Merge ~paride/ubuntu/+source/strongswan:merge-5.9.4-1-JAMMY into ubuntu/+source/strongswan:debian/sid
Status: | Merged
---|---
Merge reported by: | Paride Legovini
Merged at revision: | 577790f58fac4374a6598a10944da89f26db810e
Proposed branch: | ~paride/ubuntu/+source/strongswan:merge-5.9.4-1-JAMMY
Merge into: | ubuntu/+source/strongswan:debian/sid
Diff against target: | 1934 lines (+1689/-3), 6 files modified: debian/changelog (+1661/-0), debian/control (+8/-3), debian/libcharon-extra-plugins.install (+6/-0), debian/libcharon-extra-plugins.maintscript (+8/-0), debian/libstrongswan-extra-plugins.install (+3/-0), debian/rules (+3/-0)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Christian Ehrhardt (community) | | | Approve
Canonical Server | | | Pending
git-ubuntu import | | | Pending

Review via email: mp+411793@code.launchpad.net
Commit message
Description of the change
Paride Legovini (paride) wrote (last edit ):
Christian Ehrhardt (paelzer) wrote:
* Changelog:
- [+] old content and logical tag match as expected
- [+] changelog entry correct version and targeted codename
- [+] changelog entries correct
- [+] bug references correct
- [+] update-maintainer has been run
* Merge - Indirect Changes:
- [+] no upstream changes to consider
- [+] no further upstream version to consider
- [+] debian changes look safe
* Merge - Old Delta:
- [+] dropped changes are ok to be dropped
- [+] nothing else to drop
This is the last time we see "Remove conf files of plugins removed from
libcharon-
- [+] changes forwarded upstream/debian (no new ones, the old was forwarded
and accepted, the rest is Ubuntu only)
* New Delta:
- [+] no new patches added
* Git/Maintenance
- [+] commits are properly split (more important on -dev than on SRUs)
* Build/Test:
- [+] build is ok
- [+] verified PPA package installs/uninstalls
- [+] autopkgtest against the PPA package passes
- [+] sanity checks test fine
In addition I have run some older strongswan testing I had using two VMs driving traffic between them. 5.9.4-1ubuntu1~
TL;DR: LGTM +1
Paride Legovini (paride) wrote:
Thanks! Uploaded:
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Uploading strongswan_
Christian Ehrhardt (paelzer) wrote:
This is merged, including your later FTBFS in
https:/
and a no change rebuild for openssl3
https:/
strongswan | 5.9.4-1ubuntu3 | jammy | source, all
Completed, please set the MR to merged (plenty of pings today as I can't do that anymore nowadays :-/ )
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 62a3611..420061f 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,31 @@ |
6 | +strongswan (5.9.4-1ubuntu1) jammy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
10 | + therefore bump the dependency from Recommends to Depends. At the same |
11 | + time avoid a circular dependency by dropping |
12 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
13 | + binaries can work without the services but not vice versa. |
14 | + - re-add post-quantum encryption algorithm (NTRU) (LP #1863749) |
15 | + + d/control: mention plugins in package description |
16 | + + d/rules: enable ntru at build time |
17 | + + d/libstrongswan-extra-plugins.install: ship config and shared objects |
18 | + - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887) |
19 | + + d/control: update libcharon-extra-plugins description. |
20 | + + d/libcharon-extra-plugins.install: install .so and conf files. |
21 | + + d/rules: add plugins to the configuration arguments. |
22 | + - Remove conf files of plugins removed from libcharon-extra-plugins |
23 | + + The conf file of the following plugins were removed: eap-aka-3gpp2, |
24 | + eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, |
25 | + eap-simaka-reauth, eap-simaka-sql, xauth-noauth. |
26 | + + Created d/libcharon-extra-plugins.maintscript to handle the removals |
27 | + properly. |
28 | + * Dropped changes: |
29 | + - Compile the tpm plugin against the tpm2 software stack (tss2). |
30 | + Merged in Debian (5.9.4-1). |
31 | + |
32 | + -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100 |
33 | + |
34 | strongswan (5.9.4-1) unstable; urgency=medium |
35 | |
36 | [ Paride Legovini ] |
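Review bot: the bug references in the "Remaining changes" list of the new 5.9.4-1ubuntu1 entry use two different forms, "(LP #1863749)" on the NTRU item and "(LP: 1878887)" on the eap-{dynamic,peap} item, and neither is the "LP: #NNNNNNN" form the file uses where a bug is first fixed (for example in 5.8.4-1ubuntu2). If the altered form is deliberate for carried-forward delta, pick one and use it for both items; the 5.9.1-1ubuntu1 entry wrote "(LP: 1863749)". The "Dropped changes" item for the tpm plugin also omits the bug number its original 5.9.1-1ubuntu3 entry carried (1940079), and adding it would keep the drop traceable.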
37 | @@ -14,6 +42,62 @@ strongswan (5.9.4-1) unstable; urgency=medium |
38 | |
39 | -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200 |
40 | |
41 | +strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium |
42 | + |
43 | + * SECURITY UPDATE: Integer Overflow in gmp Plugin |
44 | + - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with |
45 | + negative salt length in |
46 | + src/libstrongswan/credentials/keys/signature_params.c, |
47 | + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. |
48 | + - CVE-2021-41990 |
49 | + * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache |
50 | + - debian/patches/CVE-2021-41991.patch: prevent crash due to integer |
51 | + overflow/sign change in |
52 | + src/libstrongswan/credentials/sets/cert_cache.c. |
53 | + - CVE-2021-41991 |
54 | + |
55 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400 |
56 | + |
57 | +strongswan (5.9.1-1ubuntu3) impish; urgency=medium |
58 | + |
59 | + * Compile the tpm plugin against the tpm2 software stack (tss2) |
60 | + (Debian packaging cherry-pick, LP: #1940079) |
61 | + - d/rules: add the --enable-tss-tss2 configure flag |
62 | + - d/control: add Build-Depends: libtss2-dev |
63 | + |
64 | + -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200 |
65 | + |
66 | +strongswan (5.9.1-1ubuntu2) impish; urgency=medium |
67 | + |
68 | + * No-change rebuild due to OpenLDAP soname bump. |
69 | + |
70 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400 |
71 | + |
72 | +strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium |
73 | + |
74 | + * Merge with Debian unstable. Remaining changes: |
75 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
76 | + therefore bump the dependency from Recommends to Depends. At the same |
77 | + time avoid a circular dependency by dropping |
78 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
79 | + binaries can work without the services but not vice versa. |
80 | + - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749) |
81 | + + d/control: mention plugins in package description |
82 | + + d/rules: enable ntru at build time |
83 | + + d/libstrongswan-extra-plugins.install: ship config and shared objects |
84 | + - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887) |
85 | + + d/control: update libcharon-extra-plugins description. |
86 | + + d/libcharon-extra-plugins.install: install .so and conf files. |
87 | + + d/rules: add plugins to the configuration arguments. |
88 | + - Remove conf files of plugins removed from libcharon-extra-plugins |
89 | + + The conf file of the following plugins were removed: eap-aka-3gpp2, |
90 | + eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, |
91 | + eap-simaka-reauth, eap-simaka-sql, xauth-noauth. |
92 | + + Created d/libcharon-extra-plugins.maintscript to handle the removals |
93 | + properly. |
94 | + |
95 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100 |
96 | + |
97 | strongswan (5.9.1-1) unstable; urgency=medium |
98 | |
99 | * New upstream version 5.9.1 |
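Review bot: the two patches introduced by the 5.9.1-1ubuntu3.1 entry, debian/patches/CVE-2021-41990.patch and debian/patches/CVE-2021-41991.patch, are not accounted for in the 5.9.4-1ubuntu1 entry at the top of the file, which lists only the tpm plugin change under "Dropped changes" and neither patch under "Remaining changes". If they were dropped because the new upstream version already contains the fixes, add a "Dropped changes" item that says so and names both CVE ids, the way the 5.7.1-1ubuntu1 entry records its dropped security updates under "Dropped (in Debian now)". That lets anyone auditing the package confirm from the changelog alone that the two integer-overflow fixes were not lost in the merge.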
100 | @@ -28,6 +112,45 @@ strongswan (5.9.0-1) unstable; urgency=medium |
101 | |
102 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200 |
103 | |
104 | +strongswan (5.8.4-1ubuntu2) groovy; urgency=medium |
105 | + |
106 | + * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887) |
107 | + - d/control: update libcharon-extra-plugins description. |
108 | + - d/libcharon-extra-plugins.install: install .so and conf files. |
109 | + - d/rules: add plugins to the configuration arguments. |
110 | + * Remove conf files of plugins removed from libcharon-extra-plugins |
111 | + - The conf file of the following plugins were removed: eap-aka-3gpp2, |
112 | + eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, |
113 | + eap-simaka-reauth, eap-simaka-sql, xauth-noauth. |
114 | + - Created d/libcharon-extra-plugins.maintscript to handle the removals |
115 | + properly. |
116 | + |
117 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300 |
118 | + |
119 | +strongswan (5.8.4-1ubuntu1) groovy; urgency=medium |
120 | + |
121 | + * Merge with Debian unstable. Remaining changes: |
122 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
123 | + therefore bump the dependency from Recommends to Depends. At the same |
124 | + time avoid a circular dependency by dropping |
125 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
126 | + binaries can work without the services but not vice versa. |
127 | + - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749) |
128 | + + d/control: mention plugins in package description |
129 | + + d/rules: enable ntru at build time |
130 | + + d/libstrongswan-extra-plugins.install: ship config and shared objects |
131 | + * Dropped: |
132 | + - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) |
133 | + This is needed due to changes in regard to Debian bug 947176 and 939243 |
134 | + and can later be dropped again. |
135 | + [applied by Debian in version 5.8.2-2] |
136 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
137 | + to common libcharon-extauth-plugins (drop after 20.04) |
138 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
139 | + to libcharon-extra-plugins (drop after 20.04) |
140 | + |
141 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300 |
142 | + |
143 | strongswan (5.8.4-1) unstable; urgency=medium |
144 | |
145 | * New upstream version 5.8.4 (Closes: #956446) |
146 | @@ -43,6 +166,43 @@ strongswan (5.8.2-2) unstable; urgency=medium |
147 | |
148 | -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100 |
149 | |
150 | +strongswan (5.8.2-1ubuntu3) focal; urgency=medium |
151 | + |
152 | + * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as |
153 | + there is a potential local side-channel attack on strongSwan's BLISS |
154 | + implementation (https://eprint.iacr.org/2017/505). (LP: #1866765) |
155 | + |
156 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100 |
157 | + |
158 | +strongswan (5.8.2-1ubuntu2) focal; urgency=medium |
159 | + |
160 | + * re-add post-quantum computer signature scheme (BLISS) and encryption |
161 | + algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749) |
162 | + - d/control: mention plugins in package description |
163 | + - d/rules: enable ntru and bliss at build time |
164 | + - d/libstrongswan-extra-plugins.install: ship config and shared objects |
165 | + |
166 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100 |
167 | + |
168 | +strongswan (5.8.2-1ubuntu1) focal; urgency=medium |
169 | + |
170 | + * Merge with Debian unstable (LP: #1861971). Remaining changes: |
171 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
172 | + to libcharon-extra-plugins (drop after 20.04) |
173 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
174 | + to common libcharon-extauth-plugins (drop after 20.04) |
175 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
176 | + therefore bump the dependency from Recommends to Depends. At the same |
177 | + time avoid a circular dependency by dropping |
178 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
179 | + binaries can work without the services but not vice versa. |
180 | + * Added Changes |
181 | + - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975) |
182 | + This is needed due to changes in regard to Debian bug 947176 and 939243 |
183 | + and can later be dropped again. |
184 | + |
185 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100 |
186 | + |
187 | strongswan (5.8.2-1) unstable; urgency=medium |
188 | |
189 | [ Jean-Michel Vourgère ] |
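Review bot: the 5.8.2-1ubuntu3 entry says it reverts "part of 5.8.2-1ubuntu2" to remove BLISS but, unlike the entry it reverts, names none of the files it touches. The ubuntu2 entry changed d/control, d/rules and d/libstrongswan-extra-plugins.install and also brought in the nttfft library. Listing which of those were reverted would show whether the BLISS config and shared objects and the nttfft library were removed along with the build flag, which matters here because the stated reason for the removal is a side-channel attack on the implementation.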
190 | @@ -59,6 +219,83 @@ strongswan (5.8.2-1) unstable; urgency=medium |
191 | |
192 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100 |
193 | |
194 | +strongswan (5.8.1-1ubuntu1) focal; urgency=medium |
195 | + |
196 | + * Merge with Debian unstable (LP: #1852579). Remaining changes: |
197 | + - d/control: Transition from strongswan-tnc-* being in extra packages |
198 | + to libcharon-extra-plugins |
199 | + * Added Changes: |
200 | + - d/control: Transition from former Ubuntu only libcharon-standard-plugins |
201 | + to common libcharon-extauth-plugins (drop after 20.04) |
202 | + - d/control: strongswan-starter hard-depends on strongswan-charon, |
203 | + therefore bump the dependency from Recommends to Depends. At the same |
204 | + time avoid a circular dependency by dropping |
205 | + strongswan-charon->strongswan-starter from Depends to Recommends as the |
206 | + binaries can work without the services but not vice versa. |
207 | + * Dropped Changes (now in Debian): |
208 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
209 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
210 | + opportunistic encryption disabling - this was never in strongSwan and |
211 | + won't be see upstream issue #2160. |
212 | + - d/rules: Removed patching ipsec.conf on build (not using the |
213 | + debconf-managed config.) |
214 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
215 | + used for debconf-managed include of private key). |
216 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
217 | + via this userspace implementation (please do note that this is still |
218 | + considered experimental by upstream). |
219 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
220 | + + d/control: List kernel-libipsec plugin at extra plugins description |
221 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
222 | + upstream recommends to not load kernel-libipsec by default. |
223 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
224 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
225 | + it is no more packaging medcli and medsrv, but still builds and |
226 | + mentions it. |
227 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
228 | + + d/control: Remove medcli, medsrv from package description |
229 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
230 | + libstrongswan-extra-plugins (no deps from default plugins). |
231 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
232 | + plugins for the most common use cases from extra-plugins into a new |
233 | + standard-plugins package. This will allow those use cases without pulling |
234 | + in too much more plugins (a bit like the tnc package). Recommend that |
235 | + package from strongswan-libcharon. |
236 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250) |
237 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956) |
238 | + - executables need to be able to read map and execute themselves otherwise |
239 | + execution in some environments e.g. containers is blocked (LP 1780534) |
240 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
241 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
242 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
243 | + profiles of both ways to start charon (LP 1807664) |
244 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962) |
245 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
246 | + Debian so this part was be dropped. Two changes remain |
247 | + - d/control: fix the mentioning of tpmtss in d/control |
248 | + - apparmor fixes for container and root usage (LP 1826238) |
249 | + + d/usr.sbin.swanctl: allow reading own binary |
250 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
251 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
252 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
253 | + to apparmor to allow dropping caps |
254 | + * Dropped Changes (too uncommon to support by default) |
255 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
256 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
257 | + attr-sql plugins (LP 1766240) - no more needed as itisn't enabled. |
258 | + - Mass enablement of extra plugins and features to allow a user to use |
259 | + strongswan for a variety of extra use cases without having to rebuild. |
260 | + + d/control: Add required additional build-deps |
261 | + + d/control: Mention addtionally enabled plugins |
262 | + + d/rules: Enable features at configure stage |
263 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
264 | + + d/libstrongswan.install: Add plugins (so, conf) |
265 | + + d/strongswan-starter.install: Install pool feature, which is useful |
266 | + since we now have attr-sql plugin enabled it. |
267 | + - Enable additional TNC plugins and add them to libcharon-extra-plugins |
268 | + |
269 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100 |
270 | + |
271 | strongswan (5.8.1-1) unstable; urgency=medium |
272 | |
273 | * d/rules: disable http and stream tests under CI |
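Review bot: in the 5.8.1-1ubuntu1 entry the tpmtss/nttfft item sits under "Dropped Changes (now in Debian)" yet still reads "Two changes remain" and then lists a single sub-item, "d/control: fix the mentioning of tpmtss in d/control", so the entry does not say whether this delta was dropped or kept, or what happened to the "add nttfft" sub-item from 5.7.2-1ubuntu1. Reword it to state what was dropped. In the same entry, "d/libbstrongswan-extra-plugins.install" has a doubled "b" compared with the d/libstrongswan-extra-plugins.install named elsewhere in the file, and "itisn't" is missing a space.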
274 | @@ -128,6 +365,99 @@ strongswan (5.8.0-1) unstable; urgency=medium |
275 | |
276 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200 |
277 | |
278 | +strongswan (5.7.2-1ubuntu3) eoan; urgency=medium |
279 | + |
280 | + * No change rebuild for libmysqlclient21. |
281 | + |
282 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200 |
283 | + |
284 | +strongswan (5.7.2-1ubuntu2) eoan; urgency=medium |
285 | + |
286 | + * Rebuild against new libjson-c4. |
287 | + |
288 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200 |
289 | + |
290 | +strongswan (5.7.2-1ubuntu1) eoan; urgency=medium |
291 | + |
292 | + [ Christian Ehrhardt ] |
293 | + * Merge with Debian unstable. Remaining changes: |
294 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
295 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
296 | + opportunistic encryption disabling - this was never in strongSwan and |
297 | + won't be see upstream issue #2160. |
298 | + - d/rules: Removed patching ipsec.conf on build (not using the |
299 | + debconf-managed config.) |
300 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
301 | + used for debconf-managed include of private key). |
302 | + - Mass enablement of extra plugins and features to allow a user to use |
303 | + strongswan for a variety of extra use cases without having to rebuild. |
304 | + + d/control: Add required additional build-deps |
305 | + + d/control: Mention addtionally enabled plugins |
306 | + + d/rules: Enable features at configure stage |
307 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
308 | + + d/libstrongswan.install: Add plugins (so, conf) |
309 | + + d/strongswan-starter.install: Install pool feature, which is useful |
310 | + since we now have attr-sql plugin enabled it. |
311 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
312 | + via this userspace implementation (please do note that this is still |
313 | + considered experimental by upstream). |
314 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
315 | + + d/control: List kernel-libipsec plugin at extra plugins description |
316 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
317 | + upstream recommends to not load kernel-libipsec by default. |
318 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
319 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
320 | + it is no more packaging medcli and medsrv, but still builds and |
321 | + mentions it. |
322 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
323 | + + d/control: Remove medcli, medsrv from package description |
324 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
325 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
326 | + libstrongswan-extra-plugins (no deps from default plugins). |
327 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
328 | + plugins for the most common use cases from extra-plugins into a new |
329 | + standard-plugins package. This will allow those use cases without pulling |
330 | + in too much more plugins (a bit like the tnc package). Recommend that |
331 | + package from strongswan-libcharon. |
332 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
333 | + attr-sql plugins (LP #1766240) |
334 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
335 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956) |
336 | + - executables need to be able to read map and execute themselves otherwise |
337 | + execution in some environments e.g. containers is blocked (LP: 1780534) |
338 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
339 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
340 | + - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
341 | + profiles of both ways to start charon (LP: 1807664) |
342 | + - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962) |
343 | + * Dropped changes |
344 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
345 | + fix SIGSEGV when using mysql plugin (LP: 1795813) |
346 | + [upstream in 5.7.2] |
347 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
348 | + [was a non functional change, dropped to avoid merge noise] |
349 | + - Relocate tnc plugin |
350 | + [TNC is back at libcharon-extra-plugins as it is in Debian] |
351 | + * Added changes: |
352 | + - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in |
353 | + Debian so this part was be dropped. Two changes remain |
354 | + - d/control: fix the mentioning of tpmtss in d/control |
355 | + - add nttfft (can be merged with the mass enablement change later) |
356 | + - Transitional packages to go back from strongswan-tnc-* being in extra |
357 | + packages to be part of libcharon-extra-plugins. |
358 | + [can be dropped after 20.04] |
359 | + |
360 | + [ Simon Deziel ] |
361 | + * Added changes: |
362 | + - apparmor fixes for container and root usage (LP: #1826238) |
363 | + + d/usr.sbin.swanctl: allow reading own binary |
364 | + + d/usr.sbin.charon-systemd: allow accessing the binary |
365 | + + d/usr.sbin.swanctl: add attach_disconnected to work inside containers |
366 | + + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP |
367 | + to apparmor to allow dropping caps |
368 | + |
369 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200 |
370 | + |
371 | strongswan (5.7.2-1) unstable; urgency=medium |
372 | |
373 | * d/control: remove Rene from Uploaders, thanks! |
374 | @@ -146,6 +476,86 @@ strongswan (5.7.2-1) unstable; urgency=medium |
375 | |
376 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100 |
377 | |
378 | +strongswan (5.7.1-1ubuntu2) disco; urgency=medium |
379 | + |
380 | + * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective |
381 | + path (LP: #1773956) |
382 | + * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor |
383 | + profiles of both ways to start charon (LP: #1807664) |
384 | + * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962) |
385 | + |
386 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100 |
387 | + |
388 | +strongswan (5.7.1-1ubuntu1) disco; urgency=medium |
389 | + |
390 | + * Merge with Debian unstable (LP: #1806401). Remaining changes: |
391 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
392 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
393 | + opportunistic encryption disabling - this was never in strongSwan and |
394 | + won't be see upstream issue #2160. |
395 | + - d/rules: Removed patching ipsec.conf on build (not using the |
396 | + debconf-managed config.) |
397 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
398 | + used for debconf-managed include of private key). |
399 | + - Mass enablement of extra plugins and features to allow a user to use |
400 | + strongswan for a variety of extra use cases without having to rebuild. |
401 | + + d/control: Add required additional build-deps |
402 | + + d/control: Mention addtionally enabled plugins |
403 | + + d/rules: Enable features at configure stage |
404 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
405 | + + d/libstrongswan.install: Add plugins (so, conf) |
406 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
407 | + we have attr-sql plugin enabled as well using it. |
408 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
409 | + via this userspace implementation (please do note that this is still |
410 | + considered experimental by upstream). |
411 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
412 | + + d/control: List kernel-libipsec plugin at extra plugins description |
413 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
414 | + upstream recommends to not load kernel-libipsec by default. |
415 | + - Relocate tnc plugin |
416 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
417 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
418 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
419 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
420 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
421 | + it is no more packaging medcli and medsrv, but still builds and |
422 | + mentions it. |
423 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
424 | + + d/control: Remove medcli, medsrv from package description |
425 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
426 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
427 | + libstrongswan-extra-plugins (no deps from default plugins). |
428 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
429 | + plugins for the most common use cases from extra-plugins into a new |
430 | + standard-plugins package. This will allow those use cases without pulling |
431 | + in too much more plugins (a bit like the tnc package). Recommend that |
432 | + package from strongswan-libcharon. |
433 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
434 | + attr-sql plugins (LP #1766240) |
435 | + - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) |
436 | + * Added Changes: |
437 | + - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: |
438 | + fix SIGSEGV when using mysql plugin (LP: #1795813) |
439 | + - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) |
440 | + - executables need to be able to read map and execute themselves otherwise |
441 | + execution in some environments e.g. containers is blocked (LP: #1780534) |
442 | + + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary |
443 | + + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary |
444 | + - adapt "mass enablement of extra plugins" to match 5.7.x changes |
445 | + + d/rules: use new options for swima instead of swid |
446 | + + d/strongswan-tnc-server.install: add new sec updater tool |
447 | + + d/strongswan-tnc-client.install: add new sw-collector tool |
448 | + * Dropped (in Debian now): |
449 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
450 | + (CVE-2018-17540) |
451 | + - SECURITY UPDATE: Insufficient input validation in gmp plugin |
452 | + (CVE-2018-16151 CVE-2018-16152) |
453 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
454 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
455 | + |
456 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100 |
457 | + |
458 | strongswan (5.7.1-1) unstable; urgency=medium |
459 | |
460 | [ Ondřej Nový ] |
461 | @@ -176,6 +586,96 @@ strongswan (5.7.0-1) unstable; urgency=medium |
462 | |
463 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200 |
464 | |
465 | +strongswan (5.6.3-1ubuntu5) disco; urgency=medium |
466 | + |
467 | + * No-change rebuild against libunbound8 |
468 | + |
469 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000 |
470 | + |
471 | +strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium |
472 | + |
473 | + * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250) |
474 | + Thanks to Matt Callaghan. |
475 | + |
476 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300 |
477 | + |
478 | +strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium |
479 | + |
480 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
481 | + - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix |
482 | + buffer overflow with very small RSA keys in |
483 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c. |
484 | + - CVE-2018-17540 |
485 | + |
486 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400 |
487 | + |
488 | +strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium |
489 | + |
490 | + * SECURITY UPDATE: Insufficient input validation in gmp plugin |
491 | + - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't |
492 | + parse PKCS1 v1.5 RSA signatures to verify them in |
493 | + src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c, |
494 | + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c. |
495 | + - CVE-2018-16151 |
496 | + - CVE-2018-16152 |
497 | + |
498 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400 |
499 | + |
500 | +strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium |
501 | + |
502 | + * Merge with Debian unstable. Remaining changes: |
503 | + - Clean up d/strongswan-starter.postinst: section about runlevel changes |
504 | + - Clean up d/strongswan-starter.postinst: Removed entire section on |
505 | + opportunistic encryption disabling - this was never in strongSwan and |
506 | + won't be see upstream issue #2160. |
507 | + - d/rules: Removed patching ipsec.conf on build (not using the |
508 | + debconf-managed config.) |
509 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
510 | + used for debconf-managed include of private key). |
511 | + - Mass enablement of extra plugins and features to allow a user to use |
512 | + strongswan for a variety of extra use cases without having to rebuild. |
513 | + + d/control: Add required additional build-deps |
514 | + + d/control: Mention addtionally enabled plugins |
515 | + + d/rules: Enable features at configure stage |
516 | + + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
517 | + + d/libstrongswan.install: Add plugins (so, conf) |
518 | + - d/strongswan-starter.install: Install pool feature, which is useful since |
519 | + we have attr-sql plugin enabled as well using it. |
520 | + - Add plugin kernel-libipsec to allow the use of strongswan in containers |
521 | + via this userspace implementation (please do note that this is still |
522 | + considered experimental by upstream). |
523 | + + d/libcharon-extra-plugins.install: Add kernel-libipsec components |
524 | + + d/control: List kernel-libipsec plugin at extra plugins description |
525 | + + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
526 | + upstream recommends to not load kernel-libipsec by default. |
527 | + - Relocate tnc plugin |
528 | + + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
529 | + + Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
530 | + - d/libstrongswan.install: Reorder conf and .so alphabetically |
531 | + - d/libstrongswan.install: Add kernel-netlink configuration files |
532 | + - Complete the disabling of libfast; This was partially accepted in Debian, |
533 | + it is no more packaging medcli and medsrv, but still builds and |
534 | + mentions it. |
535 | + + d/rules: Add --disable-fast to avoid build time and dependencies |
536 | + + d/control: Remove medcli, medsrv from package description |
537 | + - d/control: Mention mgf1 plugin which is in libstrongswan now |
538 | + - Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
539 | + libstrongswan-extra-plugins (no deps from default plugins). |
540 | + - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
541 | + plugins for the most common use cases from extra-plugins into a new |
542 | + standard-plugins package. This will allow those use cases without pulling |
543 | + in too much more plugins (a bit like the tnc package). Recommend that |
544 | + package from strongswan-libcharon. |
545 | + - d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
546 | + attr-sql plugins (LP #1766240) |
547 | + - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for |
548 | + usr-merge, thanks to Christian Ehrhardt. LP #1784023 |
549 | + * Dropped: |
550 | + - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
551 | + [Fixed in 5.6.3-1] |
552 | + |
553 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300 |
554 | + |
555 | strongswan (5.6.3-1) unstable; urgency=medium |
556 | |
557 | * New upstream version 5.6.2 |
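Review bot: in the 5.6.3-1ubuntu1 entry the last two "Remaining changes" items give their bugs as "LP #1766240" and "LP #1784023" without the colon, while the entries around them use "LP: #1786250" and "LP: #1765652". Launchpad's changelog bug matching expects the "LP: #NNNNNN" form, so these two are not picked up as bug references. The second item also names the AppArmor profile as "d/usr/sbin/charon-systemd" where the line above it has "d/usr.sbin.charon-systemd". If this text is carried over verbatim from the published 5.6.3-1ubuntu1 upload it should stay as uploaded; otherwise use the colon form and the dotted file name.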
558 | @@ -191,6 +691,78 @@ strongswan (5.6.3-1) unstable; urgency=medium |
559 | |
560 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200 |
561 | |
562 | +strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium |
563 | + |
564 | + * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023 |
565 | + |
566 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100 |
567 | + |
568 | +strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium |
569 | + |
570 | + * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705. |
571 | + Remaining changes: |
572 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
573 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
574 | + opportunistic encryption disabling - this was never in strongSwan and |
575 | + won't be see upstream issue #2160. |
576 | + + d/rules: Removed patching ipsec.conf on build (not using the |
577 | + debconf-managed config.) |
578 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
579 | + used for debconf-managed include of private key). |
580 | + + Mass enablement of extra plugins and features to allow a user to use |
581 | + strongswan for a variety of extra use cases without having to rebuild. |
582 | + - d/control: Add required additional build-deps |
583 | + - d/control: Mention addtionally enabled plugins |
584 | + - d/rules: Enable features at configure stage |
585 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
586 | + - d/libstrongswan.install: Add plugins (so, conf) |
587 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
588 | + we have attr-sql plugin enabled as well using it. |
589 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
590 | + via this userspace implementation (please do note that this is still |
591 | + considered experimental by upstream). |
592 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
593 | + - d/control: List kernel-libipsec plugin at extra plugins description |
594 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
595 | + upstream recommends to not load kernel-libipsec by default. |
596 | + + Relocate tnc plugin |
597 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
598 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
599 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
600 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
601 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
602 | + it is no more packaging medcli and medsrv, but still builds and |
603 | + mentions it. |
604 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
605 | + - d/control: Remove medcli, medsrv from package description |
606 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
607 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
608 | + libstrongswan-extra-plugins (no deps from default plugins). |
609 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
610 | + plugins for the most common use cases from extra-plugins into a new |
611 | + standard-plugins package. This will allow those use cases without pulling |
612 | + in too much more plugins (a bit like the tnc package). Recommend that |
613 | + package from strongswan-libcharon. |
614 | + * Dropped Changes (no more needed after 18.04) |
615 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
616 | + missed that, droppable after 18.04) |
617 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
618 | + libstrongswan as we dropped relocating ccm and test-vectors. |
619 | + (droppable >18.04). |
620 | + + d/control: add breaks/replace from libstrongswan to |
621 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
622 | + (droppable >18.04). |
623 | + + d/control: bump breaks/replaces for the move of the updown plugin |
624 | + (Missed Changelog entry on last merge) |
625 | + + d/control: fix dependencies of strongswan-libcharon due to the move |
626 | + the updown plugin (droppable >18.04). |
627 | + * Added Changes: |
628 | + + d/usr.sbin.charon-systemd: allow to contact mysql for sql and |
629 | + attr-sql plugins (LP: #1766240) |
630 | + + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652) |
631 | + |
632 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200 |
633 | + |
634 | strongswan (5.6.2-2) unstable; urgency=medium |
635 | |
636 | * charon-nm: Fix building list of DNS/MDNS servers with libnm |
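Review bot: the "Added Changes" block of 5.6.2-2ubuntu1 loosens the AppArmor profile d/usr.sbin.charon-systemd twice ("allow to contact mysql for sql and attr-sql plugins", "allow systemd notifications") without saying which rules were added, so the change in confinement cannot be audited from the changelog alone. It would help to name the paths or rule types granted next to each LP reference. In the same entry, the "Dropped Changes" item "d/control: bump breaks/replaces for the move of the updown plugin (Missed Changelog entry on last merge)" is the only one in that list without a "droppable" reason, which leaves it unclear whether it records a drop or a late note about the previous upload.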
637 | @@ -201,6 +773,74 @@ strongswan (5.6.2-2) unstable; urgency=medium |
638 | |
639 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200 |
640 | |
641 | +strongswan (5.6.2-1ubuntu2) bionic; urgency=medium |
642 | + |
643 | + * d/control: fix dependencies of strongswan-libcharon due to the move |
644 | + the updown plugin. |
645 | + |
646 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100 |
647 | + |
648 | +strongswan (5.6.2-1ubuntu1) bionic; urgency=medium |
649 | + |
650 | + * Merge with Debian unstable (LP: #1753018). Remaining changes: |
651 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
652 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
653 | + opportunistic encryption disabling - this was never in strongSwan and |
654 | + won't be see upstream issue #2160. |
655 | + + Ubuntu is not using the debconf triggered private key generation |
656 | + - d/rules: Removed patching ipsec.conf on build (not using the |
657 | + debconf-managed config.) |
658 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
659 | + used for debconf-managed include of private key). |
660 | + + Mass enablement of extra plugins and features to allow a user to use |
661 | + strongswan for a variety of extra use cases without having to rebuild. |
662 | + - d/control: Add required additional build-deps |
663 | + - d/control: Mention addtionally enabled plugins |
664 | + - d/rules: Enable features at configure stage |
665 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
666 | + - d/libstrongswan.install: Add plugins (so, conf) |
667 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
668 | + we have attr-sql plugin enabled as well using it. |
669 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
670 | + via this userspace implementation (please do note that this is still |
671 | + considered experimental by upstream). |
672 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
673 | + - d/control: List kernel-libipsec plugin at extra plugins description |
674 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
675 | + upstream recommends to not load kernel-libipsec by default. |
676 | + + Relocate tnc plugin |
677 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
678 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
679 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
680 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
681 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
682 | + it is no more packaging medcli and medsrv, but still builds and |
683 | + mentions it. |
684 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
685 | + - d/control: Remove medcli, medsrv from package description |
686 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
687 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
688 | + libstrongswan-extra-plugins (no deps from default plugins). |
689 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
690 | + missed that, droppable after 18.04) |
691 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
692 | + plugins for the most common use cases from extra-plugins into a new |
693 | + standard-plugins package. This will allow those use cases without pulling |
694 | + in too much more plugins (a bit like the tnc package). Recommend that |
695 | + package from strongswan-libcharon. |
696 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
697 | + libstrongswan as we dropped relocating ccm and test-vectors. |
698 | + (droppable >18.04). |
699 | + + d/control: add breaks/replace from libstrongswan to |
700 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
701 | + (droppable >18.04). |
702 | + * Added Changes: |
703 | + + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- |
704 | + starter as we followed Debian to move the updown plugin but need to |
705 | + match Ubuntu versions (Droppable >18.04). |
706 | + |
707 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 |
708 | + |
709 | strongswan (5.6.2-1) unstable; urgency=medium |
710 | |
711 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
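Review bot: the 5.6.2-1ubuntu2 entry ("d/control: fix dependencies of strongswan-libcharon due to the move the updown plugin") does not say which relation was changed or against which package, and carries no LP reference, so the fix cannot be matched to a d/control line from the changelog alone. Naming the field and package would make it checkable. In 5.6.2-1ubuntu1, the "Added Changes" item wraps the package name as "strongswan-" / "starter" across two lines, so a search of the changelog for strongswan-starter misses it; wrapping before the package name keeps it greppable.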
712 | @@ -223,6 +863,129 @@ strongswan (5.6.1-3) unstable; urgency=medium |
713 | |
714 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
715 | |
716 | +strongswan (5.6.1-2ubuntu4) bionic; urgency=medium |
717 | + |
718 | + * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature |
719 | + - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm |
720 | + identifier without parameters in |
721 | + src/libstrongswan/credentials/keys/signature_params.c. |
722 | + - CVE-2018-6459 |
723 | + |
724 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 |
725 | + |
726 | +strongswan (5.6.1-2ubuntu3) bionic; urgency=medium |
727 | + |
728 | + * No-change rebuild against libcurl4 |
729 | + |
730 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 |
731 | + |
732 | +strongswan (5.6.1-2ubuntu2) bionic; urgency=high |
733 | + |
734 | + * No change rebuild against openssl1.1. |
735 | + |
736 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 |
737 | + |
738 | +strongswan (5.6.1-2ubuntu1) bionic; urgency=medium |
739 | + |
740 | + * Merge with Debian unstable (LP: #1717343). |
741 | + Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: |
742 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
743 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
744 | + opportunistic encryption disabling - this was never in strongSwan and |
745 | + won't be see upstream issue #2160. |
746 | + + Ubuntu is not using the debconf triggered private key generation |
747 | + - d/rules: Removed patching ipsec.conf on build (not using the |
748 | + debconf-managed config.) |
749 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
750 | + used for debconf-managed include of private key). |
751 | + + Mass enablement of extra plugins and features to allow a user to use |
752 | + strongswan for a variety of extra use cases without having to rebuild. |
753 | + - d/control: Add required additional build-deps |
754 | + - d/control: Mention addtionally enabled plugins |
755 | + - d/rules: Enable features at configure stage |
756 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
757 | + - d/libstrongswan.install: Add plugins (so, conf) |
758 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
759 | + we have attr-sql plugin enabled as well using it. |
760 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
761 | + via this userspace implementation (please do note that this is still |
762 | + considered experimental by upstream). |
763 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
764 | + - d/control: List kernel-libipsec plugin at extra plugins description |
765 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
766 | + upstream recommends to not load kernel-libipsec by default. |
767 | + + Relocate tnc plugin |
768 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
769 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
770 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
771 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
772 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
773 | + it is no more packaging medcli and medsrv, but still builds and |
774 | + mentions it. |
775 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
776 | + - d/control: Remove medcli, medsrv from package description |
777 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
778 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
779 | + libstrongswan-extra-plugins (no deps from default plugins). |
780 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
781 | + missed that, droppable after 18.04) |
782 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
783 | + plugins for the most common use cases from extra-plugins into a new |
784 | + standard-plugins package. This will allow those use cases without pulling |
785 | + in too much more plugins (a bit like the tnc package). Recommend that |
786 | + package from strongswan-libcharon. |
787 | + * Added changes: |
788 | + + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed |
789 | + in 5.6 |
790 | + + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed |
791 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
792 | + libstrongswan as we dropped relocating ccm and test-vectors. |
793 | + (droppable >18.04). |
794 | + - d/control: add breaks/replace from libstrongswan to |
795 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
796 | + (droppable >18.04). |
797 | + * Dropped changes: |
798 | + + Update init/service handling (debian default matches Ubuntu past now) |
799 | + Dropping this fixes (LP: #1734886) |
800 | + - d/rules: Change init/systemd program name to strongswan |
801 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
802 | + patching upstream |
803 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
804 | + linking to upstream |
805 | + + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call |
806 | + (this is a never failing no-op for us, no need for Delta). |
807 | + + d/strongswan-starter.prerm: Stop strongswan service on package removal |
808 | + (ipsec now maps to strongswan service, so this works as-is). |
809 | + + Clean up d/strongswan-starter.postinst: rename service ipsec to |
810 | + strongswan (ipsec now maps to strongswan service, so this works as-is) |
811 | + + Clean up d/strongswan-starter.postinst: daemon enable/disable (the |
812 | + whole section is disabled, so no need for delta) |
813 | + + (is upstream) CVE-2017-11185 patches |
814 | + + (is upstream) FTBFS upstream fix for changed include files |
815 | + + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under |
816 | + QEMU/KVM autopkgtest the bliss test takes longer than the default |
817 | + + (in Debian) add now built (since 5.5.1) mgf1 plugin to |
818 | + libstrongswan-extra-plugins. |
819 | + + (in Debian) d/strongswan-starter.install: install stroke apparmor profile |
820 | + + (this was enabled as part of the former delta, squash changes to no-up) |
821 | + d/rules: Disable duplicheck. |
822 | + + (not needed) Relocate plugins test-vectors from extra-plugins to |
823 | + libstrongswan |
824 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
825 | + - d/libstrongswan.install: Add plugins/confiles |
826 | + - d/control: move package descriptions and add required breaks/replaces |
827 | + + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan |
828 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
829 | + - d/libstrongswan.install: Add plugins/confiles |
830 | + - d/control: move package descriptions and add required breaks/replaces |
831 | + + (while using it requires special kernel, it does not hurt to be |
832 | + available in the package) Remove ha plugin |
833 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
834 | + - d/rules: Do not enable ha plugin |
835 | + - d/control: Drop listing the ha plugin in the package description |
836 | + |
837 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 |
838 | + |
839 | strongswan (5.6.1-2) unstable; urgency=medium |
840 | |
841 | * move counters plugin from -starter to -libcharon. closes: #882431 |
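Review bot: in the "Dropped changes" list of 5.6.1-2ubuntu1, the security patch is dropped with only "(is upstream) CVE-2017-11185 patches", with no upstream release or commit named. For a dropped CVE fix the entry should state which upstream version carries it, so that the drop can be verified against the merged source. Also in that entry, under "Added changes", the item "- d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins" uses the sub-item marker "-" although it is a separate change from the "+ d/control: bump breaks/replaces" item above it. The 5.6.2-1ubuntu1 entry lists the same change with "+".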
842 | @@ -309,6 +1072,213 @@ strongswan (5.5.2-1) experimental; urgency=medium |
843 | |
844 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
845 | |
846 | +strongswan (5.5.1-4ubuntu3) bionic; urgency=medium |
847 | + |
848 | + * Fix Artful FTBFS due to newer glibc (LP: #1724859) |
849 | + - d/p/utils-Include-stdint.h.patch: upstream fix for changed include |
850 | + files. |
851 | + |
852 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 |
853 | + |
854 | +strongswan (5.5.1-4ubuntu2) artful; urgency=medium |
855 | + |
856 | + * SECURITY UPDATE: Fix RSA signature verification |
857 | + - debian/patches/CVE-2017-11185.patch: does some |
858 | + verifications in order to avoid null-point dereference |
859 | + in src/libstrongswan/gmp/gmp_rsa_public_key.c |
860 | + - CVE-2017-11185 |
861 | + |
862 | + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 |
863 | + |
864 | +strongswan (5.5.1-4ubuntu1) artful; urgency=medium |
865 | + |
866 | + * Merge from Debian to pick up latest security changes (CVE-2017-9022, |
867 | + CVE-2017-9023). |
868 | + * Remaining Changes: |
869 | + + Update init/service handling |
870 | + - d/rules: Change init/systemd program name to strongswan |
871 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
872 | + patching upstream |
873 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
874 | + linking to upstream |
875 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
876 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
877 | + removal (as opposed to using the old init.d script). |
878 | + + Clean up d/strongswan-starter.postinst: |
879 | + - Removed section about runlevel changes |
880 | + - Adapted service restart section for Upstart (kept to be Trusty |
881 | + backportable). |
882 | + - Remove old symlinks to init.d files is necessary. |
883 | + - Removed further out-dated code |
884 | + - Removed entire section on opportunistic encryption - this was never in |
885 | + strongSwan. |
886 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
887 | + + Mass enablement of extra plugins and features to allow a user to use |
888 | + strongswan for a variety of use cases without having to rebuild. |
889 | + - d/control: Add required additional build-deps |
890 | + - d/rules: Enable features at configure stage |
891 | + - d/control: Mention addtionally enabled plugins |
892 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
893 | + - d/libstrongswan.install: Add plugins (so, conf) |
894 | + + d/rules: Disable duplicheck as per |
895 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
896 | + + Remove ha plugin (requires special kernel) |
897 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
898 | + - d/rules: Do not enable ha plugin |
899 | + - d/control: Drop listing the ha plugin in the package description |
900 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
901 | + via this userspace implementation (please do note that this is still |
902 | + considered experimental by upstream). |
903 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
904 | + - d/control: List kernel-libipsec plugin at extra plugins description |
905 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
906 | + upstream recommends to not load kernel-libipsec by default. |
907 | + + Relocate tnc plugin |
908 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
909 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
910 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
911 | + having attr-sql plugin that is enabled now. |
912 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
913 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
914 | + - d/libstrongswan.install: Add plugins/confiles |
915 | + - d/control: move package descriptions and add required breaks/replaces |
916 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
917 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
918 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
919 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
920 | + autopkgtest the bliss test takes longer than the default (Upstream in |
921 | + 5.5.2 via issue 2204) |
922 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
923 | + it is no more packaging medcli and medsrv, but still builds and |
924 | + mentions it. |
925 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
926 | + - d/control: Remove medcli, medsrv from package description |
927 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
928 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
929 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
930 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
931 | + libstrongswan-extra-plugins. |
932 | + + Add missing mention of md4 plugin in d/control |
933 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
934 | + missed that) |
935 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
936 | + plugins for the most common use cases from extra-plugins into a new |
937 | + standard-plugins package. This will allow those use cases without pulling |
938 | + in too much more plugins (a bit like the tnc package). Recommend that |
939 | + package from strongswan-libcharon. |
940 | + |
941 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 |
942 | + |
943 | +strongswan (5.5.1-3ubuntu1) artful; urgency=medium |
944 | + |
945 | + * Merge from Debian to pick up latest changes. Among others this includes: |
946 | + - a lot of the Delta we upstreamed to Debian (more discussions are ongoing |
947 | + but likely have to wait until Debian stretch was released) |
948 | + - enabling mediation support (LP: #1657413) |
949 | + * Remaining Changes: |
950 | + + Update init/service handling |
951 | + - d/rules: Change init/systemd program name to strongswan |
952 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
953 | + patching upstream |
954 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
955 | + linking to upstream |
956 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
957 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
958 | + removal (as opposed to using the old init.d script). |
959 | + + Clean up d/strongswan-starter.postinst: |
960 | + - Removed section about runlevel changes |
961 | + - Adapted service restart section for Upstart (kept to be Trusty |
962 | + backportable). |
963 | + - Remove old symlinks to init.d files is necessary. |
964 | + - Removed further out-dated code |
965 | + - Removed entire section on opportunistic encryption - this was never in |
966 | + strongSwan. |
967 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
968 | + + Mass enablement of extra plugins and features to allow a user to use |
969 | + strongswan for a variety of use cases without having to rebuild. |
970 | + - d/control: Add required additional build-deps |
971 | + - d/rules: Enable features at configure stage |
972 | + - d/control: Mention addtionally enabled plugins |
973 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
974 | + - d/libstrongswan.install: Add plugins (so, conf) |
975 | + + d/rules: Disable duplicheck as per |
976 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
977 | + + Remove ha plugin (requires special kernel) |
978 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
979 | + - d/rules: Do not enable ha plugin |
980 | + - d/control: Drop listing the ha plugin in the package description |
981 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
982 | + via this userspace implementation (please do note that this is still |
983 | + considered experimental by upstream). |
984 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
985 | + - d/control: List kernel-libipsec plugin at extra plugins description |
986 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
987 | + upstream recommends to not load kernel-libipsec by default. |
988 | + + Relocate tnc plugin |
989 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
990 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
991 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
992 | + having attr-sql plugin that is enabled now. |
993 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
994 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
995 | + - d/libstrongswan.install: Add plugins/confiles |
996 | + - d/control: move package descriptions and add required breaks/replaces |
997 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
998 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
999 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1000 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
1001 | + autopkgtest the bliss test takes longer than the default (Upstream in |
1002 | + 5.5.2 via issue 2204) |
1003 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
1004 | + it is no more packaging medcli and medsrv, but still builds and |
1005 | + mentions it. |
1006 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
1007 | + - d/control: Remove medcli, medsrv from package description |
1008 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
1009 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
1010 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
1011 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
1012 | + libstrongswan-extra-plugins. |
1013 | + + Add missing mention of md4 plugin in d/control |
1014 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
1015 | + missed that) |
1016 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
1017 | + plugins for the most common use cases from extra-plugins into a new |
1018 | + standard-plugins package. This will allow those use cases without pulling |
1019 | + in too much more plugins (a bit like the tnc package). Recommend that |
1020 | + package from strongswan-libcharon. |
1021 | + * Dropped Changes: |
1022 | + + Add and install apparmor profiles (in Debian) |
1023 | + - d/rules: Install AppArmor profiles |
1024 | + - d/control: Add dh-apparmor build-dep |
1025 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
1026 | + for charon, lookip and stroke |
1027 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
1028 | + - d/strongswan-charon.install: Install profile for charon |
1029 | + - d/strongswan-starter.install: Install profile for stroke |
1030 | + - Fix strongswan ipsec status issue with apparmor |
1031 | + - Fix Dep8 tests for the now extra strongswan-pki package for pki |
1032 | + - Fix Dep8 tests for the now extra strongswan-scepclient package |
1033 | + + d/rules: Sorted and only one enable option per configure line (in |
1034 | + Debian) |
1035 | + + Add updated logcheck rules (in Debian) |
1036 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
1037 | + - debian/strongswan.logcheck: Add updated logcheck rules |
1038 | + + Add updated DEP8 tests (in Debian) |
1039 | + - d/tests/*: Add DEP8 tests |
1040 | + - d/control: Enable autotestpkg |
1041 | + + d/rules: do not strip for library integrity checking (After Discussion |
1042 | + with Debian this isn't acceptable there, but at the same time it turned |
1043 | + out the real use-case of this never uses this lib but instead third |
1044 | + party checks of checksums for e.g. FIPS cert; so drop the Delta) |
1045 | + - Use override_dh_strip to to avoid overwriting user build flags. |
1046 | + - Add missing mention of libchecksum integrity test in d/control |
1047 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
1048 | + in tests to avoid issues in low entropy environments. (Debian has |
1049 | + disabled !x86 tests for the same reason, one solution is enough) |
1050 | + |
1051 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 |
1052 | + |
1053 | strongswan (5.5.1-3) unstable; urgency=medium |
1054 | |
1055 | [ Christian Ehrhardt ] |
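Review bot: In the Dropped Changes list at the end of this entry, the "d/rules: do not strip for library integrity checking" item also drops "Add missing mention of libchecksum integrity test in d/control", but nothing here states what happens to the integrity test once binaries are stripped again. Suggest one line recording the resulting state (test no longer advertised, or checksums expected to mismatch), so a user who relied on it can tell what changed. Minor wording in the same list: "Use override_dh_strip to to avoid" repeats "to", and "transition from precies" should read "precise".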
1056 | @@ -342,6 +1312,136 @@ strongswan (5.5.1-2) unstable; urgency=medium |
1057 | |
1058 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
1059 | |
1060 | +strongswan (5.5.1-1ubuntu2) zesty; urgency=medium |
1061 | + |
1062 | + * Update Maintainers which was missed while merging 5.5.1-1. |
1063 | + |
1064 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 |
1065 | + |
1066 | +strongswan (5.5.1-1ubuntu1) zesty; urgency=medium |
1067 | + |
1068 | + * Merge from Debian (complex delta, discussions and broken out changes can be |
1069 | + found in the merge proposal linked from the merge bug LP: #1631198) |
1070 | + * Remaining Changes: |
1071 | + + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity |
1072 | + checking. |
1073 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
1074 | + in tests to avoid issues in low entropy environments. |
1075 | + + Update init/service handling |
1076 | + - d/rules: Change init/systemd program name to strongswan |
1077 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
1078 | + patching upstream |
1079 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
1080 | + linking to upstream |
1081 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1082 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
1083 | + removal (as opposed to using the old init.d script). |
1084 | + + Clean up d/strongswan-starter.postinst: |
1085 | + - Removed section about runlevel changes |
1086 | + - Adapted service restart section for Upstart (kept to be Trusty |
1087 | + backportable). |
1088 | + - Remove old symlinks to init.d files is necessary. |
1089 | + - Removed further out-dated code |
1090 | + - Removed entire section on opportunistic encryption - this was never in |
1091 | + strongSwan. |
1092 | + + Add and install apparmor profiles |
1093 | + - d/rules: Install AppArmor profiles |
1094 | + - d/control: Add dh-apparmor build-dep |
1095 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
1096 | + for charon, lookip and stroke |
1097 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
1098 | + - d/strongswan-charon.install: Install profile for charon |
1099 | + - d/strongswan-starter.install: Install profile for stroke |
1100 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
1101 | + + d/rules: Sorted and only one enable option per configure line |
1102 | + + Mass enablement of extra plugins and features to allow a user to use |
1103 | + strongswan for a variety of use cases without having to rebuild. |
1104 | + - d/control: Add required additional build-deps |
1105 | + - d/rules: Enable features at configure stage |
1106 | + - d/control: Mention addtionally enabled plugins |
1107 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
1108 | + - d/libstrongswan.install: Add plugins (so, conf) |
1109 | + + d/rules: Disable duplicheck as per |
1110 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
1111 | + + Remove ha plugin (requires special kernel) |
1112 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
1113 | + - d/rules: Do not enable ha plugin |
1114 | + - d/control: Drop listing the ha plugin in the package description |
1115 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
1116 | + via this userspace implementation (please do note that this is still |
1117 | + considered experimental by upstream). |
1118 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
1119 | + - d/control: List kernel-libipsec plugin at extra plugins description |
1120 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
1121 | + upstream recommends to not load kernel-libipsec by default. |
1122 | + + Relocate tnc plugin |
1123 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
1124 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
1125 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
1126 | + having attr-sql plugin that is enabled now. |
1127 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
1128 | + - d/libstrongswan-extra-plugins.install: Remove plugins |
1129 | + - d/libstrongswan.install: Add plugins |
1130 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
1131 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
1132 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1133 | + + Add updated logcheck rules |
1134 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
1135 | + - debian/strongswan.logcheck: Add updated logcheck rules |
1136 | + + Add updated DEP8 tests |
1137 | + - d/tests/*: Add DEP8 tests |
1138 | + - d/control: Enable autotestpkg |
1139 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
1140 | + autopkgtest the bliss test takes longer than the default |
1141 | + + Complete the disabling of libfast |
1142 | + - Note: This was partially accepted in Debian, it is no more |
1143 | + packaging medcli and medsrv, but still builds and mentions it |
1144 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
1145 | + - d/control: Remove medcli, medsrv from package description |
1146 | + * Dropped Changes: |
1147 | + + Adding build-dep to iptables-dev (no change, was only in Changelog) |
1148 | + + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) |
1149 | + + Adding strongswan-plugin-* virtual packages for dist-upgrade (no |
1150 | + upgrade path left needing them) |
1151 | + + Most of "disabling libfast" (Debian dropped it from package content) |
1152 | + + Transition for ipsec service (no upgrade path left) |
1153 | + + Reverted part of the cleanup to d/strongswan-starter.postinst as using |
1154 | + service should rather use invoke-rc.d (so it is a partial revert of our |
1155 | + delta) |
1156 | + + Transition handling (breaks/replaces) from per-plugin packages to the |
1157 | + three grouped plugin packages (no upgrade path left) |
1158 | + + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" |
1159 | + it is effectively a no-op still, so not worth the delta) |
1160 | + + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
1161 | + (no more needed) |
1162 | + + d/rules: Remove configure option --enable-unit-test (unit tests run by |
1163 | + default) |
1164 | + * Added Changes: |
1165 | + + Fix strongswan ipsec status issue with apparmor (LP: #1587886) |
1166 | + + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup |
1167 | + the relocation of the ccm plugin which missed to move the conffiles. |
1168 | + + Complete move of test-vectors (was missing in d/control) |
1169 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
1170 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
1171 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
1172 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
1173 | + libstrongswan-extra-plugins. |
1174 | + + Add missing mention of md4 plugin in d/control |
1175 | + + Add missing mention of libchecksum integrity test in d/control |
1176 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
1177 | + missed that) |
1178 | + + Use override_dh_strip to to fix library integrity checking instead of |
1179 | + DEB_BUILD_OPTION to avoid overwriting user build flags. |
1180 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
1181 | + plugins for the most common use cases from extra-plugins into a new |
1182 | + standard-plugins package. This will allow those use cases without pulling |
1183 | + in too much more plugins (a bit like the tnc package). Recommend that |
1184 | + package from strongswan-libcharon (LP: #1640826). |
1185 | + + Fix Dep8 tests for the now extra strongswan-pki package for pki |
1186 | + + Fix Dep8 tests for the now extra strongswan-scepclient package |
1187 | + |
1188 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 |
1189 | + |
1190 | strongswan (5.5.1-1) unstable; urgency=medium |
1191 | |
1192 | * New upstream bugfix release. |
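Review bot: The 5.5.1-1ubuntu1 entry describes the strip handling in two incompatible ways: Remaining Changes says "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking", while Added Changes says "Use override_dh_strip to to fix library integrity checking instead of DEB_BUILD_OPTION". Only one of these can describe d/rules after this upload; suggest rewording the Remaining Changes line to name the override_dh_strip mechanism. Separately, "d/libbstrongswan-extra-plugins.install" under the mass plugin enablement has a doubled "b" and does not match the d/libstrongswan-extra-plugins.install path used further down in the same entry.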
1193 | @@ -458,6 +1558,177 @@ strongswan (5.3.5-2) unstable; urgency=medium |
1194 | |
1195 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
1196 | |
1197 | +strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium |
1198 | + |
1199 | + * Build-depend on libjson-c-dev instead of libjson0-dev. |
1200 | + * Rebuild against libjson-c3. |
1201 | + |
1202 | + -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 |
1203 | + |
1204 | +strongswan (5.3.5-1ubuntu3) xenial; urgency=medium |
1205 | + |
1206 | + * Rebuild against libmysqlclient20. |
1207 | + |
1208 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 |
1209 | + |
1210 | +strongswan (5.3.5-1ubuntu2) xenial; urgency=medium |
1211 | + |
1212 | + * debian/tests/plugins: rdrand may or may not be loaded, depending on the |
1213 | + cpu features. |
1214 | + |
1215 | + -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 |
1216 | + |
1217 | +strongswan (5.3.5-1ubuntu1) xenial; urgency=medium |
1218 | + |
1219 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1220 | + Enable bliss plugin |
1221 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
1222 | + Enable chapoly plugin |
1223 | + * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
1224 | + Upstream suggests to not load this plugin by default as it has |
1225 | + some limitations. |
1226 | + https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec |
1227 | + * debian/patches/increase-bliss-test-timeout.patch |
1228 | + Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default |
1229 | + * Update Apparmor profiles |
1230 | + - usr.lib.ipsec.charon |
1231 | + - add capability audit_write for xauth-pam (LP: #1470277) |
1232 | + - add capability dac_override (needed by agent plugin) |
1233 | + - allow priv dropping (LP: #1333655) |
1234 | + - allow caching CRLs (LP: #1505222) |
1235 | + - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) |
1236 | + - usr.lib.ipsec.stroke |
1237 | + - allow priv dropping (LP: #1333655) |
1238 | + - add local include |
1239 | + - usr.lib.ipsec.lookip |
1240 | + - add local include |
1241 | + * Merge from Debian, which includes fixes for all previous CVEs |
1242 | + Fixes (LP: #1330504, #1451091, #1448870, #1470277) |
1243 | + Remaining changes: |
1244 | + * debian/control |
1245 | + - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
1246 | + - Update Maintainer for Ubuntu |
1247 | + - Add build-deps |
1248 | + - dh-apparmor |
1249 | + - iptables-dev |
1250 | + - libjson0-dev |
1251 | + - libldns-dev |
1252 | + - libmysqlclient-dev |
1253 | + - libpcsclite-dev |
1254 | + - libsoup2.4-dev |
1255 | + - libtspi-dev |
1256 | + - libunbound-dev |
1257 | + - Drop build-deps |
1258 | + - libfcgi-dev |
1259 | + - clearsilver-dev |
1260 | + - Create virtual packages for all strongswan-plugin-* for dist-upgrade |
1261 | + - Set XS-Testsuite: autopkgtest |
1262 | + * debian/rules: |
1263 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1264 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1265 | + tests. |
1266 | + - Change init/systemd program name to strongswan |
1267 | + - Install AppArmor profiles |
1268 | + - Removed pieces on 'patching ipsec.conf' on build. |
1269 | + - Enablement of features per Ubuntu current config suggested from |
1270 | + upstream recommendation |
1271 | + - Unpack and sort enabled features to one-per-line |
1272 | + - Disable duplicheck as per |
1273 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
1274 | + - Disable libfast (--disable-fast): |
1275 | + Requires dropping medsrv, medcli plugins which depend on libfast |
1276 | + - Add configure options |
1277 | + --with-tss=trousers |
1278 | + - Remove configure options: |
1279 | + --enable-ha (requires special kernel) |
1280 | + --enable-unit-test (unit tests run by default) |
1281 | + - Drop logcheck install |
1282 | + * debian/tests/* |
1283 | + - Add DEP8 test for strongswan service and plugins |
1284 | + * debian/strongswan-starter.strongswan.service |
1285 | + - Add new systemd file instead of patching upstream |
1286 | + * debian/strongswan-starter.links |
1287 | + - removed, use Ubuntu systemd file instead of linking to upstream |
1288 | + * debian/usr.lib.ipsec.{charon, lookip, stroke} |
1289 | + - added AppArmor profiles for charon, lookip and stroke |
1290 | + * debian/libcharon-extra-plugins.install |
1291 | + - Add plugins |
1292 | + - kernel-libipsec.{so, lib, conf, apparmor} |
1293 | + - Remove plugins |
1294 | + - libstrongswan-ha.so |
1295 | + - Relocate plugins |
1296 | + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) |
1297 | + * debian/libstrongswan-extra-plugins.install |
1298 | + - Add plugins (so, lib, conf) |
1299 | + - acert |
1300 | + - attr-sql |
1301 | + - coupling |
1302 | + - dnscert |
1303 | + - fips-prf |
1304 | + - gmp |
1305 | + - ipseckey |
1306 | + - load-tester |
1307 | + - mysql |
1308 | + - ntru |
1309 | + - radattr |
1310 | + - soup |
1311 | + - sqlite |
1312 | + - sql |
1313 | + - systime-fix |
1314 | + - unbound |
1315 | + - whitelist |
1316 | + - Relocate plugins (so, lib, conf) |
1317 | + - ccm (libstrongswan.install) |
1318 | + - test-vectors (libstrongswan.install) |
1319 | + * debian/libstrongswan.install |
1320 | + - Sort sections |
1321 | + - Add plugins (so, lib, conf) |
1322 | + - libchecksum |
1323 | + - ccm |
1324 | + - eap-identity |
1325 | + - md4 |
1326 | + - test-vectors |
1327 | + * debian/strongswan-charon.install |
1328 | + - Add AppArmor profile for charon |
1329 | + * debian/strongswan-starter.install |
1330 | + - Add tools, manpages, conf |
1331 | + - openac |
1332 | + - pool |
1333 | + - _updown_espmark |
1334 | + - Add AppArmor profile for stroke |
1335 | + * debian/strongswan-tnc-base.install |
1336 | + - Add new subpackage for TNC |
1337 | + - remove non-existent (dropped in 5.2.1) libpts library files |
1338 | + * debian/strongswan-tnc-client.install |
1339 | + - Add new subpackage for TNC |
1340 | + * debian/strongswan-tnc-ifmap.install |
1341 | + - Add new subpackage for TNC |
1342 | + * debian/strongswan-tnc-pdp.install |
1343 | + - Add new subpackage for TNC |
1344 | + * debian/strongswan-tnc-server.install |
1345 | + - Add new subpackage for TNC |
1346 | + * debian/strongswan-starter.postinit: |
1347 | + - Removed section about runlevel changes, it's almost 2014. |
1348 | + - Adapted service restart section for Upstart. |
1349 | + - Remove old symlinks to init.d files is necessary. |
1350 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1351 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1352 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1353 | + removal (as opposed to using the old init.d script). |
1354 | + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck |
1355 | + - logcheck patterns updated to be helpful |
1356 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1357 | + entire section on opportunistic encryption - this was never in strongSwan. |
1358 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1359 | + Drop changes: |
1360 | + * debian/control |
1361 | + - Per-plugin package breakup: Reducing packaging delta from Debian |
1362 | + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian |
1363 | + * debian/watch: Already exists in Debian merge |
1364 | + * debian/upstream/signing-key.asc: Upstream has newer version. |
1365 | + |
1366 | + -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 |
1367 | + |
1368 | strongswan (5.3.5-1) unstable; urgency=medium |
1369 | |
1370 | * New upstream bugfix release. |
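Review bot: In the 5.3.5-1ubuntu1 entry, "Merge from Debian, which includes fixes for all previous CVEs" cites only LP bug numbers, so the changelog cannot be matched against a CVE tracker; suggest listing the CVE identifiers that the merge covers on that line. In the same entry the usr.lib.ipsec.charon profile gains "capability dac_override (needed by agent plugin)" with no bug reference, unlike the neighbouring audit_write, priv dropping, CRL caching and /dev/net/tun lines; a reference or a one-line justification would help whoever audits that profile later. Minor: "debian/strongswan-starter.postinit" looks like a misspelling of the postinst file named a few lines below.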
1371 | @@ -730,6 +2001,210 @@ strongswan (5.1.2-1) unstable; urgency=medium |
1372 | |
1373 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
1374 | |
1375 | +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium |
1376 | + |
1377 | + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) |
1378 | + |
1379 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 |
1380 | + |
1381 | +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium |
1382 | + |
1383 | + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin |
1384 | + - debian/patches/CVE-2015-8023.patch: only succeed authentication if |
1385 | + MSK was established in |
1386 | + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. |
1387 | + - CVE-2015-8023 |
1388 | + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS |
1389 | + until regression is properly investigated. |
1390 | + |
1391 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 |
1392 | + |
1393 | +strongswan (5.1.2-0ubuntu6) wily; urgency=medium |
1394 | + |
1395 | + * SECURITY UPDATE: user credential disclosure to rogue servers |
1396 | + - debian/patches/CVE-2015-4171.patch: enforce remote authentication |
1397 | + config before proceeding with own authentication in |
1398 | + src/libcharon/sa/ikev2/tasks/ike_auth.c. |
1399 | + - CVE-2015-4171 |
1400 | + * debian/rules: don't FTBFS from unused service file |
1401 | + |
1402 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 |
1403 | + |
1404 | +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium |
1405 | + |
1406 | + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. |
1407 | + |
1408 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 |
1409 | + |
1410 | +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium |
1411 | + |
1412 | + * SECURITY UPDATE: denial of service via DH group 1025 |
1413 | + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of |
1414 | + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, |
1415 | + src/libstrongswan/crypto/diffie_hellman.h. |
1416 | + - CVE-2014-9221 |
1417 | + |
1418 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 |
1419 | + |
1420 | +strongswan (5.1.2-0ubuntu3) utopic; urgency=low |
1421 | + |
1422 | + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix |
1423 | + build. |
1424 | + |
1425 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 |
1426 | + |
1427 | +strongswan (5.1.2-0ubuntu2) trusty; urgency=medium |
1428 | + |
1429 | + * SECURITY UPDATE: remote authentication bypass |
1430 | + - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange |
1431 | + on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. |
1432 | + - CVE-2014-2338 |
1433 | + |
1434 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 |
1435 | + |
1436 | +strongswan (5.1.2-0ubuntu1) trusty; urgency=low |
1437 | + |
1438 | + * New upstream release. |
1439 | + |
1440 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 |
1441 | + |
1442 | +strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low |
1443 | + |
1444 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
1445 | + * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. |
1446 | + |
1447 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 |
1448 | + |
1449 | +strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low |
1450 | + |
1451 | + * New upstream release candidate. |
1452 | + |
1453 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 |
1454 | + |
1455 | +strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium |
1456 | + |
1457 | + * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct |
1458 | + packages. |
1459 | + * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. |
1460 | + |
1461 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 |
1462 | + |
1463 | +strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low |
1464 | + |
1465 | + * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. |
1466 | + |
1467 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 |
1468 | + |
1469 | +strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low |
1470 | + |
1471 | + * debian/libstrongswan.install: Moved rdrand plugin configuration to rules |
1472 | + as it's only useful on amd64. |
1473 | + * debian/watch: Added opts=pgpsigurlmangle option. |
1474 | + * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. |
1475 | + |
1476 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 |
1477 | + |
1478 | +strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium |
1479 | + |
1480 | + * New upstream release candidate. |
1481 | + * debian/*.install - include new configuration files for plugins in |
1482 | + appropiate packages. |
1483 | + |
1484 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 |
1485 | + |
1486 | +strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low |
1487 | + |
1488 | + * debian/control: |
1489 | + - Added Breaks/Replaces for all library files which have been moved |
1490 | + about (LP: #1278176). |
1491 | + - Removed build-dependency on check and added one on dh-apparmor. |
1492 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
1493 | + entire section on opportunistic encryption - this was never in strongSwan. |
1494 | + * debian/rules: Removed pieces on 'patching ipsec.conf' on build. |
1495 | + |
1496 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 |
1497 | + |
1498 | +strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low |
1499 | + |
1500 | + * debian/control: Fixed references to plugin-fips-prf. |
1501 | + |
1502 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 |
1503 | + |
1504 | +strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low |
1505 | + |
1506 | + * Upstream Git snapshot for build fixes with regards to entropy. |
1507 | + * debian/rules: |
1508 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
1509 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
1510 | + tests. |
1511 | + |
1512 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 |
1513 | + |
1514 | +strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low |
1515 | + |
1516 | + * New upstream developer release. |
1517 | + * Made changes to packaging per upstream suggestions. |
1518 | + - Dropped medcli and medsrv packages - not recommended by upstream at this |
1519 | + time. |
1520 | + - Dropped ha plugin - needs special kernel. |
1521 | + - Improved all package descriptions in general. |
1522 | + - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. |
1523 | + - Removed debian/*logcheck* files - not relevant to strongSwan. |
1524 | + - Split dhcp and farp packages into sub-packages. |
1525 | + - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. |
1526 | + - Changes to TNC-related packages. |
1527 | + * Created AppArmor profiles for lookip and stroke. |
1528 | + |
1529 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 |
1530 | + |
1531 | +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low |
1532 | + |
1533 | + * libstrongswan.install: Removed lingering unit-tester.so reference. |
1534 | + |
1535 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 |
1536 | + |
1537 | +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low |
1538 | + |
1539 | + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. |
1540 | + Incorporates upstream fixes for: |
1541 | + - Integrity testing. |
1542 | + - Unit test failures on little endian systems. |
1543 | + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed |
1544 | + upstream. |
1545 | + * debian/rules: |
1546 | + - Stop using CK_TIMEOUT_MULTIPLIER. |
1547 | + - Stop enabling the test suite only on non-powerpc arches (it runs |
1548 | + anyway). |
1549 | + |
1550 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 |
1551 | + |
1552 | +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low |
1553 | + |
1554 | + * debian/control: Reinstate missing comma in dependencies. |
1555 | + |
1556 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 |
1557 | + |
1558 | +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low |
1559 | + |
1560 | + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue |
1561 | + where test for >2038 tests on 32-bit platforms is broken. |
1562 | + - Reported upstream: https://wiki.strongswan.org/issues/477 |
1563 | + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. |
1564 | + |
1565 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 |
1566 | + |
1567 | +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low |
1568 | + |
1569 | + * New upstream developer release. |
1570 | + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, |
1571 | + and --enable-unity. |
1572 | + * debian/control: |
1573 | + - New plugin packages created for the above |
1574 | + - Split fips-prf into its own package. |
1575 | + - Added build-dependency on libsoup2.4-dev. |
1576 | + |
1577 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 |
1578 | + |
1579 | strongswan (5.1.1-3) unstable; urgency=low |
1580 | |
1581 | * Upload to unstable. |
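Review bot: The 5.1.2-0ubuntu7 security upload also carries debian/patches/disable_ntru_test.patch, described as "disable test causing FTBFS until regression is properly investigated", with no bug reference, so nothing visible tracks re-enabling the test. Suggest adding an LP bug number to that line. Minor: in 5.1.2-0ubuntu8, "Import FTBFS for s390x" presumably means importing the FTBFS fix, and the wording should say so.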
1582 | @@ -821,6 +2296,192 @@ strongswan (5.1.1-1) unstable; urgency=low |
1583 | |
1584 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
1585 | |
1586 | +strongswan (5.1.1-0ubuntu17) trusty; urgency=low |
1587 | + |
1588 | + * debian/control: |
1589 | + - Make strongswan-ike depend on iproute2. |
1590 | + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. |
1591 | + - Created strongswan-libfast package. |
1592 | + |
1593 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 |
1594 | + |
1595 | +strongswan (5.1.1-0ubuntu16) trusty; urgency=low |
1596 | + |
1597 | + * debian/control: |
1598 | + - Further splitting of plugins into subpackages (such as all EAP plugins |
1599 | + to their own packages). |
1600 | + - Added libpcsclite-dev to build-dependencies. |
1601 | + * debian/rules: |
1602 | + - Sort configure options in alphabetical order. |
1603 | + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, |
1604 | + --enable-eap-sim-file, --enable-eap-sim-pcsc, |
1605 | + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and |
1606 | + --enable-eap-simaka-sql. |
1607 | + - Don't exclude medsrv from install. |
1608 | + * Moved eap-identity.so to libstrongswan package as it's used by all the |
1609 | + other EAP plugins. |
1610 | + |
1611 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 |
1612 | + |
1613 | +strongswan (5.1.1-0ubuntu15) trusty; urgency=low |
1614 | + |
1615 | + * debian/control: |
1616 | + - Split plugins from libstrongswan package into modular subpackages. |
1617 | + - Added libmysqlclient-dev to build-dependencies. |
1618 | + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or |
1619 | + strongswan-plugins-gcrypt. |
1620 | + - strongswan-ike: All other plugins added to Suggests. |
1621 | + - Created two new TNC packages: strongswan-tnc-ifmap and |
1622 | + strongswan-tnc-pdp and added to tnc-imcvs Suggests. |
1623 | + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, |
1624 | + --enable-error-notify, --enable-mysql, --enable-load-tester, |
1625 | + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. |
1626 | + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. |
1627 | + |
1628 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 |
1629 | + |
1630 | +strongswan (5.1.1-0ubuntu14) trusty; urgency=low |
1631 | + |
1632 | + * debian/rules: |
1633 | + - CK_TIMEOUT_MULTIPLIER back down to 6. |
1634 | + - Disable unit tests on powerpc. |
1635 | + |
1636 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 |
1637 | + |
1638 | +strongswan (5.1.1-0ubuntu13) trusty; urgency=low |
1639 | + |
1640 | + * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. |
1641 | + |
1642 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 |
1643 | + |
1644 | +strongswan (5.1.1-0ubuntu12) trusty; urgency=low |
1645 | + |
1646 | + * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and |
1647 | + armhf. |
1648 | + |
1649 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 |
1650 | + |
1651 | +strongswan (5.1.1-0ubuntu11) trusty; urgency=low |
1652 | + |
1653 | + * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on |
1654 | + one extra arch. |
1655 | + * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. |
1656 | + |
1657 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 |
1658 | + |
1659 | +strongswan (5.1.1-0ubuntu10) trusty; urgency=low |
1660 | + |
1661 | + * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - |
1662 | + - Increases RSA key generate test timeout to 30 seconds so that it doesn't |
1663 | + fail on armhf, arm64, and powerppc. |
1664 | + * Contrary to what the last changelog entry says, we are still running |
1665 | + strongswan as root (with AppArmor protection). |
1666 | + |
1667 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 |
1668 | + |
1669 | +strongswan (5.1.1-0ubuntu9) trusty; urgency=low |
1670 | + |
1671 | + * debian/rules: Added to configure options: |
1672 | + - --enable-tnc-ifmap: enable TNC IF-MAP module. |
1673 | + - --enable-duplicheck: enable duplicheck plugin. |
1674 | + - --enable-imv-swid, --enable-imc-swid: Added. |
1675 | + - Run strongswan as it's own user. |
1676 | + * debian/strongswan-starter.install: Install duplicheck. |
1677 | + * debian/strongswan-tnc-imcvs.install: Install swidtags. |
1678 | + |
1679 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 |
1680 | + |
1681 | +strongswan (5.1.1-0ubuntu8) trusty; urgency=low |
1682 | + |
1683 | + * debian/rules: Added to configure options: |
1684 | + - --enable-unit-tests: check unit testing on build. |
1685 | + - --enable-unbound: for validating DNS lookups. |
1686 | + - --enable-dnscert: for DNSCERT peer authentication. |
1687 | + - --enable-ipseckey: for IPSEC key authentication. |
1688 | + - --enable-lookip: for LookIP functionality. |
1689 | + - --enable-coupling: certificate coupling functionality. |
1690 | + * debian/control: Added check, libldns-dev, libunbound-dev to |
1691 | + build-dependencies. |
1692 | + * debian/libstrongswan.install: Install new plugin .so's. |
1693 | + * debian/strongswan-starter.install: Added lookip. |
1694 | + |
1695 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 |
1696 | + |
1697 | +strongswan (5.1.1-0ubuntu7) trusty; urgency=low |
1698 | + |
1699 | + * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent |
1700 | + the former from depending on the latter). |
1701 | + |
1702 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 |
1703 | + |
1704 | +strongswan (5.1.1-0ubuntu6) trusty; urgency=low |
1705 | + |
1706 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1707 | + removal (as opposed to using the old init.d script). |
1708 | + |
1709 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 |
1710 | + |
1711 | +strongswan (5.1.1-0ubuntu5) trusty; urgency=low |
1712 | + |
1713 | + * debian/rules: |
1714 | + - CONFIGUREARGS: Merged Debian and RPM options. |
1715 | + - Brings in TNC functionality. |
1716 | + * debian/control: |
1717 | + - Added build-dependency on libtspi-dev. |
1718 | + - Created strongswan-tnc-imcvs binary package for TNC components. |
1719 | + - Added strongswan-tnc-imcvs to libstrongswan's Suggests. |
1720 | + * debian/libstrongswan.install: |
1721 | + - Included newly built MD4 and SQLite libraries. |
1722 | + - Removed 'tnc' references (moved to TNC package). |
1723 | + * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and |
1724 | + binaries. |
1725 | + * debian/usr.lib.ipsec.charon: Allow access to TNC modules. |
1726 | + |
1727 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 |
1728 | + |
1729 | +strongswan (5.1.1-0ubuntu4) trusty; urgency=low |
1730 | + |
1731 | + * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. |
1732 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1733 | + * debian/control: strongswan-ike - Stop depending on ipsec-tools. |
1734 | + |
1735 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 |
1736 | + |
1737 | +strongswan (5.1.1-0ubuntu3) trusty; urgency=low |
1738 | + |
1739 | + * strongswan-starter.strongswan.upstart - Only start strongSwan when a |
1740 | + network connection is available. |
1741 | + * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to |
1742 | + 1.16.1 - to make precise backporting easier. |
1743 | + |
1744 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 |
1745 | + |
1746 | +strongswan (5.1.1-0ubuntu2) trusty; urgency=low |
1747 | + |
1748 | + * strongswan-starter.strongswan.upstart - Created Upstart job for |
1749 | + strongSwan. |
1750 | + * debian/rules: Set dh_installinit to install above file. |
1751 | + * debian/strongswan-starter.postinit: |
1752 | + - Removed section about runlevel changes, it's almost 2014. |
1753 | + - Adapted service restart section for Upstart. |
1754 | + - Remove old symlinks to init.d files is necessary. |
1755 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1756 | + |
1757 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 |
1758 | + |
1759 | +strongswan (5.1.1-0ubuntu1) trusty; urgency=low |
1760 | + |
1761 | + * New upstream release. |
1762 | + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. |
1763 | + * debian/control: Updated Standards-Version to 3.9.5 and applied |
1764 | + XSBC-Original-Maintainer policy. |
1765 | + * strongswan-starter.install: |
1766 | + - pki tool is now in /usr/bin. |
1767 | + - Install pt-tls-client. |
1768 | + - Install manpages (LP: #1206263). |
1769 | + |
1770 | + -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 |
1771 | + |
1772 | strongswan (5.1.0-3) unstable; urgency=high |
1773 | |
1774 | * urgency=high for the security fixes. |
1775 | diff --git a/debian/control b/debian/control |
1776 | index 9ed97b7..06faee6 100644 |
1777 | --- a/debian/control |
1778 | +++ b/debian/control |
1779 | @@ -1,7 +1,8 @@ |
1780 | Source: strongswan |
1781 | Section: net |
1782 | Priority: optional |
1783 | -Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1784 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1785 | +XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1786 | Uploaders: Yves-Alexis Perez <corsac@debian.org> |
1787 | Standards-Version: 4.6.0 |
1788 | Vcs-Browser: https://salsa.debian.org/debian/strongswan |
1789 | @@ -136,6 +137,7 @@ Description: strongSwan utility and crypto library (extra plugins) |
1790 | - gcrypt (Crypto backend based on libgcrypt, provides |
1791 | RSA/DH/ciphers/hashers/rng) |
1792 | - ldap (LDAP fetching plugin based on libldap) |
1793 | + - ntru (key exchanged based on post-quantum computer NTRU) |
1794 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1795 | - pkcs11 (PKCS#11 smartcard backend) |
1796 | - rdrand (High quality / high performance random source using the Intel |
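Review bot: the added ntru entry reads "key exchanged based on post-quantum computer NTRU", which is ungrammatical and ends up in the package's long description. Suggest "ntru (key exchange based on the post-quantum NTRU algorithm)" or similar wording.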
1797 | @@ -203,6 +205,9 @@ Description: strongSwan charon library (extra plugins) |
1798 | - unity (Cisco Unity extensions for IKEv1) |
1799 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) |
1800 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) |
1801 | + - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method |
1802 | + requested/supported by the client (since 5.0.1)) |
1803 | + - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) |
1804 | |
1805 | Package: strongswan-starter |
1806 | Architecture: any |
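Review bot: eap-dynamic and eap-peap are appended after xauth-pam instead of in sorted position, unlike the matching .install hunks, which insert them between eap-aka and eap-gtc and between eap-md5 and eap-radius. If the tail placement is deliberate to keep the Ubuntu delta easy to re-apply on the next merge, that is fine; otherwise sort them. The "(since 5.0.1)" remark in the eap-dynamic entry is the only version annotation among the visible entries and could be dropped.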
1807 | @@ -210,9 +215,9 @@ Pre-Depends: ${misc:Pre-Depends} |
1808 | Depends: adduser, |
1809 | libstrongswan (= ${binary:Version}), |
1810 | lsb-base (>= 3.0-6), |
1811 | + strongswan-charon, |
1812 | ${misc:Depends}, |
1813 | ${shlibs:Depends} |
1814 | -Recommends: strongswan-charon |
1815 | Conflicts: openswan |
1816 | Description: strongSwan daemon starter and configuration file parser |
1817 | The strongSwan VPN suite uses the native IPsec stack in the standard |
1818 | @@ -251,9 +256,9 @@ Architecture: any |
1819 | Pre-Depends: debconf | debconf-2.0 |
1820 | Depends: iproute2 [linux-any] | iproute [linux-any], |
1821 | libstrongswan (= ${binary:Version}), |
1822 | - strongswan-starter, |
1823 | ${misc:Depends}, |
1824 | ${shlibs:Depends} |
1825 | +Recommends: strongswan-starter, |
1826 | Provides: ike-server |
1827 | Description: strongSwan Internet Key Exchange daemon |
1828 | The strongSwan VPN suite uses the native IPsec stack in the standard |
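Review bot: the new "Recommends: strongswan-starter," line in the IKE daemon stanza ends with a trailing comma although it holds a single entry; drop the comma. Together with the previous hunk this reverses the relationship (starter now Depends on strongswan-charon, the daemon only Recommends starter), so an install with recommends disabled gets the daemon without starter. Worth confirming that the daemon package's service handling and maintainer scripts do not assume starter is present.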
1829 | diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install |
1830 | index 94fbabd..91ca716 100644 |
1831 | --- a/debian/libcharon-extra-plugins.install |
1832 | +++ b/debian/libcharon-extra-plugins.install |
1833 | @@ -2,9 +2,11 @@ |
1834 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so |
1835 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so |
1836 | usr/lib/ipsec/plugins/libstrongswan-eap-aka.so |
1837 | +usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so |
1838 | usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so |
1839 | usr/lib/ipsec/plugins/libstrongswan-eap-identity.so |
1840 | usr/lib/ipsec/plugins/libstrongswan-eap-md5.so |
1841 | +usr/lib/ipsec/plugins/libstrongswan-eap-peap.so |
1842 | usr/lib/ipsec/plugins/libstrongswan-eap-radius.so |
1843 | usr/lib/ipsec/plugins/libstrongswan-eap-tls.so |
1844 | usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so |
1845 | @@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so |
1846 | usr/share/strongswan/templates/config/plugins/addrblock.conf |
1847 | usr/share/strongswan/templates/config/plugins/certexpire.conf |
1848 | usr/share/strongswan/templates/config/plugins/eap-aka.conf |
1849 | +usr/share/strongswan/templates/config/plugins/eap-dynamic.conf |
1850 | usr/share/strongswan/templates/config/plugins/eap-gtc.conf |
1851 | usr/share/strongswan/templates/config/plugins/eap-identity.conf |
1852 | usr/share/strongswan/templates/config/plugins/eap-md5.conf |
1853 | +usr/share/strongswan/templates/config/plugins/eap-peap.conf |
1854 | usr/share/strongswan/templates/config/plugins/eap-radius.conf |
1855 | usr/share/strongswan/templates/config/plugins/eap-tls.conf |
1856 | usr/share/strongswan/templates/config/plugins/eap-tnc.conf |
1857 | @@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf |
1858 | etc/strongswan.d/charon/addrblock.conf |
1859 | etc/strongswan.d/charon/certexpire.conf |
1860 | etc/strongswan.d/charon/eap-aka.conf |
1861 | +etc/strongswan.d/charon/eap-dynamic.conf |
1862 | etc/strongswan.d/charon/eap-gtc.conf |
1863 | etc/strongswan.d/charon/eap-identity.conf |
1864 | etc/strongswan.d/charon/eap-md5.conf |
1865 | +etc/strongswan.d/charon/eap-peap.conf |
1866 | etc/strongswan.d/charon/eap-radius.conf |
1867 | etc/strongswan.d/charon/eap-tls.conf |
1868 | etc/strongswan.d/charon/eap-tnc.conf |
1869 | diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript |
1870 | new file mode 100644 |
1871 | index 0000000..f6e7a3a |
1872 | --- /dev/null |
1873 | +++ b/debian/libcharon-extra-plugins.maintscript |
1874 | @@ -0,0 +1,8 @@ |
1875 | +rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1876 | +rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1877 | +rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1878 | +rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1879 | +rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1880 | +rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1881 | +rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
1882 | +rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins |
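Review bot: all eight rm_conffile entries use the prior-version 5.8.4-1ubuntu2~, so they only act on upgrades from package versions older than that, and nothing here says when the file can go away. Suggest recording in the changelog delta entry the release after which no supported upgrade path starts below 5.8.4-1ubuntu2, so the file is dropped at that merge instead of being carried forward.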
1883 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install |
1884 | index 2846e21..8f71239 100644 |
1885 | --- a/debian/libstrongswan-extra-plugins.install |
1886 | +++ b/debian/libstrongswan-extra-plugins.install |
1887 | @@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so |
1888 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1889 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1890 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1891 | +usr/lib/ipsec/plugins/libstrongswan-ntru.so |
1892 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1893 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
1894 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
1895 | @@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf |
1896 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
1897 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
1898 | usr/share/strongswan/templates/config/plugins/ldap.conf |
1899 | +usr/share/strongswan/templates/config/plugins/ntru.conf |
1900 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
1901 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
1902 | usr/share/strongswan/templates/config/plugins/tpm.conf |
1903 | @@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf |
1904 | etc/strongswan.d/charon/curve25519.conf |
1905 | etc/strongswan.d/charon/gcrypt.conf |
1906 | etc/strongswan.d/charon/ldap.conf |
1907 | +etc/strongswan.d/charon/ntru.conf |
1908 | etc/strongswan.d/charon/pkcs11.conf |
1909 | etc/strongswan.d/charon/test-vectors.conf |
1910 | etc/strongswan.d/charon/tpm.conf |
1911 | diff --git a/debian/rules b/debian/rules |
1912 | index 2fed1f1..8ca4bd7 100755 |
1913 | --- a/debian/rules |
1914 | +++ b/debian/rules |
1915 | @@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1916 | --enable-curl \ |
1917 | --enable-eap-aka \ |
1918 | --enable-eap-gtc \ |
1919 | + --enable-eap-dynamic \ |
1920 | --enable-eap-identity \ |
1921 | --enable-eap-md5 \ |
1922 | --enable-eap-mschapv2 \ |
1923 | + --enable-eap-peap \ |
1924 | --enable-eap-radius \ |
1925 | --enable-eap-tls \ |
1926 | --enable-eap-tnc \ |
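Review bot: --enable-eap-dynamic is inserted after --enable-eap-gtc, while the libcharon-extra-plugins.install hunks list eap-dynamic before eap-gtc. The option list is otherwise sorted in the visible context, so move the new flag up one line to keep the delta consistent.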
1927 | @@ -32,6 +34,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1928 | --enable-led \ |
1929 | --enable-lookip \ |
1930 | --enable-mediation \ |
1931 | + --enable-ntru \ |
1932 | --enable-openssl \ |
1933 | --enable-pkcs11 \ |
1934 | --enable-test-vectors \ |
Merge 5.9.4-1 from Debian. Test PPA:
https://launchpad.net/~paride/+archive/ubuntu/strongswan-merge-5.9.4-1
I verified that the two security patches released in 5.9.1-1ubuntu3.1 are part of the new upstream version. No conflicts to resolve in the merge process.
I recovered the rich git history from the previous merge MP as the importer doesn't have it due to empty directories.
# Lintian
Note: the Debian package updated the lintian-overrides to work with the new lintian versions. This means that lintian 2.104.0ubuntu3 (currently in Jammy -release) is going to issue some error tags. Testing with lintian 2.111.0ubuntu1 (currently in jammy-proposed) tests clean.
# Autopkgtest results:
autopkgtest [15:53:10]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS
# OpenSSL 3.0
By looking at the upstream commit history I expected this merge to also fix the OpenSSL 3.0 FTBFS (LP: #1946213). The build stage indeed succeeds, but the upstream test suite then fails, so overall the package still FTBFS. There is an upstream issue about the failure, to which I commented:
https://github.com/strongswan/strongswan/issues/753