[ubuntu/xenial-proposed] strongswan 5.3.5-1ubuntu1 (Accepted)

Ryan Harper ryan.harper at canonical.com
Thu Feb 18 04:34:18 UTC 2016


strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debian/usr.lib.ipsec.{charon, lookip, stroke}
        - added AppArmor profiles for charon, lookip and stroke
      * debian/libcharon-extra-plugins.install
        - Add plugins
          - kernel-libipsec.{so, lib, conf, apparmor}
        - Remove plugins
          - libstrongswan-ha.so
        - Relocate plugins
          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
      * debian/libstrongswan-extra-plugins.install
        - Add plugins (so, lib, conf)
          - acert
          - attr-sql
          - coupling
          - dnscert
          - fips-prf
          - gmp
          - ipseckey
          - load-tester
          - mysql
          - ntru
          - radattr
          - soup
          - sqlite
          - sql
          - systime-fix
          - unbound
          - whitelist
        - Relocate plugins (so, lib, conf)
          - ccm (libstrongswan.install)
          - test-vectors (libstrongswan.install)
      * debian/libstrongswan.install
        - Sort sections
        - Add plugins (so, lib, conf)
          - libchecksum
          - ccm
          - eap-identity
          - md4
          - test-vectors
      * debian/strongswan-charon.install
        - Add AppArmor profile for charon
      * debian/strongswan-starter.install
        - Add tools, manpages, conf
          - openac
          - pool
          - _updown_espmark
        - Add AppArmor profile for stroke
      * debian/strongswan-tnc-base.install
        - Add new subpackage for TNC
        - remove non-existent (dropped in 5.2.1) libpts library files
      * debian/strongswan-tnc-client.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-ifmap.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-pdp.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-server.install
        - Add new subpackage for TNC
      * debian/strongswan-starter.postinit:
        - Removed section about runlevel changes, it's almost 2014.
        - Adapted service restart section for Upstart.
        - Remove old symlinks to init.d files is necessary.
      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
      * debian/strongswan-starter.prerm: Stop strongswan service on package
        removal (as opposed to using the old init.d script).
      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
        - logcheck patterns updated to be helpful
      * debian/strongswan-starter.postinst: Removed further out-dated code and
        entire section on opportunistic encryption - this was never in strongSwan.
      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
    Drop changes:
      * debian/control
        - Per-plugin package breakup: Reducing packaging delta from Debian
        - Don't build dhcp, farp subpackages: Reduce packaging delta from Debian
      * debian/watch: Already exists in Debian merge
      * debian/upstream/signing-key.asc:  Upstream has newer version.

strongswan (5.3.5-1) unstable; urgency=medium

  * New upstream bugfix release.

strongswan (5.3.4-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    - 03_systemd-service refreshed for new upstream release.
    - 0001-socket-default-Refactor-setting-source-address-when-,
    0001-socket-dynamic-Refactor-setting-source-address-when- and
    CVE-2015-8023_eap_mschapv2_state dropped, included upstream.

strongswan (5.3.3-3) unstable; urgency=high

  * Set urgency=high for security fix.
  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
    using EAP MSCHAPv2.

strongswan (5.3.3-2) unstable; urgency=medium

  * debian/rules:
    - make the dh_install override arch-dependent only since it only acts on
    arch:any packages, fix FTBFS on arch:all.

strongswan (5.3.3-1) unstable; urgency=medium

  * debian/rules:
    - enable the connmark plugin.
  * debian/control:
    - add build-dep on iptables-dev.
  * debian/libstrongswan-standard-plugins:
    - add connmark plugin to the standard-plugins package.
  * New upstream release.                                       closes: #803772
  * debian/strongswan-starter.install:
    - install new pki --dn manpage to ipsec-starter package.
  * debian/patches:
    - 0001-socket-default-Refactor-setting-source-address-when- and
    0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
    from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
    source address selection with IPv6 (upstream #1171)

strongswan (5.3.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
    - CVE-2015-4171_enforce_remote_auth dropped as well.

strongswan (5.3.1-1) unstable; urgency=high

  * New upstream release.
  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
    - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
    same message ID twice in sequential IV gen. strongSwan issue #980.
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
    authentication credential to rogue server when using PSK or EAP. This is
    CVE-2015-4171.

strongswan (5.3.0-2) unstable; urgency=medium

  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
      remote code execution vulnerability (CVE-2015-3991).
  * debian/strongswan-starter.lintian-overrides: add override for
    command-with-path-in-maintainer-script since it's there to check for file
    existence.
  * Upload to unstable.

strongswan (5.3.0-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream release.
    - 02_chunk-endianness dropped, included upstream.
    - CVE-2014-9221_modp_custom dropped, included upstream.
  * debian/strongswan-starter.install
    - don't install the _updown and _updown_espmark manpages anymore, they're
    gone.
    - also remove the _updown_espmark script, gone too.
  * debian/copyright updated.

strongswan (5.2.1-6) unstable; urgency=medium

  * Ship /lib/systemd/system/ipsec.service as a symlink to
    strongswan.service in strongswan-starter instead of using Alias= in
    the service file. This makes the ipsec name available to invoke-rc.d
    before the service gets actually enabled, which avoids some confusion
    (closes: #781209).

strongswan (5.2.1-5) unstable; urgency=high

  * debian/patches:
    - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
    denial of service in IKEv2 when using custom MODP value.

strongswan (5.2.1-4) unstable; urgency=medium

  * Give up on trying to run the test suite on !amd64, it now times out on
    both i386 and s390x, our chosen "fast" archs.

strongswan (5.2.1-3) unstable; urgency=medium

  * Disable libtls tests again, they are still too intensive for the buildd
    network...

strongswan (5.2.1-2) unstable; urgency=medium

  * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
    computation and FTBFS on big-endian hosts.
  * Run the test suite only on amd64, i386, and s390x. It requires lots of
    entropy and CPU time, which are typically hard to come by on slower
    archs.
  * Re-enable normal keylengths in test suite.
  * Re-enable libtls tests.
  * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
  * Bump Standards-Version to 3.9.6.

strongswan (5.2.1-1) unstable; urgency=medium

  * New upstream release.
  * Stop shipping /etc/strongswan.conf.d in libstrongswan.

strongswan (5.2.0-2) unstable; urgency=medium

  * Add systemd integration:
    + Install upstream systemd service file in strongswan-starter.
    + Alias strongswan.service to ipsec.service to match the sysv init script.
    + Drop After=syslog.target (as syslog is socket-activated nowadays), but
      add After=network.target to ensure that charon gets the chance to send
      deletes on exit.
    + Add ExecReload for reload action, since the starter script has one.
    + On linux-any, add build-dep on systemd to ensure that the pkg-config
      metadata file can be found.
    + Add build-dep on dh-systemd, and use systemd dh addon.
  * Remove debian/patches/03_include-stdint.patch.

strongswan (5.2.0-1) unstable; urgency=medium

  * New upstream release.
  [ Romain Francoise ]
  * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
  * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).

  [ Yves-Alexis Perez ]
  * debian/po:
    - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
  * debian/patches:
    03_pfkey-Always-include-stdint.h dropped, included upstream.
  * debian/strongswan-starter.install:
    - replace tools.conf by pki.conf and scepclient.conf.

strongswan (5.1.3-4) unstable; urgency=medium

  * debian/control:
    - add build-dep on pkg-config.
  * debian/patches:
    - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
      always include stdint.h. Fix FTBFS on kFreeBSD.

strongswan (5.1.3-3) unstable; urgency=medium

  * debian/watch:
    - add pgpsigurlmangle to get PGP signature
  * debian/upstream/signing-key.asc:
    - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
  * debian/control:
    - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796

strongswan (5.1.3-2) unstable; urgency=low

  * Disable the new libtls test suite for now--it appears to be a
    little too intensive for slower archs.

strongswan (5.1.3-1) unstable; urgency=low

  * New upstream release.
  * debian/control: make strongswan-charon depend on iproute2 | iproute,
    thanks to Ryo IGARASHI <rigarash at gmail.com> (closes: #744832).

strongswan (5.1.2-4) unstable; urgency=high

  * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
    (authentication bypass vulnerability in IKEv2 code).
  * debian/control: add myself to Uploaders.

strongswan (5.1.2-3) unstable; urgency=medium

  * debian/patches/
    - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
    testsuite failing on 64 bit big-endian platforms (s390x).
    - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
    armel.

strongswan (5.1.2-2) unstable; urgency=medium

  * debian/rules:
    - use reduced keylengths in testsuite on various arches, hopefully fixing
      FTBFS when the genrsa test runs.

strongswan (5.1.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - add conflicts against openSwan.                           closes: #740808
  * debian/strongswan-starter,postrm:
    - remove /var/lib/strongswan on purge.
  * debian/ipsec.secrets.proto:
    - stop lying about ipsec showhostkey command.               closes: #600382
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream.
    - 02_include-strongswan.conf.d removed, strongswan.d is now supported
      upstream.
  * debian/rules, debian/*.install:
    - install default configuration files for all plugins.
  * debian/NEWS:
    - fix spurious entry.
    - add a NEWS entry to advertise about the new strongswan.d configuration
      mechanism.

Date: Fri, 12 Feb 2016 11:24:53 -0600
Changed-By: Ryan Harper <ryan.harper at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Serge Hallyn <serge.hallyn at ubuntu.com>
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Feb 2016 11:24:53 -0600
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins strongswan-plugin-dnskey strongswan-plugin-fips-prf strongswan-plugin-gmp strongswan-plugin-pgp strongswan-plugin-pubkey strongswan-plugin-sshkey libstrongswan-extra-plugins libcharon-extra-plugins strongswan-dbg strongswan-starter strongswan-libcharon strongswan-charon strongswan-ike strongswan-nm strongswan-tnc-ifmap strongswan-tnc-base strongswan-tnc-client strongswan-tnc-server strongswan-tnc-pdp strongswan-ikev1 strongswan-ikev2 charon-cmd strongswan-plugin-agent strongswan-plugin-openssl strongswan-plugin-af-alg strongswan-plugin-attr-sql strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-gcrypt strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-load-tester strongswan-plugin-mysql strongswan-plugin-ntru strongswan-plugin-pkcs11 strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-sqlite strongswan-plugin-soup
 strongswan-plugin-systime-fix strongswan-plugin-unbound strongswan-plugin-whitelist strongswan-plugin-dhcp strongswan-plugin-certexpire strongswan-plugin-eap-aka strongswan-plugin-eap-gtc strongswan-plugin-eap-md5 strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-tnc strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-kernel-libipsec strongswan-plugin-led strongswan-plugin-lookip strongswan-plugin-unity strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-pam strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-peap strongswan-plugin-eap-sim strongswan-plugin-eap-sim-file strongswan-plugin-eap-sim-pcsc strongswan-plugin-eap-simaka-pseudonym strongswan-plugin-eap-simaka-reauth strongswan-plugin-eap-simaka-sql strongswan-plugin-farp strongswan-plugin-xauth-noauth
 strongswan-plugin-duplicheck
Architecture: source
Version: 5.3.5-1ubuntu1
Distribution: xenial
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ryan Harper <ryan.harper at canonical.com>
Description:
 charon-cmd - standalone IPsec client
 libcharon-extra-plugins - strongSwan charon library (extra plugins)
 libstrongswan - strongSwan utility and crypto library
 libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
 libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
 strongswan - IPsec VPN solution metapackage
 strongswan-charon - strongSwan Internet Key Exchange daemon
 strongswan-dbg - strongSwan library and binaries - debugging symbols
 strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package)
 strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package
 strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package
 strongswan-libcharon - strongSwan charon library
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-plugin-af-alg - strongSwan plugin for AF_ALG Linux crypto API interface
 strongswan-plugin-agent - strongSwan plugin for accessing private keys via ssh-agent
 strongswan-plugin-attr-sql - strongSwan plugin for providing IKE attributes from databases
 strongswan-plugin-certexpire - strongSwan plugin for exporting expiration dates of certificates
 strongswan-plugin-coupling - strongSwan plugin for permanent peer certificate coupling
 strongswan-plugin-curl - strongSwan plugin for the libcurl based HTTP/FTP fetcher
 strongswan-plugin-dhcp - strongSwan plugin for forwarding DHCP request to a server
 strongswan-plugin-dnscert - strongSwan plugin for authentication via CERT RRs
 strongswan-plugin-dnskey - strongSwan plugin for parsing RFC 4034 public keys
 strongswan-plugin-duplicheck - strongSwan plugin for duplicheck functionality
 strongswan-plugin-eap-aka - strongSwan plugin for generic EAP-AKA protocol handling
 strongswan-plugin-eap-aka-3gpp2 - strongSwan plugin for the 3GPP2-based EAP-AKA backend
 strongswan-plugin-eap-dynamic - strongSwan plugin for dynamic EAP method selection
 strongswan-plugin-eap-gtc - strongSwan plugin for EAP-GTC protocol handler
 strongswan-plugin-eap-md5 - strongSwan plugin for EAP-MD5 protocol handler
 strongswan-plugin-eap-mschapv2 - strongSwan plugin for EAP-MSCHAPv2 protocol handler
 strongswan-plugin-eap-peap - strongSwan plugin for EAP-PEAP protocol handler
 strongswan-plugin-eap-radius - strongSwan plugin for EAP interface to a RADIUS server
 strongswan-plugin-eap-sim - strongSwan plugin for generic EAP-SIM protocol handling
 strongswan-plugin-eap-sim-file - strongSwan plugin for EAP-SIM credentials from files
 strongswan-plugin-eap-sim-pcsc - strongSwan plugin for EAP-SIM credentials on smartcards
 strongswan-plugin-eap-simaka-pseudonym - strongSwan plugin for the EAP-SIM/AKA identity database
 strongswan-plugin-eap-simaka-reauth - strongSwan plugin for the EAP-SIM/AKA reauthentication database
 strongswan-plugin-eap-simaka-sql - strongSwan plugin for SQL-based EAP-SIM/AKA backend reading
 strongswan-plugin-eap-tls - strongSwan plugin for the EAP-TLS protocol handler
 strongswan-plugin-eap-tnc - strongSwan plugin for the EAP-TNC protocol handler
 strongswan-plugin-eap-ttls - strongSwan plugin for the EAP-TTLS protocol handler
 strongswan-plugin-error-notify - strongSwan plugin for error notifications
 strongswan-plugin-farp - strongSwan plugin for faking ARP responses
 strongswan-plugin-fips-prf - strongSwan plugin for PRF specified by FIPS
 strongswan-plugin-gcrypt - strongSwan plugin for gcrypt
 strongswan-plugin-gmp - strongSwan plugin for libgmp based crypto
 strongswan-plugin-ipseckey - strongSwan plugin for authentication via IPSECKEY RRs
 strongswan-plugin-kernel-libipsec - strongSwan plugin for a IPsec backend that entirely in userland
 strongswan-plugin-ldap - strongSwan plugin for LDAP CRL fetching
 strongswan-plugin-led - strongSwan plugin for LEDs blinking on IKE activity
 strongswan-plugin-load-tester - strongSwan plugin for load testing
 strongswan-plugin-lookip - strongSwan plugin for lookip interface
 strongswan-plugin-mysql - strongSwan plugin for MySQL
 strongswan-plugin-ntru - strongSwan plugin for NTRU crypto
 strongswan-plugin-openssl - strongSwan plugin for OpenSSL
 strongswan-plugin-pgp - strongSwan plugin for PGP encoding/decoding routines
 strongswan-plugin-pkcs11 - strongSwan plugin for PKCS#11 smartcard backend
 strongswan-plugin-pubkey - strongSwan plugin for raw public keys
 strongswan-plugin-radattr - strongSwan plugin for custom RADIUS attribute processing
 strongswan-plugin-soup - strongSwan plugin for the libsoup based HTTP fetcher
 strongswan-plugin-sql - strongSwan plugin for SQL configuration and credentials
 strongswan-plugin-sqlite - strongSwan plugin for SQLite
 strongswan-plugin-sshkey - strongSwan plugin for SSH key decoding routines
 strongswan-plugin-systime-fix - strongSwan plugin for system time fixing
 strongswan-plugin-unbound - strongSwan plugin for DNSSEC-enabled resolver using libunbound
 strongswan-plugin-unity - strongSwan plugin for IKEv1 Cisco Unity Extensions
 strongswan-plugin-whitelist - strongSwan plugin for peer-verification against a whitelist
 strongswan-plugin-xauth-eap - strongSwan plugin for XAuth backend using EAP methods
 strongswan-plugin-xauth-generic - strongSwan plugin for the generic XAuth backend
 strongswan-plugin-xauth-noauth - strongSwan plugin for the generic XAuth backend
 strongswan-plugin-xauth-pam - strongSwan plugin for XAuth backend using PAM
 strongswan-starter - strongSwan daemon starter and configuration file parser
 strongswan-tnc-base - strongSwan Trusted Network Connect's (TNC) - base files
 strongswan-tnc-client - strongSwan Trusted Network Connect's (TNC) - client files
 strongswan-tnc-ifmap - strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP clie
 strongswan-tnc-pdp - strongSwan plugin for Trusted Network Connect's (TNC) PDP
 strongswan-tnc-server - strongSwan Trusted Network Connect's (TNC) - server files
Closes: 600382 740808 744832 747796 752721 763798 781209 803772
Launchpad-Bugs-Fixed: 1309594 1330504 1333655 1448870 1451091 1470277 1505222
Changes:
 strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
 .
   * debian/{rules,control,libstrongswan-extra-plugins.install}
     Enable bliss plugin
   * debian/{rules,control,libstrongswan-extra-plugins.install}
     Enable chapoly plugin
   * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
     Upstream suggests to not load this plugin by default as it has
     some limitations.
     https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
   * debian/patches/increase-bliss-test-timeout.patch
     Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
   * Update Apparmor profiles
     - usr.lib.ipsec.charon
       - add capability audit_write for xauth-pam (LP: #1470277)
       - add capability dac_override (needed by agent plugin)
       - allow priv dropping (LP: #1333655)
       - allow caching CRLs (LP: #1505222)
       - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
     - usr.lib.ipsec.stroke
       - allow priv dropping (LP: #1333655)
       - add local include
     - usr.lib.ipsec.lookip
       - add local include
   * Merge from Debian, which includes fixes for all previous CVEs
     Fixes (LP: #1330504, #1451091, #1448870, #1470277)
     Remaining changes:
       * debian/control
         - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
         - Update Maintainer for Ubuntu
         - Add build-deps
           - dh-apparmor
           - iptables-dev
           - libjson0-dev
           - libldns-dev
           - libmysqlclient-dev
           - libpcsclite-dev
           - libsoup2.4-dev
           - libtspi-dev
           - libunbound-dev
         - Drop build-deps
           - libfcgi-dev
           - clearsilver-dev
         - Create virtual packages for all strongswan-plugin-* for dist-upgrade
         - Set XS-Testsuite: autopkgtest
       * debian/rules:
         - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
         - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
           tests.
         - Change init/systemd program name to strongswan
         - Install AppArmor profiles
         - Removed pieces on 'patching ipsec.conf' on build.
         - Enablement of features per Ubuntu current config suggested from
           upstream recommendation
         - Unpack and sort enabled features to one-per-line
         - Disable duplicheck as per
           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
         - Disable libfast (--disable-fast):
           Requires dropping medsrv, medcli plugins which depend on libfast
         - Add configure options
           --with-tss=trousers
         - Remove configure options:
           --enable-ha (requires special kernel)
           --enable-unit-test (unit tests run by default)
         - Drop logcheck install
       * debian/tests/*
         - Add DEP8 test for strongswan service and plugins
       * debian/strongswan-starter.strongswan.service
         - Add new systemd file instead of patching upstream
       * debian/strongswan-starter.links
         - removed, use Ubuntu systemd file instead of linking to upstream
       * debian/usr.lib.ipsec.{charon, lookip, stroke}
         - added AppArmor profiles for charon, lookip and stroke
       * debian/libcharon-extra-plugins.install
         - Add plugins
           - kernel-libipsec.{so, lib, conf, apparmor}
         - Remove plugins
           - libstrongswan-ha.so
         - Relocate plugins
           - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
       * debian/libstrongswan-extra-plugins.install
         - Add plugins (so, lib, conf)
           - acert
           - attr-sql
           - coupling
           - dnscert
           - fips-prf
           - gmp
           - ipseckey
           - load-tester
           - mysql
           - ntru
           - radattr
           - soup
           - sqlite
           - sql
           - systime-fix
           - unbound
           - whitelist
         - Relocate plugins (so, lib, conf)
           - ccm (libstrongswan.install)
           - test-vectors (libstrongswan.install)
       * debian/libstrongswan.install
         - Sort sections
         - Add plugins (so, lib, conf)
           - libchecksum
           - ccm
           - eap-identity
           - md4
           - test-vectors
       * debian/strongswan-charon.install
         - Add AppArmor profile for charon
       * debian/strongswan-starter.install
         - Add tools, manpages, conf
           - openac
           - pool
           - _updown_espmark
         - Add AppArmor profile for stroke
       * debian/strongswan-tnc-base.install
         - Add new subpackage for TNC
         - remove non-existent (dropped in 5.2.1) libpts library files
       * debian/strongswan-tnc-client.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-ifmap.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-pdp.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-server.install
         - Add new subpackage for TNC
       * debian/strongswan-starter.postinit:
         - Removed section about runlevel changes, it's almost 2014.
         - Adapted service restart section for Upstart.
         - Remove old symlinks to init.d files is necessary.
       * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
       * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
       * debian/strongswan-starter.prerm: Stop strongswan service on package
         removal (as opposed to using the old init.d script).
       * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
         - logcheck patterns updated to be helpful
       * debian/strongswan-starter.postinst: Removed further out-dated code and
         entire section on opportunistic encryption - this was never in strongSwan.
       * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
     Drop changes:
       * debian/control
         - Per-plugin package breakup: Reducing packaging delta from Debian
         - Don't build dhcp, farp subpackages: Reduce packaging delta from Debian
       * debian/watch: Already exists in Debian merge
       * debian/upstream/signing-key.asc:  Upstream has newer version.
 .
 strongswan (5.3.5-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
 .
 strongswan (5.3.4-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 03_systemd-service refreshed for new upstream release.
     - 0001-socket-default-Refactor-setting-source-address-when-,
     0001-socket-dynamic-Refactor-setting-source-address-when- and
     CVE-2015-8023_eap_mschapv2_state dropped, included upstream.
 .
 strongswan (5.3.3-3) unstable; urgency=high
 .
   * Set urgency=high for security fix.
   * debian/patches:
     - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
     using EAP MSCHAPv2.
 .
 strongswan (5.3.3-2) unstable; urgency=medium
 .
   * debian/rules:
     - make the dh_install override arch-dependent only since it only acts on
     arch:any packages, fix FTBFS on arch:all.
 .
 strongswan (5.3.3-1) unstable; urgency=medium
 .
   * debian/rules:
     - enable the connmark plugin.
   * debian/control:
     - add build-dep on iptables-dev.
   * debian/libstrongswan-standard-plugins:
     - add connmark plugin to the standard-plugins package.
   * New upstream release.                                       closes: #803772
   * debian/strongswan-starter.install:
     - install new pki --dn manpage to ipsec-starter package.
   * debian/patches:
     - 0001-socket-default-Refactor-setting-source-address-when- and
     0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
     from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
     source address selection with IPv6 (upstream #1171)
 .
 strongswan (5.3.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
     - CVE-2015-4171_enforce_remote_auth dropped as well.
 .
 strongswan (5.3.1-1) unstable; urgency=high
 .
   * New upstream release.
   * debian/patches:
     - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
     - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
     same message ID twice in sequential IV gen. strongSwan issue #980.
     - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
     authentication credential to rogue server when using PSK or EAP. This is
     CVE-2015-4171.
 .
 strongswan (5.3.0-2) unstable; urgency=medium
 .
   * debian/patches:
     - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
       remote code execution vulnerability (CVE-2015-3991).
   * debian/strongswan-starter.lintian-overrides: add override for
     command-with-path-in-maintainer-script since it's there to check for file
     existence.
   * Upload to unstable.
 .
 strongswan (5.3.0-1) experimental; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 01_fix-manpages refreshed for new upstream release.
     - 02_chunk-endianness dropped, included upstream.
     - CVE-2014-9221_modp_custom dropped, included upstream.
   * debian/strongswan-starter.install
     - don't install the _updown and _updown_espmark manpages anymore, they're
     gone.
     - also remove the _updown_espmark script, gone too.
   * debian/copyright updated.
 .
 strongswan (5.2.1-6) unstable; urgency=medium
 .
   * Ship /lib/systemd/system/ipsec.service as a symlink to
     strongswan.service in strongswan-starter instead of using Alias= in
     the service file. This makes the ipsec name available to invoke-rc.d
     before the service gets actually enabled, which avoids some confusion
     (closes: #781209).
 .
 strongswan (5.2.1-5) unstable; urgency=high
 .
   * debian/patches:
     - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
     denial of service in IKEv2 when using custom MODP value.
 .
 strongswan (5.2.1-4) unstable; urgency=medium
 .
   * Give up on trying to run the test suite on !amd64, it now times out on
     both i386 and s390x, our chosen "fast" archs.
 .
 strongswan (5.2.1-3) unstable; urgency=medium
 .
   * Disable libtls tests again, they are still too intensive for the buildd
     network...
 .
 strongswan (5.2.1-2) unstable; urgency=medium
 .
   * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
     computation and FTBFS on big-endian hosts.
   * Run the test suite only on amd64, i386, and s390x. It requires lots of
     entropy and CPU time, which are typically hard to come by on slower
     archs.
   * Re-enable normal keylengths in test suite.
   * Re-enable libtls tests.
   * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
   * Bump Standards-Version to 3.9.6.
 .
 strongswan (5.2.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Stop shipping /etc/strongswan.conf.d in libstrongswan.
 .
 strongswan (5.2.0-2) unstable; urgency=medium
 .
   * Add systemd integration:
     + Install upstream systemd service file in strongswan-starter.
     + Alias strongswan.service to ipsec.service to match the sysv init script.
     + Drop After=syslog.target (as syslog is socket-activated nowadays), but
       add After=network.target to ensure that charon gets the chance to send
       deletes on exit.
     + Add ExecReload for reload action, since the starter script has one.
     + On linux-any, add build-dep on systemd to ensure that the pkg-config
       metadata file can be found.
     + Add build-dep on dh-systemd, and use systemd dh addon.
   * Remove debian/patches/03_include-stdint.patch.
 .
 strongswan (5.2.0-1) unstable; urgency=medium
 .
   * New upstream release.
   [ Romain Francoise ]
   * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
   * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).
 .
   [ Yves-Alexis Perez ]
   * debian/po:
     - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
   * debian/patches:
     03_pfkey-Always-include-stdint.h dropped, included upstream.
   * debian/strongswan-starter.install:
     - replace tools.conf by pki.conf and scepclient.conf.
 .
 strongswan (5.1.3-4) unstable; urgency=medium
 .
   * debian/control:
     - add build-dep on pkg-config.
   * debian/patches:
     - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
       always include stdint.h. Fix FTBFS on kFreeBSD.
 .
 strongswan (5.1.3-3) unstable; urgency=medium
 .
   * debian/watch:
     - add pgpsigurlmangle to get PGP signature
   * debian/upstream/signing-key.asc:
     - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
   * debian/control:
     - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796
 .
 strongswan (5.1.3-2) unstable; urgency=low
 .
   * Disable the new libtls test suite for now--it appears to be a
     little too intensive for slower archs.
 .
 strongswan (5.1.3-1) unstable; urgency=low
 .
   * New upstream release.
   * debian/control: make strongswan-charon depend on iproute2 | iproute,
     thanks to Ryo IGARASHI <rigarash at gmail.com> (closes: #744832).
 .
 strongswan (5.1.2-4) unstable; urgency=high
 .
   * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
     (authentication bypass vulnerability in IKEv2 code).
   * debian/control: add myself to Uploaders.
 .
 strongswan (5.1.2-3) unstable; urgency=medium
 .
   * debian/patches/
     - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b added, fix
     testsuite failing on 64 bit big-endian platforms (s390x).
     - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
     armel.
 .
 strongswan (5.1.2-2) unstable; urgency=medium
 .
   * debian/rules:
     - use reduced keylengths in testsuite on various arches, hopefully fixing
       FTBFS when the genrsa test runs.
 .
 strongswan (5.1.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/control:
     - add conflicts against openSwan.                           closes: #740808
   * debian/strongswan-starter,postrm:
     - remove /var/lib/strongswan on purge.
   * debian/ipsec.secrets.proto:
     - stop lying about ipsec showhostkey command.               closes: #600382
   * debian/patches:
     - 01_fix-manpages refreshed for new upstream.
     - 02_include-strongswan.conf.d removed, strongswan.d is now supported
       upstream.
   * debian/rules, debian/*.install:
     - install default configuration files for all plugins.
   * debian/NEWS:
     - fix spurious entry.
     - add a NEWS entry to advertise about the new strongswan.d configuration
       mechanism.
Checksums-Sha1:
 cc4370526f569a481d7301837e3133498ce2b532 8527 strongswan_5.3.5-1ubuntu1.dsc
 80fbd22d4ddb6c0545103c05015f80013e9ad43f 4415297 strongswan_5.3.5.orig.tar.bz2
 ce34294ec3d15a8b53199570e24bcaf0d29bf699 131496 strongswan_5.3.5-1ubuntu1.debian.tar.xz
Checksums-Sha256:
 2cd1fb1c31252055c1a63743681e695bdc236941db8a71f38aabe2a98fb58ed6 8527 strongswan_5.3.5-1ubuntu1.dsc
 2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 4415297 strongswan_5.3.5.orig.tar.bz2
 acb6bd0db213526c3ceea5a394455a8b531a1859a0dea3c7a317e465ede41069 131496 strongswan_5.3.5-1ubuntu1.debian.tar.xz
Files:
 2c7b042fb324077419d7c08235a24d05 8527 net optional strongswan_5.3.5-1ubuntu1.dsc
 a2f9ea185f27e7f8413d4cd2ee61efe4 4415297 net optional strongswan_5.3.5.orig.tar.bz2
 fa725858ee45e6fce97616acd54dd12e 131496 net optional strongswan_5.3.5-1ubuntu1.debian.tar.xz
Original-Maintainer: strongSwan Maintainers <pkg-swan-devel at lists.alioth.debian.org>


