Merge ~slyon/ubuntu/+source/strongswan:merge-lp2125990-resolute into ubuntu/+source/strongswan:debian/sid

Proposed by Lukas Märdian
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Lukas Märdian
Merged at revision: 328a08f3926ae82768b04d8059789ec9561596f9
Proposed branch: ~slyon/ubuntu/+source/strongswan:merge-lp2125990-resolute
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 2817 lines (+2527/-4)
8 files modified
debian/changelog (+2043/-0)
debian/control (+7/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/rules (+2/-0)
debian/tests/control (+6/-0)
debian/tests/host-to-host (+401/-0)
debian/tests/utils (+61/-0)
debian/usr.sbin.swanctl (+1/-1)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Jonas Jelten (community) Approve
Canonical Server Reporter Pending
Review via email: mp+496258@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~slyon/+archive/ubuntu/merge-lp2125990-strongswan/+packages

DEP-8:
$ ppa tests ppa:slyon/merge-lp2125990-strongswan -r resolute

Range-diff:
$ git range-diff lp2125990/old/debian..lp2125990/logical/6.0.1-6ubuntu5 lp2125990/new/debian..merge-lp2125990-resolute

Jonas Jelten (jj) wrote :

- host-to-host test fails with "Command not found"
- generated? test files are in the source package
- apart from that looks great!

Review Symbols:
+ = OK
! = Not OK
? = Question
N = Not applicable
S = Skipped

* Changelog:
  - [+] Changelog entry has correct version and targeted codename
  - [+] Correct formatting of changelog items
  - [+] Bug references correct
  - [+] Old content and logical tag match as expected (Package Merge)

* Release notes and Documentation
  - [N] Added, updated, or enqueued relevant documentation.
  - [N] Added, updated, or enqueued relevant release notes.

* Package Merge - indirect changes:
  - [+] No upstream changes that need adapting due to Ubuntu's design
  - [+] No further upstream version/changes to consider
  - [+] Debian changes are compatible with the Ubuntu implementation
  - [+] update-maintainer has been run

* Package Merge - old delta:
  - [+] Dropped changes are OK to be dropped
  - [+] Nothing else to drop
  - [+] Old delta was forwarded to upstream/Debian or marked as Ubuntu-only

* New delta in debian/*:
  - [N] New changes in debian/* are OK
  - [N] New delta was forwarded to Debian or marked as Ubuntu-only

* New patches:
  - [+] No new patches added
  - [S] Patches match those proposed/committed upstream
  - [S] Patches correctly included in debian/patches/series
  - [S] Patches have correct DEP-3 metadata
  - [S] Patches follow our style choices
  - [S] New code not from upstream was forwarded or marked as Ubuntu-only

* Git/maintenance:
  - [+] Commits are properly split (more important on -dev than on SRUs)

* Build/Test:
  - [+] Build is OK
  - [N] This is an SRU, the validation instructions are ok
  - [N] Testcases added or adapted (N/A if not strictly required or already present)
  - [!] autopkgtest against the PPA package passes (if possible, evidence was provided already)
  - [+] Based on PPA builds and the build-log, no new component mismatch expected
  - [+] Verified PPA package installs/uninstalls
  - [!] Verified PPA source package matches Merge Proposal source package
        Only in src-deb/testing/tests/*/*/hosts/*/etc/swanctl: rsa
        Only in src-deb/testing/tests/*/*/hosts/*/etc/swanctl: x509
        Only in src-deb/testing/tests/*/*/hosts/*/etc/swanctl: x509ca
  - [S] Verified function manually

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: slyon, jj
Uploaders: slyon
MP auto-approved

review: Approve
Lukas Märdian (slyon) wrote :

I think the additional test files are fine: those are just showing up because they are in .gitignore, and still added to the git tree.

When comparing to the orig.tar.bz2 file, I do only see changes in .git/ and debian/ – as expected:
$ git diff --no-index ../strongswan-6.0.4/ . |diffstat

The failing test needs to be investigated. I'm upgrading to the latest 6.0.4 to see if this makes any difference..
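
The tree-against-orig comparison slyon describes above, as an added shell example that is not part of this merge proposal or of the strongswan packaging: a function that lists every path differing between an unpacked upstream tree and a packaging tree, drops anything under debian/ or .git/, and fails when something outside the packaging directory was touched. The function name, directory names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the merge proposal or the strongswan package.
# Checks the property slyon verified with
#   git diff --no-index ../strongswan-6.0.4/ . | diffstat
# i.e. that a packaging tree differs from the upstream orig tree only
# under debian/ and .git/. Function and path names are constructed.

# delta_outside_packaging ORIG_DIR PKG_DIR
#   Prints every path (relative to the tree root) that differs between
#   the two trees and is not under debian/ or .git/. Returns 0 when the
#   only delta is packaging, 1 when upstream content was touched.
delta_outside_packaging() {
    orig_dir=${1%/}
    pkg_dir=${2%/}

    # `diff -rq` emits two line shapes:
    #   "Files ORIG/x and PKG/x differ"
    #   "Only in DIR: name"
    # Both are normalised to a root-relative path before filtering.
    offending=$(diff -rq "$orig_dir" "$pkg_dir" | while IFS= read -r line; do
        case $line in
            "Only in "*)
                rest=${line#Only in }
                dir=${rest%%: *}
                name=${rest#*: }
                rel=${dir#"$orig_dir"}
                rel=${rel#"$pkg_dir"}
                rel=${rel#/}
                if [ -n "$rel" ]; then rel="$rel/"; fi
                printf '%s%s\n' "$rel" "$name"
                ;;
            "Files "*)
                rest=${line#Files }
                first=${rest%% and *}
                rel=${first#"$orig_dir"}
                rel=${rel#/}
                printf '%s\n' "$rel"
                ;;
        esac
    done | grep -Ev '^(debian|\.git)(/|$)' || true)

    if [ -n "$offending" ]; then
        # Anything listed here is a change to upstream content and needs
        # a patch in debian/patches/ (or an explanation), not a silent edit.
        printf '%s\n' "$offending"
        return 1
    fi
    return 0
}

# Usage, e.g. from the unpacked packaging tree:
#   delta_outside_packaging ../strongswan-6.0.4 . || echo "upstream files changed"
```

Unlike the diffstat eyeball check, the function gives a non-zero exit status, so it can gate a local upload script: packaging-only deltas pass, while a stray edit under src/ is printed and fails the check.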

Lukas Märdian (slyon) wrote :

The interesting part of the test failure seems to be this:

1386s Creating host containers
1386s Launching container moon with release resolute
1402s Waiting for container moon to be ready ..Connection to 10.6.149.96 22 port [tcp/ssh] succeeded!
1402s 2025-11-25 15:27:41,994 - util.py[WARNING]: Failed loading yaml blob. Yaml load allows (<class 'dict'>,) root types, but got str instead
1403s cloud-init status --wait failed on container moon

from debian/tests/utils:wait_container_ready

It's receiving a YAML string instead of a dict :-/

Jonas Jelten (jj) wrote :

That looks like bug 2131809, which should be fixed in resolute?

Lukas Märdian (slyon) wrote :

Indeed, very much so! Also, it seems like a re-run of the DEP-8 test is passing. Still I see failures locally, but those might be unrelated local config issues.

I rebased on 6.0.4 to get the latest security updates and triggered another PPA build. I'd assume those tests to be green, once ready, and I'll upload after 6.0.4 DEP-8 is confirmed.

Lukas Märdian (slyon) wrote :

DEP-8 on 6.0.4 is now green, I'm uploading.

$ ppa tests ppa:slyon/merge-lp2125990-strongswan
[...]
* Results:
  - strongswan: resolute/strongswan/6.0.4-1ubuntu1~ppa1 [amd64]
    + ✅ strongswan on resolute for amd64 @ 20.01.26 10:41:58 Log️ 🗒️
  - strongswan: resolute/strongswan/6.0.4-1ubuntu1~ppa1 [arm64]
    + ✅ strongswan on resolute for arm64 @ 20.01.26 10:42:05 Log️ 🗒️
  - strongswan: resolute/strongswan/6.0.4-1ubuntu1~ppa1 [armhf]
    + ✅ strongswan on resolute for armhf @ 20.01.26 10:35:24 Log️ 🗒️
  - strongswan: resolute/strongswan/6.0.4-1ubuntu1~ppa1 [ppc64el]
    + ✅ strongswan on resolute for ppc64el @ 20.01.26 10:40:17 Log️ 🗒️
  - strongswan: resolute/strongswan/6.0.4-1ubuntu1~ppa1 [s390x]
    + Pending ...

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 08a0691..563f2cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
1strongswan (6.0.4-1ubuntu1) resolute; urgency=medium
2
3 * Merge with Debian unstable (LP: #2125990). Remaining changes:
4 - d/control: strongswan-starter hard-depends on strongswan-charon,
5 therefore bump the dependency from Recommends to Depends. At the same
6 time avoid a circular dependency by dropping
7 strongswan-charon->strongswan-starter from Depends to Recommends as the
8 binaries can work without the services but not vice versa.
9 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
10 + d/control: update libcharon-extra-plugins description.
11 + d/libcharon-extra-plugins.install: install .so and conf files.
12 + d/rules: add plugins to the configuration arguments.
13 - d/t/{control,host-to-host,utils}: new host-to-host test (LP #1999525)
14 - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl (LP #1999935)
15 * Dropped changes:
16 - Cherry-pick upstream commits to fix FTBFS with GCC-15 C23.
17 [applied in 6.0.2]
18 + debian/patches/gcc15-compat/*
19 - d/t/host-to-host: disable DNSSEC via negative trust anchor for lxd domain
20 (LP #2119652)
21 [not needed anymore, as DNSSEC allow-downgrade was dropped by default]
22 - SECURITY UPDATE: Buffer Overflow When Handling EAP-MSCHAPv2 Failure.
23 Requests
24 [applied in 6.0.3]
25 + debian/patches/CVE-2025-62291.patch: fix length check for Failure
26 Request packets on the client in
27 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
28
29 -- Lukas Märdian <slyon@ubuntu.com> Tue, 20 Jan 2026 09:58:16 +0100
30
1strongswan (6.0.4-1) unstable; urgency=medium31strongswan (6.0.4-1) unstable; urgency=medium
232
3 * New upstream version 6.0.4 (Closes: #1122971)33 * New upstream version 6.0.4 (Closes: #1122971)
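Review bot: the dropped-change title "- SECURITY UPDATE: Buffer Overflow When Handling EAP-MSCHAPv2 Failure." / "Requests" carries a stray period after "Failure" that splits the title; the 6.0.1-6ubuntu5 entry this refers to reads "Failure Requests", so drop the period here. Separately, both debian/patches/CVE-2025-62291.patch ("[applied in 6.0.3]") and debian/patches/gcc15-compat/* ("[applied in 6.0.2]") are dropped on the strength of upstream having taken them; before upload it is worth confirming against the 6.0.4 orig tarball that the length check in src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c matches what the dropped patch did, rather than relying on the version note alone.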
@@ -22,6 +52,61 @@ strongswan (6.0.2-1) unstable; urgency=medium
2252
23 -- Yves-Alexis Perez <corsac@debian.org> Fri, 22 Aug 2025 10:45:05 +020053 -- Yves-Alexis Perez <corsac@debian.org> Fri, 22 Aug 2025 10:45:05 +0200
2454
55strongswan (6.0.1-6ubuntu5) resolute; urgency=medium
56
57 * SECURITY UPDATE: Buffer Overflow When Handling EAP-MSCHAPv2 Failure
58 Requests
59 - debian/patches/CVE-2025-62291.patch: fix length check for Failure
60 Request packets on the client in
61 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
62 - CVE-2025-62291
63
64 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 Oct 2025 10:11:00 -0400
65
66strongswan (6.0.1-6ubuntu4) questing; urgency=medium
67
68 * d/t/host-to-host: configure negative trust anchor for lxd domain
69 Do this instead of disabling DNSSEC per-interface (LP: #2119652)
70
71 -- Nick Rosbrook <enr0n@ubuntu.com> Thu, 21 Aug 2025 12:46:41 -0400
72
73strongswan (6.0.1-6ubuntu3) questing; urgency=medium
74
75 * d/t/host-to-host: disable DNSSEC in container during test (LP: #2119652)
76
77 -- Nick Rosbrook <enr0n@ubuntu.com> Tue, 19 Aug 2025 10:26:51 -0400
78
79strongswan (6.0.1-6ubuntu2) questing; urgency=medium
80
81 * Cherry-pick upstream commits to fix FTBFS with GCC-15 C23.
82 - debian/patches/gcc15-compat/*
83
84 -- Lukas Märdian <slyon@ubuntu.com> Thu, 31 Jul 2025 09:47:21 +0200
85
86strongswan (6.0.1-6ubuntu1) questing; urgency=medium
87
88 * Merge with Debian unstable (LP: #2110449). Remaining changes:
89 - d/control: strongswan-starter hard-depends on strongswan-charon,
90 therefore bump the dependency from Recommends to Depends. At the same
91 time avoid a circular dependency by dropping
92 strongswan-charon->strongswan-starter from Depends to Recommends as the
93 binaries can work without the services but not vice versa.
94 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
95 + d/control: update libcharon-extra-plugins description.
96 + d/libcharon-extra-plugins.install: install .so and conf files.
97 + d/rules: add plugins to the configuration arguments.
98 - d/t/{control,host-to-host,utils}: new host-to-host test
99 (LP #1999525)
100 - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
101 (LP #1999935)
102 * Drop changes:
103 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
104 [ deprecated & dropped upstream as of 6.0.0 ]
105 - Remove conf files of plugins removed from libcharon-extra-plugins
106 [ Not relevant anymore after > 1 LTS cyle ]
107
108 -- Lukas Märdian <slyon@ubuntu.com> Thu, 24 Jul 2025 15:43:37 +0200
109
25strongswan (6.0.1-6) unstable; urgency=medium110strongswan (6.0.1-6) unstable; urgency=medium
26111
27 * d/control: keep strongswan-charon and strongswan-starter as acceptable112 * d/control: keep strongswan-charon and strongswan-starter as acceptable
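Review bot: the restored 6.0.1-6ubuntu5 to 6.0.1-6ubuntu1 entries are already-published history and must be byte-identical to the previous Ubuntu changelog, so the inherited typo in "[ Not relevant anymore after > 1 LTS cyle ]" and the "Drop changes" wording (versus "Dropped changes" in the new entry) should be left untouched in this merge rather than corrected; the check to run is that this hunk matches the old Ubuntu changelog verbatim, which is what the "Old content and logical tag match as expected" checklist item covers.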
@@ -102,6 +187,59 @@ strongswan (6.0.0-1) unstable; urgency=medium
102187
103 -- Yves-Alexis Perez <corsac@debian.org> Fri, 21 Feb 2025 14:09:27 +0100188 -- Yves-Alexis Perez <corsac@debian.org> Fri, 21 Feb 2025 14:09:27 +0100
104189
190strongswan (5.9.13-2ubuntu5) questing; urgency=medium
191
192 * No-change rebuild for libxml2 soname change.
193
194 -- Matthias Klose <doko@ubuntu.com> Tue, 20 May 2025 12:22:36 +0200
195
196strongswan (5.9.13-2ubuntu4) noble; urgency=medium
197
198 * No-change rebuild for CVE-2024-3094
199
200 -- William Grant <wgrant@ubuntu.com> Mon, 01 Apr 2024 15:55:30 +1100
201
202strongswan (5.9.13-2ubuntu3) noble; urgency=medium
203
204 * No-change rebuild against libcurl4t64
205
206 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 16 Mar 2024 07:03:41 +0000
207
208strongswan (5.9.13-2ubuntu2) noble; urgency=medium
209
210 * No-change rebuild against libssl3t64
211
212 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 21:28:04 +0000
213
214strongswan (5.9.13-2ubuntu1) noble; urgency=medium
215
216 * Merge with Debian unstable (LP: #2050099). Remaining changes:
217 - d/control: strongswan-starter hard-depends on strongswan-charon,
218 therefore bump the dependency from Recommends to Depends. At the same
219 time avoid a circular dependency by dropping
220 strongswan-charon->strongswan-starter from Depends to Recommends as the
221 binaries can work without the services but not vice versa.
222 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
223 + d/control: mention plugins in package description
224 + d/rules: enable ntru at build time
225 + d/libstrongswan-extra-plugins.install: ship config and shared objects
226 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
227 + d/control: update libcharon-extra-plugins description.
228 + d/libcharon-extra-plugins.install: install .so and conf files.
229 + d/rules: add plugins to the configuration arguments.
230 - Remove conf files of plugins removed from libcharon-extra-plugins
231 + The conf file of the following plugins were removed: eap-aka-3gpp2,
232 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
233 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
234 + Created d/libcharon-extra-plugins.maintscript to handle the removals
235 properly.
236 - d/t/{control,host-to-host,utils}: new host-to-host test
237 (LP #1999525)
238 - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
239 (LP #1999935)
240
241 -- Andreas Hasenack <andreas@canonical.com> Mon, 22 Jan 2024 11:48:33 -0300
242
105strongswan (5.9.13-2) unstable; urgency=medium243strongswan (5.9.13-2) unstable; urgency=medium
106244
107 * d/control: drop build-dep on systemd (Closes: #1060509)245 * d/control: drop build-dep on systemd (Closes: #1060509)
@@ -114,6 +252,42 @@ strongswan (5.9.13-1) unstable; urgency=medium
114252
115 -- Yves-Alexis Perez <corsac@debian.org> Thu, 11 Jan 2024 17:09:17 +0100253 -- Yves-Alexis Perez <corsac@debian.org> Thu, 11 Jan 2024 17:09:17 +0100
116254
255strongswan (5.9.12-1ubuntu1) noble; urgency=medium
256
257 * Merge with Debian unstable (LP: #2040430). Remaining changes:
258 - d/control: strongswan-starter hard-depends on strongswan-charon,
259 therefore bump the dependency from Recommends to Depends. At the same
260 time avoid a circular dependency by dropping
261 strongswan-charon->strongswan-starter from Depends to Recommends as the
262 binaries can work without the services but not vice versa.
263 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
264 + d/control: mention plugins in package description
265 + d/rules: enable ntru at build time
266 + d/libstrongswan-extra-plugins.install: ship config and shared objects
267 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
268 + d/control: update libcharon-extra-plugins description.
269 + d/libcharon-extra-plugins.install: install .so and conf files.
270 + d/rules: add plugins to the configuration arguments.
271 - Remove conf files of plugins removed from libcharon-extra-plugins
272 + The conf file of the following plugins were removed: eap-aka-3gpp2,
273 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
274 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
275 + Created d/libcharon-extra-plugins.maintscript to handle the removals
276 properly.
277 - d/t/{control,host-to-host,utils}: new host-to-host test
278 (LP #1999525)
279 - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
280 (LP #1999935)
281 * Dropped:
282 - SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
283 + debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
284 potential buffer overflow in
285 src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
286 + CVE-2023-41913
287 [Fixed upstream in 5.9.12]
288
289 -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Jan 2024 10:25:23 -0300
290
117strongswan (5.9.12-1) unstable; urgency=medium291strongswan (5.9.12-1) unstable; urgency=medium
118292
119 * New upstream version 5.9.12293 * New upstream version 5.9.12
@@ -130,6 +304,52 @@ strongswan (5.9.11-2) unstable; urgency=medium
130304
131 -- Yves-Alexis Perez <corsac@debian.org> Mon, 13 Nov 2023 20:22:47 +0100305 -- Yves-Alexis Perez <corsac@debian.org> Mon, 13 Nov 2023 20:22:47 +0100
132306
307strongswan (5.9.11-1ubuntu2) noble; urgency=medium
308
309 * SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
310 - debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
311 potential buffer overflow in
312 src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
313 - CVE-2023-41913
314
315 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 07 Nov 2023 11:43:00 +0200
316
317strongswan (5.9.11-1ubuntu1) mantic; urgency=medium
318
319 * Merge with Debian unstable (LP: #2018113). Remaining changes:
320 - d/control: strongswan-starter hard-depends on strongswan-charon,
321 therefore bump the dependency from Recommends to Depends. At the same
322 time avoid a circular dependency by dropping
323 strongswan-charon->strongswan-starter from Depends to Recommends as the
324 binaries can work without the services but not vice versa.
325 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
326 + d/control: mention plugins in package description
327 + d/rules: enable ntru at build time
328 + d/libstrongswan-extra-plugins.install: ship config and shared objects
329 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
330 + d/control: update libcharon-extra-plugins description.
331 + d/libcharon-extra-plugins.install: install .so and conf files.
332 + d/rules: add plugins to the configuration arguments.
333 - Remove conf files of plugins removed from libcharon-extra-plugins
334 + The conf file of the following plugins were removed: eap-aka-3gpp2,
335 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
336 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
337 + Created d/libcharon-extra-plugins.maintscript to handle the removals
338 properly.
339 - d/t/{control,host-to-host,utils}: new host-to-host test
340 (LP #1999525)
341 - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
342 (LP #1999935)
343 * Dropped:
344 - SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
345 Incorrect Refcount
346 + debian/patches/CVE-2023-26463.patch: fix authentication bypass and
347 expired pointer dereference in src/libtls/tls_server.c.
348 + CVE-2023-26463
349 [Fixed upstream in 5.9.10]
350
351 -- Andreas Hasenack <andreas@canonical.com> Fri, 23 Jun 2023 14:05:18 -0300
352
133strongswan (5.9.11-1) unstable; urgency=medium353strongswan (5.9.11-1) unstable; urgency=medium
134354
135 * New upstream version 5.9.10355 * New upstream version 5.9.10
@@ -149,6 +369,66 @@ strongswan (5.9.8-4) unstable; urgency=medium
149369
150 -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100370 -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100
151371
372strongswan (5.9.8-3ubuntu4) lunar; urgency=medium
373
374 * d/t/utils: also give `cloud-init status --wait` the same amount of
375 ${limit} seconds to complete, and bump limit to 5min. The logs show
376 the container started up fine, with an IP.
377
378 -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Mar 2023 11:00:58 -0300
379
380strongswan (5.9.8-3ubuntu3) lunar; urgency=medium
381
382 * SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
383 Incorrect Refcount
384 - debian/patches/CVE-2023-26463.patch: fix authentication bypass and
385 expired pointer dereference in src/libtls/tls_server.c.
386 - CVE-2023-26463
387
388 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 02 Mar 2023 12:58:47 -0500
389
390strongswan (5.9.8-3ubuntu2) lunar; urgency=medium
391
392 * d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
393 (LP: #1999935)
394
395 -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Dec 2022 16:07:51 -0300
396
397strongswan (5.9.8-3ubuntu1) lunar; urgency=medium
398
399 * Merge with Debian unstable (LP: #1993449). Remaining changes:
400 - d/control: strongswan-starter hard-depends on strongswan-charon,
401 therefore bump the dependency from Recommends to Depends. At the same
402 time avoid a circular dependency by dropping
403 strongswan-charon->strongswan-starter from Depends to Recommends as the
404 binaries can work without the services but not vice versa.
405 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
406 + d/control: mention plugins in package description
407 + d/rules: enable ntru at build time
408 + d/libstrongswan-extra-plugins.install: ship config and shared objects
409 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
410 + d/control: update libcharon-extra-plugins description.
411 + d/libcharon-extra-plugins.install: install .so and conf files.
412 + d/rules: add plugins to the configuration arguments.
413 - Remove conf files of plugins removed from libcharon-extra-plugins
414 + The conf file of the following plugins were removed: eap-aka-3gpp2,
415 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
416 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
417 + Created d/libcharon-extra-plugins.maintscript to handle the removals
418 properly.
419 * Dropped:
420 - SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
421 + debian/patches/CVE-2022-40617.patch: do online revocation checks only
422 after basic trust chain validation in
423 src/libstrongswan/credentials/credential_manager.c.
424 + CVE-2022-40617
425 [Included upstream in 5.9.8]
426 * Added:
427 - d/t/{control,host-to-host,utils}: new host-to-host test
428 (LP: #1999525)
429
430 -- Andreas Hasenack <andreas@canonical.com> Tue, 13 Dec 2022 11:04:24 -0300
431
152strongswan (5.9.8-3) unstable; urgency=medium432strongswan (5.9.8-3) unstable; urgency=medium
153433
154 * d/tests: also drop _copyright test since the util is gone as well434 * d/tests: also drop _copyright test since the util is gone as well
@@ -177,6 +457,46 @@ strongswan (5.9.8-1) unstable; urgency=medium
177457
178 -- Yves-Alexis Perez <corsac@debian.org> Wed, 05 Oct 2022 15:25:18 +0200458 -- Yves-Alexis Perez <corsac@debian.org> Wed, 05 Oct 2022 15:25:18 +0200
179459
460strongswan (5.9.6-1ubuntu2) kinetic; urgency=medium
461
462 * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
463 - debian/patches/CVE-2022-40617.patch: do online revocation checks only
464 after basic trust chain validation in
465 src/libstrongswan/credentials/credential_manager.c.
466 - CVE-2022-40617
467
468 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 05 Oct 2022 08:11:03 -0400
469
470strongswan (5.9.6-1ubuntu1) kinetic; urgency=medium
471
472 * Merge with Debian unstable (LP: #1971328). Remaining changes:
473 - d/control: strongswan-starter hard-depends on strongswan-charon,
474 therefore bump the dependency from Recommends to Depends. At the same
475 time avoid a circular dependency by dropping
476 strongswan-charon->strongswan-starter from Depends to Recommends as the
477 binaries can work without the services but not vice versa.
478 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
479 + d/control: mention plugins in package description
480 + d/rules: enable ntru at build time
481 + d/libstrongswan-extra-plugins.install: ship config and shared objects
482 - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
483 + d/control: update libcharon-extra-plugins description.
484 + d/libcharon-extra-plugins.install: install .so and conf files.
485 + d/rules: add plugins to the configuration arguments.
486 - Remove conf files of plugins removed from libcharon-extra-plugins
487 + The conf file of the following plugins were removed: eap-aka-3gpp2,
488 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
489 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
490 + Created d/libcharon-extra-plugins.maintscript to handle the removals
491 properly.
492 * Dropped:
493 - d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
494 segmentation fault; don't access OpenSSL objects inside atexit()
495 handlers. (LP #1964977)
496 [included by upstream in version 5.9.6]
497
498 -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 10 Jun 2022 15:03:17 -0300
499
180strongswan (5.9.6-1) unstable; urgency=medium500strongswan (5.9.6-1) unstable; urgency=medium
181501
182 * New upstream version 5.9.6502 * New upstream version 5.9.6
@@ -185,6 +505,42 @@ strongswan (5.9.6-1) unstable; urgency=medium
185505
186 -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200506 -- Yves-Alexis Perez <corsac@debian.org> Sat, 07 May 2022 20:19:18 +0200
187507
508strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
509
510 * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
511 segmentation fault; don't access OpenSSL objects inside atexit()
512 handlers. (LP: #1964977)
513
514 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 18 Mar 2022 14:24:34 -0400
515
516strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
517
518 * Merge with Debian unstable. Remaining changes:
519 - d/control: strongswan-starter hard-depends on strongswan-charon,
520 therefore bump the dependency from Recommends to Depends. At the same
521 time avoid a circular dependency by dropping
522 strongswan-charon->strongswan-starter from Depends to Recommends as the
523 binaries can work without the services but not vice versa.
524 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
525 + d/control: mention plugins in package description
526 + d/rules: enable ntru at build time
527 + d/libstrongswan-extra-plugins.install: ship config and shared objects
528 - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
529 + d/control: update libcharon-extra-plugins description.
530 + d/libcharon-extra-plugins.install: install .so and conf files.
531 + d/rules: add plugins to the configuration arguments.
532 - Remove conf files of plugins removed from libcharon-extra-plugins
533 + The conf file of the following plugins were removed: eap-aka-3gpp2,
534 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
535 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
536 + Created d/libcharon-extra-plugins.maintscript to handle the removals
537 properly.
538 * Dropped patches included in new version:
539 - debian/patches/CVE-2021-45079.patch
540 - debian/patches/load-legacy-provider-in-openssl3.patch
541
542 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 03 Feb 2022 10:49:49 -0500
543
188strongswan (5.9.5-2) unstable; urgency=medium544strongswan (5.9.5-2) unstable; urgency=medium
189545
190 * actually fix lintian overrides546 * actually fix lintian overrides
@@ -200,6 +556,60 @@ strongswan (5.9.5-1) unstable; urgency=medium
200556
201 -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100557 -- Yves-Alexis Perez <corsac@debian.org> Wed, 26 Jan 2022 14:38:54 +0100
202558
559strongswan (5.9.4-1ubuntu4) jammy; urgency=medium
560
561 * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
562 - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
563 generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
564 src/libcharon/plugins/eap_md5/eap_md5.c,
565 src/libcharon/plugins/eap_radius/eap_radius.c,
566 src/libcharon/sa/eap/eap_method.h,
567 src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
568 - CVE-2021-45079
569
570 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 01 Feb 2022 07:23:37 -0500
571
572strongswan (5.9.4-1ubuntu3) jammy; urgency=medium
573
574 * No-change rebuild against libssl3
575
576 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:38 +0000
577
578strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
579
580 * Add d/p/load-legacy-provider-in-openssl3.patch.
581 Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
582
583 -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100
584
585strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
586
587 * Merge with Debian unstable. Remaining changes:
588 - d/control: strongswan-starter hard-depends on strongswan-charon,
589 therefore bump the dependency from Recommends to Depends. At the same
590 time avoid a circular dependency by dropping
591 strongswan-charon->strongswan-starter from Depends to Recommends as the
592 binaries can work without the services but not vice versa.
593 - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
594 + d/control: mention plugins in package description
595 + d/rules: enable ntru at build time
596 + d/libstrongswan-extra-plugins.install: ship config and shared objects
597 - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
598 + d/control: update libcharon-extra-plugins description.
599 + d/libcharon-extra-plugins.install: install .so and conf files.
600 + d/rules: add plugins to the configuration arguments.
601 - Remove conf files of plugins removed from libcharon-extra-plugins
602 + The conf file of the following plugins were removed: eap-aka-3gpp2,
603 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
604 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
605 + Created d/libcharon-extra-plugins.maintscript to handle the removals
606 properly.
607 * Dropped changes:
608 - Compile the tpm plugin against the tpm2 software stack (tss2).
609 Merged in Debian (5.9.4-1).
610
611 -- Paride Legovini <paride@ubuntu.com> Fri, 12 Nov 2021 12:34:30 +0100
612
203strongswan (5.9.4-1) unstable; urgency=medium613strongswan (5.9.4-1) unstable; urgency=medium
204614
205 [ Paride Legovini ]615 [ Paride Legovini ]
@@ -216,6 +626,62 @@ strongswan (5.9.4-1) unstable; urgency=medium
216626
217 -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200627 -- Yves-Alexis Perez <corsac@debian.org> Tue, 19 Oct 2021 22:34:40 +0200
218628
629strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
630
631 * SECURITY UPDATE: Integer Overflow in gmp Plugin
632 - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
633 negative salt length in
634 src/libstrongswan/credentials/keys/signature_params.c,
635 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
636 - CVE-2021-41990
637 * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
638 - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
639 overflow/sign change in
640 src/libstrongswan/credentials/sets/cert_cache.c.
641 - CVE-2021-41991
642
643 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 18 Oct 2021 13:10:30 -0400
644
645strongswan (5.9.1-1ubuntu3) impish; urgency=medium
646
647 * Compile the tpm plugin against the tpm2 software stack (tss2)
648 (Debian packaging cherry-pick, LP: #1940079)
649 - d/rules: add the --enable-tss-tss2 configure flag
650 - d/control: add Build-Depends: libtss2-dev
651
652 -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200
653
654strongswan (5.9.1-1ubuntu2) impish; urgency=medium
655
656 * No-change rebuild due to OpenLDAP soname bump.
657
658 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:22 -0400
659
660strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium
661
662 * Merge with Debian unstable. Remaining changes:
663 - d/control: strongswan-starter hard-depends on strongswan-charon,
664 therefore bump the dependency from Recommends to Depends. At the same
665 time avoid a circular dependency by dropping
666 strongswan-charon->strongswan-starter from Depends to Recommends as the
667 binaries can work without the services but not vice versa.
668 - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
669 + d/control: mention plugins in package description
670 + d/rules: enable ntru at build time
671 + d/libstrongswan-extra-plugins.install: ship config and shared objects
672 - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
673 + d/control: update libcharon-extra-plugins description.
674 + d/libcharon-extra-plugins.install: install .so and conf files.
675 + d/rules: add plugins to the configuration arguments.
676 - Remove conf files of plugins removed from libcharon-extra-plugins
677 + The conf file of the following plugins were removed: eap-aka-3gpp2,
678 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
679 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
680 + Created d/libcharon-extra-plugins.maintscript to handle the removals
681 properly.
682
683 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 19 Jan 2021 12:39:11 +0100
684
219strongswan (5.9.1-1) unstable; urgency=medium685strongswan (5.9.1-1) unstable; urgency=medium
220686
221 * New upstream version 5.9.1687 * New upstream version 5.9.1
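Review bot: bug references in the restored 5.9.1-1ubuntu1 entry are written as "LP: 1863749" and "LP: 1878887", without the "#" that the 5.9.1-1ubuntu3 entry just above uses ("LP: #1940079"). These are historical entries carried over verbatim and should not be edited, so no change is requested here; the new top entry for this merge should use the "LP: #NNNNNNN" form throughout so the bug links resolve.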
@@ -230,6 +696,45 @@ strongswan (5.9.0-1) unstable; urgency=medium
230696
231 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200697 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200
232698
699strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
700
701 * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
702 - d/control: update libcharon-extra-plugins description.
703 - d/libcharon-extra-plugins.install: install .so and conf files.
704 - d/rules: add plugins to the configuration arguments.
705 * Remove conf files of plugins removed from libcharon-extra-plugins
706 - The conf file of the following plugins were removed: eap-aka-3gpp2,
707 eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
708 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
709 - Created d/libcharon-extra-plugins.maintscript to handle the removals
710 properly.
711
712 -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300
713
714strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
715
716 * Merge with Debian unstable. Remaining changes:
717 - d/control: strongswan-starter hard-depends on strongswan-charon,
718 therefore bump the dependency from Recommends to Depends. At the same
719 time avoid a circular dependency by dropping
720 strongswan-charon->strongswan-starter from Depends to Recommends as the
721 binaries can work without the services but not vice versa.
722 - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
723 + d/control: mention plugins in package description
724 + d/rules: enable ntru at build time
725 + d/libstrongswan-extra-plugins.install: ship config and shared objects
726 * Dropped:
727 - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
728 This is needed due to changes in regard to Debian bug 947176 and 939243
729 and can later be dropped again.
730 [applied by Debian in version 5.8.2-2]
731 - d/control: Transition from former Ubuntu only libcharon-standard-plugins
732 to common libcharon-extauth-plugins (drop after 20.04)
733 - d/control: Transition from strongswan-tnc-* being in extra packages
734 to libcharon-extra-plugins (drop after 20.04)
735
736 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 30 Apr 2020 18:06:55 -0300
737
233strongswan (5.8.4-1) unstable; urgency=medium738strongswan (5.8.4-1) unstable; urgency=medium
234739
235 * New upstream version 5.8.4 (Closes: #956446)740 * New upstream version 5.8.4 (Closes: #956446)
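Review bot: the 5.8.4-1ubuntu2 entry records that the conf files for eap-aka-3gpp2, eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, eap-simaka-reauth, eap-simaka-sql and xauth-noauth were removed and that d/libcharon-extra-plugins.maintscript was created to handle those removals; the same two items are repeated under "Remaining changes" in 5.9.1-1ubuntu1 higher up. That repetition is expected for a merge, but the top entry should say whether the maintscript and the conffile removals it drives are still carried or have been dropped, since stale removal entries are easy to leave behind unnoticed.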
@@ -245,6 +750,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
245750
246 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100751 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100
247752
753strongswan (5.8.2-1ubuntu3) focal; urgency=medium
754
755 * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
756 there is a potential local side-channel attack on strongSwan's BLISS
757 implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
758
759 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 10 Mar 2020 07:56:56 +0100
760
761strongswan (5.8.2-1ubuntu2) focal; urgency=medium
762
763 * re-add post-quantum computer signature scheme (BLISS) and encryption
764 algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
765 - d/control: mention plugins in package description
766 - d/rules: enable ntru and bliss at build time
767 - d/libstrongswan-extra-plugins.install: ship config and shared objects
768
769 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 04 Mar 2020 07:54:26 +0100
770
771strongswan (5.8.2-1ubuntu1) focal; urgency=medium
772
773 * Merge with Debian unstable (LP: #1861971). Remaining changes:
774 - d/control: Transition from strongswan-tnc-* being in extra packages
775 to libcharon-extra-plugins (drop after 20.04)
776 - d/control: Transition from former Ubuntu only libcharon-standard-plugins
777 to common libcharon-extauth-plugins (drop after 20.04)
778 - d/control: strongswan-starter hard-depends on strongswan-charon,
779 therefore bump the dependency from Recommends to Depends. At the same
780 time avoid a circular dependency by dropping
781 strongswan-charon->strongswan-starter from Depends to Recommends as the
782 binaries can work without the services but not vice versa.
783 * Added Changes
784 - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
785 This is needed due to changes in regard to Debian bug 947176 and 939243
786 and can later be dropped again.
787
788 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 05 Feb 2020 08:28:30 +0100
789
248strongswan (5.8.2-1) unstable; urgency=medium790strongswan (5.8.2-1) unstable; urgency=medium
249791
250 [ Jean-Michel Vourgère ]792 [ Jean-Michel Vourgère ]
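Review bot: the 5.8.2-1ubuntu3 entry documents that BLISS was removed again because of the local side-channel result at https://eprint.iacr.org/2017/505 (LP: #1866765), directly after 5.8.2-1ubuntu2 had enabled "ntru and bliss" in d/rules. The later 5.9.1-1ubuntu1 entry consistently re-adds only NTRU, so the restored history is coherent and needs no edit; the check for this merge is that bliss stays disabled in d/rules, because any edit to that file could silently undo the revert.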
@@ -261,6 +803,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
261803
262 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100804 -- Yves-Alexis Perez <corsac@debian.org> Wed, 01 Jan 2020 14:35:46 +0100
263805
806strongswan (5.8.1-1ubuntu1) focal; urgency=medium
807
808 * Merge with Debian unstable (LP: #1852579). Remaining changes:
809 - d/control: Transition from strongswan-tnc-* being in extra packages
810 to libcharon-extra-plugins
811 * Added Changes:
812 - d/control: Transition from former Ubuntu only libcharon-standard-plugins
813 to common libcharon-extauth-plugins (drop after 20.04)
814 - d/control: strongswan-starter hard-depends on strongswan-charon,
815 therefore bump the dependency from Recommends to Depends. At the same
816 time avoid a circular dependency by dropping
817 strongswan-charon->strongswan-starter from Depends to Recommends as the
818 binaries can work without the services but not vice versa.
819 * Dropped Changes (now in Debian):
820 - Clean up d/strongswan-starter.postinst: section about runlevel changes
821 - Clean up d/strongswan-starter.postinst: Removed entire section on
822 opportunistic encryption disabling - this was never in strongSwan and
823 won't be see upstream issue #2160.
824 - d/rules: Removed patching ipsec.conf on build (not using the
825 debconf-managed config.)
826 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
827 used for debconf-managed include of private key).
828 - Add plugin kernel-libipsec to allow the use of strongswan in containers
829 via this userspace implementation (please do note that this is still
830 considered experimental by upstream).
831 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
832 + d/control: List kernel-libipsec plugin at extra plugins description
833 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
834 upstream recommends to not load kernel-libipsec by default.
835 - d/control: Mention mgf1 plugin which is in libstrongswan now
836 - Complete the disabling of libfast; This was partially accepted in Debian,
837 it is no more packaging medcli and medsrv, but still builds and
838 mentions it.
839 + d/rules: Add --disable-fast to avoid build time and dependencies
840 + d/control: Remove medcli, medsrv from package description
841 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
842 libstrongswan-extra-plugins (no deps from default plugins).
843 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
844 plugins for the most common use cases from extra-plugins into a new
845 standard-plugins package. This will allow those use cases without pulling
846 in too much more plugins (a bit like the tnc package). Recommend that
847 package from strongswan-libcharon.
848 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
849 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
850 - executables need to be able to read map and execute themselves otherwise
851 execution in some environments e.g. containers is blocked (LP 1780534)
852 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
853 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
854 - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
855 profiles of both ways to start charon (LP 1807664)
856 - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
857 - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
858 Debian so this part was be dropped. Two changes remain
859 - d/control: fix the mentioning of tpmtss in d/control
860 - apparmor fixes for container and root usage (LP 1826238)
861 + d/usr.sbin.swanctl: allow reading own binary
862 + d/usr.sbin.charon-systemd: allow accessing the binary
863 + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
864 + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
865 to apparmor to allow dropping caps
866 * Dropped Changes (too uncommon to support by default)
867 - d/libstrongswan.install: Add kernel-netlink configuration files
868 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
869 attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
870 - Mass enablement of extra plugins and features to allow a user to use
871 strongswan for a variety of extra use cases without having to rebuild.
872 + d/control: Add required additional build-deps
873 + d/control: Mention addtionally enabled plugins
874 + d/rules: Enable features at configure stage
875 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
876 + d/libstrongswan.install: Add plugins (so, conf)
877 + d/strongswan-starter.install: Install pool feature, which is useful
878 since we now have attr-sql plugin enabled it.
879 - Enable additional TNC plugins and add them to libcharon-extra-plugins
880
881 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 14 Nov 2019 15:00:15 +0100
882
264strongswan (5.8.1-1) unstable; urgency=medium883strongswan (5.8.1-1) unstable; urgency=medium
265884
266 * d/rules: disable http and stream tests under CI885 * d/rules: disable http and stream tests under CI
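Review bot: the 5.8.1-1ubuntu1 entry is the one that carries the AppArmor delta (attach_disconnected for swanctl, CAP_SETPCAP in the charon and charon-systemd profiles, rmix on the stroke and lookip binaries, own-binary and own-FD reads) and it also carries typos ("itisn't", "was be dropped", "addtionally", "libbstrongswan-extra-plugins.install"). The typos are in a historical entry and must stay as they are; what matters for this merge is that an edit to d/usr.sbin.swanctl or to the charon profiles keeps each of the rules listed here, and that the top entry states which of them are still needed.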
@@ -330,6 +949,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
330949
331 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200950 -- Yves-Alexis Perez <corsac@debian.org> Mon, 26 Aug 2019 12:58:23 +0200
332951
952strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
953
954 * No change rebuild for libmysqlclient21.
955
956 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 15 Aug 2019 09:34:34 +0200
957
958strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
959
960 * Rebuild against new libjson-c4.
961
962 -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Jul 2019 10:53:07 +0200
963
964strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
965
966 [ Christian Ehrhardt ]
967 * Merge with Debian unstable. Remaining changes:
968 - Clean up d/strongswan-starter.postinst: section about runlevel changes
969 - Clean up d/strongswan-starter.postinst: Removed entire section on
970 opportunistic encryption disabling - this was never in strongSwan and
971 won't be see upstream issue #2160.
972 - d/rules: Removed patching ipsec.conf on build (not using the
973 debconf-managed config.)
974 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
975 used for debconf-managed include of private key).
976 - Mass enablement of extra plugins and features to allow a user to use
977 strongswan for a variety of extra use cases without having to rebuild.
978 + d/control: Add required additional build-deps
979 + d/control: Mention addtionally enabled plugins
980 + d/rules: Enable features at configure stage
981 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
982 + d/libstrongswan.install: Add plugins (so, conf)
983 + d/strongswan-starter.install: Install pool feature, which is useful
984 since we now have attr-sql plugin enabled it.
985 - Add plugin kernel-libipsec to allow the use of strongswan in containers
986 via this userspace implementation (please do note that this is still
987 considered experimental by upstream).
988 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
989 + d/control: List kernel-libipsec plugin at extra plugins description
990 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
991 upstream recommends to not load kernel-libipsec by default.
992 - d/libstrongswan.install: Add kernel-netlink configuration files
993 - Complete the disabling of libfast; This was partially accepted in Debian,
994 it is no more packaging medcli and medsrv, but still builds and
995 mentions it.
996 + d/rules: Add --disable-fast to avoid build time and dependencies
997 + d/control: Remove medcli, medsrv from package description
998 - d/control: Mention mgf1 plugin which is in libstrongswan now
999 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1000 libstrongswan-extra-plugins (no deps from default plugins).
1001 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1002 plugins for the most common use cases from extra-plugins into a new
1003 standard-plugins package. This will allow those use cases without pulling
1004 in too much more plugins (a bit like the tnc package). Recommend that
1005 package from strongswan-libcharon.
1006 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
1007 attr-sql plugins (LP #1766240)
1008 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
1009 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
1010 - executables need to be able to read map and execute themselves otherwise
1011 execution in some environments e.g. containers is blocked (LP: 1780534)
1012 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
1013 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
1014 - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
1015 profiles of both ways to start charon (LP: 1807664)
1016 - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
1017 * Dropped changes
1018 - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
1019 fix SIGSEGV when using mysql plugin (LP: 1795813)
1020 [upstream in 5.7.2]
1021 - d/libstrongswan.install: Reorder conf and .so alphabetically
1022 [was a non functional change, dropped to avoid merge noise]
1023 - Relocate tnc plugin
1024 [TNC is back at libcharon-extra-plugins as it is in Debian]
1025 * Added changes:
1026 - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
1027 Debian so this part was be dropped. Two changes remain
1028 - d/control: fix the mentioning of tpmtss in d/control
1029 - add nttfft (can be merged with the mass enablement change later)
1030 - Transitional packages to go back from strongswan-tnc-* being in extra
1031 packages to be part of libcharon-extra-plugins.
1032 [can be dropped after 20.04]
1033
1034 [ Simon Deziel ]
1035 * Added changes:
1036 - apparmor fixes for container and root usage (LP: #1826238)
1037 + d/usr.sbin.swanctl: allow reading own binary
1038 + d/usr.sbin.charon-systemd: allow accessing the binary
1039 + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
1040 + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
1041 to apparmor to allow dropping caps
1042
1043 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 26 Apr 2019 11:31:17 +0200
1044
333strongswan (5.7.2-1) unstable; urgency=medium1045strongswan (5.7.2-1) unstable; urgency=medium
3341046
335 * d/control: remove Rene from Uploaders, thanks!1047 * d/control: remove Rene from Uploaders, thanks!
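Review bot: bug reference forms are mixed within the single 5.7.2-1ubuntu1 entry ("LP #1766240", "LP #1786250", "LP: 1773956", "LP: #1826238"). This is a restored historical entry and stays verbatim; the new top entry should stick to the "LP: #NNNNNNN" form that the Simon Deziel section of the same entry and the 5.8.4-1ubuntu2 entry use.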
@@ -348,6 +1060,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
3481060
349 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +01001061 -- Yves-Alexis Perez <corsac@debian.org> Wed, 02 Jan 2019 13:02:11 +0100
3501062
1063strongswan (5.7.1-1ubuntu2) disco; urgency=medium
1064
1065 * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
1066 path (LP: #1773956)
1067 * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
1068 profiles of both ways to start charon (LP: #1807664)
1069 * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
1070
1071 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
1072
1073strongswan (5.7.1-1ubuntu1) disco; urgency=medium
1074
1075 * Merge with Debian unstable (LP: #1806401). Remaining changes:
1076 - Clean up d/strongswan-starter.postinst: section about runlevel changes
1077 - Clean up d/strongswan-starter.postinst: Removed entire section on
1078 opportunistic encryption disabling - this was never in strongSwan and
1079 won't be see upstream issue #2160.
1080 - d/rules: Removed patching ipsec.conf on build (not using the
1081 debconf-managed config.)
1082 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1083 used for debconf-managed include of private key).
1084 - Mass enablement of extra plugins and features to allow a user to use
1085 strongswan for a variety of extra use cases without having to rebuild.
1086 + d/control: Add required additional build-deps
1087 + d/control: Mention addtionally enabled plugins
1088 + d/rules: Enable features at configure stage
1089 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1090 + d/libstrongswan.install: Add plugins (so, conf)
1091 - d/strongswan-starter.install: Install pool feature, which is useful since
1092 we have attr-sql plugin enabled as well using it.
1093 - Add plugin kernel-libipsec to allow the use of strongswan in containers
1094 via this userspace implementation (please do note that this is still
1095 considered experimental by upstream).
1096 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
1097 + d/control: List kernel-libipsec plugin at extra plugins description
1098 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1099 upstream recommends to not load kernel-libipsec by default.
1100 - Relocate tnc plugin
1101 + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1102 + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1103 - d/libstrongswan.install: Reorder conf and .so alphabetically
1104 - d/libstrongswan.install: Add kernel-netlink configuration files
1105 - Complete the disabling of libfast; This was partially accepted in Debian,
1106 it is no more packaging medcli and medsrv, but still builds and
1107 mentions it.
1108 + d/rules: Add --disable-fast to avoid build time and dependencies
1109 + d/control: Remove medcli, medsrv from package description
1110 - d/control: Mention mgf1 plugin which is in libstrongswan now
1111 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1112 libstrongswan-extra-plugins (no deps from default plugins).
1113 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1114 plugins for the most common use cases from extra-plugins into a new
1115 standard-plugins package. This will allow those use cases without pulling
1116 in too much more plugins (a bit like the tnc package). Recommend that
1117 package from strongswan-libcharon.
1118 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
1119 attr-sql plugins (LP #1766240)
1120 - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
1121 * Added Changes:
1122 - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
1123 fix SIGSEGV when using mysql plugin (LP: #1795813)
1124 - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
1125 - executables need to be able to read map and execute themselves otherwise
1126 execution in some environments e.g. containers is blocked (LP: #1780534)
1127 + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
1128 + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
1129 - adapt "mass enablement of extra plugins" to match 5.7.x changes
1130 + d/rules: use new options for swima instead of swid
1131 + d/strongswan-tnc-server.install: add new sec updater tool
1132 + d/strongswan-tnc-client.install: add new sw-collector tool
1133 * Dropped (in Debian now):
1134 - SECURITY UPDATE: Insufficient input validation in gmp plugin
1135 (CVE-2018-17540)
1136 - SECURITY UPDATE: Insufficient input validation in gmp plugin
1137 (CVE-2018-16151 CVE-2018-16152)
1138 - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
1139 usr-merge, thanks to Christian Ehrhardt. LP #1784023
1140
1141 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Dec 2018 15:18:31 +0100
1142
351strongswan (5.7.1-1) unstable; urgency=medium1143strongswan (5.7.1-1) unstable; urgency=medium
3521144
353 [ Ondřej Nový ]1145 [ Ondřej Nový ]
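Review bot: the usr-merge item in the 5.7.1-1ubuntu1 entry names the second profile as "d/usr/sbin/charon-systemd" (slashes) while every other item in this diff refers to it as d/usr.sbin.charon-systemd, and its bug reference is "LP #1784023" without the colon and "#". Both are historical and stay as written; the top entry for this merge should name AppArmor profiles by their actual d/ file names so that a reader can grep for them.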
@@ -378,6 +1170,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
3781170
379 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +02001171 -- Yves-Alexis Perez <corsac@debian.org> Mon, 24 Sep 2018 16:36:28 +0200
3801172
1173strongswan (5.6.3-1ubuntu5) disco; urgency=medium
1174
1175 * No-change rebuild against libunbound8
1176
1177 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Nov 2018 09:01:53 +0000
1178
1179strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
1180
1181 * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
1182 Thanks to Matt Callaghan.
1183
1184 -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 10:34:01 -0300
1185
1186strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
1187
1188 * SECURITY UPDATE: Insufficient input validation in gmp plugin
1189 - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
1190 buffer overflow with very small RSA keys in
1191 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
1192 - CVE-2018-17540
1193
1194 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Oct 2018 13:23:59 -0400
1195
1196strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
1197
1198 * SECURITY UPDATE: Insufficient input validation in gmp plugin
1199 - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
1200 parse PKCS1 v1.5 RSA signatures to verify them in
1201 src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
1202 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
1203 - CVE-2018-16151
1204 - CVE-2018-16152
1205
1206 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Sep 2018 10:16:15 -0400
1207
1208strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
1209
1210 * Merge with Debian unstable. Remaining changes:
1211 - Clean up d/strongswan-starter.postinst: section about runlevel changes
1212 - Clean up d/strongswan-starter.postinst: Removed entire section on
1213 opportunistic encryption disabling - this was never in strongSwan and
1214 won't be see upstream issue #2160.
1215 - d/rules: Removed patching ipsec.conf on build (not using the
1216 debconf-managed config.)
1217 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1218 used for debconf-managed include of private key).
1219 - Mass enablement of extra plugins and features to allow a user to use
1220 strongswan for a variety of extra use cases without having to rebuild.
1221 + d/control: Add required additional build-deps
1222 + d/control: Mention addtionally enabled plugins
1223 + d/rules: Enable features at configure stage
1224 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1225 + d/libstrongswan.install: Add plugins (so, conf)
1226 - d/strongswan-starter.install: Install pool feature, which is useful since
1227 we have attr-sql plugin enabled as well using it.
1228 - Add plugin kernel-libipsec to allow the use of strongswan in containers
1229 via this userspace implementation (please do note that this is still
1230 considered experimental by upstream).
1231 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
1232 + d/control: List kernel-libipsec plugin at extra plugins description
1233 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1234 upstream recommends to not load kernel-libipsec by default.
1235 - Relocate tnc plugin
1236 + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1237 + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1238 - d/libstrongswan.install: Reorder conf and .so alphabetically
1239 - d/libstrongswan.install: Add kernel-netlink configuration files
1240 - Complete the disabling of libfast; This was partially accepted in Debian,
1241 it is no more packaging medcli and medsrv, but still builds and
1242 mentions it.
1243 + d/rules: Add --disable-fast to avoid build time and dependencies
1244 + d/control: Remove medcli, medsrv from package description
1245 - d/control: Mention mgf1 plugin which is in libstrongswan now
1246 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1247 libstrongswan-extra-plugins (no deps from default plugins).
1248 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1249 plugins for the most common use cases from extra-plugins into a new
1250 standard-plugins package. This will allow those use cases without pulling
1251 in too much more plugins (a bit like the tnc package). Recommend that
1252 package from strongswan-libcharon.
1253 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
1254 attr-sql plugins (LP #1766240)
1255 - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
1256 usr-merge, thanks to Christian Ehrhardt. LP #1784023
1257 * Dropped:
1258 - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
1259 [Fixed in 5.6.3-1]
1260
1261 -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
1262
381strongswan (5.6.3-1) unstable; urgency=medium1263strongswan (5.6.3-1) unstable; urgency=medium
3821264
383 * New upstream version 5.6.21265 * New upstream version 5.6.2
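Review bot: the 5.6.3-1ubuntu3 and 5.6.3-1ubuntu2 entries name the Ubuntu security patches debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch (CVE-2018-17540) and debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch (CVE-2018-16151, CVE-2018-16152), both touching src/libstrongswan/plugins/gmp. The later 5.7.1-1ubuntu1 entry marks those fixes as "Dropped (in Debian now)", so these file names should not reappear in debian/patches in this merge; a quick listing of the patch directory is enough to confirm that.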
@@ -393,6 +1275,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
3931275
394 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +02001276 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
3951277
1278strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
1279
1280 * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
1281
1282 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
1283
1284strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
1285
1286 * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
1287 Remaining changes:
1288 + Clean up d/strongswan-starter.postinst: section about runlevel changes
1289 + Clean up d/strongswan-starter.postinst: Removed entire section on
1290 opportunistic encryption disabling - this was never in strongSwan and
1291 won't be see upstream issue #2160.
1292 + d/rules: Removed patching ipsec.conf on build (not using the
1293 debconf-managed config.)
1294 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1295 used for debconf-managed include of private key).
1296 + Mass enablement of extra plugins and features to allow a user to use
1297 strongswan for a variety of extra use cases without having to rebuild.
1298 - d/control: Add required additional build-deps
1299 - d/control: Mention addtionally enabled plugins
1300 - d/rules: Enable features at configure stage
1301 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1302 - d/libstrongswan.install: Add plugins (so, conf)
1303 + d/strongswan-starter.install: Install pool feature, which is useful since
1304 we have attr-sql plugin enabled as well using it.
1305 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1306 via this userspace implementation (please do note that this is still
1307 considered experimental by upstream).
1308 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1309 - d/control: List kernel-libipsec plugin at extra plugins description
1310 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1311 upstream recommends to not load kernel-libipsec by default.
1312 + Relocate tnc plugin
1313 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1314 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1315 + d/libstrongswan.install: Reorder conf and .so alphabetically
1316 + d/libstrongswan.install: Add kernel-netlink configuration files
1317 + Complete the disabling of libfast; This was partially accepted in Debian,
1318 it is no more packaging medcli and medsrv, but still builds and
1319 mentions it.
1320 - d/rules: Add --disable-fast to avoid build time and dependencies
1321 - d/control: Remove medcli, medsrv from package description
1322 + d/control: Mention mgf1 plugin which is in libstrongswan now
1323 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1324 libstrongswan-extra-plugins (no deps from default plugins).
1325 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1326 plugins for the most common use cases from extra-plugins into a new
1327 standard-plugins package. This will allow those use cases without pulling
1328 in too much more plugins (a bit like the tnc package). Recommend that
1329 package from strongswan-libcharon.
1330 * Dropped Changes (no more needed after 18.04)
1331 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1332 missed that, droppable after 18.04)
1333 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1334 libstrongswan as we dropped relocating ccm and test-vectors.
1335 (droppable >18.04).
1336 + d/control: add breaks/replace from libstrongswan to
1337 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1338 (droppable >18.04).
1339 + d/control: bump breaks/replaces for the move of the updown plugin
1340 (Missed Changelog entry on last merge)
1341 + d/control: fix dependencies of strongswan-libcharon due to the move
1342 the updown plugin (droppable >18.04).
1343 * Added Changes:
1344 + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
1345 attr-sql plugins (LP: #1766240)
1346 + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
1347
1348 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
1349
396strongswan (5.6.2-2) unstable; urgency=medium1350strongswan (5.6.2-2) unstable; urgency=medium
3971351
398 * charon-nm: Fix building list of DNS/MDNS servers with libnm1352 * charon-nm: Fix building list of DNS/MDNS servers with libnm
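Review bot: the 5.6.2-2ubuntu1 entry shows how transitional packaging bits were retired under "Dropped Changes (no more needed after 18.04)": the rm_conffile for /etc/init.d/ipsec and the Breaks/Replaces bumps for the ccm/test-vectors, mgf1 and updown moves. Later entries in this diff mark the strongswan-tnc-* and libcharon-standard-plugins transitions "drop after 20.04" in the same way, so the top entry for this merge should state explicitly whether any "(droppable >NN.NN)" item is still carried, rather than leaving the next merger to reconstruct it from history. "precies" is a historical typo and stays as written.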
@@ -403,6 +1357,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
4031357
404 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +02001358 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
4051359
1360strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
1361
1362 * d/control: fix dependencies of strongswan-libcharon due to the move
1363 the updown plugin.
1364
1365 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
1366
1367strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
1368
1369 * Merge with Debian unstable (LP: #1753018). Remaining changes:
1370 + Clean up d/strongswan-starter.postinst: section about runlevel changes
1371 + Clean up d/strongswan-starter.postinst: Removed entire section on
1372 opportunistic encryption disabling - this was never in strongSwan and
1373 won't be see upstream issue #2160.
1374 + Ubuntu is not using the debconf triggered private key generation
1375 - d/rules: Removed patching ipsec.conf on build (not using the
1376 debconf-managed config.)
1377 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1378 used for debconf-managed include of private key).
1379 + Mass enablement of extra plugins and features to allow a user to use
1380 strongswan for a variety of extra use cases without having to rebuild.
1381 - d/control: Add required additional build-deps
1382 - d/control: Mention addtionally enabled plugins
1383 - d/rules: Enable features at configure stage
1384 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1385 - d/libstrongswan.install: Add plugins (so, conf)
1386 + d/strongswan-starter.install: Install pool feature, which is useful since
1387 we have attr-sql plugin enabled as well using it.
1388 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1389 via this userspace implementation (please do note that this is still
1390 considered experimental by upstream).
1391 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1392 - d/control: List kernel-libipsec plugin at extra plugins description
1393 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1394 upstream recommends to not load kernel-libipsec by default.
1395 + Relocate tnc plugin
1396 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1397 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1398 + d/libstrongswan.install: Reorder conf and .so alphabetically
1399 + d/libstrongswan.install: Add kernel-netlink configuration files
1400 + Complete the disabling of libfast; This was partially accepted in Debian,
1401 it is no more packaging medcli and medsrv, but still builds and
1402 mentions it.
1403 - d/rules: Add --disable-fast to avoid build time and dependencies
1404 - d/control: Remove medcli, medsrv from package description
1405 + d/control: Mention mgf1 plugin which is in libstrongswan now
1406 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1407 libstrongswan-extra-plugins (no deps from default plugins).
1408 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1409 missed that, droppable after 18.04)
1410 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1411 plugins for the most common use cases from extra-plugins into a new
1412 standard-plugins package. This will allow those use cases without pulling
1413 in too much more plugins (a bit like the tnc package). Recommend that
1414 package from strongswan-libcharon.
1415 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1416 libstrongswan as we dropped relocating ccm and test-vectors.
1417 (droppable >18.04).
1418 + d/control: add breaks/replace from libstrongswan to
1419 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1420 (droppable >18.04).
1421 * Added Changes:
1422 + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
1423 starter as we followed Debian to move the updown plugin but need to
1424 match Ubuntu versions (Droppable >18.04).
1425
1426 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
1427
406strongswan (5.6.2-1) unstable; urgency=medium1428strongswan (5.6.2-1) unstable; urgency=medium
4071429
408 * d/NEWS: add information about disabled algorithms (closes: #883072)1430 * d/NEWS: add information about disabled algorithms (closes: #883072)
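Review bot: the restored 5.6.2-1ubuntu1 and 5.6.2-1ubuntu2 entries carry several Breaks/Replaces items explicitly marked "droppable >18.04" (libstrongswan-extra-plugins to libstrongswan, libstrongswan to libstrongswan-extra-plugins, strongswan-libcharon to strongswan-starter); for a merge targeting resolute none of those transitional Breaks/Replaces should still be present in d/control, so please confirm the d/control delta in this proposal does not carry any of them forward. The placement itself looks right: both Ubuntu entries land between Debian's 5.6.2-2 and 5.6.2-1, which is the expected dpkg version order.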
@@ -425,6 +1447,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
4251447
426 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +01001448 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
4271449
1450strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
1451
1452 * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
1453 - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
1454 identifier without parameters in
1455 src/libstrongswan/credentials/keys/signature_params.c.
1456 - CVE-2018-6459
1457
1458 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
1459
1460strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
1461
1462 * No-change rebuild against libcurl4
1463
1464 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
1465
1466strongswan (5.6.1-2ubuntu2) bionic; urgency=high
1467
1468 * No change rebuild against openssl1.1.
1469
1470 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
1471
1472strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
1473
1474 * Merge with Debian unstable (LP: #1717343).
1475 Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
1476 + Clean up d/strongswan-starter.postinst: section about runlevel changes
1477 + Clean up d/strongswan-starter.postinst: Removed entire section on
1478 opportunistic encryption disabling - this was never in strongSwan and
1479 won't be see upstream issue #2160.
1480 + Ubuntu is not using the debconf triggered private key generation
1481 - d/rules: Removed patching ipsec.conf on build (not using the
1482 debconf-managed config.)
1483 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
1484 used for debconf-managed include of private key).
1485 + Mass enablement of extra plugins and features to allow a user to use
1486 strongswan for a variety of extra use cases without having to rebuild.
1487 - d/control: Add required additional build-deps
1488 - d/control: Mention addtionally enabled plugins
1489 - d/rules: Enable features at configure stage
1490 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1491 - d/libstrongswan.install: Add plugins (so, conf)
1492 + d/strongswan-starter.install: Install pool feature, which is useful since
1493 we have attr-sql plugin enabled as well using it.
1494 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1495 via this userspace implementation (please do note that this is still
1496 considered experimental by upstream).
1497 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1498 - d/control: List kernel-libipsec plugin at extra plugins description
1499 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1500 upstream recommends to not load kernel-libipsec by default.
1501 + Relocate tnc plugin
1502 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1503 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1504 + d/libstrongswan.install: Reorder conf and .so alphabetically
1505 + d/libstrongswan.install: Add kernel-netlink configuration files
1506 + Complete the disabling of libfast; This was partially accepted in Debian,
1507 it is no more packaging medcli and medsrv, but still builds and
1508 mentions it.
1509 - d/rules: Add --disable-fast to avoid build time and dependencies
1510 - d/control: Remove medcli, medsrv from package description
1511 + d/control: Mention mgf1 plugin which is in libstrongswan now
1512 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
1513 libstrongswan-extra-plugins (no deps from default plugins).
1514 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1515 missed that, droppable after 18.04)
1516 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1517 plugins for the most common use cases from extra-plugins into a new
1518 standard-plugins package. This will allow those use cases without pulling
1519 in too much more plugins (a bit like the tnc package). Recommend that
1520 package from strongswan-libcharon.
1521 * Added changes:
1522 + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
1523 in 5.6
1524 + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
1525 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
1526 libstrongswan as we dropped relocating ccm and test-vectors.
1527 (droppable >18.04).
1528 - d/control: add breaks/replace from libstrongswan to
1529 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
1530 (droppable >18.04).
1531 * Dropped changes:
1532 + Update init/service handling (debian default matches Ubuntu past now)
1533 Dropping this fixes (LP: #1734886)
1534 - d/rules: Change init/systemd program name to strongswan
1535 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1536 patching upstream
1537 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1538 linking to upstream
1539 + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
1540 (this is a never failing no-op for us, no need for Delta).
1541 + d/strongswan-starter.prerm: Stop strongswan service on package removal
1542 (ipsec now maps to strongswan service, so this works as-is).
1543 + Clean up d/strongswan-starter.postinst: rename service ipsec to
1544 strongswan (ipsec now maps to strongswan service, so this works as-is)
1545 + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
1546 whole section is disabled, so no need for delta)
1547 + (is upstream) CVE-2017-11185 patches
1548 + (is upstream) FTBFS upstream fix for changed include files
1549 + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
1550 QEMU/KVM autopkgtest the bliss test takes longer than the default
1551 + (in Debian) add now built (since 5.5.1) mgf1 plugin to
1552 libstrongswan-extra-plugins.
1553 + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
1554 + (this was enabled as part of the former delta, squash changes to no-up)
1555 d/rules: Disable duplicheck.
1556 + (not needed) Relocate plugins test-vectors from extra-plugins to
1557 libstrongswan
1558 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1559 - d/libstrongswan.install: Add plugins/confiles
1560 - d/control: move package descriptions and add required breaks/replaces
1561 + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
1562 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1563 - d/libstrongswan.install: Add plugins/confiles
1564 - d/control: move package descriptions and add required breaks/replaces
1565 + (while using it requires special kernel, it does not hurt to be
1566 available in the package) Remove ha plugin
1567 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1568 - d/rules: Do not enable ha plugin
1569 - d/control: Drop listing the ha plugin in the package description
1570
1571 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
1572
428strongswan (5.6.1-2) unstable; urgency=medium1573strongswan (5.6.1-2) unstable; urgency=medium
4291574
430 * move counters plugin from -starter to -libcharon. closes: #8824311575 * move counters plugin from -starter to -libcharon. closes: #882431
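Review bot: in the restored 5.6.1-2ubuntu1 entry, under "* Added changes:", the item "d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins" is introduced with "-" at the same indentation as its "+" siblings, breaking the +/- nesting the rest of these entries use; as a historical entry it should be restored as originally published, not fixed, but please verify against the previous Ubuntu changelog that it read this way there and is not a copy error introduced by this merge.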
@@ -511,6 +1656,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
5111656
512 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +02001657 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
5131658
1659strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
1660
1661 * Fix Artful FTBFS due to newer glibc (LP: #1724859)
1662 - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
1663 files.
1664
1665 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
1666
1667strongswan (5.5.1-4ubuntu2) artful; urgency=medium
1668
1669 * SECURITY UPDATE: Fix RSA signature verification
1670 - debian/patches/CVE-2017-11185.patch: does some
1671 verifications in order to avoid null-point dereference
1672 in src/libstrongswan/gmp/gmp_rsa_public_key.c
1673 - CVE-2017-11185
1674
1675 -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
1676
1677strongswan (5.5.1-4ubuntu1) artful; urgency=medium
1678
1679 * Merge from Debian to pick up latest security changes (CVE-2017-9022,
1680 CVE-2017-9023).
1681 * Remaining Changes:
1682 + Update init/service handling
1683 - d/rules: Change init/systemd program name to strongswan
1684 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1685 patching upstream
1686 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1687 linking to upstream
1688 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1689 - d/strongswan-starter.prerm: Stop strongswan service on package
1690 removal (as opposed to using the old init.d script).
1691 + Clean up d/strongswan-starter.postinst:
1692 - Removed section about runlevel changes
1693 - Adapted service restart section for Upstart (kept to be Trusty
1694 backportable).
1695 - Remove old symlinks to init.d files is necessary.
1696 - Removed further out-dated code
1697 - Removed entire section on opportunistic encryption - this was never in
1698 strongSwan.
1699 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1700 + Mass enablement of extra plugins and features to allow a user to use
1701 strongswan for a variety of use cases without having to rebuild.
1702 - d/control: Add required additional build-deps
1703 - d/rules: Enable features at configure stage
1704 - d/control: Mention addtionally enabled plugins
1705 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1706 - d/libstrongswan.install: Add plugins (so, conf)
1707 + d/rules: Disable duplicheck as per
1708 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1709 + Remove ha plugin (requires special kernel)
1710 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1711 - d/rules: Do not enable ha plugin
1712 - d/control: Drop listing the ha plugin in the package description
1713 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1714 via this userspace implementation (please do note that this is still
1715 considered experimental by upstream).
1716 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1717 - d/control: List kernel-libipsec plugin at extra plugins description
1718 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1719 upstream recommends to not load kernel-libipsec by default.
1720 + Relocate tnc plugin
1721 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1722 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1723 + d/strongswan-starter.install: Install pool feature, that useful due to
1724 having attr-sql plugin that is enabled now.
1725 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1726 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1727 - d/libstrongswan.install: Add plugins/confiles
1728 - d/control: move package descriptions and add required breaks/replaces
1729 + d/libstrongswan.install: Reorder conf and .so alphabetically
1730 + d/libstrongswan.install: Add kernel-netlink configuration files
1731 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1732 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1733 autopkgtest the bliss test takes longer than the default (Upstream in
1734 5.5.2 via issue 2204)
1735 + Complete the disabling of libfast; This was partially accepted in Debian,
1736 it is no more packaging medcli and medsrv, but still builds and
1737 mentions it.
1738 - d/rules: Add --disable-fast to avoid build time and dependencies
1739 - d/control: Remove medcli, medsrv from package description
1740 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1741 "only" to extra-plugins Mgf1 is not listed as default plugin at
1742 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1743 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1744 libstrongswan-extra-plugins.
1745 + Add missing mention of md4 plugin in d/control
1746 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1747 missed that)
1748 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1749 plugins for the most common use cases from extra-plugins into a new
1750 standard-plugins package. This will allow those use cases without pulling
1751 in too much more plugins (a bit like the tnc package). Recommend that
1752 package from strongswan-libcharon.
1753
1754 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
1755
1756strongswan (5.5.1-3ubuntu1) artful; urgency=medium
1757
1758 * Merge from Debian to pick up latest changes. Among others this includes:
1759 - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
1760 but likely have to wait until Debian stretch was released)
1761 - enabling mediation support (LP: #1657413)
1762 * Remaining Changes:
1763 + Update init/service handling
1764 - d/rules: Change init/systemd program name to strongswan
1765 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1766 patching upstream
1767 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1768 linking to upstream
1769 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1770 - d/strongswan-starter.prerm: Stop strongswan service on package
1771 removal (as opposed to using the old init.d script).
1772 + Clean up d/strongswan-starter.postinst:
1773 - Removed section about runlevel changes
1774 - Adapted service restart section for Upstart (kept to be Trusty
1775 backportable).
1776 - Remove old symlinks to init.d files is necessary.
1777 - Removed further out-dated code
1778 - Removed entire section on opportunistic encryption - this was never in
1779 strongSwan.
1780 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1781 + Mass enablement of extra plugins and features to allow a user to use
1782 strongswan for a variety of use cases without having to rebuild.
1783 - d/control: Add required additional build-deps
1784 - d/rules: Enable features at configure stage
1785 - d/control: Mention addtionally enabled plugins
1786 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1787 - d/libstrongswan.install: Add plugins (so, conf)
1788 + d/rules: Disable duplicheck as per
1789 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1790 + Remove ha plugin (requires special kernel)
1791 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1792 - d/rules: Do not enable ha plugin
1793 - d/control: Drop listing the ha plugin in the package description
1794 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1795 via this userspace implementation (please do note that this is still
1796 considered experimental by upstream).
1797 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1798 - d/control: List kernel-libipsec plugin at extra plugins description
1799 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1800 upstream recommends to not load kernel-libipsec by default.
1801 + Relocate tnc plugin
1802 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1803 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1804 + d/strongswan-starter.install: Install pool feature, that useful due to
1805 having attr-sql plugin that is enabled now.
1806 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1807 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
1808 - d/libstrongswan.install: Add plugins/confiles
1809 - d/control: move package descriptions and add required breaks/replaces
1810 + d/libstrongswan.install: Reorder conf and .so alphabetically
1811 + d/libstrongswan.install: Add kernel-netlink configuration files
1812 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1813 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1814 autopkgtest the bliss test takes longer than the default (Upstream in
1815 5.5.2 via issue 2204)
1816 + Complete the disabling of libfast; This was partially accepted in Debian,
1817 it is no more packaging medcli and medsrv, but still builds and
1818 mentions it.
1819 - d/rules: Add --disable-fast to avoid build time and dependencies
1820 - d/control: Remove medcli, medsrv from package description
1821 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
1822 "only" to extra-plugins Mgf1 is not listed as default plugin at
1823 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
1824 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
1825 libstrongswan-extra-plugins.
1826 + Add missing mention of md4 plugin in d/control
1827 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
1828 missed that)
1829 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
1830 plugins for the most common use cases from extra-plugins into a new
1831 standard-plugins package. This will allow those use cases without pulling
1832 in too much more plugins (a bit like the tnc package). Recommend that
1833 package from strongswan-libcharon.
1834 * Dropped Changes:
1835 + Add and install apparmor profiles (in Debian)
1836 - d/rules: Install AppArmor profiles
1837 - d/control: Add dh-apparmor build-dep
1838 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1839 for charon, lookip and stroke
1840 - d/libcharon-extra-plugins.install: Install profile for lookip
1841 - d/strongswan-charon.install: Install profile for charon
1842 - d/strongswan-starter.install: Install profile for stroke
1843 - Fix strongswan ipsec status issue with apparmor
1844 - Fix Dep8 tests for the now extra strongswan-pki package for pki
1845 - Fix Dep8 tests for the now extra strongswan-scepclient package
1846 + d/rules: Sorted and only one enable option per configure line (in
1847 Debian)
1848 + Add updated logcheck rules (in Debian)
1849 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1850 - debian/strongswan.logcheck: Add updated logcheck rules
1851 + Add updated DEP8 tests (in Debian)
1852 - d/tests/*: Add DEP8 tests
1853 - d/control: Enable autotestpkg
1854 + d/rules: do not strip for library integrity checking (After Discussion
1855 with Debian this isn't acceptable there, but at the same time it turned
1856 out the real use-case of this never uses this lib but instead third
1857 party checks of checksums for e.g. FIPS cert; so drop the Delta)
1858 - Use override_dh_strip to to avoid overwriting user build flags.
1859 - Add missing mention of libchecksum integrity test in d/control
1860 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1861 in tests to avoid issues in low entropy environments. (Debian has
1862 disabled !x86 tests for the same reason, one solution is enough)
1863
1864 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
1865
514strongswan (5.5.1-3) unstable; urgency=medium1866strongswan (5.5.1-3) unstable; urgency=medium
5151867
516 [ Christian Ehrhardt ]1868 [ Christian Ehrhardt ]
@@ -544,6 +1896,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
5441896
545 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +01001897 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
5461898
1899strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
1900
1901 * Update Maintainers which was missed while merging 5.5.1-1.
1902
1903 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
1904
1905strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
1906
1907 * Merge from Debian (complex delta, discussions and broken out changes can be
1908 found in the merge proposal linked from the merge bug LP: #1631198)
1909 * Remaining Changes:
1910 + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
1911 checking.
1912 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
1913 in tests to avoid issues in low entropy environments.
1914 + Update init/service handling
1915 - d/rules: Change init/systemd program name to strongswan
1916 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
1917 patching upstream
1918 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
1919 linking to upstream
1920 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1921 - d/strongswan-starter.prerm: Stop strongswan service on package
1922 removal (as opposed to using the old init.d script).
1923 + Clean up d/strongswan-starter.postinst:
1924 - Removed section about runlevel changes
1925 - Adapted service restart section for Upstart (kept to be Trusty
1926 backportable).
1927 - Remove old symlinks to init.d files is necessary.
1928 - Removed further out-dated code
1929 - Removed entire section on opportunistic encryption - this was never in
1930 strongSwan.
1931 + Add and install apparmor profiles
1932 - d/rules: Install AppArmor profiles
1933 - d/control: Add dh-apparmor build-dep
1934 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
1935 for charon, lookip and stroke
1936 - d/libcharon-extra-plugins.install: Install profile for lookip
1937 - d/strongswan-charon.install: Install profile for charon
1938 - d/strongswan-starter.install: Install profile for stroke
1939 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
1940 + d/rules: Sorted and only one enable option per configure line
1941 + Mass enablement of extra plugins and features to allow a user to use
1942 strongswan for a variety of use cases without having to rebuild.
1943 - d/control: Add required additional build-deps
1944 - d/rules: Enable features at configure stage
1945 - d/control: Mention addtionally enabled plugins
1946 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
1947 - d/libstrongswan.install: Add plugins (so, conf)
1948 + d/rules: Disable duplicheck as per
1949 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1950 + Remove ha plugin (requires special kernel)
1951 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
1952 - d/rules: Do not enable ha plugin
1953 - d/control: Drop listing the ha plugin in the package description
1954 + Add plugin kernel-libipsec to allow the use of strongswan in containers
1955 via this userspace implementation (please do note that this is still
1956 considered experimental by upstream).
1957 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
1958 - d/control: List kernel-libipsec plugin at extra plugins description
1959 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
1960 upstream recommends to not load kernel-libipsec by default.
1961 + Relocate tnc plugin
1962 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
1963 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
1964 + d/strongswan-starter.install: Install pool feature, that useful due to
1965 having attr-sql plugin that is enabled now.
1966 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
1967 - d/libstrongswan-extra-plugins.install: Remove plugins
1968 - d/libstrongswan.install: Add plugins
1969 + d/libstrongswan.install: Reorder conf and .so alphabetically
1970 + d/libstrongswan.install: Add kernel-netlink configuration files
1971 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1972 + Add updated logcheck rules
1973 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
1974 - debian/strongswan.logcheck: Add updated logcheck rules
1975 + Add updated DEP8 tests
1976 - d/tests/*: Add DEP8 tests
1977 - d/control: Enable autotestpkg
1978 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
1979 autopkgtest the bliss test takes longer than the default
1980 + Complete the disabling of libfast
1981 - Note: This was partially accepted in Debian, it is no more
1982 packaging medcli and medsrv, but still builds and mentions it
1983 - d/rules: Add --disable-fast to avoid build time and dependencies
1984 - d/control: Remove medcli, medsrv from package description
1985 * Dropped Changes:
1986 + Adding build-dep to iptables-dev (no change, was only in Changelog)
1987 + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
1988 + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
1989 upgrade path left needing them)
1990 + Most of "disabling libfast" (Debian dropped it from package content)
1991 + Transition for ipsec service (no upgrade path left)
1992 + Reverted part of the cleanup to d/strongswan-starter.postinst as using
1993 service should rather use invoke-rc.d (so it is a partial revert of our
1994 delta)
1995 + Transition handling (breaks/replaces) from per-plugin packages to the
1996 three grouped plugin packages (no upgrade path left)
1997 + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
1998 it is effectively a no-op still, so not worth the delta)
1999 + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
2000 (no more needed)
2001 + d/rules: Remove configure option --enable-unit-test (unit tests run by
2002 default)
2003 * Added Changes:
2004 + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
2005 + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
2006 the relocation of the ccm plugin which missed to move the conffiles.
2007 + Complete move of test-vectors (was missing in d/control)
2008 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
2009 "only" to extra-plugins Mgf1 is not listed as default plugin at
2010 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
2011 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
2012 libstrongswan-extra-plugins.
2013 + Add missing mention of md4 plugin in d/control
2014 + Add missing mention of libchecksum integrity test in d/control
2015 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
2016 missed that)
2017 + Use override_dh_strip to to fix library integrity checking instead of
2018 DEB_BUILD_OPTION to avoid overwriting user build flags.
2019 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
2020 plugins for the most common use cases from extra-plugins into a new
2021 standard-plugins package. This will allow those use cases without pulling
2022 in too much more plugins (a bit like the tnc package). Recommend that
2023 package from strongswan-libcharon (LP: #1640826).
2024 + Fix Dep8 tests for the now extra strongswan-pki package for pki
2025 + Fix Dep8 tests for the now extra strongswan-scepclient package
2026
2027 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
2028
547strongswan (5.5.1-1) unstable; urgency=medium2029strongswan (5.5.1-1) unstable; urgency=medium
5482030
549 * New upstream bugfix release.2031 * New upstream bugfix release.
@@ -660,6 +2142,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
6602142
661 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +01002143 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
6622144
2145strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
2146
2147 * Build-depend on libjson-c-dev instead of libjson0-dev.
2148 * Rebuild against libjson-c3.
2149
2150 -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
2151
2152strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
2153
2154 * Rebuild against libmysqlclient20.
2155
2156 -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
2157
2158strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
2159
2160 * debian/tests/plugins: rdrand may or may not be loaded, depending on the
2161 cpu features.
2162
2163 -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
2164
2165strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
2166
2167 * debian/{rules,control,libstrongswan-extra-plugins.install}
2168 Enable bliss plugin
2169 * debian/{rules,control,libstrongswan-extra-plugins.install}
2170 Enable chapoly plugin
2171 * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
2172 Upstream suggests to not load this plugin by default as it has
2173 some limitations.
2174 https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
2175 * debian/patches/increase-bliss-test-timeout.patch
2176 Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
2177 * Update Apparmor profiles
2178 - usr.lib.ipsec.charon
2179 - add capability audit_write for xauth-pam (LP: #1470277)
2180 - add capability dac_override (needed by agent plugin)
2181 - allow priv dropping (LP: #1333655)
2182 - allow caching CRLs (LP: #1505222)
2183 - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
2184 - usr.lib.ipsec.stroke
2185 - allow priv dropping (LP: #1333655)
2186 - add local include
2187 - usr.lib.ipsec.lookip
2188 - add local include
2189 * Merge from Debian, which includes fixes for all previous CVEs
2190 Fixes (LP: #1330504, #1451091, #1448870, #1470277)
2191 Remaining changes:
2192 * debian/control
2193 - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
2194 - Update Maintainer for Ubuntu
2195 - Add build-deps
2196 - dh-apparmor
2197 - iptables-dev
2198 - libjson0-dev
2199 - libldns-dev
2200 - libmysqlclient-dev
2201 - libpcsclite-dev
2202 - libsoup2.4-dev
2203 - libtspi-dev
2204 - libunbound-dev
2205 - Drop build-deps
2206 - libfcgi-dev
2207 - clearsilver-dev
2208 - Create virtual packages for all strongswan-plugin-* for dist-upgrade
2209 - Set XS-Testsuite: autopkgtest
2210 * debian/rules:
2211 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
2212 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
2213 tests.
2214 - Change init/systemd program name to strongswan
2215 - Install AppArmor profiles
2216 - Removed pieces on 'patching ipsec.conf' on build.
2217 - Enablement of features per Ubuntu current config suggested from
2218 upstream recommendation
2219 - Unpack and sort enabled features to one-per-line
2220 - Disable duplicheck as per
2221 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
2222 - Disable libfast (--disable-fast):
2223 Requires dropping medsrv, medcli plugins which depend on libfast
2224 - Add configure options
2225 --with-tss=trousers
2226 - Remove configure options:
2227 --enable-ha (requires special kernel)
2228 --enable-unit-test (unit tests run by default)
2229 - Drop logcheck install
2230 * debian/tests/*
2231 - Add DEP8 test for strongswan service and plugins
2232 * debian/strongswan-starter.strongswan.service
2233 - Add new systemd file instead of patching upstream
2234 * debian/strongswan-starter.links
2235 - removed, use Ubuntu systemd file instead of linking to upstream
2236 * debian/usr.lib.ipsec.{charon, lookip, stroke}
2237 - added AppArmor profiles for charon, lookip and stroke
2238 * debian/libcharon-extra-plugins.install
2239 - Add plugins
2240 - kernel-libipsec.{so, lib, conf, apparmor}
2241 - Remove plugins
2242 - libstrongswan-ha.so
2243 - Relocate plugins
2244 - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
2245 * debian/libstrongswan-extra-plugins.install
2246 - Add plugins (so, lib, conf)
2247 - acert
2248 - attr-sql
2249 - coupling
2250 - dnscert
2251 - fips-prf
2252 - gmp
2253 - ipseckey
2254 - load-tester
2255 - mysql
2256 - ntru
2257 - radattr
2258 - soup
2259 - sqlite
2260 - sql
2261 - systime-fix
2262 - unbound
2263 - whitelist
2264 - Relocate plugins (so, lib, conf)
2265 - ccm (libstrongswan.install)
2266 - test-vectors (libstrongswan.install)
2267 * debian/libstrongswan.install
2268 - Sort sections
2269 - Add plugins (so, lib, conf)
2270 - libchecksum
2271 - ccm
2272 - eap-identity
2273 - md4
2274 - test-vectors
2275 * debian/strongswan-charon.install
2276 - Add AppArmor profile for charon
2277 * debian/strongswan-starter.install
2278 - Add tools, manpages, conf
2279 - openac
2280 - pool
2281 - _updown_espmark
2282 - Add AppArmor profile for stroke
2283 * debian/strongswan-tnc-base.install
2284 - Add new subpackage for TNC
2285 - remove non-existent (dropped in 5.2.1) libpts library files
2286 * debian/strongswan-tnc-client.install
2287 - Add new subpackage for TNC
2288 * debian/strongswan-tnc-ifmap.install
2289 - Add new subpackage for TNC
2290 * debian/strongswan-tnc-pdp.install
2291 - Add new subpackage for TNC
2292 * debian/strongswan-tnc-server.install
2293 - Add new subpackage for TNC
2294 * debian/strongswan-starter.postinit:
2295 - Removed section about runlevel changes, it's almost 2014.
2296 - Adapted service restart section for Upstart.
2297 - Remove old symlinks to init.d files is necessary.
2298 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
2299 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
2300 * debian/strongswan-starter.prerm: Stop strongswan service on package
2301 removal (as opposed to using the old init.d script).
2302 * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
2303 - logcheck patterns updated to be helpful
2304 * debian/strongswan-starter.postinst: Removed further out-dated code and
2305 entire section on opportunistic encryption - this was never in strongSwan.
2306 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
2307 Drop changes:
2308 * debian/control
2309 - Per-plugin package breakup: Reducing packaging delta from Debian
2310 - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
2311 * debian/watch: Already exists in Debian merge
2312 * debian/upstream/signing-key.asc: Upstream has newer version.
2313
2314 -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
2315
663strongswan (5.3.5-1) unstable; urgency=medium2316strongswan (5.3.5-1) unstable; urgency=medium
6642317
665 * New upstream bugfix release.2318 * New upstream bugfix release.
@@ -932,6 +2585,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
9322585
933 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +01002586 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
9342587
2588strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
2589
2590 * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
2591
2592 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
2593
2594strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
2595
2596 * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
2597 - debian/patches/CVE-2015-8023.patch: only succeed authentication if
2598 MSK was established in
2599 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
2600 - CVE-2015-8023
2601 * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
2602 until regression is properly investigated.
2603
2604 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
2605
2606strongswan (5.1.2-0ubuntu6) wily; urgency=medium
2607
2608 * SECURITY UPDATE: user credential disclosure to rogue servers
2609 - debian/patches/CVE-2015-4171.patch: enforce remote authentication
2610 config before proceeding with own authentication in
2611 src/libcharon/sa/ikev2/tasks/ike_auth.c.
2612 - CVE-2015-4171
2613 * debian/rules: don't FTBFS from unused service file
2614
2615 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
2616
2617strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
2618
2619 * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
2620
2621 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
2622
2623strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
2624
2625 * SECURITY UPDATE: denial of service via DH group 1025
2626 - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
2627 IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
2628 src/libstrongswan/crypto/diffie_hellman.h.
2629 - CVE-2014-9221
2630
2631 -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
2632
2633strongswan (5.1.2-0ubuntu3) utopic; urgency=low
2634
2635 * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
2636 build.
2637
2638 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
2639
2640strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
2641
2642 * SECURITY UPDATE: remote authentication bypass
2643 - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
2644 on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
2645 - CVE-2014-2338
2646
2647 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
2648
2649strongswan (5.1.2-0ubuntu1) trusty; urgency=low
2650
2651 * New upstream release.
2652
2653 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
2654
2655strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
2656
2657 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
2658 * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
2659
2660 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
2661
2662strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
2663
2664 * New upstream release candidate.
2665
2666 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
2667
2668strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
2669
2670 * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
2671 packages.
2672 * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
2673
2674 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
2675
2676strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
2677
2678 * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
2679
2680 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
2681
2682strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
2683
2684 * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
2685 as it's only useful on amd64.
2686 * debian/watch: Added opts=pgpsigurlmangle option.
2687 * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
2688
2689 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
2690
2691strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
2692
2693 * New upstream release candidate.
2694 * debian/*.install - include new configuration files for plugins in
2695 appropiate packages.
2696
2697 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
2698
2699strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
2700
2701 * debian/control:
2702 - Added Breaks/Replaces for all library files which have been moved
2703 about (LP: #1278176).
2704 - Removed build-dependency on check and added one on dh-apparmor.
2705 * debian/strongswan-starter.postinst: Removed further out-dated code and
2706 entire section on opportunistic encryption - this was never in strongSwan.
2707 * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
2708
2709 -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
2710
2711strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
2712
2713 * debian/control: Fixed references to plugin-fips-prf.
2714
2715 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
2716
2717strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
2718
2719 * Upstream Git snapshot for build fixes with regards to entropy.
2720 * debian/rules:
2721 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
2722 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
2723 tests.
2724
2725 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
2726
2727strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
2728
2729 * New upstream developer release.
2730 * Made changes to packaging per upstream suggestions.
2731 - Dropped medcli and medsrv packages - not recommended by upstream at this
2732 time.
2733 - Dropped ha plugin - needs special kernel.
2734 - Improved all package descriptions in general.
2735 - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
2736 - Removed debian/*logcheck* files - not relevant to strongSwan.
2737 - Split dhcp and farp packages into sub-packages.
2738 - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
2739 - Changes to TNC-related packages.
2740 * Created AppArmor profiles for lookip and stroke.
2741
2742 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
2743
2744strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
2745
2746 * libstrongswan.install: Removed lingering unit-tester.so reference.
2747
2748 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
2749
2750strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
2751
2752 * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
2753 Incorporates upstream fixes for:
2754 - Integrity testing.
2755 - Unit test failures on little endian systems.
2756 * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
2757 upstream.
2758 * debian/rules:
2759 - Stop using CK_TIMEOUT_MULTIPLIER.
2760 - Stop enabling the test suite only on non-powerpc arches (it runs
2761 anyway).
2762
2763 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
2764
2765strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
2766
2767 * debian/control: Reinstate missing comma in dependencies.
2768
2769 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
2770
2771strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
2772
2773 * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
2774 where test for >2038 tests on 32-bit platforms is broken.
2775 - Reported upstream: https://wiki.strongswan.org/issues/477
2776 * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
2777
2778 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
2779
2780strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
2781
2782 * New upstream developer release.
2783 * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
2784 and --enable-unity.
2785 * debian/control:
2786 - New plugin packages created for the above
2787 - Split fips-prf into its own package.
2788 - Added build-dependency on libsoup2.4-dev.
2789
2790 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
2791
935strongswan (5.1.1-3) unstable; urgency=low2792strongswan (5.1.1-3) unstable; urgency=low
9362793
937 * Upload to unstable.2794 * Upload to unstable.
@@ -1023,6 +2880,192 @@ strongswan (5.1.1-1) unstable; urgency=low
10232880
1024 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +01002881 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
10252882
2883strongswan (5.1.1-0ubuntu17) trusty; urgency=low
2884
2885 * debian/control:
2886 - Make strongswan-ike depend on iproute2.
2887 - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
2888 - Created strongswan-libfast package.
2889
2890 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
2891
2892strongswan (5.1.1-0ubuntu16) trusty; urgency=low
2893
2894 * debian/control:
2895 - Further splitting of plugins into subpackages (such as all EAP plugins
2896 to their own packages).
2897 - Added libpcsclite-dev to build-dependencies.
2898 * debian/rules:
2899 - Sort configure options in alphabetical order.
2900 - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
2901 --enable-eap-sim-file, --enable-eap-sim-pcsc,
2902 --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
2903 --enable-eap-simaka-sql.
2904 - Don't exclude medsrv from install.
2905 * Moved eap-identity.so to libstrongswan package as it's used by all the
2906 other EAP plugins.
2907
2908 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
2909
2910strongswan (5.1.1-0ubuntu15) trusty; urgency=low
2911
2912 * debian/control:
2913 - Split plugins from libstrongswan package into modular subpackages.
2914 - Added libmysqlclient-dev to build-dependencies.
2915 - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
2916 strongswan-plugins-gcrypt.
2917 - strongswan-ike: All other plugins added to Suggests.
2918 - Created two new TNC packages: strongswan-tnc-ifmap and
2919 strongswan-tnc-pdp and added to tnc-imcvs Suggests.
2920 * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
2921 --enable-error-notify, --enable-mysql, --enable-load-tester,
2922 --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
2923 * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
2924
2925 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
2926
2927strongswan (5.1.1-0ubuntu14) trusty; urgency=low
2928
2929 * debian/rules:
2930 - CK_TIMEOUT_MULTIPLIER back down to 6.
2931 - Disable unit tests on powerpc.
2932
2933 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
2934
2935strongswan (5.1.1-0ubuntu13) trusty; urgency=low
2936
2937 * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
2938
2939 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
2940
2941strongswan (5.1.1-0ubuntu12) trusty; urgency=low
2942
2943 * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
2944 armhf.
2945
2946 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
2947
2948strongswan (5.1.1-0ubuntu11) trusty; urgency=low
2949
2950 * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
2951 one extra arch.
2952 * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
2953
2954 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
2955
2956strongswan (5.1.1-0ubuntu10) trusty; urgency=low
2957
2958 * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
2959 - Increases RSA key generate test timeout to 30 seconds so that it doesn't
2960 fail on armhf, arm64, and powerppc.
2961 * Contrary to what the last changelog entry says, we are still running
2962 strongswan as root (with AppArmor protection).
2963
2964 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
2965
2966strongswan (5.1.1-0ubuntu9) trusty; urgency=low
2967
2968 * debian/rules: Added to configure options:
2969 - --enable-tnc-ifmap: enable TNC IF-MAP module.
2970 - --enable-duplicheck: enable duplicheck plugin.
2971 - --enable-imv-swid, --enable-imc-swid: Added.
2972 - Run strongswan as it's own user.
2973 * debian/strongswan-starter.install: Install duplicheck.
2974 * debian/strongswan-tnc-imcvs.install: Install swidtags.
2975
2976 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
2977
2978strongswan (5.1.1-0ubuntu8) trusty; urgency=low
2979
2980 * debian/rules: Added to configure options:
2981 - --enable-unit-tests: check unit testing on build.
2982 - --enable-unbound: for validating DNS lookups.
2983 - --enable-dnscert: for DNSCERT peer authentication.
2984 - --enable-ipseckey: for IPSEC key authentication.
2985 - --enable-lookip: for LookIP functionality.
2986 - --enable-coupling: certificate coupling functionality.
2987 * debian/control: Added check, libldns-dev, libunbound-dev to
2988 build-dependencies.
2989 * debian/libstrongswan.install: Install new plugin .so's.
2990 * debian/strongswan-starter.install: Added lookip.
2991
2992 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
2993
2994strongswan (5.1.1-0ubuntu7) trusty; urgency=low
2995
2996 * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
2997 the former from depending on the latter).
2998
2999 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
3000
3001strongswan (5.1.1-0ubuntu6) trusty; urgency=low
3002
3003 * debian/strongswan-starter.prerm: Stop strongswan service on package
3004 removal (as opposed to using the old init.d script).
3005
3006 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
3007
3008strongswan (5.1.1-0ubuntu5) trusty; urgency=low
3009
3010 * debian/rules:
3011 - CONFIGUREARGS: Merged Debian and RPM options.
3012 - Brings in TNC functionality.
3013 * debian/control:
3014 - Added build-dependency on libtspi-dev.
3015 - Created strongswan-tnc-imcvs binary package for TNC components.
3016 - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
3017 * debian/libstrongswan.install:
3018 - Included newly built MD4 and SQLite libraries.
3019 - Removed 'tnc' references (moved to TNC package).
3020 * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
3021 binaries.
3022 * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
3023
3024 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
3025
3026strongswan (5.1.1-0ubuntu4) trusty; urgency=low
3027
3028 * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
3029 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
3030 * debian/control: strongswan-ike - Stop depending on ipsec-tools.
3031
3032 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
3033
3034strongswan (5.1.1-0ubuntu3) trusty; urgency=low
3035
3036 * strongswan-starter.strongswan.upstart - Only start strongSwan when a
3037 network connection is available.
3038 * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
3039 1.16.1 - to make precise backporting easier.
3040
3041 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
3042
3043strongswan (5.1.1-0ubuntu2) trusty; urgency=low
3044
3045 * strongswan-starter.strongswan.upstart - Created Upstart job for
3046 strongSwan.
3047 * debian/rules: Set dh_installinit to install above file.
3048 * debian/strongswan-starter.postinit:
3049 - Removed section about runlevel changes, it's almost 2014.
3050 - Adapted service restart section for Upstart.
3051 - Remove old symlinks to init.d files is necessary.
3052 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
3053
3054 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
3055
3056strongswan (5.1.1-0ubuntu1) trusty; urgency=low
3057
3058 * New upstream release.
3059 * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
3060 * debian/control: Updated Standards-Version to 3.9.5 and applied
3061 XSBC-Original-Maintainer policy.
3062 * strongswan-starter.install:
3063 - pki tool is now in /usr/bin.
3064 - Install pt-tls-client.
3065 - Install manpages (LP: #1206263).
3066
3067 -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
3068
1026strongswan (5.1.0-3) unstable; urgency=high3069strongswan (5.1.0-3) unstable; urgency=high
10273070
1028 * urgency=high for the security fixes.3071 * urgency=high for the security fixes.
diff --git a/debian/control b/debian/control
index df2d9f3..c82b7aa 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: strongswan1Source: strongswan
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
5Uploaders: Yves-Alexis Perez <corsac@debian.org>6Uploaders: Yves-Alexis Perez <corsac@debian.org>
6Standards-Version: 4.7.17Standards-Version: 4.7.1
7Vcs-Browser: https://salsa.debian.org/debian/strongswan8Vcs-Browser: https://salsa.debian.org/debian/strongswan
@@ -207,6 +208,9 @@ Description: strongSwan charon library (extra plugins)
207 - unity (Cisco Unity extensions for IKEv1)208 - unity (Cisco Unity extensions for IKEv1)
208 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)209 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
209 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)210 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
211 - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
212 requested/supported by the client (since 5.0.1))
213 - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
210214
211Package: strongswan-starter215Package: strongswan-starter
212Architecture: any216Architecture: any
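Review bot: the two description entries added in this hunk break the ordering of the plugin list. The surrounding context entries (unity, xauth-eap, xauth-pam) are alphabetical, so eap-dynamic and eap-peap belong among the other eap-* entries earlier in the list rather than appended after xauth-pam. The "(since 5.0.1)" qualifier on eap-dynamic also differs in style from the neighbouring entries, which carry only a short description; consider trimming it to `- eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client)`.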
@@ -214,10 +218,10 @@ Pre-Depends: ${misc:Pre-Depends}
214Depends: adduser,218Depends: adduser,
215 libstrongswan (= ${binary:Version}),219 libstrongswan (= ${binary:Version}),
216 sysvinit-utils (>= 3.05-3),220 sysvinit-utils (>= 3.05-3),
221 strongswan-charon,
217 ${misc:Depends},222 ${misc:Depends},
218 ${shlibs:Depends}223 ${shlibs:Depends}
219Conflicts: libreswan224Conflicts: libreswan
220Recommends: strongswan-charon
221Description: strongSwan daemon starter and configuration file parser225Description: strongSwan daemon starter and configuration file parser
222 The strongSwan VPN suite uses the native IPsec stack in the standard226 The strongSwan VPN suite uses the native IPsec stack in the standard
223 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.227 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -253,10 +257,10 @@ Architecture: any
253Pre-Depends: debconf | debconf-2.0257Pre-Depends: debconf | debconf-2.0
254Depends: iproute2 [linux-any] | iproute [linux-any],258Depends: iproute2 [linux-any] | iproute [linux-any],
255 libstrongswan (= ${binary:Version}),259 libstrongswan (= ${binary:Version}),
256 strongswan-starter,
257 ${misc:Depends},260 ${misc:Depends},
258 ${shlibs:Depends}261 ${shlibs:Depends}
259Conflicts: charon-systemd262Conflicts: charon-systemd
263Recommends: strongswan-starter,
260Provides: ike-server264Provides: ike-server
261Description: strongSwan Internet Key Exchange daemon265Description: strongSwan Internet Key Exchange daemon
262 The strongSwan VPN suite uses the native IPsec stack in the standard266 The strongSwan VPN suite uses the native IPsec stack in the standard
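Review bot: the added `Recommends: strongswan-starter,` line ends with a trailing comma, unlike the neighbouring single-value `Conflicts:` and `Provides:` fields; unless another package is meant to follow it, drop the comma. Demoting strongswan-starter from Depends to Recommends is the counterpart of the Depends added to strongswan-starter in the previous hunk and avoids a mutual hard dependency between the two packages; make sure the changelog entry records both halves of that swap so the reversal of direction is traceable later.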
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
index 94fbabd..91ca716 100644
--- a/debian/libcharon-extra-plugins.install
+++ b/debian/libcharon-extra-plugins.install
@@ -2,9 +2,11 @@
2usr/lib/ipsec/plugins/libstrongswan-addrblock.so2usr/lib/ipsec/plugins/libstrongswan-addrblock.so
3usr/lib/ipsec/plugins/libstrongswan-certexpire.so3usr/lib/ipsec/plugins/libstrongswan-certexpire.so
4usr/lib/ipsec/plugins/libstrongswan-eap-aka.so4usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
5usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
5usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so6usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
6usr/lib/ipsec/plugins/libstrongswan-eap-identity.so7usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
7usr/lib/ipsec/plugins/libstrongswan-eap-md5.so8usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
9usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
8usr/lib/ipsec/plugins/libstrongswan-eap-radius.so10usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
9usr/lib/ipsec/plugins/libstrongswan-eap-tls.so11usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
10usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so12usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
@@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
25usr/share/strongswan/templates/config/plugins/addrblock.conf27usr/share/strongswan/templates/config/plugins/addrblock.conf
26usr/share/strongswan/templates/config/plugins/certexpire.conf28usr/share/strongswan/templates/config/plugins/certexpire.conf
27usr/share/strongswan/templates/config/plugins/eap-aka.conf29usr/share/strongswan/templates/config/plugins/eap-aka.conf
30usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
28usr/share/strongswan/templates/config/plugins/eap-gtc.conf31usr/share/strongswan/templates/config/plugins/eap-gtc.conf
29usr/share/strongswan/templates/config/plugins/eap-identity.conf32usr/share/strongswan/templates/config/plugins/eap-identity.conf
30usr/share/strongswan/templates/config/plugins/eap-md5.conf33usr/share/strongswan/templates/config/plugins/eap-md5.conf
34usr/share/strongswan/templates/config/plugins/eap-peap.conf
31usr/share/strongswan/templates/config/plugins/eap-radius.conf35usr/share/strongswan/templates/config/plugins/eap-radius.conf
32usr/share/strongswan/templates/config/plugins/eap-tls.conf36usr/share/strongswan/templates/config/plugins/eap-tls.conf
33usr/share/strongswan/templates/config/plugins/eap-tnc.conf37usr/share/strongswan/templates/config/plugins/eap-tnc.conf
@@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf
49etc/strongswan.d/charon/addrblock.conf53etc/strongswan.d/charon/addrblock.conf
50etc/strongswan.d/charon/certexpire.conf54etc/strongswan.d/charon/certexpire.conf
51etc/strongswan.d/charon/eap-aka.conf55etc/strongswan.d/charon/eap-aka.conf
56etc/strongswan.d/charon/eap-dynamic.conf
52etc/strongswan.d/charon/eap-gtc.conf57etc/strongswan.d/charon/eap-gtc.conf
53etc/strongswan.d/charon/eap-identity.conf58etc/strongswan.d/charon/eap-identity.conf
54etc/strongswan.d/charon/eap-md5.conf59etc/strongswan.d/charon/eap-md5.conf
60etc/strongswan.d/charon/eap-peap.conf
55etc/strongswan.d/charon/eap-radius.conf61etc/strongswan.d/charon/eap-radius.conf
56etc/strongswan.d/charon/eap-tls.conf62etc/strongswan.d/charon/eap-tls.conf
57etc/strongswan.d/charon/eap-tnc.conf63etc/strongswan.d/charon/eap-tnc.conf
diff --git a/debian/rules b/debian/rules
index 415178c..42a7f54 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,9 +17,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
17 --enable-curve25519 \17 --enable-curve25519 \
18 --enable-eap-aka \18 --enable-eap-aka \
19 --enable-eap-gtc \19 --enable-eap-gtc \
20 --enable-eap-dynamic \
20 --enable-eap-identity \21 --enable-eap-identity \
21 --enable-eap-md5 \22 --enable-eap-md5 \
22 --enable-eap-mschapv2 \23 --enable-eap-mschapv2 \
24 --enable-eap-peap \
23 --enable-eap-radius \25 --enable-eap-radius \
24 --enable-eap-tls \26 --enable-eap-tls \
25 --enable-eap-tnc \27 --enable-eap-tnc \
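Review bot: `--enable-eap-dynamic \` is inserted out of order. The surrounding CONFIGUREARGS entries are alphabetical (eap-aka, eap-gtc, eap-identity, eap-md5, ...), so it belongs between `--enable-eap-aka \` and `--enable-eap-gtc \`. `--enable-eap-peap \` is placed correctly between eap-mschapv2 and eap-radius.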
diff --git a/debian/tests/control b/debian/tests/control
index 524498c..43d9b0c 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -5,3 +5,9 @@ Restrictions: needs-root isolation-container allow-stderr
5Tests: daemon plugins5Tests: daemon plugins
6Depends: strongswan-starter, strongswan-charon, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins6Depends: strongswan-starter, strongswan-charon, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins
7Restrictions: needs-root isolation-machine allow-stderr7Restrictions: needs-root isolation-machine allow-stderr
8
9Tests: host-to-host
10Depends: strongswan-swanctl, strongswan-pki, libstrongswan-extra-plugins,
11 charon-systemd, lsb-release, snapd, dctrl-tools, libtss2-tcti-tabrmd0,
12 bind9-dnsutils
13Restrictions: needs-root isolation-machine allow-stderr skippable
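Review bot: the new host-to-host stanza depends on snapd but not on lxd, although the test script drives everything through `lxc` (`lxc network list`, `lxc exec`, `lxc delete` in the cleanup function), so lxd presumably comes from a snap installed at run time. Since the stanza is marked skippable, the script should exit 77 when that snap cannot be installed (for example on an offline autopkgtest runner) rather than failing with a missing `lxc` command; the Ubuntu-only check at the top of the script already uses that convention. The reasons for `libtss2-tcti-tabrmd0` and `dctrl-tools` are not evident from the visible part of the test, so a short comment in debian/tests/control or the script explaining what they are needed for would help future maintainers. `lsb-release` and `bind9-dnsutils` are accounted for by the `lsb_release` and `dig` calls in the script.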
diff --git a/debian/tests/host-to-host b/debian/tests/host-to-host
8new file mode 10075514new file mode 100755
index 0000000..3a76da0
--- /dev/null
+++ b/debian/tests/host-to-host
@@ -0,0 +1,401 @@
1#!/bin/bash
2
3# host to host setup from https://docs.strongswan.org/docs/5.9/config/quickstart.html
4
5set -e
6set -o pipefail
7
8# exit early if not on Ubuntu
9if [ "$(lsb_release --short --id)" != "Ubuntu" ]; then
10 echo "This test only runs on Ubuntu, skipping."
11 exit 77
12fi
13
14cleanup() {
15 if [ $? -ne 0 ]; then
16 set +e
17 echo "Something failed, gathering debug info"
18 echo
19 echo "Installed strongswan packages:"
20 dpkg -l | grep -E "(strongswan|charon)"
21 echo
22 echo "loaded kernel modules:"
23 lsmod
24 echo
25 echo "journal logs from host:"
26 journalctl --no-pager -u strongswan.service || :
27 echo
28 echo "LXD details:"
29 lxc network list
30 lxc list
31 echo
32 for container in $(lxc list -f compact -c ns | grep -F RUNNING | awk '{print $1}'); do
33 echo "journal logs from container ${container}"
34 lxc exec "${container}" -- journalctl -u strongswan.service --no-pager || :
35 echo
36 echo "strongswan data from container ${container}"
37 for cmd in stats list-certs list-conns list-pols list-sas; do
38 echo "${cmd}:"
39 lxc exec "${container}" -- swanctl --${cmd} || :
40 echo
41 done
42 done
43 fi
44 set +e
45 rm -rf "${WORKDIR}"
46 for container in "${PEERS[@]}"; do
47 lxc delete --force "${container}" > /dev/null 2>&1 || :
48 done
49}
50
51trap cleanup EXIT
52
53WORKDIR=$(mktemp -d)
54PEERS=("moon" "sun")
55declare -A REMOTE
56REMOTE["moon"]="sun"
57REMOTE["sun"]="moon"
58PUBKEY_ALGO="ed25519"
59TESTNAME=$(basename "${0}")
60
61# ca
62CA_KEY_FILE="${WORKDIR}/strongswanKey.pem"
63REQ_FILE="${WORKDIR}/req.pem" # can be reused for multiple reqs
64CA_CERT_FILE="${WORKDIR}/strongswanCert.pem"
65
66source debian/tests/utils
67
68check_pol() {
69 #root@moon:~# swanctl --list-pols
70 #moon-sun/moon-sun, TUNNEL
71 # local: 10.38.71.14/32
72 # remote: 10.38.71.194/32
73 local me="${1}"
74 local pol="${2}"
75 local -i failures=0
76 local tunnel
77 local ip
78 local policy_ip
79
80 echo "Checking policy for:"
81 echo -n " we have a tunnel: "
82 if echo "${pol}" | head -n 1 | grep -qF TUNNEL; then
83 echo "OK"
84 else
85 echo "FAIL"
86 failures=$((failures+1))
87 fi
88
89 # moon-sun/moon-sun, TUNNEL -> tunnel = moon-sun
90 tunnel=$(echo "${pol}" | head -n 1 | cut -d , -f 1)
91 echo -n " tunnel matches local-remote: "
92 if echo "${tunnel}" | grep -qE "^${me}-${REMOTE[${me}]}/${me}-${REMOTE[${me}]}"; then
93 echo "OK"
94 else
95 echo "FAIL (tunnel=${tunnel})"
96 failures=$((failures+1))
97 fi
98
99 echo -n " local IP matches local peer: "
100 ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
101 policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+local:[[:blank:]]+([0-9.]+/32),\1,p")
102 if [ "${ip}" = "${policy_ip}" ]; then
103 echo "OK"
104 else
105 echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
106 failures=$((failures+1))
107 fi
108
109 echo -n " remote IP matches remote peer: "
110 ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
111 policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+remote:[[:blank:]]+([0-9.]+/32),\1,p")
112 if [ "${ip}" = "${policy_ip}" ]; then
113 echo "OK"
114 else
115 echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
116 failures=$((failures+1))
117 fi
118
119 return ${failures}
120}
121
122check_sa() {
123 local -i failures=0
124 local me="${1}"
125 local sa="${2}"
126 local name=""
127 local sa_ip
128
129 # SAs look like this:
130 # moon-sun: #1, ESTABLISHED, IKEv2, f1bdc688a5078946_i* bf6e1559c5a87ab9_r
131 # local 'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.84.128.22[4500]
132 # remote 'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.84.128.191[4500]
133 # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
134 # established 11s ago, rekeying in 14147s
135 # moon-sun: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
136 # installed 11s ago, rekeying in 3285s, expires in 3949s
137 # in c3bcdf8d, 168 bytes, 2 packets, 0s ago
138 # out caf49378, 168 bytes, 2 packets, 0s ago
139 # local 10.84.128.22/32
140 # remote 10.84.128.191/32
141
142 echo "Checking SA for:"
143
144 echo -n " established SA: "
145 if echo "${sa}" | grep -qE "^[[:alnum:]]+-[[:alnum:]]+:.*ESTABLISHED"; then
146 echo "OK"
147 else
148 echo "FAIL"
149 failures=$((failures+1))
150 fi
151
152 # parse the connection name from the first line: $local-$remote: #1,....
153 name=$(echo "${sa}" | head -n 1 | sed -r "s/^([[:alnum:]]+)-[[:alnum:]]+:.*/\1/")
154 echo -n " local DN matches CN=${name}.strongswan.org: "
155 if echo "${sa}" | grep -qE "^[[:blank:]]*local.*CN=${name}\.strongswan\.org"; then
156 echo "OK"
157 else
158 echo "FAIL"
159 failures=$((failures+1))
160 fi
161
162 # parse the connection name from the first line: $local-$remote: #1,....
163 name=$(echo "${sa}" | head -n 1 | sed -r "s/^[[:alnum:]]+-([[:alnum:]]+):.*/\1/")
164 echo -n " remote DN matches CN=${name}.strongswan.org: "
165 if echo "${sa}" | grep -qE "^[[:blank:]]*remote.*CN=${name}\.strongswan\.org"; then
166 echo "OK"
167 else
168 echo "FAIL"
169 failures=$((failures+1))
170 fi
171
172 echo -n " local IP matches local peer: "
173 ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
174 sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+local[[:blank:]]+([0-9.]+/32),\1,p")
175 if [ "${ip}" = "${sa_ip}" ]; then
176 echo "OK"
177 else
178 echo "FAIL: local ip ${ip} != SA local ip ${sa_ip}"
179 failures=$((failures+1))
180 fi
181
182 echo -n " remote IP matches remote peer: "
183 ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
184 sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+remote[[:blank:]]+([0-9.]+/32),\1,p")
185 if [ "${ip}" = "${sa_ip}" ]; then
186 echo "OK"
187 else
188 echo "FAIL: remote ip ${ip} != SA remote ip ${sa_ip}"
189 failures=$((failures+1))
190 fi
191
192 # TODO: check for cipher, if it matches the algo used in the pubkey
193 # TODO: check for traffic, should not be zero
194
195 return ${failures}
196}
197
198_setup_peer() {
199 local peer="${1}"
200 local algo="${2}"
201 local key_file="${WORKDIR}/${peer}Key.pem"
202 local cert_file="${WORKDIR}/${peer}Cert.pem"
203
204 pki --gen --type "${algo}" --outform pem > "${key_file}"
205
206 pki --req --type priv --in "${key_file}" \
207 --dn "C=CH, O=strongswan, CN=${peer}.strongswan.org" \
208 --san "${peer}.strongswan.org" --outform pem > "${REQ_FILE}"
209
210 pki --issue --cacert "${CA_CERT_FILE}" --cakey "${CA_KEY_FILE}" \
211 --type pkcs10 --in "${REQ_FILE}" --serial 01 --lifetime 5 \
212 --outform pem --flag serverAuth > "${cert_file}"
213}
214
215_setup_lxd() {
216 lxd init --auto
217 network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED" | awk '{print $1}')
218 lxc network set "${network:-lxdbr0}" ipv6.address=none
219 if [ -n "${http_proxy}" ]; then
220 lxc config set core.proxy_http "${http_proxy}"
221 fi
222 if [ -n "${https_proxy}" ]; then
223 lxc config set core.proxy_https "${https_proxy}"
224 fi
225 if [ -n "${noproxy}" ]; then
226 lxc config set core.proxy_ignore_hosts "${noproxy}"
227 fi
228}
229
230_setup_host_containers() {
231 local release
232 local ip
233 local -i result=0
234 local -a deps
235
236 release=$(lsb_release -cs)
237 readarray -t deps < <(get_test_dependencies "${TESTNAME}" snapd dctrl-tools)
238
239 for container in "${PEERS[@]}"; do
240 echo "Launching container ${container} with release ${release}"
241 lxc launch "ubuntu-daily:${release}" "${container}" -c security.nesting=true -q
242 echo -en "Waiting for container ${container} to be ready "
243 wait_container_ready "${container}"
244
245 echo "Copying over /etc/apt to container ${container}"
246 lxc exec "${container}" -- rm -rf /etc/apt
247 lxc exec "${container}" -- mkdir -p /etc/apt
248 tar -cC /etc/apt . | lxc exec "${container}" -- tar -xC /etc/apt
249
250 echo "Installing deps in container ${container} (${deps[*]})"
251 output=$(lxc exec "${container}" -- apt-get update -q) || {
252 result=$?
253 echo "apt-get update failed in container ${container}"
254 echo "${output}"
255 return ${result}
256 }
257 output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y) || {
258 result=$?
259 echo "apt-get dist-upgrade failed in container ${container}"
260 echo "${output}"
261 return ${result}
262 }
263 output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y "${deps[@]}") || {
264 result=$?
265 echo "apt-get install ${deps[*]} failed in container ${container}"
266 echo "${output}"
267 return ${result}
268 }
269 echo "Done for container ${container}"
270 done
271}
272
273_setup_host_containers_certs() {
274 for container in "${PEERS[@]}"; do
275 echo "Copying ${CA_CERT_FILE} to container ${container}"
276 lxc file push "${CA_CERT_FILE}" "${container}/etc/swanctl/x509ca/"
277
278 echo "Copying ${container} cert and key"
279 lxc file push "${WORKDIR}/${container}Key.pem" "${container}/etc/swanctl/private/"
280 lxc file push "${WORKDIR}/${container}Cert.pem" "${container}/etc/swanctl/x509/"
281 done
282}
283
284_setup_host_containers_strongswan() {
285 local config
286
287 config=$(mktemp)
288
289 for peer in "${PEERS[@]}"; do
290 conn_name="${peer}-${REMOTE[${peer}]}"
291 cat > "${config}" <<EOF
292connections {
293 ${conn_name} {
294 remote_addrs = ${REMOTE[${peer}]}.lxd
295 local {
296 auth=pubkey
297 certs = ${peer}Cert.pem
298 }
299 remote {
300 auth = pubkey
301 id = "C=CH, O=strongswan, CN=${REMOTE[${peer}]}.strongswan.org"
302 }
303 children {
304 ${conn_name} {
305 start_action = trap
306 }
307 }
308 }
309}
310EOF
311 lxc file push "${config}" "${peer}/etc/swanctl/conf.d/${conn_name}.conf"
312 echo "Loading creds in container ${peer}"
313 lxc exec "${peer}" -- swanctl --load-creds
314 echo "Loading connections in container ${peer}"
315 lxc exec "${peer}" -- swanctl --load-conns
316 done
317}
318
319setup() {
320 local algo=${1:-ed25519}
321 echo "Creating a CA"
322 echo
323 echo "Generating private key for CA"
324 pki --gen --type "${algo}" --outform pem > "${CA_KEY_FILE}"
325
326 echo "Generating self-signed certificate for CA"
327 pki \
328 --self --ca --lifetime 10 --in "${CA_KEY_FILE}" \
329 --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
330 --outform pem > "${CA_CERT_FILE}"
331 echo "Here is the CA cert:"
332 pki --print --in "${CA_CERT_FILE}"
333
334 for peer in "${PEERS[@]}"; do
335 echo "Generating key and certificate for peer ${peer}"
336 _setup_peer "${peer}" "${algo}"
337 done
338
339 echo "Setting up host LXD"
340 _setup_lxd
341
342 echo "Creating host containers"
343 _setup_host_containers
344
345 echo "Copy certificates to containers"
346 _setup_host_containers_certs
347
348 echo "Configuring strongswan in containers"
349 _setup_host_containers_strongswan
350}
351
352test_ping() {
353 for peer in "${PEERS[@]}"; do
354 echo "Generating traffic from ${peer} to ${REMOTE[${peer}]}"
355 # first ping to establish the tunnel always fails
356 lxc exec "${peer}" -- ping -c 2 -W 3 "${REMOTE[${peer}]}.lxd" > /dev/null 2>&1 || :
357 # this one must work
358 lxc exec "${peer}" -- ping -c 4 -W 3 "${REMOTE[${peer}]}.lxd"
359 echo
360 done
361}
362
363test_sa() {
364 for peer in "${PEERS[@]}"; do
365 sa=$(lxc exec "${peer}" -- swanctl --list-sas)
366 echo "This is the ${peer} SA:"
367 if [ -z "${sa}" ]; then
368 echo "FAILED: SA is empty (swanctl --list-sas)"
369 return 1
370 fi
371 echo "${sa}"
372 echo
373 check_sa "${peer}" "${sa}"
374 echo
375 done
376}
377
378test_pol() {
379 for peer in "${PEERS[@]}"; do
380 pol=$(lxc exec "${peer}" -- swanctl --list-pols)
381 echo "This is the ${peer} policy:"
382 if [ -z "${pol}" ]; then
383 echo "FAILED: pol is empty (swanctl --list-pols)"
384 return 1
385 fi
386 echo "${pol}"
387 echo
388 check_pol "${peer}" "${pol}"
389 echo
390 done
391}
392
393
394# the lxd deb package last existed in focal, so we install the snap
395snap list lxd > /dev/null 2>&1 || snap install lxd
396
397setup "${PUBKEY_ALGO}"
398
399test_ping
400test_sa
401test_pol
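Review bot: `snap install lxd` (line 395) installs `lxd` and `lxc` under /snap/bin, and nothing in this script adds that directory to PATH, so in an environment whose non-login shell does not already include /snap/bin the very first `lxd init --auto` (line 216) fails with "command not found"; an `export PATH="/snap/bin:${PATH}"` right after the snap install closes that. Smaller points in the same file: with `set -e` and `set -o pipefail`, a non-matching `grep` in line 217 aborts the script, so the `${network:-lxdbr0}` fallback in line 218 is unreachable (append `|| true` to the pipeline if the fallback is meant to be used); line 225 reads `${noproxy}` where the conventional variable is `no_proxy`; both peer certificates are issued with `--serial 01` from the same CA (line 211), which violates the per-CA serial uniqueness X.509 requires, and dropping `--serial` lets pki generate a random one; the FAIL message in line 115 says "local ip" in the remote-IP branch; `ip` in check_sa is assigned without `local`; and `tar -cC /etc/apt .` (line 248) copies the entire host apt configuration, including any archive credentials under auth.conf.d, into the peers, which deserves either a comment or a narrower copy (sources.list, sources.list.d, trusted.gpg.d, keyrings).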
diff --git a/debian/tests/utils b/debian/tests/utils
0new file mode 100644402new file mode 100644
index 0000000..e8a8584
--- /dev/null
+++ b/debian/tests/utils
@@ -0,0 +1,61 @@
1wait_container_ready() {
2 local container="${1}"
3 local -i limit=300 # seconds
4 local -i i=0
5 while /bin/true; do
6 ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
7 if [ -n "${ip}" ]; then
8 break
9 fi
10 i=$((i+1))
11 if [ ${i} -ge ${limit} ]; then
12 return 1
13 fi
14 sleep 1s
15 echo -n "."
16 done
17 while ! nc -z "${ip}" 22; do
18 echo -n "."
19 i=$((i+1))
20 if [ ${i} -ge ${limit} ]; then
21 return 1
22 fi
23 sleep 1s
24 done
25 # cloud-init might still be doing things...
26 # this call blocks, so wrap it in its own little timeout
27 # Give it ${limit} seconds too
28 output=$(lxc exec "${container}" -- timeout --verbose ${limit} cloud-init status --wait) || {
29 result=$?
30 echo "cloud-init status --wait failed on container ${container}"
31 echo "${output}"
32 return ${result}
33 }
34 echo
35}
36
37get_test_dependencies() {
38 local test_name="${1}"
39 shift
40 local exclusions="$*"
41 # Get test dependencies which we need to install in the containers
42 # we will create:
43 # -s: show Depends field
44 # -n: omit field name in output
45 # -X: do an exact match, instead of substring
46 # -F Tests: apply regexp to Tests field
47 depends=$(grep-dctrl -s Depends -n -F Tests -X "${test_name}" debian/tests/control | tr -d ,)
48 [ -n "${depends}" ] || {
49 echo "Failed to obtain list of dependencies for this test"
50 return 1
51 }
52 # remove exclusions, if any
53 for p in ${depends}; do
54 if echo "${exclusions}" | grep -qwF "${p}"; then
55 continue
56 else
57 echo "${p}"
58 fi
59 done
60}
61
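Review bot: `wait_container_ready` leaks `ip`, `output` and `result` into the caller's scope (only `container`, `limit` and `i` are declared `local`), and `get_test_dependencies` does the same with `depends` and `p`; declare them local so the helpers do not clobber variables in debian/tests/host-to-host. Two fragility points: `lxc list "${container}"` (line 6) filters by name prefix, so a peer whose name is a prefix of another container's name would read the wrong row (anchor it as `^${container}$`), and `grep-dctrl -X` (line 47) matches the whole Tests field exactly, so the lookup silently returns nothing the moment a control stanza lists a second test name, while `tr -d ,` would mangle a versioned dependency such as `foo (>= 1)`; a comment stating both assumptions, or a check that the result is non-empty per package, would make that failure mode visible. Minor: `while /bin/true` can be the `true` builtin.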
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
index 455c7cb..54c2b06 100644
--- a/debian/usr.sbin.swanctl
+++ b/debian/usr.sbin.swanctl
@@ -22,7 +22,7 @@
22 /run/charon.vici rw,22 /run/charon.vici rw,
2323
24 # Allow reading own binary24 # Allow reading own binary
25 /usr/sbin/swanctl r,25 /usr/sbin/swanctl rm,
2626
27 # for af-alg plugin27 # for af-alg plugin
28 network alg seqpacket,28 network alg seqpacket,
