's only useful on amd64.
1473+ * debian/watch: Added opts=pgpsigurlmangle option.
1474+ * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1475+
1476+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1477+
1478+strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1479+
1480+ * New upstream release candidate.
1481+ * debian/*.install - include new configuration files for plugins in
1482+ appropiate packages.
1483+
1484+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1485+
1486+strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1487+
1488+ * debian/control:
1489+ - Added Breaks/Replaces for all library files which have been moved
1490+ about (LP: #1278176).
1491+ - Removed build-dependency on check and added one on dh-apparmor.
1492+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1493+ entire section on opportunistic encryption - this was never in strongSwan.
1494+ * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1495+
1496+ -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1497+
1498+strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1499+
1500+ * debian/control: Fixed references to plugin-fips-prf.
1501+
1502+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1503+
1504+strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1505+
1506+ * Upstream Git snapshot for build fixes with regards to entropy.
1507+ * debian/rules:
1508+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1509+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1510+ tests.
1511+
1512+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1513+
1514+strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1515+
1516+ * New upstream developer release.
1517+ * Made changes to packaging per upstream suggestions.
1518+ - Dropped medcli and medsrv packages - not recommended by upstream at this
1519+ time.
1520+ - Dropped ha plugin - needs special kernel.
1521+ - Improved all package descriptions in general.
1522+ - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1523+ - Removed debian/*logcheck* files - not relevant to strongSwan.
1524+ - Split dhcp and farp packages into sub-packages.
1525+ - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1526+ - Changes to TNC-related packages.
1527+ * Created AppArmor profiles for lookip and stroke.
1528+
1529+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1530+
1531+strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1532+
1533+ * libstrongswan.install: Removed lingering unit-tester.so reference.
1534+
1535+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1536+
1537+strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1538+
1539+ * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1540+ Incorporates upstream fixes for:
1541+ - Integrity testing.
1542+ - Unit test failures on little endian systems.
1543+ * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1544+ upstream.
1545+ * debian/rules:
1546+ - Stop using CK_TIMEOUT_MULTIPLIER.
1547+ - Stop enabling the test suite only on non-powerpc arches (it runs
1548+ anyway).
1549+
1550+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1551+
1552+strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1553+
1554+ * debian/control: Reinstate missing comma in dependencies.
1555+
1556+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
1557+
1558+strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
1559+
1560+ * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
1561+ where test for >2038 tests on 32-bit platforms is broken.
1562+ - Reported upstream: https://wiki.strongswan.org/issues/477
1563+ * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
1564+
1565+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
1566+
1567+strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
1568+
1569+ * New upstream developer release.
1570+ * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
1571+ and --enable-unity.
1572+ * debian/control:
1573+ - New plugin packages created for the above
1574+ - Split fips-prf into its own package.
1575+ - Added build-dependency on libsoup2.4-dev.
1576+
1577+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
1578+
1579 strongswan (5.1.1-3) unstable; urgency=low
1580
1581 * Upload to unstable.
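Review bot: the 5.1.2-0ubuntu7 entry adds debian/patches/disable_ntru_test.patch to "disable test causing FTBFS until regression is properly investigated", and none of the newer entries shown in this part of the diff records that patch being dropped or the investigation being closed. Since the debian/control change in this same proposal advertises the ntru plugin in the extra plugins description, please state in the merge description whether the ntru tests run in the current build or whether the test is still disabled.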
1582@@ -821,6 +2296,192 @@ strongswan (5.1.1-1) unstable; urgency=low
1583
1584 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
1585
1586+strongswan (5.1.1-0ubuntu17) trusty; urgency=low
1587+
1588+ * debian/control:
1589+ - Make strongswan-ike depend on iproute2.
1590+ - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
1591+ - Created strongswan-libfast package.
1592+
1593+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
1594+
1595+strongswan (5.1.1-0ubuntu16) trusty; urgency=low
1596+
1597+ * debian/control:
1598+ - Further splitting of plugins into subpackages (such as all EAP plugins
1599+ to their own packages).
1600+ - Added libpcsclite-dev to build-dependencies.
1601+ * debian/rules:
1602+ - Sort configure options in alphabetical order.
1603+ - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
1604+ --enable-eap-sim-file, --enable-eap-sim-pcsc,
1605+ --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
1606+ --enable-eap-simaka-sql.
1607+ - Don't exclude medsrv from install.
1608+ * Moved eap-identity.so to libstrongswan package as it's used by all the
1609+ other EAP plugins.
1610+
1611+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
1612+
1613+strongswan (5.1.1-0ubuntu15) trusty; urgency=low
1614+
1615+ * debian/control:
1616+ - Split plugins from libstrongswan package into modular subpackages.
1617+ - Added libmysqlclient-dev to build-dependencies.
1618+ - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
1619+ strongswan-plugins-gcrypt.
1620+ - strongswan-ike: All other plugins added to Suggests.
1621+ - Created two new TNC packages: strongswan-tnc-ifmap and
1622+ strongswan-tnc-pdp and added to tnc-imcvs Suggests.
1623+ * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
1624+ --enable-error-notify, --enable-mysql, --enable-load-tester,
1625+ --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
1626+ * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
1627+
1628+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
1629+
1630+strongswan (5.1.1-0ubuntu14) trusty; urgency=low
1631+
1632+ * debian/rules:
1633+ - CK_TIMEOUT_MULTIPLIER back down to 6.
1634+ - Disable unit tests on powerpc.
1635+
1636+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
1637+
1638+strongswan (5.1.1-0ubuntu13) trusty; urgency=low
1639+
1640+ * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
1641+
1642+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
1643+
1644+strongswan (5.1.1-0ubuntu12) trusty; urgency=low
1645+
1646+ * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
1647+ armhf.
1648+
1649+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
1650+
1651+strongswan (5.1.1-0ubuntu11) trusty; urgency=low
1652+
1653+ * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
1654+ one extra arch.
1655+ * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
1656+
1657+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
1658+
1659+strongswan (5.1.1-0ubuntu10) trusty; urgency=low
1660+
1661+ * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
1662+ - Increases RSA key generate test timeout to 30 seconds so that it doesn't
1663+ fail on armhf, arm64, and powerppc.
1664+ * Contrary to what the last changelog entry says, we are still running
1665+ strongswan as root (with AppArmor protection).
1666+
1667+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
1668+
1669+strongswan (5.1.1-0ubuntu9) trusty; urgency=low
1670+
1671+ * debian/rules: Added to configure options:
1672+ - --enable-tnc-ifmap: enable TNC IF-MAP module.
1673+ - --enable-duplicheck: enable duplicheck plugin.
1674+ - --enable-imv-swid, --enable-imc-swid: Added.
1675+ - Run strongswan as it's own user.
1676+ * debian/strongswan-starter.install: Install duplicheck.
1677+ * debian/strongswan-tnc-imcvs.install: Install swidtags.
1678+
1679+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
1680+
1681+strongswan (5.1.1-0ubuntu8) trusty; urgency=low
1682+
1683+ * debian/rules: Added to configure options:
1684+ - --enable-unit-tests: check unit testing on build.
1685+ - --enable-unbound: for validating DNS lookups.
1686+ - --enable-dnscert: for DNSCERT peer authentication.
1687+ - --enable-ipseckey: for IPSEC key authentication.
1688+ - --enable-lookip: for LookIP functionality.
1689+ - --enable-coupling: certificate coupling functionality.
1690+ * debian/control: Added check, libldns-dev, libunbound-dev to
1691+ build-dependencies.
1692+ * debian/libstrongswan.install: Install new plugin .so's.
1693+ * debian/strongswan-starter.install: Added lookip.
1694+
1695+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
1696+
1697+strongswan (5.1.1-0ubuntu7) trusty; urgency=low
1698+
1699+ * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
1700+ the former from depending on the latter).
1701+
1702+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
1703+
1704+strongswan (5.1.1-0ubuntu6) trusty; urgency=low
1705+
1706+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1707+ removal (as opposed to using the old init.d script).
1708+
1709+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
1710+
1711+strongswan (5.1.1-0ubuntu5) trusty; urgency=low
1712+
1713+ * debian/rules:
1714+ - CONFIGUREARGS: Merged Debian and RPM options.
1715+ - Brings in TNC functionality.
1716+ * debian/control:
1717+ - Added build-dependency on libtspi-dev.
1718+ - Created strongswan-tnc-imcvs binary package for TNC components.
1719+ - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
1720+ * debian/libstrongswan.install:
1721+ - Included newly built MD4 and SQLite libraries.
1722+ - Removed 'tnc' references (moved to TNC package).
1723+ * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
1724+ binaries.
1725+ * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
1726+
1727+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
1728+
1729+strongswan (5.1.1-0ubuntu4) trusty; urgency=low
1730+
1731+ * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
1732+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1733+ * debian/control: strongswan-ike - Stop depending on ipsec-tools.
1734+
1735+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
1736+
1737+strongswan (5.1.1-0ubuntu3) trusty; urgency=low
1738+
1739+ * strongswan-starter.strongswan.upstart - Only start strongSwan when a
1740+ network connection is available.
1741+ * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
1742+ 1.16.1 - to make precise backporting easier.
1743+
1744+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
1745+
1746+strongswan (5.1.1-0ubuntu2) trusty; urgency=low
1747+
1748+ * strongswan-starter.strongswan.upstart - Created Upstart job for
1749+ strongSwan.
1750+ * debian/rules: Set dh_installinit to install above file.
1751+ * debian/strongswan-starter.postinit:
1752+ - Removed section about runlevel changes, it's almost 2014.
1753+ - Adapted service restart section for Upstart.
1754+ - Remove old symlinks to init.d files is necessary.
1755+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1756+
1757+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
1758+
1759+strongswan (5.1.1-0ubuntu1) trusty; urgency=low
1760+
1761+ * New upstream release.
1762+ * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
1763+ * debian/control: Updated Standards-Version to 3.9.5 and applied
1764+ XSBC-Original-Maintainer policy.
1765+ * strongswan-starter.install:
1766+ - pki tool is now in /usr/bin.
1767+ - Install pt-tls-client.
1768+ - Install manpages (LP: #1206263).
1769+
1770+ -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
1771+
1772 strongswan (5.1.0-3) unstable; urgency=high
1773
1774 * urgency=high for the security fixes.
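Review bot: the 5.1.1-0ubuntu9 entry claims "Run strongswan as it's own user" and the 5.1.1-0ubuntu10 entry retracts it with "we are still running strongswan as root (with AppArmor protection)", so this history relies on AppArmor as the only confinement for a root daemon. No change to the historical text is needed, but the merge should be checked against that assumption: the AppArmor profiles for charon, lookip and stroke have to be installed by the resulting packages, otherwise the daemon runs as root with no confinement at all.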
1775diff --git a/debian/control b/debian/control
1776index 9ed97b7..06faee6 100644
1777--- a/debian/control
1778+++ b/debian/control
1779@@ -1,7 +1,8 @@
1780 Source: strongswan
1781 Section: net
1782 Priority: optional
1783-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
1784+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
1785+XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
1786 Uploaders: Yves-Alexis Perez <corsac@debian.org>
1787 Standards-Version: 4.6.0
1788 Vcs-Browser: https://salsa.debian.org/debian/strongswan
1789@@ -136,6 +137,7 @@ Description: strongSwan utility and crypto library (extra plugins)
1790 - gcrypt (Crypto backend based on libgcrypt, provides
1791 RSA/DH/ciphers/hashers/rng)
1792 - ldap (LDAP fetching plugin based on libldap)
1793+ - ntru (key exchanged based on post-quantum computer NTRU)
1794 - padlock (VIA padlock crypto backend, provides AES128/SHA1)
1795 - pkcs11 (PKCS#11 smartcard backend)
1796 - rdrand (High quality / high performance random source using the Intel
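Review bot: the added description line "ntru (key exchanged based on post-quantum computer NTRU)" is garbled user-facing text in the package description. Suggest something like "ntru (key exchange using the post-quantum NTRU scheme)", which also matches the noun-phrase style of the neighbouring gcrypt, ldap and padlock lines.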
1797@@ -203,6 +205,9 @@ Description: strongSwan charon library (extra plugins)
1798 - unity (Cisco Unity extensions for IKEv1)
1799 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
1800 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
1801+ - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
1802+ requested/supported by the client (since 5.0.1))
1803+ - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
1804
1805 Package: strongswan-starter
1806 Architecture: any
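Review bot: eap-dynamic and eap-peap are appended after xauth-pam, which breaks the alphabetical order the list otherwise keeps (unity, xauth-eap, xauth-pam), whereas the matching lines in debian/libcharon-extra-plugins.install are inserted in sorted position. If appending is deliberate to keep the delta against Debian easy to rebase, a short remark in the changelog would help. The "(since 5.0.1)" remark can also be dropped, as it tells a user of this package version nothing.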
1807@@ -210,9 +215,9 @@ Pre-Depends: ${misc:Pre-Depends}
1808 Depends: adduser,
1809 libstrongswan (= ${binary:Version}),
1810 lsb-base (>= 3.0-6),
1811+ strongswan-charon,
1812 ${misc:Depends},
1813 ${shlibs:Depends}
1814-Recommends: strongswan-charon
1815 Conflicts: openswan
1816 Description: strongSwan daemon starter and configuration file parser
1817 The strongSwan VPN suite uses the native IPsec stack in the standard
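Review bot: moving strongswan-charon from Recommends to Depends of strongswan-starter is a behavioural change for anyone installing with --no-install-recommends, and none of the changelog entries shown in this part of the diff gives the reason. Together with the next hunk it inverts the dependency direction between the two packages, so please make sure the Remaining Changes list names this delta and why it is carried.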
1818@@ -251,9 +256,9 @@ Architecture: any
1819 Pre-Depends: debconf | debconf-2.0
1820 Depends: iproute2 [linux-any] | iproute [linux-any],
1821 libstrongswan (= ${binary:Version}),
1822- strongswan-starter,
1823 ${misc:Depends},
1824 ${shlibs:Depends}
1825+Recommends: strongswan-starter,
1826 Provides: ike-server
1827 Description: strongSwan Internet Key Exchange daemon
1828 The strongSwan VPN suite uses the native IPsec stack in the standard
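Review bot: the added line `+Recommends: strongswan-starter,` ends with a comma although it is the only entry in the field and is followed directly by `Provides:`. It looks like a leftover from when the entry sat in the multi-line Depends list. Suggest dropping the trailing comma so the field reads `Recommends: strongswan-starter`.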
1829diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
1830index 94fbabd..91ca716 100644
1831--- a/debian/libcharon-extra-plugins.install
1832+++ b/debian/libcharon-extra-plugins.install
1833@@ -2,9 +2,11 @@
1834 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
1835 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
1836 usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
1837+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
1838 usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
1839 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
1840 usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
1841+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
1842 usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
1843 usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
1844 usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
1845@@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
1846 usr/share/strongswan/templates/config/plugins/addrblock.conf
1847 usr/share/strongswan/templates/config/plugins/certexpire.conf
1848 usr/share/strongswan/templates/config/plugins/eap-aka.conf
1849+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
1850 usr/share/strongswan/templates/config/plugins/eap-gtc.conf
1851 usr/share/strongswan/templates/config/plugins/eap-identity.conf
1852 usr/share/strongswan/templates/config/plugins/eap-md5.conf
1853+usr/share/strongswan/templates/config/plugins/eap-peap.conf
1854 usr/share/strongswan/templates/config/plugins/eap-radius.conf
1855 usr/share/strongswan/templates/config/plugins/eap-tls.conf
1856 usr/share/strongswan/templates/config/plugins/eap-tnc.conf
1857@@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf
1858 etc/strongswan.d/charon/addrblock.conf
1859 etc/strongswan.d/charon/certexpire.conf
1860 etc/strongswan.d/charon/eap-aka.conf
1861+etc/strongswan.d/charon/eap-dynamic.conf
1862 etc/strongswan.d/charon/eap-gtc.conf
1863 etc/strongswan.d/charon/eap-identity.conf
1864 etc/strongswan.d/charon/eap-md5.conf
1865+etc/strongswan.d/charon/eap-peap.conf
1866 etc/strongswan.d/charon/eap-radius.conf
1867 etc/strongswan.d/charon/eap-tls.conf
1868 etc/strongswan.d/charon/eap-tnc.conf
1869diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript
1870new file mode 100644
1871index 0000000..f6e7a3a
1872--- /dev/null
1873+++ b/debian/libcharon-extra-plugins.maintscript
1874@@ -0,0 +1,8 @@
1875+rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1876+rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1877+rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1878+rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1879+rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1880+rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1881+rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
1882+rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
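Review bot: this new maintscript removes eight conffiles but gives no indication of why they are obsolete; none of these paths appears among the conffiles in the visible hunks of debian/libcharon-extra-plugins.install, so presumably the plugins are no longer shipped in this package. Please make sure the reason is documented with the Ubuntu delta, together with a note on when the entries can be dropped: all eight use `5.8.4-1ubuntu2~` as the prior version, so they only matter for upgrades from older versions. It is also worth checking on an upgrade test that a locally modified copy of one of these files is preserved rather than silently deleted.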
1883diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
1884index 2846e21..8f71239 100644
1885--- a/debian/libstrongswan-extra-plugins.install
1886+++ b/debian/libstrongswan-extra-plugins.install
1887@@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
1888 usr/lib/ipsec/plugins/libstrongswan-curve25519.so
1889 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
1890 usr/lib/ipsec/plugins/libstrongswan-ldap.so
1891+usr/lib/ipsec/plugins/libstrongswan-ntru.so
1892 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
1893 usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
1894 usr/lib/ipsec/plugins/libstrongswan-tpm.so
1895@@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf
1896 usr/share/strongswan/templates/config/plugins/curve25519.conf
1897 usr/share/strongswan/templates/config/plugins/gcrypt.conf
1898 usr/share/strongswan/templates/config/plugins/ldap.conf
1899+usr/share/strongswan/templates/config/plugins/ntru.conf
1900 usr/share/strongswan/templates/config/plugins/pkcs11.conf
1901 usr/share/strongswan/templates/config/plugins/test-vectors.conf
1902 usr/share/strongswan/templates/config/plugins/tpm.conf
1903@@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf
1904 etc/strongswan.d/charon/curve25519.conf
1905 etc/strongswan.d/charon/gcrypt.conf
1906 etc/strongswan.d/charon/ldap.conf
1907+etc/strongswan.d/charon/ntru.conf
1908 etc/strongswan.d/charon/pkcs11.conf
1909 etc/strongswan.d/charon/test-vectors.conf
1910 etc/strongswan.d/charon/tpm.conf
1911diff --git a/debian/rules b/debian/rules
1912index 2fed1f1..8ca4bd7 100755
1913--- a/debian/rules
1914+++ b/debian/rules
1915@@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
1916 --enable-curl \
1917 --enable-eap-aka \
1918 --enable-eap-gtc \
1919+ --enable-eap-dynamic \
1920 --enable-eap-identity \
1921 --enable-eap-md5 \
1922 --enable-eap-mschapv2 \
1923+ --enable-eap-peap \
1924 --enable-eap-radius \
1925 --enable-eap-tls \
1926 --enable-eap-tnc \
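Review bot: `--enable-eap-dynamic` is inserted after `--enable-eap-gtc`, which breaks the alphabetical order of the `--enable-eap-*` flags in this block (`eap-aka`, `eap-gtc`, `eap-dynamic`, `eap-identity`). In debian/libcharon-extra-plugins.install the same plugin is listed before `eap-gtc`. Suggest moving the flag up one line to sit between `--enable-eap-aka` and `--enable-eap-gtc`, which keeps the two files consistent and makes it easier to audit which plugins are built against which are installed.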
1927@@ -32,6 +34,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
1928 --enable-led \
1929 --enable-lookip \
1930 --enable-mediation \
1931+ --enable-ntru \
1932 --enable-openssl \
1933 --enable-pkcs11 \
1934 --enable-test-vectors \
