[ubuntu/disco-proposed] strongswan 5.7.1-1ubuntu1 (Accepted)

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Dec 6 08:28:15 UTC 2018


strongswan (5.7.1-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable (LP: #1806401). Remaining changes:
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be, see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention additionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
    - d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - Relocate tnc plugin
      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    - d/libstrongswan.install: Reorder conf and .so alphabetically
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too many more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP #1766240)
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
  * Added Changes:
    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
      fix SIGSEGV when using mysql plugin (LP: #1795813)
    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
    - executables need to be able to read, map and execute themselves, otherwise
      execution in some environments, e.g. containers, is blocked (LP: #1780534)
      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
    - adapt "mass enablement of extra plugins" to match 5.7.x changes
      + d/rules: use new options for swima instead of swid
      + d/strongswan-tnc-server.install: add new sec updater tool
      + d/strongswan-tnc-client.install: add new sw-collector tool
  * Dropped (in Debian now):
    - SECURITY UPDATE: Insufficient input validation in gmp plugin
      (CVE-2018-17540)
    - SECURITY UPDATE: Insufficient input validation in gmp plugin
      (CVE-2018-16151 CVE-2018-16152)
    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
      usr-merge, thanks to Christian Ehrhardt. LP #1784023

strongswan (5.7.1-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces
  * d/rules: Remove trailing whitespaces
  * d/control: Remove XS-Testsuite field, not needed anymore

  [ Yves-Alexis Perez ]
  * enable chapoly plugin (closes: #814927)
  * remove unused lintian overrides
  * New upstream version 5.7.1
    - fix an integer underflow and subsequent heap buffer overflow in the gmp
    plugin triggered by crafted certificates with RSA keys with very small
    moduli (CVE-2018-17540)

strongswan (5.7.0-1) unstable; urgency=medium

  * update AppArmor templates to handle usr merge (closes: #905082)
  * d/gbp.conf added, following DEP-14
  * New upstream version 5.7.0
    - include fixes for CVE-2018-16151 and CVE-2018-16152, potential
    Bleichenbacher-style low-exponent attacks leading to RSA signature forgery
    in gmp plugin.
  * d/control: fix typo in libstrongswan long description

Date: Mon, 03 Dec 2018 15:18:31 +0100
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/strongswan/5.7.1-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 Dec 2018 15:18:31 +0100
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-standard-plugins libcharon-extra-plugins strongswan-starter strongswan-libcharon strongswan-charon strongswan-nm strongswan-tnc-ifmap strongswan-tnc-base strongswan-tnc-client strongswan-tnc-server strongswan-tnc-pdp charon-cmd strongswan-pki strongswan-scepclient strongswan-swanctl charon-systemd
Architecture: source
Version: 5.7.1-1ubuntu1
Distribution: disco
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Description:
 charon-cmd - standalone IPsec client
 charon-systemd - strongSwan IPsec client, systemd support
 libcharon-extra-plugins - strongSwan charon library (extra plugins)
 libcharon-standard-plugins - strongSwan charon library (standard plugins)
 libstrongswan - strongSwan utility and crypto library
 libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
 libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
 strongswan - IPsec VPN solution metapackage
 strongswan-charon - strongSwan Internet Key Exchange daemon
 strongswan-libcharon - strongSwan charon library
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-pki - strongSwan IPsec client, pki command
 strongswan-scepclient - strongSwan IPsec client, SCEP client
 strongswan-starter - strongSwan daemon starter and configuration file parser
 strongswan-swanctl - strongSwan IPsec client, swanctl command
 strongswan-tnc-base - strongSwan Trusted Network Connect's (TNC) - base files
 strongswan-tnc-client - strongSwan Trusted Network Connect's (TNC) - client files
 strongswan-tnc-ifmap - strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP clie
 strongswan-tnc-pdp - strongSwan plugin for Trusted Network Connect's (TNC) PDP
 strongswan-tnc-server - strongSwan Trusted Network Connect's (TNC) - server files
Closes: 814927 905082
Launchpad-Bugs-Fixed: 1773956 1780534 1795813 1806401
Original-Maintainer: strongSwan Maintainers <pkg-swan-devel at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

