Merge ~slyon/ubuntu/+source/strongswan:merge-lp2110449-questing into ubuntu/+source/strongswan:debian/sid

Proposed by Lukas Märdian
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 65ff0dd7923aacde8e7c9c31a6a6236f6d05f523
Proposed branch: ~slyon/ubuntu/+source/strongswan:merge-lp2110449-questing
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 2749 lines (+2466/-4)
8 files modified
debian/changelog (+1982/-0)
debian/control (+7/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/rules (+2/-0)
debian/tests/control (+6/-0)
debian/tests/host-to-host (+401/-0)
debian/tests/utils (+61/-0)
debian/usr.sbin.swanctl (+1/-1)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lena Voytek (community) Approve
Canonical Server Reporter Pending
Canonical Server Pending
Canonical Server Core Reviewers Pending
Review via email: mp+489619@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~slyon/+archive/ubuntu/merge-lp2110449-strongswan-questing/+packages

Release Notes: https://discourse.ubuntu.com/t/questing-quokka-release-notes/59220#p-151948-strongswan-58

Range diff is looking rather clean:
$ git range-diff lp2110449/old/debian..lp2110449/logical/5.9.13-2ubuntu5 lp2110449/new/debian..slyon/merge-lp2110449-questing

DEP-8: (green)
$ ppa tests ppa:slyon/merge-lp2110449-strongswan-questing

* Results:
  - strongswan: questing/strongswan/6.0.1-6ubuntu1~ppa3 [amd64]
    + ✅ strongswan on questing for amd64 @ 29.07.25 10:49:41 Log️ 🗒️
  - strongswan: questing/strongswan/6.0.1-6ubuntu1~ppa3 [arm64]
    + ✅ strongswan on questing for arm64 @ 29.07.25 10:51:39 Log️ 🗒️
  - strongswan: questing/strongswan/6.0.1-6ubuntu1~ppa3 [armhf]
    + ✅ strongswan on questing for armhf @ 29.07.25 10:46:09 Log️ 🗒️
  - strongswan: questing/strongswan/6.0.1-6ubuntu1~ppa3 [ppc64el]
    + ✅ strongswan on questing for ppc64el @ 29.07.25 10:55:00 Log️ 🗒️
  - strongswan: questing/strongswan/6.0.1-6ubuntu1~ppa3 [s390x]
    + ✅ strongswan on questing for s390x @ 29.07.25 11:28:46 Log️ 🗒️

Christian Ehrhardt (paelzer) wrote :

=> Lvoytek for review

Lena Voytek (lvoytek) wrote :

LGTM! Delta drops, changelog, commit messages, and remaining delta all look good

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: slyon, lvoytek
Uploaders: slyon, lvoytek
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index bfd5400..744a3f5 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,27 @@
6+strongswan (6.0.1-6ubuntu1) questing; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #2110449). Remaining changes:
9+ - d/control: strongswan-starter hard-depends on strongswan-charon,
10+ therefore bump the dependency from Recommends to Depends. At the same
11+ time avoid a circular dependency by dropping
12+ strongswan-charon->strongswan-starter from Depends to Recommends as the
13+ binaries can work without the services but not vice versa.
14+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
15+ + d/control: update libcharon-extra-plugins description.
16+ + d/libcharon-extra-plugins.install: install .so and conf files.
17+ + d/rules: add plugins to the configuration arguments.
18+ - d/t/{control,host-to-host,utils}: new host-to-host test
19+ (LP #1999525)
20+ - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
21+ (LP #1999935)
22+ * Drop changes:
23+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
24+ [ deprecated & dropped upstream as of 6.0.0 ]
25+ - Remove conf files of plugins removed from libcharon-extra-plugins
26+ [ Not relevant anymore after > 1 LTS cyle ]
27+
28+ -- Lukas Märdian <slyon@ubuntu.com> Thu, 24 Jul 2025 15:43:37 +0200
29+
30 strongswan (6.0.1-6) unstable; urgency=medium
31
32 * d/control: keep strongswan-charon and strongswan-starter as acceptable
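Review bot: the new 6.0.1-6ubuntu1 stanza has a typo in the "Drop changes" rationale, "[ Not relevant anymore after > 1 LTS cyle ]" should read "cycle"; please fix before upload, since this stanza (unlike the restored historical ones below) is newly authored. The rest of the stanza is consistent with the diff summary: the two dropped deltas (NTRU and the plugin conf-file removals) explain why neither d/libstrongswan-extra-plugins.install nor d/libcharon-extra-plugins.maintscript appears in the list of modified files, and only the merge bug uses the closing "LP: #2110449" form while the remaining-changes items keep the non-closing "LP #NNNN" form, which is the intended behaviour for a merge changelog.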
33@@ -78,6 +102,59 @@ strongswan (6.0.0-1) unstable; urgency=medium
34
35 -- Yves-Alexis Perez <corsac@debian.org> Fri, 21 Feb 2025 14:09:27 +0100
36
37+strongswan (5.9.13-2ubuntu5) questing; urgency=medium
38+
39+ * No-change rebuild for libxml2 soname change.
40+
41+ -- Matthias Klose <doko@ubuntu.com> Tue, 20 May 2025 12:22:36 +0200
42+
43+strongswan (5.9.13-2ubuntu4) noble; urgency=medium
44+
45+ * No-change rebuild for CVE-2024-3094
46+
47+ -- William Grant <wgrant@ubuntu.com> Mon, 01 Apr 2024 15:55:30 +1100
48+
49+strongswan (5.9.13-2ubuntu3) noble; urgency=medium
50+
51+ * No-change rebuild against libcurl4t64
52+
53+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 16 Mar 2024 07:03:41 +0000
54+
55+strongswan (5.9.13-2ubuntu2) noble; urgency=medium
56+
57+ * No-change rebuild against libssl3t64
58+
59+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 21:28:04 +0000
60+
61+strongswan (5.9.13-2ubuntu1) noble; urgency=medium
62+
63+ * Merge with Debian unstable (LP: #2050099). Remaining changes:
64+ - d/control: strongswan-starter hard-depends on strongswan-charon,
65+ therefore bump the dependency from Recommends to Depends. At the same
66+ time avoid a circular dependency by dropping
67+ strongswan-charon->strongswan-starter from Depends to Recommends as the
68+ binaries can work without the services but not vice versa.
69+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
70+ + d/control: mention plugins in package description
71+ + d/rules: enable ntru at build time
72+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
73+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
74+ + d/control: update libcharon-extra-plugins description.
75+ + d/libcharon-extra-plugins.install: install .so and conf files.
76+ + d/rules: add plugins to the configuration arguments.
77+ - Remove conf files of plugins removed from libcharon-extra-plugins
78+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
79+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
80+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
81+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
82+ properly.
83+ - d/t/{control,host-to-host,utils}: new host-to-host test
84+ (LP #1999525)
85+ - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
86+ (LP #1999935)
87+
88+ -- Andreas Hasenack <andreas@canonical.com> Mon, 22 Jan 2024 11:48:33 -0300
89+
90 strongswan (5.9.13-2) unstable; urgency=medium
91
92 * d/control: drop build-dep on systemd (Closes: #1060509)
93@@ -90,6 +167,42 @@ strongswan (5.9.13-1) unstable; urgency=medium
94
95 -- Yves-Alexis Perez <corsac@debian.org> Thu, 11 Jan 2024 17:09:17 +0100
96
97+strongswan (5.9.12-1ubuntu1) noble; urgency=medium
98+
99+ * Merge with Debian unstable (LP: #2040430). Remaining changes:
100+ - d/control: strongswan-starter hard-depends on strongswan-charon,
101+ therefore bump the dependency from Recommends to Depends. At the same
102+ time avoid a circular dependency by dropping
103+ strongswan-charon->strongswan-starter from Depends to Recommends as the
104+ binaries can work without the services but not vice versa.
105+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
106+ + d/control: mention plugins in package description
107+ + d/rules: enable ntru at build time
108+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
109+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
110+ + d/control: update libcharon-extra-plugins description.
111+ + d/libcharon-extra-plugins.install: install .so and conf files.
112+ + d/rules: add plugins to the configuration arguments.
113+ - Remove conf files of plugins removed from libcharon-extra-plugins
114+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
115+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
116+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
117+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
118+ properly.
119+ - d/t/{control,host-to-host,utils}: new host-to-host test
120+ (LP #1999525)
121+ - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
122+ (LP #1999935)
123+ * Dropped:
124+ - SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
125+ + debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
126+ potential buffer overflow in
127+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
128+ + CVE-2023-41913
129+ [Fixed upstream in 5.9.12]
130+
131+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Jan 2024 10:25:23 -0300
132+
133 strongswan (5.9.12-1) unstable; urgency=medium
134
135 * New upstream version 5.9.12
136@@ -106,6 +219,52 @@ strongswan (5.9.11-2) unstable; urgency=medium
137
138 -- Yves-Alexis Perez <corsac@debian.org> Mon, 13 Nov 2023 20:22:47 +0100
139
140+strongswan (5.9.11-1ubuntu2) noble; urgency=medium
141+
142+ * SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
143+ - debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
144+ potential buffer overflow in
145+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
146+ - CVE-2023-41913
147+
148+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 07 Nov 2023 11:43:00 +0200
149+
150+strongswan (5.9.11-1ubuntu1) mantic; urgency=medium
151+
152+ * Merge with Debian unstable (LP: #2018113). Remaining changes:
153+ - d/control: strongswan-starter hard-depends on strongswan-charon,
154+ therefore bump the dependency from Recommends to Depends. At the same
155+ time avoid a circular dependency by dropping
156+ strongswan-charon->strongswan-starter from Depends to Recommends as the
157+ binaries can work without the services but not vice versa.
158+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
159+ + d/control: mention plugins in package description
160+ + d/rules: enable ntru at build time
161+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
162+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
163+ + d/control: update libcharon-extra-plugins description.
164+ + d/libcharon-extra-plugins.install: install .so and conf files.
165+ + d/rules: add plugins to the configuration arguments.
166+ - Remove conf files of plugins removed from libcharon-extra-plugins
167+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
168+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
169+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
170+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
171+ properly.
172+ - d/t/{control,host-to-host,utils}: new host-to-host test
173+ (LP #1999525)
174+ - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
175+ (LP #1999935)
176+ * Dropped:
177+ - SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
178+ Incorrect Refcount
179+ + debian/patches/CVE-2023-26463.patch: fix authentication bypass and
180+ expired pointer dereference in src/libtls/tls_server.c.
181+ + CVE-2023-26463
182+ [Fixed upstream in 5.9.10]
183+
184+ -- Andreas Hasenack <andreas@canonical.com> Fri, 23 Jun 2023 14:05:18 -0300
185+
186 strongswan (5.9.11-1) unstable; urgency=medium
187
188 * New upstream version 5.9.10
189@@ -125,6 +284,66 @@ strongswan (5.9.8-4) unstable; urgency=medium
190
191 -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100
192
193+strongswan (5.9.8-3ubuntu4) lunar; urgency=medium
194+
195+ * d/t/utils: also give `cloud-init status --wait` the same amount of
196+ ${limit} seconds to complete, and bump limit to 5min. The logs show
197+ the container started up fine, with an IP.
198+
199+ -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Mar 2023 11:00:58 -0300
200+
201+strongswan (5.9.8-3ubuntu3) lunar; urgency=medium
202+
203+ * SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
204+ Incorrect Refcount
205+ - debian/patches/CVE-2023-26463.patch: fix authentication bypass and
206+ expired pointer dereference in src/libtls/tls_server.c.
207+ - CVE-2023-26463
208+
209+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 02 Mar 2023 12:58:47 -0500
210+
211+strongswan (5.9.8-3ubuntu2) lunar; urgency=medium
212+
213+ * d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
214+ (LP: #1999935)
215+
216+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Dec 2022 16:07:51 -0300
217+
218+strongswan (5.9.8-3ubuntu1) lunar; urgency=medium
219+
220+ * Merge with Debian unstable (LP: #1993449). Remaining changes:
221+ - d/control: strongswan-starter hard-depends on strongswan-charon,
222+ therefore bump the dependency from Recommends to Depends. At the same
223+ time avoid a circular dependency by dropping
224+ strongswan-charon->strongswan-starter from Depends to Recommends as the
225+ binaries can work without the services but not vice versa.
226+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
227+ + d/control: mention plugins in package description
228+ + d/rules: enable ntru at build time
229+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
230+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
231+ + d/control: update libcharon-extra-plugins description.
232+ + d/libcharon-extra-plugins.install: install .so and conf files.
233+ + d/rules: add plugins to the configuration arguments.
234+ - Remove conf files of plugins removed from libcharon-extra-plugins
235+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
236+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
237+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
238+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
239+ properly.
240+ * Dropped:
241+ - SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
242+ + debian/patches/CVE-2022-40617.patch: do online revocation checks only
243+ after basic trust chain validation in
244+ src/libstrongswan/credentials/credential_manager.c.
245+ + CVE-2022-40617
246+ [Included upstream in 5.9.8]
247+ * Added:
248+ - d/t/{control,host-to-host,utils}: new host-to-host test
249+ (LP: #1999525)
250+
251+ -- Andreas Hasenack <andreas@canonical.com> Tue, 13 Dec 2022 11:04:24 -0300
252+
253 strongswan (5.9.8-3) unstable; urgency=medium
254
255 * d/tests: also drop _copyright test since the util is gone as well
256@@ -153,6 +372,46 @@ strongswan (5.9.8-1) unstable; urgency=medium
257
258 -- Yves-Alexis Perez <corsac@debian.org> Wed, 05 Oct 2022 15:25:18 +0200
259
260+strongswan (5.9.6-1ubuntu2) kinetic; urgency=medium
261+
262+ * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
263+ - debian/patches/CVE-2022-40617.patch: do online revocation checks only
264+ after basic trust chain validation in
265+ src/libstrongswan/credentials/credential_manager.c.
266+ - CVE-2022-40617
267+
268+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 05 Oct 2022 08:11:03 -0400
269+
270+strongswan (5.9.6-1ubuntu1) kinetic; urgency=medium
271+
272+ * Merge with Debian unstable (LP: #1971328). Remaining changes:
273+ - d/control: strongswan-starter hard-depends on strongswan-charon,
274+ therefore bump the dependency from Recommends to Depends. At the same
275+ time avoid a circular dependency by dropping
276+ strongswan-charon->strongswan-starter from Depends to Recommends as the
277+ binaries can work without the services but not vice versa.
278+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
279+ + d/control: mention plugins in package description
280+ + d/rules: enable ntru at build time
281+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
282+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
283+ + d/control: update libcharon-extra-plugins description.
284+ + d/libcharon-extra-plugins.install: install .so and conf files.
285+ + d/rules: add plugins to the configuration arguments.
286+ - Remove conf files of plugins removed from libcharon-extra-plugins
287+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
288+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
289+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
290+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
291+ properly.
292+ * Dropped:
293+ - d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
294+ segmentation fault; don't access OpenSSL objects inside atexit()
295+ handlers. (LP #1964977)
296+ [included by upstream in version 5.9.6]
297+
298+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 10 Jun 2022 15:03:17 -0300
299+
300 strongswan (5.9.6-1) unstable; urgency=medium
301
302 * New upstream version 5.9.6
303@@ -161,6 +420,42 @@ strongswan (5.9.6-1) unstable; urgency=medium
304
305 -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200
306
307+strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
308+
309+ * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
310+ segmentation fault; don't access OpenSSL objects inside atexit()
311+ handlers. (LP: #1964977)
312+
313+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 18 Mar 2022 14:24:34 -0400
314+
315+strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
316+
317+ * Merge with Debian unstable. Remaining changes:
318+ - d/control: strongswan-starter hard-depends on strongswan-charon,
319+ therefore bump the dependency from Recommends to Depends. At the same
320+ time avoid a circular dependency by dropping
321+ strongswan-charon->strongswan-starter from Depends to Recommends as the
322+ binaries can work without the services but not vice versa.
323+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
324+ + d/control: mention plugins in package description
325+ + d/rules: enable ntru at build time
326+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
327+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
328+ + d/control: update libcharon-extra-plugins description.
329+ + d/libcharon-extra-plugins.install: install .so and conf files.
330+ + d/rules: add plugins to the configuration arguments.
331+ - Remove conf files of plugins removed from libcharon-extra-plugins
332+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
333+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
334+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
335+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
336+ properly.
337+ * Dropped patches included in new version:
338+ - debian/patches/CVE-2021-45079.patch
339+ - debian/patches/load-legacy-provider-in-openssl3.patch
340+
341+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Feb 2022 10:49:49 -0500
342+
343 strongswan (5.9.5-2) unstable; urgency=medium
344
345 * actually fix lintian overrides
346@@ -176,6 +471,60 @@ strongswan (5.9.5-1) unstable; urgency=medium
347
348 -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100
349
350+strongswan (5.9.4-1ubuntu4) jammy; urgency=medium
351+
352+ * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
353+ - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
354+ generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
355+ src/libcharon/plugins/eap_md5/eap_md5.c,
356+ src/libcharon/plugins/eap_radius/eap_radius.c,
357+ src/libcharon/sa/eap/eap_method.h,
358+ src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
359+ - CVE-2021-45079
360+
361+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 01 Feb 2022 07:23:37 -0500
362+
363+strongswan (5.9.4-1ubuntu3) jammy; urgency=medium
364+
365+ * No-change rebuild against libssl3
366+
367+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:38 +0000
368+
369+strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
370+
371+ * Add d/p/load-legacy-provider-in-openssl3.patch.
372+ Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
373+
374+ -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100
375+
376+strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
377+
378+ * Merge with Debian unstable. Remaining changes:
379+ - d/control: strongswan-starter hard-depends on strongswan-charon,
380+ therefore bump the dependency from Recommends to Depends. At the same
381+ time avoid a circular dependency by dropping
382+ strongswan-charon->strongswan-starter from Depends to Recommends as the
383+ binaries can work without the services but not vice versa.
384+ - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
385+ + d/control: mention plugins in package description
386+ + d/rules: enable ntru at build time
387+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
388+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
389+ + d/control: update libcharon-extra-plugins description.
390+ + d/libcharon-extra-plugins.install: install .so and conf files.
391+ + d/rules: add plugins to the configuration arguments.
392+ - Remove conf files of plugins removed from libcharon-extra-plugins
393+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
394+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
395+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
396+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
397+ properly.
398+ * Dropped changes:
399+ - Compile the tpm plugin against the tpm2 software stack (tss2).
400+ Merged in Debian (5.9.4-1).
401+
402+ -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100
403+
404 strongswan (5.9.4-1) unstable; urgency=medium
405
406 [ Paride Legovini ]
407@@ -192,6 +541,62 @@ strongswan (5.9.4-1) unstable; urgency=medium
408
409 -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200
410
411+strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
412+
413+ * SECURITY UPDATE: Integer Overflow in gmp Plugin
414+ - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
415+ negative salt length in
416+ src/libstrongswan/credentials/keys/signature_params.c,
417+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
418+ - CVE-2021-41990
419+ * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
420+ - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
421+ overflow/sign change in
422+ src/libstrongswan/credentials/sets/cert_cache.c.
423+ - CVE-2021-41991
424+
425+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400
426+
427+strongswan (5.9.1-1ubuntu3) impish; urgency=medium
428+
429+ * Compile the tpm plugin against the tpm2 software stack (tss2)
430+ (Debian packaging cherry-pick, LP: #1940079)
431+ - d/rules: add the --enable-tss-tss2 configure flag
432+ - d/control: add Build-Depends: libtss2-dev
433+
434+ -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200
435+
436+strongswan (5.9.1-1ubuntu2) impish; urgency=medium
437+
438+ * No-change rebuild due to OpenLDAP soname bump.
439+
440+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400
441+
442+strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium
443+
444+ * Merge with Debian unstable. Remaining changes:
445+ - d/control: strongswan-starter hard-depends on strongswan-charon,
446+ therefore bump the dependency from Recommends to Depends. At the same
447+ time avoid a circular dependency by dropping
448+ strongswan-charon->strongswan-starter from Depends to Recommends as the
449+ binaries can work without the services but not vice versa.
450+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
451+ + d/control: mention plugins in package description
452+ + d/rules: enable ntru at build time
453+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
454+ - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
455+ + d/control: update libcharon-extra-plugins description.
456+ + d/libcharon-extra-plugins.install: install .so and conf files.
457+ + d/rules: add plugins to the configuration arguments.
458+ - Remove conf files of plugins removed from libcharon-extra-plugins
459+ + The conf file of the following plugins were removed: eap-aka-3gpp2,
460+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
461+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
462+ + Created d/libcharon-extra-plugins.maintscript to handle the removals
463+ properly.
464+
465+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100
466+
467 strongswan (5.9.1-1) unstable; urgency=medium
468
469 * New upstream version 5.9.1
470@@ -206,6 +611,45 @@ strongswan (5.9.0-1) unstable; urgency=medium
471
472 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200
473
474+strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
475+
476+ * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
477+ - d/control: update libcharon-extra-plugins description.
478+ - d/libcharon-extra-plugins.install: install .so and conf files.
479+ - d/rules: add plugins to the configuration arguments.
480+ * Remove conf files of plugins removed from libcharon-extra-plugins
481+ - The conf file of the following plugins were removed: eap-aka-3gpp2,
482+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
483+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
484+ - Created d/libcharon-extra-plugins.maintscript to handle the removals
485+ properly.
486+
487+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300
488+
489+strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
490+
491+ * Merge with Debian unstable. Remaining changes:
492+ - d/control: strongswan-starter hard-depends on strongswan-charon,
493+ therefore bump the dependency from Recommends to Depends. At the same
494+ time avoid a circular dependency by dropping
495+ strongswan-charon->strongswan-starter from Depends to Recommends as the
496+ binaries can work without the services but not vice versa.
497+ - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
498+ + d/control: mention plugins in package description
499+ + d/rules: enable ntru at build time
500+ + d/libstrongswan-extra-plugins.install: ship config and shared objects
501+ * Dropped:
502+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
503+ This is needed due to changes in regard to Debian bug 947176 and 939243
504+ and can later be dropped again.
505+ [applied by Debian in version 5.8.2-2]
506+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
507+ to common libcharon-extauth-plugins (drop after 20.04)
508+ - d/control: Transition from strongswan-tnc-* being in extra packages
509+ to libcharon-extra-plugins (drop after 20.04)
510+
511+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300
512+
513 strongswan (5.8.4-1) unstable; urgency=medium
514
515 * New upstream version 5.8.4 (Closes: #956446)
516@@ -221,6 +665,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
517
518 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100
519
520+strongswan (5.8.2-1ubuntu3) focal; urgency=medium
521+
522+ * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
523+ there is a potential local side-channel attack on strongSwan's BLISS
524+ implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
525+
526+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100
527+
528+strongswan (5.8.2-1ubuntu2) focal; urgency=medium
529+
530+ * re-add post-quantum computer signature scheme (BLISS) and encryption
531+ algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
532+ - d/control: mention plugins in package description
533+ - d/rules: enable ntru and bliss at build time
534+ - d/libstrongswan-extra-plugins.install: ship config and shared objects
535+
536+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100
537+
538+strongswan (5.8.2-1ubuntu1) focal; urgency=medium
539+
540+ * Merge with Debian unstable (LP: #1861971). Remaining changes:
541+ - d/control: Transition from strongswan-tnc-* being in extra packages
542+ to libcharon-extra-plugins (drop after 20.04)
543+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
544+ to common libcharon-extauth-plugins (drop after 20.04)
545+ - d/control: strongswan-starter hard-depends on strongswan-charon,
546+ therefore bump the dependency from Recommends to Depends. At the same
547+ time avoid a circular dependency by dropping
548+ strongswan-charon->strongswan-starter from Depends to Recommends as the
549+ binaries can work without the services but not vice versa.
550+ * Added Changes
551+ - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
552+ This is needed due to changes in regard to Debian bug 947176 and 939243
553+ and can later be dropped again.
554+
555+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
556+
557 strongswan (5.8.2-1) unstable; urgency=medium
558
559 [ Jean-Michel Vourgère ]
560@@ -237,6 +718,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
561
562 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
563
564+strongswan (5.8.1-1ubuntu1) focal; urgency=medium
565+
566+ * Merge with Debian unstable (LP: #1852579). Remaining changes:
567+ - d/control: Transition from strongswan-tnc-* being in extra packages
568+ to libcharon-extra-plugins
569+ * Added Changes:
570+ - d/control: Transition from former Ubuntu only libcharon-standard-plugins
571+ to common libcharon-extauth-plugins (drop after 20.04)
572+ - d/control: strongswan-starter hard-depends on strongswan-charon,
573+ therefore bump the dependency from Recommends to Depends. At the same
574+ time avoid a circular dependency by dropping
575+ strongswan-charon->strongswan-starter from Depends to Recommends as the
576+ binaries can work without the services but not vice versa.
577+ * Dropped Changes (now in Debian):
578+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
579+ - Clean up d/strongswan-starter.postinst: Removed entire section on
580+ opportunistic encryption disabling - this was never in strongSwan and
581+ won't be see upstream issue #2160.
582+ - d/rules: Removed patching ipsec.conf on build (not using the
583+ debconf-managed config.)
584+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
585+ used for debconf-managed include of private key).
586+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
587+ via this userspace implementation (please do note that this is still
588+ considered experimental by upstream).
589+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
590+ + d/control: List kernel-libipsec plugin at extra plugins description
591+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
592+ upstream recommends to not load kernel-libipsec by default.
593+ - d/control: Mention mgf1 plugin which is in libstrongswan now
594+ - Complete the disabling of libfast; This was partially accepted in Debian,
595+ it is no more packaging medcli and medsrv, but still builds and
596+ mentions it.
597+ + d/rules: Add --disable-fast to avoid build time and dependencies
598+ + d/control: Remove medcli, medsrv from package description
599+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
600+ libstrongswan-extra-plugins (no deps from default plugins).
601+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
602+ plugins for the most common use cases from extra-plugins into a new
603+ standard-plugins package. This will allow those use cases without pulling
604+ in too much more plugins (a bit like the tnc package). Recommend that
605+ package from strongswan-libcharon.
606+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
607+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
608+ - executables need to be able to read map and execute themselves otherwise
609+ execution in some environments e.g. containers is blocked (LP 1780534)
610+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
611+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
612+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
613+ profiles of both ways to start charon (LP 1807664)
614+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
615+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
616+ Debian so this part was be dropped. Two changes remain
617+ - d/control: fix the mentioning of tpmtss in d/control
618+ - apparmor fixes for container and root usage (LP 1826238)
619+ + d/usr.sbin.swanctl: allow reading own binary
620+ + d/usr.sbin.charon-systemd: allow accessing the binary
621+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
622+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
623+ to apparmor to allow dropping caps
624+ * Dropped Changes (too uncommon to support by default)
625+ - d/libstrongswan.install: Add kernel-netlink configuration files
626+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
627+ attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
628+ - Mass enablement of extra plugins and features to allow a user to use
629+ strongswan for a variety of extra use cases without having to rebuild.
630+ + d/control: Add required additional build-deps
631+ + d/control: Mention addtionally enabled plugins
632+ + d/rules: Enable features at configure stage
633+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
634+ + d/libstrongswan.install: Add plugins (so, conf)
635+ + d/strongswan-starter.install: Install pool feature, which is useful
636+ since we now have attr-sql plugin enabled it.
637+ - Enable additional TNC plugins and add them to libcharon-extra-plugins
638+
639+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
640+
641 strongswan (5.8.1-1) unstable; urgency=medium
642
643 * d/rules: disable http and stream tests under CI
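Review bot: L653 files the apparmor hardening of L694-L699 (swanctl allowed to read its own binary, attach_disconnected for container use, CAP_SETPCAP so charon can drop capabilities) under "Dropped Changes (now in Debian)"; before treating that delta as gone for good, confirm that the Debian apparmor profiles this merge is based on actually carry those rules, since per L694 and L697 they are what lets charon and swanctl run under confinement inside containers (LP 1826238). The entry text itself, including the published typos at L692 ("was be dropped"), L703 ("itisn't") and L709 ("libbstrongswan") and the bare "LP 1786250" form at L682, is restored history for an already-released version and must stay verbatim.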
644@@ -306,6 +864,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
645
646 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
647
648+strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
649+
650+ * No change rebuild for libmysqlclient21.
651+
652+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
653+
654+strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
655+
656+ * Rebuild against new libjson-c4.
657+
658+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
659+
660+strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
661+
662+ [ Christian Ehrhardt ]
663+ * Merge with Debian unstable. Remaining changes:
664+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
665+ - Clean up d/strongswan-starter.postinst: Removed entire section on
666+ opportunistic encryption disabling - this was never in strongSwan and
667+ won't be see upstream issue #2160.
668+ - d/rules: Removed patching ipsec.conf on build (not using the
669+ debconf-managed config.)
670+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
671+ used for debconf-managed include of private key).
672+ - Mass enablement of extra plugins and features to allow a user to use
673+ strongswan for a variety of extra use cases without having to rebuild.
674+ + d/control: Add required additional build-deps
675+ + d/control: Mention addtionally enabled plugins
676+ + d/rules: Enable features at configure stage
677+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
678+ + d/libstrongswan.install: Add plugins (so, conf)
679+ + d/strongswan-starter.install: Install pool feature, which is useful
680+ since we now have attr-sql plugin enabled it.
681+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
682+ via this userspace implementation (please do note that this is still
683+ considered experimental by upstream).
684+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
685+ + d/control: List kernel-libipsec plugin at extra plugins description
686+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
687+ upstream recommends to not load kernel-libipsec by default.
688+ - d/libstrongswan.install: Add kernel-netlink configuration files
689+ - Complete the disabling of libfast; This was partially accepted in Debian,
690+ it is no more packaging medcli and medsrv, but still builds and
691+ mentions it.
692+ + d/rules: Add --disable-fast to avoid build time and dependencies
693+ + d/control: Remove medcli, medsrv from package description
694+ - d/control: Mention mgf1 plugin which is in libstrongswan now
695+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
696+ libstrongswan-extra-plugins (no deps from default plugins).
697+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
698+ plugins for the most common use cases from extra-plugins into a new
699+ standard-plugins package. This will allow those use cases without pulling
700+ in too much more plugins (a bit like the tnc package). Recommend that
701+ package from strongswan-libcharon.
702+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
703+ attr-sql plugins (LP #1766240)
704+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
705+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
706+ - executables need to be able to read map and execute themselves otherwise
707+ execution in some environments e.g. containers is blocked (LP: 1780534)
708+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
709+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
710+ - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
711+ profiles of both ways to start charon (LP: 1807664)
712+ - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
713+ * Dropped changes
714+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
715+ fix SIGSEGV when using mysql plugin (LP: 1795813)
716+ [upstream in 5.7.2]
717+ - d/libstrongswan.install: Reorder conf and .so alphabetically
718+ [was a non functional change, dropped to avoid merge noise]
719+ - Relocate tnc plugin
720+ [TNC is back at libcharon-extra-plugins as it is in Debian]
721+ * Added changes:
722+ - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
723+ Debian so this part was be dropped. Two changes remain
724+ - d/control: fix the mentioning of tpmtss in d/control
725+ - add nttfft (can be merged with the mass enablement change later)
726+ - Transitional packages to go back from strongswan-tnc-* being in extra
727+ packages to be part of libcharon-extra-plugins.
728+ [can be dropped after 20.04]
729+
730+ [ Simon Deziel ]
731+ * Added changes:
732+ - apparmor fixes for container and root usage (LP: #1826238)
733+ + d/usr.sbin.swanctl: allow reading own binary
734+ + d/usr.sbin.charon-systemd: allow accessing the binary
735+ + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
736+ + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
737+ to apparmor to allow dropping caps
738+
739+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
740+
741 strongswan (5.7.2-1) unstable; urgency=medium
742
743 * d/control: remove Rene from Uploaders, thanks!
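Review bot: L802-L804 record transitional packages for moving strongswan-tnc-* back into libcharon-extra-plugins with the remark "[can be dropped after 20.04]"; since this history is being restored into a questing merge, check that d/control in this branch no longer ships those transitional packages (L795-L796 already states TNC is back in libcharon-extra-plugins as in Debian), or, if they are still present, that their removal is tracked in the new changelog entry. Nothing in these restored 5.7.2-1ubuntu1/2/3 lines themselves should be altered.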
744@@ -324,6 +975,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
745
746 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
747
748+strongswan (5.7.1-1ubuntu2) disco; urgency=medium
749+
750+ * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
751+ path (LP: #1773956)
752+ * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
753+ profiles of both ways to start charon (LP: #1807664)
754+ * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
755+
756+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
757+
758+strongswan (5.7.1-1ubuntu1) disco; urgency=medium
759+
760+ * Merge with Debian unstable (LP: #1806401). Remaining changes:
761+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
762+ - Clean up d/strongswan-starter.postinst: Removed entire section on
763+ opportunistic encryption disabling - this was never in strongSwan and
764+ won't be see upstream issue #2160.
765+ - d/rules: Removed patching ipsec.conf on build (not using the
766+ debconf-managed config.)
767+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
768+ used for debconf-managed include of private key).
769+ - Mass enablement of extra plugins and features to allow a user to use
770+ strongswan for a variety of extra use cases without having to rebuild.
771+ + d/control: Add required additional build-deps
772+ + d/control: Mention addtionally enabled plugins
773+ + d/rules: Enable features at configure stage
774+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
775+ + d/libstrongswan.install: Add plugins (so, conf)
776+ - d/strongswan-starter.install: Install pool feature, which is useful since
777+ we have attr-sql plugin enabled as well using it.
778+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
779+ via this userspace implementation (please do note that this is still
780+ considered experimental by upstream).
781+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
782+ + d/control: List kernel-libipsec plugin at extra plugins description
783+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
784+ upstream recommends to not load kernel-libipsec by default.
785+ - Relocate tnc plugin
786+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
787+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
788+ - d/libstrongswan.install: Reorder conf and .so alphabetically
789+ - d/libstrongswan.install: Add kernel-netlink configuration files
790+ - Complete the disabling of libfast; This was partially accepted in Debian,
791+ it is no more packaging medcli and medsrv, but still builds and
792+ mentions it.
793+ + d/rules: Add --disable-fast to avoid build time and dependencies
794+ + d/control: Remove medcli, medsrv from package description
795+ - d/control: Mention mgf1 plugin which is in libstrongswan now
796+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
797+ libstrongswan-extra-plugins (no deps from default plugins).
798+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
799+ plugins for the most common use cases from extra-plugins into a new
800+ standard-plugins package. This will allow those use cases without pulling
801+ in too much more plugins (a bit like the tnc package). Recommend that
802+ package from strongswan-libcharon.
803+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
804+ attr-sql plugins (LP #1766240)
805+ - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
806+ * Added Changes:
807+ - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
808+ fix SIGSEGV when using mysql plugin (LP: #1795813)
809+ - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
810+ - executables need to be able to read map and execute themselves otherwise
811+ execution in some environments e.g. containers is blocked (LP: #1780534)
812+ + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
813+ + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
814+ - adapt "mass enablement of extra plugins" to match 5.7.x changes
815+ + d/rules: use new options for swima instead of swid
816+ + d/strongswan-tnc-server.install: add new sec updater tool
817+ + d/strongswan-tnc-client.install: add new sw-collector tool
818+ * Dropped (in Debian now):
819+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
820+ (CVE-2018-17540)
821+ - SECURITY UPDATE: Insufficient input validation in gmp plugin
822+ (CVE-2018-16151 CVE-2018-16152)
823+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
824+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
825+
826+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
827+
828 strongswan (5.7.1-1) unstable; urgency=medium
829
830 [ Ondřej Nový ]
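Review bot: L899-L900 spell the profile as "d/usr/sbin/charon-systemd" where L828 and L885 use "d/usr.sbin.charon-systemd", and L880-L881 reference bugs as "LP #1766240" / "LP #1786250" while L884 onwards use the "LP: #" form that Launchpad recognises. These are the published 5.7.1-1ubuntu1 and 5.7.1-1ubuntu2 entries, so the inconsistencies must be kept byte-for-byte rather than tidied; the only review check is that this block matches the archive's changelog, because a retyped or reflowed historical entry would make the restored history diverge from what was actually uploaded.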
831@@ -354,6 +1085,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
832
833 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
834
835+strongswan (5.6.3-1ubuntu5) disco; urgency=medium
836+
837+ * No-change rebuild against libunbound8
838+
839+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
840+
841+strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
842+
843+ * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
844+ Thanks to Matt Callaghan.
845+
846+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
847+
848+strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
849+
850+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
851+ - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
852+ buffer overflow with very small RSA keys in
853+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
854+ - CVE-2018-17540
855+
856+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
857+
858+strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
859+
860+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
861+ - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
862+ parse PKCS1 v1.5 RSA signatures to verify them in
863+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
864+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
865+ - CVE-2018-16151
866+ - CVE-2018-16152
867+
868+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
869+
870+strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
871+
872+ * Merge with Debian unstable. Remaining changes:
873+ - Clean up d/strongswan-starter.postinst: section about runlevel changes
874+ - Clean up d/strongswan-starter.postinst: Removed entire section on
875+ opportunistic encryption disabling - this was never in strongSwan and
876+ won't be see upstream issue #2160.
877+ - d/rules: Removed patching ipsec.conf on build (not using the
878+ debconf-managed config.)
879+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
880+ used for debconf-managed include of private key).
881+ - Mass enablement of extra plugins and features to allow a user to use
882+ strongswan for a variety of extra use cases without having to rebuild.
883+ + d/control: Add required additional build-deps
884+ + d/control: Mention addtionally enabled plugins
885+ + d/rules: Enable features at configure stage
886+ + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
887+ + d/libstrongswan.install: Add plugins (so, conf)
888+ - d/strongswan-starter.install: Install pool feature, which is useful since
889+ we have attr-sql plugin enabled as well using it.
890+ - Add plugin kernel-libipsec to allow the use of strongswan in containers
891+ via this userspace implementation (please do note that this is still
892+ considered experimental by upstream).
893+ + d/libcharon-extra-plugins.install: Add kernel-libipsec components
894+ + d/control: List kernel-libipsec plugin at extra plugins description
895+ + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
896+ upstream recommends to not load kernel-libipsec by default.
897+ - Relocate tnc plugin
898+ + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
899+ + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
900+ - d/libstrongswan.install: Reorder conf and .so alphabetically
901+ - d/libstrongswan.install: Add kernel-netlink configuration files
902+ - Complete the disabling of libfast; This was partially accepted in Debian,
903+ it is no more packaging medcli and medsrv, but still builds and
904+ mentions it.
905+ + d/rules: Add --disable-fast to avoid build time and dependencies
906+ + d/control: Remove medcli, medsrv from package description
907+ - d/control: Mention mgf1 plugin which is in libstrongswan now
908+ - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
909+ libstrongswan-extra-plugins (no deps from default plugins).
910+ - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
911+ plugins for the most common use cases from extra-plugins into a new
912+ standard-plugins package. This will allow those use cases without pulling
913+ in too much more plugins (a bit like the tnc package). Recommend that
914+ package from strongswan-libcharon.
915+ - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
916+ attr-sql plugins (LP #1766240)
917+ - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
918+ usr-merge, thanks to Christian Ehrhardt. LP #1784023
919+ * Dropped:
920+ - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
921+ [Fixed in 5.6.3-1]
922+
923+ -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
924+
925 strongswan (5.6.3-1) unstable; urgency=medium
926
927 * New upstream version 5.6.2
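Review bot: L926-L930 and L936-L942 restore the two gmp-plugin security uploads with their CVE ids (CVE-2018-17540, CVE-2018-16151, CVE-2018-16152) as separate "- CVE-..." items; keep these lines and their layout exactly as published, since CVE references in d/changelog are what CVE tracking tooling and auditors grep to confirm a fix shipped in Ubuntu, and L894-L898 of the previous hunk depends on these entries being on record when it drops them as "in Debian now".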
928@@ -369,6 +1190,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
929
930 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
931
932+strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
933+
934+ * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
935+
936+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
937+
938+strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
939+
940+ * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
941+ Remaining changes:
942+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
943+ + Clean up d/strongswan-starter.postinst: Removed entire section on
944+ opportunistic encryption disabling - this was never in strongSwan and
945+ won't be see upstream issue #2160.
946+ + d/rules: Removed patching ipsec.conf on build (not using the
947+ debconf-managed config.)
948+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
949+ used for debconf-managed include of private key).
950+ + Mass enablement of extra plugins and features to allow a user to use
951+ strongswan for a variety of extra use cases without having to rebuild.
952+ - d/control: Add required additional build-deps
953+ - d/control: Mention addtionally enabled plugins
954+ - d/rules: Enable features at configure stage
955+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
956+ - d/libstrongswan.install: Add plugins (so, conf)
957+ + d/strongswan-starter.install: Install pool feature, which is useful since
958+ we have attr-sql plugin enabled as well using it.
959+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
960+ via this userspace implementation (please do note that this is still
961+ considered experimental by upstream).
962+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
963+ - d/control: List kernel-libipsec plugin at extra plugins description
964+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
965+ upstream recommends to not load kernel-libipsec by default.
966+ + Relocate tnc plugin
967+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
968+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
969+ + d/libstrongswan.install: Reorder conf and .so alphabetically
970+ + d/libstrongswan.install: Add kernel-netlink configuration files
971+ + Complete the disabling of libfast; This was partially accepted in Debian,
972+ it is no more packaging medcli and medsrv, but still builds and
973+ mentions it.
974+ - d/rules: Add --disable-fast to avoid build time and dependencies
975+ - d/control: Remove medcli, medsrv from package description
976+ + d/control: Mention mgf1 plugin which is in libstrongswan now
977+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
978+ libstrongswan-extra-plugins (no deps from default plugins).
979+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
980+ plugins for the most common use cases from extra-plugins into a new
981+ standard-plugins package. This will allow those use cases without pulling
982+ in too much more plugins (a bit like the tnc package). Recommend that
983+ package from strongswan-libcharon.
984+ * Dropped Changes (no more needed after 18.04)
985+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
986+ missed that, droppable after 18.04)
987+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
988+ libstrongswan as we dropped relocating ccm and test-vectors.
989+ (droppable >18.04).
990+ + d/control: add breaks/replace from libstrongswan to
991+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
992+ (droppable >18.04).
993+ + d/control: bump breaks/replaces for the move of the updown plugin
994+ (Missed Changelog entry on last merge)
995+ + d/control: fix dependencies of strongswan-libcharon due to the move
996+ the updown plugin (droppable >18.04).
997+ * Added Changes:
998+ + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
999+ attr-sql plugins (LP: #1766240)
1000+ + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
1001+
1002+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
1003+
1004 strongswan (5.6.2-2) unstable; urgency=medium
1005
1006 * charon-nm: Fix building list of DNS/MDNS servers with libnm
1007@@ -379,6 +1272,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
1008
1009 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
1010
1011+strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
1012+
1013+ * d/control: fix dependencies of strongswan-libcharon due to the move
1014+ the updown plugin.
1015+
1016+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
1017+
1018+strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
1019+
1020+ * Merge with Debian unstable (LP: #1753018). Remaining changes:
1021+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
1022+ + Clean up d/strongswan-starter.postinst: Removed entire section on
1023+ opportunistic encryption disabling - this was never in strongSwan and
1024+ won't be see upstream issue #2160.
1025+ + Ubuntu is not using the debconf triggered private key generation
1026+ - d/rules: Removed patching ipsec.conf on build (not using the
1027+ debconf-managed config.)
1028+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1029+ used for debconf-managed include of private key).
1030+ + Mass enablement of extra plugins and features to allow a user to use
1031+ strongswan for a variety of extra use cases without having to rebuild.
1032+ - d/control: Add required additional build-deps
1033+ - d/control: Mention addtionally enabled plugins
1034+ - d/rules: Enable features at configure stage
1035+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1036+ - d/libstrongswan.install: Add plugins (so, conf)
1037+ + d/strongswan-starter.install: Install pool feature, which is useful since
1038+ we have attr-sql plugin enabled as well using it.
1039+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1040+ via this userspace implementation (please do note that this is still
1041+ considered experimental by upstream).
1042+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1043+ - d/control: List kernel-libipsec plugin at extra plugins description
1044+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1045+ upstream recommends to not load kernel-libipsec by default.
1046+ + Relocate tnc plugin
1047+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1048+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1049+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1050+ + d/libstrongswan.install: Add kernel-netlink configuration files
1051+ + Complete the disabling of libfast; This was partially accepted in Debian,
1052+ it is no more packaging medcli and medsrv, but still builds and
1053+ mentions it.
1054+ - d/rules: Add --disable-fast to avoid build time and dependencies
1055+ - d/control: Remove medcli, medsrv from package description
1056+ + d/control: Mention mgf1 plugin which is in libstrongswan now
1057+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1058+ libstrongswan-extra-plugins (no deps from default plugins).
1059+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1060+ missed that, droppable after 18.04)
1061+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1062+ plugins for the most common use cases from extra-plugins into a new
1063+ standard-plugins package. This will allow those use cases without pulling
1064+ in too much more plugins (a bit like the tnc package). Recommend that
1065+ package from strongswan-libcharon.
1066+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1067+ libstrongswan as we dropped relocating ccm and test-vectors.
1068+ (droppable >18.04).
1069+ + d/control: add breaks/replace from libstrongswan to
1070+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1071+ (droppable >18.04).
1072+ * Added Changes:
1073+ + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
1074+ starter as we followed Debian to move the updown plugin but need to
1075+ match Ubuntu versions (Droppable >18.04).
1076+
1077+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
1078+
1079 strongswan (5.6.2-1) unstable; urgency=medium
1080
1081 * d/NEWS: add information about disabled algorithms (closes: #883072)
1082@@ -401,6 +1362,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
1083
1084 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
1085
1086+strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
1087+
1088+ * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
1089+ - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
1090+ identifier without parameters in
1091+ src/libstrongswan/credentials/keys/signature_params.c.
1092+ - CVE-2018-6459
1093+
1094+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
1095+
1096+strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
1097+
1098+ * No-change rebuild against libcurl4
1099+
1100+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
1101+
1102+strongswan (5.6.1-2ubuntu2) bionic; urgency=high
1103+
1104+ * No change rebuild against openssl1.1.
1105+
1106+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
1107+
1108+strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
1109+
1110+ * Merge with Debian unstable (LP: #1717343).
1111+ Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
1112+ + Clean up d/strongswan-starter.postinst: section about runlevel changes
1113+ + Clean up d/strongswan-starter.postinst: Removed entire section on
1114+ opportunistic encryption disabling - this was never in strongSwan and
1115+ won't be see upstream issue #2160.
1116+ + Ubuntu is not using the debconf triggered private key generation
1117+ - d/rules: Removed patching ipsec.conf on build (not using the
1118+ debconf-managed config.)
1119+ - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1120+ used for debconf-managed include of private key).
1121+ + Mass enablement of extra plugins and features to allow a user to use
1122+ strongswan for a variety of extra use cases without having to rebuild.
1123+ - d/control: Add required additional build-deps
1124+ - d/control: Mention addtionally enabled plugins
1125+ - d/rules: Enable features at configure stage
1126+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1127+ - d/libstrongswan.install: Add plugins (so, conf)
1128+ + d/strongswan-starter.install: Install pool feature, which is useful since
1129+ we have attr-sql plugin enabled as well using it.
1130+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1131+ via this userspace implementation (please do note that this is still
1132+ considered experimental by upstream).
1133+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1134+ - d/control: List kernel-libipsec plugin at extra plugins description
1135+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1136+ upstream recommends to not load kernel-libipsec by default.
1137+ + Relocate tnc plugin
1138+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1139+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1140+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1141+ + d/libstrongswan.install: Add kernel-netlink configuration files
1142+ + Complete the disabling of libfast; This was partially accepted in Debian,
1143+ it is no more packaging medcli and medsrv, but still builds and
1144+ mentions it.
1145+ - d/rules: Add --disable-fast to avoid build time and dependencies
1146+ - d/control: Remove medcli, medsrv from package description
1147+ + d/control: Mention mgf1 plugin which is in libstrongswan now
1148+ + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1149+ libstrongswan-extra-plugins (no deps from default plugins).
1150+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1151+ missed that, droppable after 18.04)
1152+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1153+ plugins for the most common use cases from extra-plugins into a new
1154+ standard-plugins package. This will allow those use cases without pulling
1155+ in too much more plugins (a bit like the tnc package). Recommend that
1156+ package from strongswan-libcharon.
1157+ * Added changes:
1158+ + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
1159+ in 5.6
1160+ + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
1161+ + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1162+ libstrongswan as we dropped relocating ccm and test-vectors.
1163+ (droppable >18.04).
1164+ - d/control: add breaks/replace from libstrongswan to
1165+ libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1166+ (droppable >18.04).
1167+ * Dropped changes:
1168+ + Update init/service handling (debian default matches Ubuntu past now)
1169+ Dropping this fixes (LP: #1734886)
1170+ - d/rules: Change init/systemd program name to strongswan
1171+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1172+ patching upstream
1173+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1174+ linking to upstream
1175+ + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
1176+ (this is a never failing no-op for us, no need for Delta).
1177+ + d/strongswan-starter.prerm: Stop strongswan service on package removal
1178+ (ipsec now maps to strongswan service, so this works as-is).
1179+ + Clean up d/strongswan-starter.postinst: rename service ipsec to
1180+ strongswan (ipsec now maps to strongswan service, so this works as-is)
1181+ + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
1182+ whole section is disabled, so no need for delta)
1183+ + (is upstream) CVE-2017-11185 patches
1184+ + (is upstream) FTBFS upstream fix for changed include files
1185+ + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
1186+ QEMU/KVM autopkgtest the bliss test takes longer than the default
1187+ + (in Debian) add now built (since 5.5.1) mgf1 plugin to
1188+ libstrongswan-extra-plugins.
1189+ + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
1190+ + (this was enabled as part of the former delta, squash changes to no-up)
1191+ d/rules: Disable duplicheck.
1192+ + (not needed) Relocate plugins test-vectors from extra-plugins to
1193+ libstrongswan
1194+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1195+ - d/libstrongswan.install: Add plugins/confiles
1196+ - d/control: move package descriptions and add required breaks/replaces
1197+ + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
1198+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1199+ - d/libstrongswan.install: Add plugins/confiles
1200+ - d/control: move package descriptions and add required breaks/replaces
1201+ + (while using it requires special kernel, it does not hurt to be
1202+ available in the package) Remove ha plugin
1203+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1204+ - d/rules: Do not enable ha plugin
1205+ - d/control: Drop listing the ha plugin in the package description
1206+
1207+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
1208+
1209 strongswan (5.6.1-2) unstable; urgency=medium
1210
1211 * move counters plugin from -starter to -libcharon. closes: #882431
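Review bot: The restored 5.6.1-2ubuntu1 entry flags two d/control items as "(droppable >18.04)": the Breaks/Replaces bump from libstrongswan-extra-plugins to libstrongswan (after ccm and test-vectors stopped being relocated) and the Breaks/Replaces from libstrongswan to libstrongswan-extra-plugins for the mgf1 move. Both were only needed for the upgrade path into 18.04, so confirm that neither pair is still carried in the current d/control delta of this merge; if one is, drop it and record the drop in the new top changelog entry so the historical "droppable" note is not the only trace of it.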
1212@@ -487,6 +1571,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
1213
1214 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
1215
1216+strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
1217+
1218+ * Fix Artful FTBFS due to newer glibc (LP: #1724859)
1219+ - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
1220+ files.
1221+
1222+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
1223+
1224+strongswan (5.5.1-4ubuntu2) artful; urgency=medium
1225+
1226+ * SECURITY UPDATE: Fix RSA signature verification
1227+ - debian/patches/CVE-2017-11185.patch: does some
1228+ verifications in order to avoid null-point dereference
1229+ in src/libstrongswan/gmp/gmp_rsa_public_key.c
1230+ - CVE-2017-11185
1231+
1232+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
1233+
1234+strongswan (5.5.1-4ubuntu1) artful; urgency=medium
1235+
1236+ * Merge from Debian to pick up latest security changes (CVE-2017-9022,
1237+ CVE-2017-9023).
1238+ * Remaining Changes:
1239+ + Update init/service handling
1240+ - d/rules: Change init/systemd program name to strongswan
1241+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1242+ patching upstream
1243+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1244+ linking to upstream
1245+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1246+ - d/strongswan-starter.prerm: Stop strongswan service on package
1247+ removal (as opposed to using the old init.d script).
1248+ + Clean up d/strongswan-starter.postinst:
1249+ - Removed section about runlevel changes
1250+ - Adapted service restart section for Upstart (kept to be Trusty
1251+ backportable).
1252+ - Remove old symlinks to init.d files is necessary.
1253+ - Removed further out-dated code
1254+ - Removed entire section on opportunistic encryption - this was never in
1255+ strongSwan.
1256+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1257+ + Mass enablement of extra plugins and features to allow a user to use
1258+ strongswan for a variety of use cases without having to rebuild.
1259+ - d/control: Add required additional build-deps
1260+ - d/rules: Enable features at configure stage
1261+ - d/control: Mention addtionally enabled plugins
1262+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1263+ - d/libstrongswan.install: Add plugins (so, conf)
1264+ + d/rules: Disable duplicheck as per
1265+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1266+ + Remove ha plugin (requires special kernel)
1267+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1268+ - d/rules: Do not enable ha plugin
1269+ - d/control: Drop listing the ha plugin in the package description
1270+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1271+ via this userspace implementation (please do note that this is still
1272+ considered experimental by upstream).
1273+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1274+ - d/control: List kernel-libipsec plugin at extra plugins description
1275+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1276+ upstream recommends to not load kernel-libipsec by default.
1277+ + Relocate tnc plugin
1278+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1279+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1280+ + d/strongswan-starter.install: Install pool feature, that useful due to
1281+ having attr-sql plugin that is enabled now.
1282+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1283+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1284+ - d/libstrongswan.install: Add plugins/confiles
1285+ - d/control: move package descriptions and add required breaks/replaces
1286+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1287+ + d/libstrongswan.install: Add kernel-netlink configuration files
1288+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1289+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1290+ autopkgtest the bliss test takes longer than the default (Upstream in
1291+ 5.5.2 via issue 2204)
1292+ + Complete the disabling of libfast; This was partially accepted in Debian,
1293+ it is no more packaging medcli and medsrv, but still builds and
1294+ mentions it.
1295+ - d/rules: Add --disable-fast to avoid build time and dependencies
1296+ - d/control: Remove medcli, medsrv from package description
1297+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1298+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1299+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1300+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1301+ libstrongswan-extra-plugins.
1302+ + Add missing mention of md4 plugin in d/control
1303+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1304+ missed that)
1305+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1306+ plugins for the most common use cases from extra-plugins into a new
1307+ standard-plugins package. This will allow those use cases without pulling
1308+ in too much more plugins (a bit like the tnc package). Recommend that
1309+ package from strongswan-libcharon.
1310+
1311+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
1312+
1313+strongswan (5.5.1-3ubuntu1) artful; urgency=medium
1314+
1315+ * Merge from Debian to pick up latest changes. Among others this includes:
1316+ - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
1317+ but likely have to wait until Debian stretch was released)
1318+ - enabling mediation support (LP: #1657413)
1319+ * Remaining Changes:
1320+ + Update init/service handling
1321+ - d/rules: Change init/systemd program name to strongswan
1322+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1323+ patching upstream
1324+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1325+ linking to upstream
1326+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1327+ - d/strongswan-starter.prerm: Stop strongswan service on package
1328+ removal (as opposed to using the old init.d script).
1329+ + Clean up d/strongswan-starter.postinst:
1330+ - Removed section about runlevel changes
1331+ - Adapted service restart section for Upstart (kept to be Trusty
1332+ backportable).
1333+ - Remove old symlinks to init.d files is necessary.
1334+ - Removed further out-dated code
1335+ - Removed entire section on opportunistic encryption - this was never in
1336+ strongSwan.
1337+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1338+ + Mass enablement of extra plugins and features to allow a user to use
1339+ strongswan for a variety of use cases without having to rebuild.
1340+ - d/control: Add required additional build-deps
1341+ - d/rules: Enable features at configure stage
1342+ - d/control: Mention addtionally enabled plugins
1343+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1344+ - d/libstrongswan.install: Add plugins (so, conf)
1345+ + d/rules: Disable duplicheck as per
1346+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1347+ + Remove ha plugin (requires special kernel)
1348+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1349+ - d/rules: Do not enable ha plugin
1350+ - d/control: Drop listing the ha plugin in the package description
1351+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1352+ via this userspace implementation (please do note that this is still
1353+ considered experimental by upstream).
1354+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1355+ - d/control: List kernel-libipsec plugin at extra plugins description
1356+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1357+ upstream recommends to not load kernel-libipsec by default.
1358+ + Relocate tnc plugin
1359+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1360+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1361+ + d/strongswan-starter.install: Install pool feature, that useful due to
1362+ having attr-sql plugin that is enabled now.
1363+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1364+ - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1365+ - d/libstrongswan.install: Add plugins/confiles
1366+ - d/control: move package descriptions and add required breaks/replaces
1367+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1368+ + d/libstrongswan.install: Add kernel-netlink configuration files
1369+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1370+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1371+ autopkgtest the bliss test takes longer than the default (Upstream in
1372+ 5.5.2 via issue 2204)
1373+ + Complete the disabling of libfast; This was partially accepted in Debian,
1374+ it is no more packaging medcli and medsrv, but still builds and
1375+ mentions it.
1376+ - d/rules: Add --disable-fast to avoid build time and dependencies
1377+ - d/control: Remove medcli, medsrv from package description
1378+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1379+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1380+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1381+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1382+ libstrongswan-extra-plugins.
1383+ + Add missing mention of md4 plugin in d/control
1384+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1385+ missed that)
1386+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1387+ plugins for the most common use cases from extra-plugins into a new
1388+ standard-plugins package. This will allow those use cases without pulling
1389+ in too much more plugins (a bit like the tnc package). Recommend that
1390+ package from strongswan-libcharon.
1391+ * Dropped Changes:
1392+ + Add and install apparmor profiles (in Debian)
1393+ - d/rules: Install AppArmor profiles
1394+ - d/control: Add dh-apparmor build-dep
1395+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1396+ for charon, lookip and stroke
1397+ - d/libcharon-extra-plugins.install: Install profile for lookip
1398+ - d/strongswan-charon.install: Install profile for charon
1399+ - d/strongswan-starter.install: Install profile for stroke
1400+ - Fix strongswan ipsec status issue with apparmor
1401+ - Fix Dep8 tests for the now extra strongswan-pki package for pki
1402+ - Fix Dep8 tests for the now extra strongswan-scepclient package
1403+ + d/rules: Sorted and only one enable option per configure line (in
1404+ Debian)
1405+ + Add updated logcheck rules (in Debian)
1406+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1407+ - debian/strongswan.logcheck: Add updated logcheck rules
1408+ + Add updated DEP8 tests (in Debian)
1409+ - d/tests/*: Add DEP8 tests
1410+ - d/control: Enable autotestpkg
1411+ + d/rules: do not strip for library integrity checking (After Discussion
1412+ with Debian this isn't acceptable there, but at the same time it turned
1413+ out the real use-case of this never uses this lib but instead third
1414+ party checks of checksums for e.g. FIPS cert; so drop the Delta)
1415+ - Use override_dh_strip to to avoid overwriting user build flags.
1416+ - Add missing mention of libchecksum integrity test in d/control
1417+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1418+ in tests to avoid issues in low entropy environments. (Debian has
1419+ disabled !x86 tests for the same reason, one solution is enough)
1420+
1421+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
1422+
1423 strongswan (5.5.1-3) unstable; urgency=medium
1424
1425 [ Christian Ehrhardt ]
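Review bot: The restored 5.5.1-4ubuntu1 and 5.5.1-3ubuntu1 entries carry historical typos ("libbstrongswan-extra-plugins.install", "addtionally", "precies", "to to") and repeat the same Remaining Changes block; leave them exactly as published, since this hunk restores changelog history rather than writes it. What is worth checking is that the restored text is byte-identical, including leading whitespace (which this diff view flattens), to the debian/changelog of the last Ubuntu upload, e.g. by diffing the two files with the new top entry removed; any divergence here would be a transcription error rather than an intended change.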
1426@@ -520,6 +1811,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
1427
1428 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
1429
1430+strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
1431+
1432+ * Update Maintainers which was missed while merging 5.5.1-1.
1433+
1434+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
1435+
1436+strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
1437+
1438+ * Merge from Debian (complex delta, discussions and broken out changes can be
1439+ found in the merge proposal linked from the merge bug LP: #1631198)
1440+ * Remaining Changes:
1441+ + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
1442+ checking.
1443+ + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1444+ in tests to avoid issues in low entropy environments.
1445+ + Update init/service handling
1446+ - d/rules: Change init/systemd program name to strongswan
1447+ - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1448+ patching upstream
1449+ - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1450+ linking to upstream
1451+ - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1452+ - d/strongswan-starter.prerm: Stop strongswan service on package
1453+ removal (as opposed to using the old init.d script).
1454+ + Clean up d/strongswan-starter.postinst:
1455+ - Removed section about runlevel changes
1456+ - Adapted service restart section for Upstart (kept to be Trusty
1457+ backportable).
1458+ - Remove old symlinks to init.d files is necessary.
1459+ - Removed further out-dated code
1460+ - Removed entire section on opportunistic encryption - this was never in
1461+ strongSwan.
1462+ + Add and install apparmor profiles
1463+ - d/rules: Install AppArmor profiles
1464+ - d/control: Add dh-apparmor build-dep
1465+ - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1466+ for charon, lookip and stroke
1467+ - d/libcharon-extra-plugins.install: Install profile for lookip
1468+ - d/strongswan-charon.install: Install profile for charon
1469+ - d/strongswan-starter.install: Install profile for stroke
1470+ + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1471+ + d/rules: Sorted and only one enable option per configure line
1472+ + Mass enablement of extra plugins and features to allow a user to use
1473+ strongswan for a variety of use cases without having to rebuild.
1474+ - d/control: Add required additional build-deps
1475+ - d/rules: Enable features at configure stage
1476+ - d/control: Mention addtionally enabled plugins
1477+ - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1478+ - d/libstrongswan.install: Add plugins (so, conf)
1479+ + d/rules: Disable duplicheck as per
1480+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1481+ + Remove ha plugin (requires special kernel)
1482+ - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1483+ - d/rules: Do not enable ha plugin
1484+ - d/control: Drop listing the ha plugin in the package description
1485+ + Add plugin kernel-libipsec to allow the use of strongswan in containers
1486+ via this userspace implementation (please do note that this is still
1487+ considered experimental by upstream).
1488+ - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1489+ - d/control: List kernel-libipsec plugin at extra plugins description
1490+ - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1491+ upstream recommends to not load kernel-libipsec by default.
1492+ + Relocate tnc plugin
1493+ - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1494+ - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1495+ + d/strongswan-starter.install: Install pool feature, that useful due to
1496+ having attr-sql plugin that is enabled now.
1497+ + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1498+ - d/libstrongswan-extra-plugins.install: Remove plugins
1499+ - d/libstrongswan.install: Add plugins
1500+ + d/libstrongswan.install: Reorder conf and .so alphabetically
1501+ + d/libstrongswan.install: Add kernel-netlink configuration files
1502+ + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1503+ + Add updated logcheck rules
1504+ - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1505+ - debian/strongswan.logcheck: Add updated logcheck rules
1506+ + Add updated DEP8 tests
1507+ - d/tests/*: Add DEP8 tests
1508+ - d/control: Enable autotestpkg
1509+ + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1510+ autopkgtest the bliss test takes longer than the default
1511+ + Complete the disabling of libfast
1512+ - Note: This was partially accepted in Debian, it is no more
1513+ packaging medcli and medsrv, but still builds and mentions it
1514+ - d/rules: Add --disable-fast to avoid build time and dependencies
1515+ - d/control: Remove medcli, medsrv from package description
1516+ * Dropped Changes:
1517+ + Adding build-dep to iptables-dev (no change, was only in Changelog)
1518+ + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
1519+ + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
1520+ upgrade path left needing them)
1521+ + Most of "disabling libfast" (Debian dropped it from package content)
1522+ + Transition for ipsec service (no upgrade path left)
1523+ + Reverted part of the cleanup to d/strongswan-starter.postinst as using
1524+ service should rather use invoke-rc.d (so it is a partial revert of our
1525+ delta)
1526+ + Transition handling (breaks/replaces) from per-plugin packages to the
1527+ three grouped plugin packages (no upgrade path left)
1528+ + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
1529+ it is effectively a no-op still, so not worth the delta)
1530+ + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1531+ (no more needed)
1532+ + d/rules: Remove configure option --enable-unit-test (unit tests run by
1533+ default)
1534+ * Added Changes:
1535+ + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
1536+ + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
1537+ the relocation of the ccm plugin which missed to move the conffiles.
1538+ + Complete move of test-vectors (was missing in d/control)
1539+ + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1540+ "only" to extra-plugins Mgf1 is not listed as default plugin at
1541+ https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1542+ + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1543+ libstrongswan-extra-plugins.
1544+ + Add missing mention of md4 plugin in d/control
1545+ + Add missing mention of libchecksum integrity test in d/control
1546+ + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1547+ missed that)
1548+ + Use override_dh_strip to to fix library integrity checking instead of
1549+ DEB_BUILD_OPTION to avoid overwriting user build flags.
1550+ + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1551+ plugins for the most common use cases from extra-plugins into a new
1552+ standard-plugins package. This will allow those use cases without pulling
1553+ in too much more plugins (a bit like the tnc package). Recommend that
1554+ package from strongswan-libcharon (LP: #1640826).
1555+ + Fix Dep8 tests for the now extra strongswan-pki package for pki
1556+ + Fix Dep8 tests for the now extra strongswan-scepclient package
1557+
1558+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
1559+
1560 strongswan (5.5.1-1) unstable; urgency=medium
1561
1562 * New upstream bugfix release.
1563@@ -636,6 +2057,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
1564
1565 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
1566
1567+strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
1568+
1569+ * Build-depend on libjson-c-dev instead of libjson0-dev.
1570+ * Rebuild against libjson-c3.
1571+
1572+ -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
1573+
1574+strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
1575+
1576+ * Rebuild against libmysqlclient20.
1577+
1578+ -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
1579+
1580+strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
1581+
1582+ * debian/tests/plugins: rdrand may or may not be loaded, depending on the
1583+ cpu features.
1584+
1585+ -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
1586+
1587+strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
1588+
1589+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1590+ Enable bliss plugin
1591+ * debian/{rules,control,libstrongswan-extra-plugins.install}
1592+ Enable chapoly plugin
1593+ * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
1594+ Upstream suggests to not load this plugin by default as it has
1595+ some limitations.
1596+ https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
1597+ * debian/patches/increase-bliss-test-timeout.patch
1598+ Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
1599+ * Update Apparmor profiles
1600+ - usr.lib.ipsec.charon
1601+ - add capability audit_write for xauth-pam (LP: #1470277)
1602+ - add capability dac_override (needed by agent plugin)
1603+ - allow priv dropping (LP: #1333655)
1604+ - allow caching CRLs (LP: #1505222)
1605+ - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
1606+ - usr.lib.ipsec.stroke
1607+ - allow priv dropping (LP: #1333655)
1608+ - add local include
1609+ - usr.lib.ipsec.lookip
1610+ - add local include
1611+ * Merge from Debian, which includes fixes for all previous CVEs
1612+ Fixes (LP: #1330504, #1451091, #1448870, #1470277)
1613+ Remaining changes:
1614+ * debian/control
1615+ - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
1616+ - Update Maintainer for Ubuntu
1617+ - Add build-deps
1618+ - dh-apparmor
1619+ - iptables-dev
1620+ - libjson0-dev
1621+ - libldns-dev
1622+ - libmysqlclient-dev
1623+ - libpcsclite-dev
1624+ - libsoup2.4-dev
1625+ - libtspi-dev
1626+ - libunbound-dev
1627+ - Drop build-deps
1628+ - libfcgi-dev
1629+ - clearsilver-dev
1630+ - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1631+ - Set XS-Testsuite: autopkgtest
1632+ * debian/rules:
1633+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1634+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1635+ tests.
1636+ - Change init/systemd program name to strongswan
1637+ - Install AppArmor profiles
1638+ - Removed pieces on 'patching ipsec.conf' on build.
1639+ - Enablement of features per Ubuntu current config suggested from
1640+ upstream recommendation
1641+ - Unpack and sort enabled features to one-per-line
1642+ - Disable duplicheck as per
1643+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1644+ - Disable libfast (--disable-fast):
1645+ Requires dropping medsrv, medcli plugins which depend on libfast
1646+ - Add configure options
1647+ --with-tss=trousers
1648+ - Remove configure options:
1649+ --enable-ha (requires special kernel)
1650+ --enable-unit-test (unit tests run by default)
1651+ - Drop logcheck install
1652+ * debian/tests/*
1653+ - Add DEP8 test for strongswan service and plugins
1654+ * debian/strongswan-starter.strongswan.service
1655+ - Add new systemd file instead of patching upstream
1656+ * debian/strongswan-starter.links
1657+ - removed, use Ubuntu systemd file instead of linking to upstream
1658+ * debian/usr.lib.ipsec.{charon, lookip, stroke}
1659+ - added AppArmor profiles for charon, lookip and stroke
1660+ * debian/libcharon-extra-plugins.install
1661+ - Add plugins
1662+ - kernel-libipsec.{so, lib, conf, apparmor}
1663+ - Remove plugins
1664+ - libstrongswan-ha.so
1665+ - Relocate plugins
1666+ - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1667+ * debian/libstrongswan-extra-plugins.install
1668+ - Add plugins (so, lib, conf)
1669+ - acert
1670+ - attr-sql
1671+ - coupling
1672+ - dnscert
1673+ - fips-prf
1674+ - gmp
1675+ - ipseckey
1676+ - load-tester
1677+ - mysql
1678+ - ntru
1679+ - radattr
1680+ - soup
1681+ - sqlite
1682+ - sql
1683+ - systime-fix
1684+ - unbound
1685+ - whitelist
1686+ - Relocate plugins (so, lib, conf)
1687+ - ccm (libstrongswan.install)
1688+ - test-vectors (libstrongswan.install)
1689+ * debian/libstrongswan.install
1690+ - Sort sections
1691+ - Add plugins (so, lib, conf)
1692+ - libchecksum
1693+ - ccm
1694+ - eap-identity
1695+ - md4
1696+ - test-vectors
1697+ * debian/strongswan-charon.install
1698+ - Add AppArmor profile for charon
1699+ * debian/strongswan-starter.install
1700+ - Add tools, manpages, conf
1701+ - openac
1702+ - pool
1703+ - _updown_espmark
1704+ - Add AppArmor profile for stroke
1705+ * debian/strongswan-tnc-base.install
1706+ - Add new subpackage for TNC
1707+ - remove non-existent (dropped in 5.2.1) libpts library files
1708+ * debian/strongswan-tnc-client.install
1709+ - Add new subpackage for TNC
1710+ * debian/strongswan-tnc-ifmap.install
1711+ - Add new subpackage for TNC
1712+ * debian/strongswan-tnc-pdp.install
1713+ - Add new subpackage for TNC
1714+ * debian/strongswan-tnc-server.install
1715+ - Add new subpackage for TNC
1716+ * debian/strongswan-starter.postinit:
1717+ - Removed section about runlevel changes, it's almost 2014.
1718+ - Adapted service restart section for Upstart.
1719+ - Remove old symlinks to init.d files is necessary.
1720+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1721+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1722+ * debian/strongswan-starter.prerm: Stop strongswan service on package
1723+ removal (as opposed to using the old init.d script).
1724+ * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1725+ - logcheck patterns updated to be helpful
1726+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1727+ entire section on opportunistic encryption - this was never in strongSwan.
1728+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1729+ Drop changes:
1730+ * debian/control
1731+ - Per-plugin package breakup: Reducing packaging delta from Debian
1732+ - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1733+ * debian/watch: Already exists in Debian merge
1734+ * debian/upstream/signing-key.asc: Upstream has newer version.
1735+
1736+ -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1737+
1738 strongswan (5.3.5-1) unstable; urgency=medium
1739
1740 * New upstream bugfix release.
1741@@ -908,6 +2500,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
1742
1743 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
1744
1745+strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1746+
1747+ * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1748+
1749+ -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1750+
1751+strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1752+
1753+ * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1754+ - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1755+ MSK was established in
1756+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1757+ - CVE-2015-8023
1758+ * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1759+ until regression is properly investigated.
1760+
1761+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1762+
1763+strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1764+
1765+ * SECURITY UPDATE: user credential disclosure to rogue servers
1766+ - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1767+ config before proceeding with own authentication in
1768+ src/libcharon/sa/ikev2/tasks/ike_auth.c.
1769+ - CVE-2015-4171
1770+ * debian/rules: don't FTBFS from unused service file
1771+
1772+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1773+
1774+strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1775+
1776+ * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1777+
1778+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1779+
1780+strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1781+
1782+ * SECURITY UPDATE: denial of service via DH group 1025
1783+ - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1784+ IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1785+ src/libstrongswan/crypto/diffie_hellman.h.
1786+ - CVE-2014-9221
1787+
1788+ -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1789+
1790+strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1791+
1792+ * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1793+ build.
1794+
1795+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1796+
1797+strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1798+
1799+ * SECURITY UPDATE: remote authentication bypass
1800+ - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1801+ on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1802+ - CVE-2014-2338
1803+
1804+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1805+
1806+strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1807+
1808+ * New upstream release.
1809+
1810+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1811+
1812+strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1813+
1814+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1815+ * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1816+
1817+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1818+
1819+strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1820+
1821+ * New upstream release candidate.
1822+
1823+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1824+
1825+strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1826+
1827+ * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1828+ packages.
1829+ * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1830+
1831+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1832+
1833+strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1834+
1835+ * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1836+
1837+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1838+
1839+strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1840+
1841+ * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1842+ as it's only useful on amd64.
1843+ * debian/watch: Added opts=pgpsigurlmangle option.
1844+ * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1845+
1846+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1847+
1848+strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1849+
1850+ * New upstream release candidate.
1851+ * debian/*.install - include new configuration files for plugins in
1852+ appropiate packages.
1853+
1854+ -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1855+
1856+strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1857+
1858+ * debian/control:
1859+ - Added Breaks/Replaces for all library files which have been moved
1860+ about (LP: #1278176).
1861+ - Removed build-dependency on check and added one on dh-apparmor.
1862+ * debian/strongswan-starter.postinst: Removed further out-dated code and
1863+ entire section on opportunistic encryption - this was never in strongSwan.
1864+ * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1865+
1866+ -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1867+
1868+strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1869+
1870+ * debian/control: Fixed references to plugin-fips-prf.
1871+
1872+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1873+
1874+strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1875+
1876+ * Upstream Git snapshot for build fixes with regards to entropy.
1877+ * debian/rules:
1878+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1879+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1880+ tests.
1881+
1882+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1883+
1884+strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1885+
1886+ * New upstream developer release.
1887+ * Made changes to packaging per upstream suggestions.
1888+ - Dropped medcli and medsrv packages - not recommended by upstream at this
1889+ time.
1890+ - Dropped ha plugin - needs special kernel.
1891+ - Improved all package descriptions in general.
1892+ - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1893+ - Removed debian/*logcheck* files - not relevant to strongSwan.
1894+ - Split dhcp and farp packages into sub-packages.
1895+ - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1896+ - Changes to TNC-related packages.
1897+ * Created AppArmor profiles for lookip and stroke.
1898+
1899+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1900+
1901+strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1902+
1903+ * libstrongswan.install: Removed lingering unit-tester.so reference.
1904+
1905+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1906+
1907+strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1908+
1909+ * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1910+ Incorporates upstream fixes for:
1911+ - Integrity testing.
1912+ - Unit test failures on little endian systems.
1913+ * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1914+ upstream.
1915+ * debian/rules:
1916+ - Stop using CK_TIMEOUT_MULTIPLIER.
1917+ - Stop enabling the test suite only on non-powerpc arches (it runs
1918+ anyway).
1919+
1920+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1921+
1922+strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1923+
1924+ * debian/control: Reinstate missing comma in dependencies.
1925+
1926+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
1927+
1928+strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
1929+
1930+ * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
1931+ where test for >2038 tests on 32-bit platforms is broken.
1932+ - Reported upstream: https://wiki.strongswan.org/issues/477
1933+ * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
1934+
1935+ -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
1936+
1937+strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
1938+
1939+ * New upstream developer release.
1940+ * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
1941+ and --enable-unity.
1942+ * debian/control:
1943+ - New plugin packages created for the above
1944+ - Split fips-prf into its own package.
1945+ - Added build-dependency on libsoup2.4-dev.
1946+
1947+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
1948+
1949 strongswan (5.1.1-3) unstable; urgency=low
1950
1951 * Upload to unstable.
1952@@ -999,6 +2795,192 @@ strongswan (5.1.1-1) unstable; urgency=low
1953
1954 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
1955
1956+strongswan (5.1.1-0ubuntu17) trusty; urgency=low
1957+
1958+ * debian/control:
1959+ - Make strongswan-ike depend on iproute2.
1960+ - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
1961+ - Created strongswan-libfast package.
1962+
1963+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
1964+
1965+strongswan (5.1.1-0ubuntu16) trusty; urgency=low
1966+
1967+ * debian/control:
1968+ - Further splitting of plugins into subpackages (such as all EAP plugins
1969+ to their own packages).
1970+ - Added libpcsclite-dev to build-dependencies.
1971+ * debian/rules:
1972+ - Sort configure options in alphabetical order.
1973+ - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
1974+ --enable-eap-sim-file, --enable-eap-sim-pcsc,
1975+ --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
1976+ --enable-eap-simaka-sql.
1977+ - Don't exclude medsrv from install.
1978+ * Moved eap-identity.so to libstrongswan package as it's used by all the
1979+ other EAP plugins.
1980+
1981+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
1982+
1983+strongswan (5.1.1-0ubuntu15) trusty; urgency=low
1984+
1985+ * debian/control:
1986+ - Split plugins from libstrongswan package into modular subpackages.
1987+ - Added libmysqlclient-dev to build-dependencies.
1988+ - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
1989+ strongswan-plugins-gcrypt.
1990+ - strongswan-ike: All other plugins added to Suggests.
1991+ - Created two new TNC packages: strongswan-tnc-ifmap and
1992+ strongswan-tnc-pdp and added to tnc-imcvs Suggests.
1993+ * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
1994+ --enable-error-notify, --enable-mysql, --enable-load-tester,
1995+ --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
1996+ * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
1997+
1998+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
1999+
2000+strongswan (5.1.1-0ubuntu14) trusty; urgency=low
2001+
2002+ * debian/rules:
2003+ - CK_TIMEOUT_MULTIPLIER back down to 6.
2004+ - Disable unit tests on powerpc.
2005+
2006+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
2007+
2008+strongswan (5.1.1-0ubuntu13) trusty; urgency=low
2009+
2010+ * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
2011+
2012+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
2013+
2014+strongswan (5.1.1-0ubuntu12) trusty; urgency=low
2015+
2016+ * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
2017+ armhf.
2018+
2019+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
2020+
2021+strongswan (5.1.1-0ubuntu11) trusty; urgency=low
2022+
2023+ * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
2024+ one extra arch.
2025+ * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
2026+
2027+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
2028+
2029+strongswan (5.1.1-0ubuntu10) trusty; urgency=low
2030+
2031+ * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
2032+ - Increases RSA key generate test timeout to 30 seconds so that it doesn't
2033+ fail on armhf, arm64, and powerppc.
2034+ * Contrary to what the last changelog entry says, we are still running
2035+ strongswan as root (with AppArmor protection).
2036+
2037+ -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
2038+
2039+strongswan (5.1.1-0ubuntu9) trusty; urgency=low
2040+
2041+ * debian/rules: Added to configure options:
2042+ - --enable-tnc-ifmap: enable TNC IF-MAP module.
2043+ - --enable-duplicheck: enable duplicheck plugin.
2044+ - --enable-imv-swid, --enable-imc-swid: Added.
2045+ - Run strongswan as it's own user.
2046+ * debian/strongswan-starter.install: Install duplicheck.
2047+ * debian/strongswan-tnc-imcvs.install: Install swidtags.
2048+
2049+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
2050+
2051+strongswan (5.1.1-0ubuntu8) trusty; urgency=low
2052+
2053+ * debian/rules: Added to configure options:
2054+ - --enable-unit-tests: check unit testing on build.
2055+ - --enable-unbound: for validating DNS lookups.
2056+ - --enable-dnscert: for DNSCERT peer authentication.
2057+ - --enable-ipseckey: for IPSEC key authentication.
2058+ - --enable-lookip: for LookIP functionality.
2059+ - --enable-coupling: certificate coupling functionality.
2060+ * debian/control: Added check, libldns-dev, libunbound-dev to
2061+ build-dependencies.
2062+ * debian/libstrongswan.install: Install new plugin .so's.
2063+ * debian/strongswan-starter.install: Added lookip.
2064+
2065+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
2066+
2067+strongswan (5.1.1-0ubuntu7) trusty; urgency=low
2068+
2069+ * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
2070+ the former from depending on the latter).
2071+
2072+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
2073+
2074+strongswan (5.1.1-0ubuntu6) trusty; urgency=low
2075+
2076+ * debian/strongswan-starter.prerm: Stop strongswan service on package
2077+ removal (as opposed to using the old init.d script).
2078+
2079+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
2080+
2081+strongswan (5.1.1-0ubuntu5) trusty; urgency=low
2082+
2083+ * debian/rules:
2084+ - CONFIGUREARGS: Merged Debian and RPM options.
2085+ - Brings in TNC functionality.
2086+ * debian/control:
2087+ - Added build-dependency on libtspi-dev.
2088+ - Created strongswan-tnc-imcvs binary package for TNC components.
2089+ - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
2090+ * debian/libstrongswan.install:
2091+ - Included newly built MD4 and SQLite libraries.
2092+ - Removed 'tnc' references (moved to TNC package).
2093+ * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
2094+ binaries.
2095+ * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
2096+
2097+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
2098+
2099+strongswan (5.1.1-0ubuntu4) trusty; urgency=low
2100+
2101+ * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
2102+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
2103+ * debian/control: strongswan-ike - Stop depending on ipsec-tools.
2104+
2105+ -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
2106+
2107+strongswan (5.1.1-0ubuntu3) trusty; urgency=low
2108+
2109+ * strongswan-starter.strongswan.upstart - Only start strongSwan when a
2110+ network connection is available.
2111+ * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
2112+ 1.16.1 - to make precise backporting easier.
2113+
2114+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
2115+
2116+strongswan (5.1.1-0ubuntu2) trusty; urgency=low
2117+
2118+ * strongswan-starter.strongswan.upstart - Created Upstart job for
2119+ strongSwan.
2120+ * debian/rules: Set dh_installinit to install above file.
2121+ * debian/strongswan-starter.postinit:
2122+ - Removed section about runlevel changes, it's almost 2014.
2123+ - Adapted service restart section for Upstart.
2124+ - Remove old symlinks to init.d files is necessary.
2125+ * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
2126+
2127+ -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
2128+
2129+strongswan (5.1.1-0ubuntu1) trusty; urgency=low
2130+
2131+ * New upstream release.
2132+ * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
2133+ * debian/control: Updated Standards-Version to 3.9.5 and applied
2134+ XSBC-Original-Maintainer policy.
2135+ * strongswan-starter.install:
2136+ - pki tool is now in /usr/bin.
2137+ - Install pt-tls-client.
2138+ - Install manpages (LP: #1206263).
2139+
2140+ -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
2141+
2142 strongswan (5.1.0-3) unstable; urgency=high
2143
2144 * urgency=high for the security fixes.
2145diff --git a/debian/control b/debian/control
2146index df2d9f3..c82b7aa 100644
2147--- a/debian/control
2148+++ b/debian/control
2149@@ -1,7 +1,8 @@
2150 Source: strongswan
2151 Section: net
2152 Priority: optional
2153-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
2154+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
2155+XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
2156 Uploaders: Yves-Alexis Perez <corsac@debian.org>
2157 Standards-Version: 4.7.1
2158 Vcs-Browser: https://salsa.debian.org/debian/strongswan
2159@@ -207,6 +208,9 @@ Description: strongSwan charon library (extra plugins)
2160 - unity (Cisco Unity extensions for IKEv1)
2161 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
2162 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
2163+ - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
2164+ requested/supported by the client (since 5.0.1))
2165+ - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
2166
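Review bot: the two new entries appended at the end of the plugin list in the libcharon-extra-plugins description break the alphabetical order the list otherwise keeps (unity, xauth-eap, xauth-pam); move `- eap-dynamic ...` and `- eap-peap ...` up next to the other eap-* entries so readers find them where they expect. The `(since 5.0.1)` version note is also not used by any other entry in the list and can go.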
2167 Package: strongswan-starter
2168 Architecture: any
2169@@ -214,10 +218,10 @@ Pre-Depends: ${misc:Pre-Depends}
2170 Depends: adduser,
2171 libstrongswan (= ${binary:Version}),
2172 sysvinit-utils (>= 3.05-3),
2173+ strongswan-charon,
2174 ${misc:Depends},
2175 ${shlibs:Depends}
2176 Conflicts: libreswan
2177-Recommends: strongswan-charon
2178 Description: strongSwan daemon starter and configuration file parser
2179 The strongSwan VPN suite uses the native IPsec stack in the standard
2180 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
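Review bot: strongswan-starter now hard-depends on strongswan-charon where it previously only recommended it, and the rationale for tightening the relationship is not visible in this hunk, so make sure the changelog entry for this upload states it. The companion change on the strongswan-charon side (Depends on strongswan-starter relaxed to Recommends) is what keeps this from becoming a Depends cycle, so the two hunks need to stay together.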
2181@@ -253,10 +257,10 @@ Architecture: any
2182 Pre-Depends: debconf | debconf-2.0
2183 Depends: iproute2 [linux-any] | iproute [linux-any],
2184 libstrongswan (= ${binary:Version}),
2185- strongswan-starter,
2186 ${misc:Depends},
2187 ${shlibs:Depends}
2188 Conflicts: charon-systemd
2189+Recommends: strongswan-starter,
2190 Provides: ike-server
2191 Description: strongSwan Internet Key Exchange daemon
2192 The strongSwan VPN suite uses the native IPsec stack in the standard
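Review bot: `Recommends: strongswan-starter,` carries a trailing comma with nothing after it, which looks like a leftover from moving the line out of the multi-entry Depends list; drop it for consistency with the file's other single-entry fields (`Conflicts: charon-systemd`, `Provides: ike-server`).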
2193diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
2194index 94fbabd..91ca716 100644
2195--- a/debian/libcharon-extra-plugins.install
2196+++ b/debian/libcharon-extra-plugins.install
2197@@ -2,9 +2,11 @@
2198 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
2199 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
2200 usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
2201+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
2202 usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
2203 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
2204 usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
2205+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
2206 usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
2207 usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
2208 usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
2209@@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
2210 usr/share/strongswan/templates/config/plugins/addrblock.conf
2211 usr/share/strongswan/templates/config/plugins/certexpire.conf
2212 usr/share/strongswan/templates/config/plugins/eap-aka.conf
2213+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
2214 usr/share/strongswan/templates/config/plugins/eap-gtc.conf
2215 usr/share/strongswan/templates/config/plugins/eap-identity.conf
2216 usr/share/strongswan/templates/config/plugins/eap-md5.conf
2217+usr/share/strongswan/templates/config/plugins/eap-peap.conf
2218 usr/share/strongswan/templates/config/plugins/eap-radius.conf
2219 usr/share/strongswan/templates/config/plugins/eap-tls.conf
2220 usr/share/strongswan/templates/config/plugins/eap-tnc.conf
2221@@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf
2222 etc/strongswan.d/charon/addrblock.conf
2223 etc/strongswan.d/charon/certexpire.conf
2224 etc/strongswan.d/charon/eap-aka.conf
2225+etc/strongswan.d/charon/eap-dynamic.conf
2226 etc/strongswan.d/charon/eap-gtc.conf
2227 etc/strongswan.d/charon/eap-identity.conf
2228 etc/strongswan.d/charon/eap-md5.conf
2229+etc/strongswan.d/charon/eap-peap.conf
2230 etc/strongswan.d/charon/eap-radius.conf
2231 etc/strongswan.d/charon/eap-tls.conf
2232 etc/strongswan.d/charon/eap-tnc.conf
2233diff --git a/debian/rules b/debian/rules
2234index 415178c..42a7f54 100755
2235--- a/debian/rules
2236+++ b/debian/rules
2237@@ -17,9 +17,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
2238 --enable-curve25519 \
2239 --enable-eap-aka \
2240 --enable-eap-gtc \
2241+ --enable-eap-dynamic \
2242 --enable-eap-identity \
2243 --enable-eap-md5 \
2244 --enable-eap-mschapv2 \
2245+ --enable-eap-peap \
2246 --enable-eap-radius \
2247 --enable-eap-tls \
2248 --enable-eap-tnc \
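Review bot: `--enable-eap-dynamic` is inserted after `--enable-eap-gtc`, but the surrounding flags are kept in alphabetical order (aka, gtc, identity, md5, mschapv2, peap, radius, tls, tnc), so it belongs between `--enable-eap-aka` and `--enable-eap-gtc`; `--enable-eap-peap` is already in the right place.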
2249diff --git a/debian/tests/control b/debian/tests/control
2250index 524498c..43d9b0c 100644
2251--- a/debian/tests/control
2252+++ b/debian/tests/control
2253@@ -5,3 +5,9 @@ Restrictions: needs-root isolation-container allow-stderr
2254 Tests: daemon plugins
2255 Depends: strongswan-starter, strongswan-charon, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins
2256 Restrictions: needs-root isolation-machine allow-stderr
2257+
2258+Tests: host-to-host
2259+Depends: strongswan-swanctl, strongswan-pki, libstrongswan-extra-plugins,
2260+ charon-systemd, lsb-release, snapd, dctrl-tools, libtss2-tcti-tabrmd0,
2261+ bind9-dnsutils
2262+Restrictions: needs-root isolation-machine allow-stderr skippable
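Review bot: the Depends list for host-to-host is missing a netcat package even though `wait_container_ready` in debian/tests/utils probes port 22 with `nc -z`, so the test fails on a minimal testbed where `nc` is absent; add netcat-openbsd. Conversely, nothing in the host-to-host script uses a TPM, so either state in the changelog why `libtss2-tcti-tabrmd0` is listed or drop it. Keep in mind that this same field is what `get_test_dependencies` feeds to `apt-get install` inside the two containers (only snapd and dctrl-tools are excluded), so every entry here is pulled into both peers as well.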
2263diff --git a/debian/tests/host-to-host b/debian/tests/host-to-host
2264new file mode 100755
2265index 0000000..3a76da0
2266--- /dev/null
2267+++ b/debian/tests/host-to-host
2268@@ -0,0 +1,401 @@
2269+#!/bin/bash
2270+
2271+# host to host setup from https://docs.strongswan.org/docs/5.9/config/quickstart.html
2272+
2273+set -e
2274+set -o pipefail
2275+
2276+# exit early if not on Ubuntu
2277+if [ "$(lsb_release --short --id)" != "Ubuntu" ]; then
2278+ echo "This test only runs on Ubuntu, skipping."
2279+ exit 77
2280+fi
2281+
2282+cleanup() {
2283+ if [ $? -ne 0 ]; then
2284+ set +e
2285+ echo "Something failed, gathering debug info"
2286+ echo
2287+ echo "Installed strongswan packages:"
2288+ dpkg -l | grep -E "(strongswan|charon)"
2289+ echo
2290+ echo "loaded kernel modules:"
2291+ lsmod
2292+ echo
2293+ echo "journal logs from host:"
2294+ journalctl --no-pager -u strongswan.service || :
2295+ echo
2296+ echo "LXD details:"
2297+ lxc network list
2298+ lxc list
2299+ echo
2300+ for container in $(lxc list -f compact -c ns | grep -F RUNNING | awk '{print $1}'); do
2301+ echo "journal logs from container ${container}"
2302+ lxc exec "${container}" -- journalctl -u strongswan.service --no-pager || :
2303+ echo
2304+ echo "strongswan data from container ${container}"
2305+ for cmd in stats list-certs list-conns list-pols list-sas; do
2306+ echo "${cmd}:"
2307+ lxc exec "${container}" -- swanctl --${cmd} || :
2308+ echo
2309+ done
2310+ done
2311+ fi
2312+ set +e
2313+ rm -rf "${WORKDIR}"
2314+ for container in "${PEERS[@]}"; do
2315+ lxc delete --force "${container}" > /dev/null 2>&1 || :
2316+ done
2317+}
2318+
2319+trap cleanup EXIT
2320+
2321+WORKDIR=$(mktemp -d)
2322+PEERS=("moon" "sun")
2323+declare -A REMOTE
2324+REMOTE["moon"]="sun"
2325+REMOTE["sun"]="moon"
2326+PUBKEY_ALGO="ed25519"
2327+TESTNAME=$(basename "${0}")
2328+
2329+# ca
2330+CA_KEY_FILE="${WORKDIR}/strongswanKey.pem"
2331+REQ_FILE="${WORKDIR}/req.pem" # can be reused for multiple reqs
2332+CA_CERT_FILE="${WORKDIR}/strongswanCert.pem"
2333+
2334+source debian/tests/utils
2335+
2336+check_pol() {
2337+ #root@moon:~# swanctl --list-pols
2338+ #moon-sun/moon-sun, TUNNEL
2339+ # local: 10.38.71.14/32
2340+ # remote: 10.38.71.194/32
2341+ local me="${1}"
2342+ local pol="${2}"
2343+ local -i failures=0
2344+ local tunnel
2345+ local ip
2346+ local policy_ip
2347+
2348+ echo "Checking policy for:"
2349+ echo -n " we have a tunnel: "
2350+ if echo "${pol}" | head -n 1 | grep -qF TUNNEL; then
2351+ echo "OK"
2352+ else
2353+ echo "FAIL"
2354+ failures=$((failures+1))
2355+ fi
2356+
2357+ # moon-sun/moon-sun, TUNNEL -> tunnel = moon-sun
2358+ tunnel=$(echo "${pol}" | head -n 1 | cut -d , -f 1)
2359+ echo -n " tunnel matches local-remote: "
2360+ if echo "${tunnel}" | grep -qE "^${me}-${REMOTE[${me}]}/${me}-${REMOTE[${me}]}"; then
2361+ echo "OK"
2362+ else
2363+ echo "FAIL (tunnel=${tunnel})"
2364+ failures=$((failures+1))
2365+ fi
2366+
2367+ echo -n " local IP matches local peer: "
2368+ ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
2369+ policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+local:[[:blank:]]+([0-9.]+/32),\1,p")
2370+ if [ "${ip}" = "${policy_ip}" ]; then
2371+ echo "OK"
2372+ else
2373+ echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
2374+ failures=$((failures+1))
2375+ fi
2376+
2377+ echo -n " remote IP matches remote peer: "
2378+ ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
2379+ policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+remote:[[:blank:]]+([0-9.]+/32),\1,p")
2380+ if [ "${ip}" = "${policy_ip}" ]; then
2381+ echo "OK"
2382+ else
2383+ echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
2384+ failures=$((failures+1))
2385+ fi
2386+
2387+ return ${failures}
2388+}
2389+
2390+check_sa() {
2391+ local -i failures=0
2392+ local me="${1}"
2393+ local sa="${2}"
2394+ local name=""
2395+ local sa_ip
2396+
2397+ # SAs look like this:
2398+ # moon-sun: #1, ESTABLISHED, IKEv2, f1bdc688a5078946_i* bf6e1559c5a87ab9_r
2399+ # local 'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.84.128.22[4500]
2400+ # remote 'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.84.128.191[4500]
2401+ # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
2402+ # established 11s ago, rekeying in 14147s
2403+ # moon-sun: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
2404+ # installed 11s ago, rekeying in 3285s, expires in 3949s
2405+ # in c3bcdf8d, 168 bytes, 2 packets, 0s ago
2406+ # out caf49378, 168 bytes, 2 packets, 0s ago
2407+ # local 10.84.128.22/32
2408+ # remote 10.84.128.191/32
2409+
2410+ echo "Checking SA for:"
2411+
2412+ echo -n " established SA: "
2413+ if echo "${sa}" | grep -qE "^[[:alnum:]]+-[[:alnum:]]+:.*ESTABLISHED"; then
2414+ echo "OK"
2415+ else
2416+ echo "FAIL"
2417+ failures=$((failures+1))
2418+ fi
2419+
2420+ # parse the connection name from the first line: $local-$remote: #1,....
2421+ name=$(echo "${sa}" | head -n 1 | sed -r "s/^([[:alnum:]]+)-[[:alnum:]]+:.*/\1/")
2422+ echo -n " local DN matches CN=${name}.strongswan.org: "
2423+ if echo "${sa}" | grep -qE "^[[:blank:]]*local.*CN=${name}\.strongswan\.org"; then
2424+ echo "OK"
2425+ else
2426+ echo "FAIL"
2427+ failures=$((failures+1))
2428+ fi
2429+
2430+ # parse the connection name from the first line: $local-$remote: #1,....
2431+ name=$(echo "${sa}" | head -n 1 | sed -r "s/^[[:alnum:]]+-([[:alnum:]]+):.*/\1/")
2432+ echo -n " remote DN matches CN=${name}.strongswan.org: "
2433+ if echo "${sa}" | grep -qE "^[[:blank:]]*remote.*CN=${name}\.strongswan\.org"; then
2434+ echo "OK"
2435+ else
2436+ echo "FAIL"
2437+ failures=$((failures+1))
2438+ fi
2439+
2440+ echo -n " local IP matches local peer: "
2441+ ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
2442+ sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+local[[:blank:]]+([0-9.]+/32),\1,p")
2443+ if [ "${ip}" = "${sa_ip}" ]; then
2444+ echo "OK"
2445+ else
2446+ echo "FAIL: local ip ${ip} != SA local ip ${sa_ip}"
2447+ failures=$((failures+1))
2448+ fi
2449+
2450+ echo -n " remote IP matches remote peer: "
2451+ ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
2452+ sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+remote[[:blank:]]+([0-9.]+/32),\1,p")
2453+ if [ "${ip}" = "${sa_ip}" ]; then
2454+ echo "OK"
2455+ else
2456+ echo "FAIL: remote ip ${ip} != SA remote ip ${sa_ip}"
2457+ failures=$((failures+1))
2458+ fi
2459+
2460+ # TODO: check for cipher, if it matches the algo used in the pubkey
2461+ # TODO: check for traffic, should not be zero
2462+
2463+ return ${failures}
2464+}
2465+
2466+_setup_peer() {
2467+ local peer="${1}"
2468+ local algo="${2}"
2469+ local key_file="${WORKDIR}/${peer}Key.pem"
2470+ local cert_file="${WORKDIR}/${peer}Cert.pem"
2471+
2472+ pki --gen --type "${algo}" --outform pem > "${key_file}"
2473+
2474+ pki --req --type priv --in "${key_file}" \
2475+ --dn "C=CH, O=strongswan, CN=${peer}.strongswan.org" \
2476+ --san "${peer}.strongswan.org" --outform pem > "${REQ_FILE}"
2477+
2478+ pki --issue --cacert "${CA_CERT_FILE}" --cakey "${CA_KEY_FILE}" \
2479+ --type pkcs10 --in "${REQ_FILE}" --serial 01 --lifetime 5 \
2480+ --outform pem --flag serverAuth > "${cert_file}"
2481+}
2482+
2483+_setup_lxd() {
2484+ lxd init --auto
2485+ network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED" | awk '{print $1}')
2486+ lxc network set "${network:-lxdbr0}" ipv6.address=none
2487+ if [ -n "${http_proxy}" ]; then
2488+ lxc config set core.proxy_http "${http_proxy}"
2489+ fi
2490+ if [ -n "${https_proxy}" ]; then
2491+ lxc config set core.proxy_https "${https_proxy}"
2492+ fi
2493+ if [ -n "${noproxy}" ]; then
2494+ lxc config set core.proxy_ignore_hosts "${noproxy}"
2495+ fi
2496+}
2497+
2498+_setup_host_containers() {
2499+ local release
2500+ local ip
2501+ local -i result=0
2502+ local -a deps
2503+
2504+ release=$(lsb_release -cs)
2505+ readarray -t deps < <(get_test_dependencies "${TESTNAME}" snapd dctrl-tools)
2506+
2507+ for container in "${PEERS[@]}"; do
2508+ echo "Launching container ${container} with release ${release}"
2509+ lxc launch "ubuntu-daily:${release}" "${container}" -c security.nesting=true -q
2510+ echo -en "Waiting for container ${container} to be ready "
2511+ wait_container_ready "${container}"
2512+
2513+ echo "Copying over /etc/apt to container ${container}"
2514+ lxc exec "${container}" -- rm -rf /etc/apt
2515+ lxc exec "${container}" -- mkdir -p /etc/apt
2516+ tar -cC /etc/apt . | lxc exec "${container}" -- tar -xC /etc/apt
2517+
2518+ echo "Installing deps in container ${container} (${deps[*]})"
2519+ output=$(lxc exec "${container}" -- apt-get update -q) || {
2520+ result=$?
2521+ echo "apt-get update failed in container ${container}"
2522+ echo "${output}"
2523+ return ${result}
2524+ }
2525+ output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y) || {
2526+ result=$?
2527+ echo "apt-get dist-upgrade failed in container ${container}"
2528+ echo "${output}"
2529+ return ${result}
2530+ }
2531+ output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y "${deps[@]}") || {
2532+ result=$?
2533+ echo "apt-get install ${deps[*]} failed in container ${container}"
2534+ echo "${output}"
2535+ return ${result}
2536+ }
2537+ echo "Done for container ${container}"
2538+ done
2539+}
2540+
2541+_setup_host_containers_certs() {
2542+ for container in "${PEERS[@]}"; do
2543+ echo "Copying ${CA_CERT_FILE} to container ${container}"
2544+ lxc file push "${CA_CERT_FILE}" "${container}/etc/swanctl/x509ca/"
2545+
2546+ echo "Copying ${container} cert and key"
2547+ lxc file push "${WORKDIR}/${container}Key.pem" "${container}/etc/swanctl/private/"
2548+ lxc file push "${WORKDIR}/${container}Cert.pem" "${container}/etc/swanctl/x509/"
2549+ done
2550+}
2551+
2552+_setup_host_containers_strongswan() {
2553+ local config
2554+
2555+ config=$(mktemp)
2556+
2557+ for peer in "${PEERS[@]}"; do
2558+ conn_name="${peer}-${REMOTE[${peer}]}"
2559+ cat > "${config}" <<EOF
2560+connections {
2561+ ${conn_name} {
2562+ remote_addrs = ${REMOTE[${peer}]}.lxd
2563+ local {
2564+ auth=pubkey
2565+ certs = ${peer}Cert.pem
2566+ }
2567+ remote {
2568+ auth = pubkey
2569+ id = "C=CH, O=strongswan, CN=${REMOTE[${peer}]}.strongswan.org"
2570+ }
2571+ children {
2572+ ${conn_name} {
2573+ start_action = trap
2574+ }
2575+ }
2576+ }
2577+}
2578+EOF
2579+ lxc file push "${config}" "${peer}/etc/swanctl/conf.d/${conn_name}.conf"
2580+ echo "Loading creds in container ${peer}"
2581+ lxc exec "${peer}" -- swanctl --load-creds
2582+ echo "Loading connections in container ${peer}"
2583+ lxc exec "${peer}" -- swanctl --load-conns
2584+ done
2585+}
2586+
2587+setup() {
2588+ local algo=${1:-ed25519}
2589+ echo "Creating a CA"
2590+ echo
2591+ echo "Generating private key for CA"
2592+ pki --gen --type "${algo}" --outform pem > "${CA_KEY_FILE}"
2593+
2594+ echo "Generating self-signed certificate for CA"
2595+ pki \
2596+ --self --ca --lifetime 10 --in "${CA_KEY_FILE}" \
2597+ --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
2598+ --outform pem > "${CA_CERT_FILE}"
2599+ echo "Here is the CA cert:"
2600+ pki --print --in "${CA_CERT_FILE}"
2601+
2602+ for peer in "${PEERS[@]}"; do
2603+ echo "Generating key and certificate for peer ${peer}"
2604+ _setup_peer "${peer}" "${algo}"
2605+ done
2606+
2607+ echo "Setting up host LXD"
2608+ _setup_lxd
2609+
2610+ echo "Creating host containers"
2611+ _setup_host_containers
2612+
2613+ echo "Copy certificates to containers"
2614+ _setup_host_containers_certs
2615+
2616+ echo "Configuring strongswan in containers"
2617+ _setup_host_containers_strongswan
2618+}
2619+
2620+test_ping() {
2621+ for peer in "${PEERS[@]}"; do
2622+ echo "Generating traffic from ${peer} to ${REMOTE[${peer}]}"
2623+ # first ping to establish the tunnel always fails
2624+ lxc exec "${peer}" -- ping -c 2 -W 3 "${REMOTE[${peer}]}.lxd" > /dev/null 2>&1 || :
2625+ # this one must work
2626+ lxc exec "${peer}" -- ping -c 4 -W 3 "${REMOTE[${peer}]}.lxd"
2627+ echo
2628+ done
2629+}
2630+
2631+test_sa() {
2632+ for peer in "${PEERS[@]}"; do
2633+ sa=$(lxc exec "${peer}" -- swanctl --list-sas)
2634+ echo "This is the ${peer} SA:"
2635+ if [ -z "${sa}" ]; then
2636+ echo "FAILED: SA is empty (swanctl --list-sas)"
2637+ return 1
2638+ fi
2639+ echo "${sa}"
2640+ echo
2641+ check_sa "${peer}" "${sa}"
2642+ echo
2643+ done
2644+}
2645+
2646+test_pol() {
2647+ for peer in "${PEERS[@]}"; do
2648+ pol=$(lxc exec "${peer}" -- swanctl --list-pols)
2649+ echo "This is the ${peer} policy:"
2650+ if [ -z "${pol}" ]; then
2651+ echo "FAILED: pol is empty (swanctl --list-pols)"
2652+ return 1
2653+ fi
2654+ echo "${pol}"
2655+ echo
2656+ check_pol "${peer}" "${pol}"
2657+ echo
2658+ done
2659+}
2660+
2661+
2662+# the lxd deb package last existed in focal, so we install the snap
2663+snap list lxd > /dev/null 2>&1 || snap install lxd
2664+
2665+setup "${PUBKEY_ALGO}"
2666+
2667+test_ping
2668+test_sa
2669+test_pol
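Review bot: the top-level calls `test_ping`, `test_sa` and `test_pol` at the end of the script discard the functions' return codes, so the `return 1` paths in `test_sa` ("SA is empty") and `test_pol` ("pol is empty") only fail the DEP-8 run if `set -e` is in effect earlier in the file (not visible in this hunk); if it is not, either add `set -e` or chain the calls (`test_ping && test_sa && test_pol`) so an empty SA or policy listing is reported as a failure rather than just printed. Minor: `sa` and `pol` are assigned without `local`, unlike `algo` in `setup()`, and the comment above the `pki --self --ca --lifetime 10` call could state that the 10-day CA lifetime is deliberately short for a throwaway test CA.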
2670diff --git a/debian/tests/utils b/debian/tests/utils
2671new file mode 100644
2672index 0000000..e8a8584
2673--- /dev/null
2674+++ b/debian/tests/utils
2675@@ -0,0 +1,61 @@
2676+wait_container_ready() {
2677+ local container="${1}"
2678+ local -i limit=300 # seconds
2679+ local -i i=0
2680+ while /bin/true; do
2681+ ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
2682+ if [ -n "${ip}" ]; then
2683+ break
2684+ fi
2685+ i=$((i+1))
2686+ if [ ${i} -ge ${limit} ]; then
2687+ return 1
2688+ fi
2689+ sleep 1s
2690+ echo -n "."
2691+ done
2692+ while ! nc -z "${ip}" 22; do
2693+ echo -n "."
2694+ i=$((i+1))
2695+ if [ ${i} -ge ${limit} ]; then
2696+ return 1
2697+ fi
2698+ sleep 1s
2699+ done
2700+ # cloud-init might still be doing things...
2701+ # this call blocks, so wrap it in its own little timeout
2702+ # Give it ${limit} seconds too
2703+ output=$(lxc exec "${container}" -- timeout --verbose ${limit} cloud-init status --wait) || {
2704+ result=$?
2705+ echo "cloud-init status --wait failed on container ${container}"
2706+ echo "${output}"
2707+ return ${result}
2708+ }
2709+ echo
2710+}
2711+
2712+get_test_dependencies() {
2713+ local test_name="${1}"
2714+ shift
2715+ local exclusions="$*"
2716+ # Get test dependencies which we need to install in the containers
2717+ # we will create:
2718+ # -s: show Depends field
2719+ # -n: omit field name in output
2720+ # -X: do an exact match, instead of substring
2721+ # -F Tests: apply regexp to Tests field
2722+ depends=$(grep-dctrl -s Depends -n -F Tests -X "${test_name}" debian/tests/control | tr -d ,)
2723+ [ -n "${depends}" ] || {
2724+ echo "Failed to obtain list of dependencies for this test"
2725+ return 1
2726+ }
2727+ # remove exclusions, if any
2728+ for p in ${depends}; do
2729+ if echo "${exclusions}" | grep -qwF "${p}"; then
2730+ continue
2731+ else
2732+ echo "${p}"
2733+ fi
2734+ done
2735+}
2736+
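Review bot: `get_test_dependencies` tokenizes the Depends field only by stripping commas (`tr -d ,`), so version constraints such as `pkg (>= 1.0)`, `|` alternatives or the `@`/`@builddeps@` pseudo-dependencies would be emitted as if they were package names and passed to the install step in the containers; that is fine as long as the Depends line for this test stays a plain list, but a comment saying so would help the next person editing debian/tests/control. In `wait_container_ready`, `ip`, `output` and `result` are not declared `local` and will leak into the caller's scope, and the helper relies on `nc` and `grep-dctrl` (dctrl-tools) being present on the test host, so please double-check they are in the test's Depends (the debian/tests/control change is not in this hunk). Sharing the `i` counter between the IP-wait and port-22-wait loops means the two together are bounded by `limit` seconds, which looks intentional but is worth stating in the comment.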
2737diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
2738index 455c7cb..54c2b06 100644
2739--- a/debian/usr.sbin.swanctl
2740+++ b/debian/usr.sbin.swanctl
2741@@ -22,7 +22,7 @@
2742 /run/charon.vici rw,
2743
2744 # Allow reading own binary
2745- /usr/sbin/swanctl r,
2746+ /usr/sbin/swanctl rm,
2747
2748 # for af-alg plugin
2749 network alg seqpacket,
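Review bot: the change from `r` to `rm` on `/usr/sbin/swanctl` additionally permits mapping the binary with PROT_EXEC, which is the usual fix when AppArmor logs a `file_mmap` denial for a process mapping its own executable; the comment above (`# Allow reading own binary`) should be updated to say "reading and mapping" so the extra permission is documented, and the changelog entry should point at the denial or bug that motivated it so the widening is traceable.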
