Change logs for strongswan source package in Xenial

  • strongswan (5.3.5-1ubuntu3.8) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient input validation in gmp plugin
        - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
          buffer overflow with very small RSA keys in
          src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
        - CVE-2018-17540
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Sep 2018 14:38:03 -0400
  • strongswan (5.3.5-1ubuntu3.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient input validation in gmp plugin
        - debian/patches/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch: don't
          parse PKCS1 v1.5 RSA signatures to verify them in
          src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2018-16151
        - CVE-2018-16152
      * SECURITY UPDATE: remote denial of service
        - debian/patches/strongswan-5.0.1-5.4.0_skeyseed_init.patch: properly
          initialize variable in src/libcharon/sa/ikev2/keymat_v2.c.
        - CVE-2018-10811
      * SECURITY UPDATE: DoS in stroke plugin
        - debian/patches/strongswan-5.1.2-5.6.2_stroke_msg_len.patch: ensure a
          minimum message length in
          src/libcharon/plugins/stroke/stroke_socket.c.
        - CVE-2018-5388
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Sep 2018 11:05:18 +0200
  • strongswan (5.3.5-1ubuntu3.5) xenial; urgency=medium
    
      * d/p/ikev1-First-do-PSK-lookups-lp1734207.patch ensure evaluation
        with resolvable hostnames selects the right PSK (LP: #1734207).
    
     -- Christian Ehrhardt <email address hidden>  Mon, 18 Dec 2017 11:22:24 +0100
  • strongswan (5.3.5-1ubuntu3.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Fix RSA signature verification
        - debian/patches/CVE-2017-11185.patch: does some
          verifications in order to avoid a null-pointer dereference
          in src/libstrongswan/gmp/gmp_rsa_public_key.c
        - CVE-2017-11185
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 15 Aug 2017 15:00:04 -0300
  • strongswan (5.3.5-1ubuntu3.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient Input Validation in gmp Plugin
        - debian/patches/CVE-2017-9022.patch: make sure the modulus is odd and
          the exponent not zero in
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2017-9022
      * SECURITY UPDATE: Incorrect Handling of CHOICE types in ASN.1 parser and
        x509 plugin
        - debian/patches/CVE-2017-9023.patch: fix CHOICE parsing in
          src/libstrongswan/asn1/asn1_parser.*,
          src/libstrongswan/plugins/x509/x509_cert.c.
        - CVE-2017-9023
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 May 2017 15:03:14 -0400
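The three gmp-plugin entries above (5.3.5-1ubuntu3.8, 5.3.5-1ubuntu3.7 and 5.3.5-1ubuntu3.3) describe fixes of one family: sanity checks on the public key (odd modulus, non-zero exponent, a modulus large enough for the encoded digest) and, for signature verification, rebuilding the expected PKCS#1 v1.5 encoding and comparing it rather than parsing the decrypted block. The following is an added example, not strongSwan code and not part of the changelog, that shows the difference on a constructed, deterministically generated toy RSA key with e=3. `verify_lenient` is an illustrative parse-then-check verifier of the kind Bleichenbacher's 2006 attack targets (it never checks that nothing follows the hash); it is not a reproduction of strongSwan's actual parser. `verify_strict` is the encode-and-compare form, and `forge_e3` produces a signature from the public modulus alone that the lenient verifier accepts and the strict one rejects. All names, the seed and the message are assumptions made for this example.

```python
# Added example (not strongSwan code): PKCS#1 v1.5 signature checking done two
# ways, parse-and-check vs encode-and-compare, on a constructed toy RSA key.
import hashlib
import hmac
import math
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2
MIN_PAD = 8  # PKCS#1 v1.5 requires at least eight 0xFF padding bytes
SMALL_PRIMES = [2] + [p for p in range(3, 1000, 2)
                      if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]

def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=2048, e=3, seed=2018):
    """Toy RSA key with e=3.  The fixed seed is for a reproducible demo only;
    never generate real keys this way."""
    rng = random.Random(seed)
    def prime(nbits):
        while True:
            p = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if (p - 1) % e and is_probable_prime(p, rng):  # keep gcd(e, p-1) == 1
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def modulus_bytes(n):
    return (n.bit_length() + 7) // 8

def public_key_is_sane(n, e):
    """Odd modulus, non-zero exponent, and a modulus big enough for the SHA-256 encoding."""
    return n % 2 == 1 and e != 0 and modulus_bytes(n) >= len(SHA256_DIGESTINFO) + 32 + MIN_PAD + 3

def emsa_pkcs1_v1_5(msg, k):
    """00 01 FF..FF 00 || DigestInfo || SHA-256(msg), exactly k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(n, d, msg):
    k = modulus_bytes(n)
    return pow(int.from_bytes(emsa_pkcs1_v1_5(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_public(n, e, sig):
    """s^e mod n as a k-byte block, or None if the signature has the wrong size."""
    k, s = modulus_bytes(n), int.from_bytes(sig, "big")
    return pow(s, e, n).to_bytes(k, "big") if len(sig) == k and s < n else None

def verify_strict(n, e, sig, msg):
    """Encode-and-compare: rebuild the single valid encoding, compare the whole block in constant time."""
    if not public_key_is_sane(n, e):
        return False
    em = rsa_public(n, e, sig)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v1_5(msg, modulus_bytes(n)))

def verify_lenient(n, e, sig, msg):
    """Parse-and-check (illustrative bug): walks padding, reads DigestInfo and hash, ignores the tail."""
    em = rsa_public(n, e, sig)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < MIN_PAD or i >= len(em) or em[i] != 0x00:
        return False
    t, off = em[i + 1:], len(SHA256_DIGESTINFO)
    return t[:off] == SHA256_DIGESTINFO and t[off:off + 32] == hashlib.sha256(msg).digest()

def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < x else (lo, mid)
    return lo

def forge_e3(n, msg):
    """Bleichenbacher-style forgery for e=3 from the public modulus alone: the valid-looking
    prefix fills the top of the block and the cube root's error lands in the unchecked tail."""
    k = modulus_bytes(n)
    prefix = (b"\x00\x01" + b"\xff" * MIN_PAD + b"\x00" + SHA256_DIGESTINFO
              + hashlib.sha256(msg).digest())
    tail_bits = 8 * (k - len(prefix))
    return icbrt_ceil(int.from_bytes(prefix, "big") << tail_bits).to_bytes(k, "big")
```

To try it, call `n, e, d = generate_key()`, sign a message with `sign(n, d, msg)`, and compare `verify_strict` and `verify_lenient` on that signature and on `forge_e3(n, msg)`: the genuine signature passes both, the forgery passes only the lenient parser. The forgery works because the cube root of a 2048-bit block has roughly 1360 bits of low-order slack, which is far more than the bytes the parser leaves unexamined; with the strict verifier there is no unexamined region, and the key checks in `public_key_is_sane` reject an even modulus, a zero exponent, or a modulus shorter than the encoding before any arithmetic happens.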
  • strongswan (5.3.5-1ubuntu3.2) xenial; urgency=medium
    
      * d/p/ikev2-Only-add-NAT-D-notifies-to-DPDs-as-initiator.patch: fix issue
        related to DPD vs iOS10 (LP: #1687711)
    
     -- Christian Ehrhardt <email address hidden>  Wed, 03 May 2017 17:37:06 +0200
  • strongswan (5.3.5-1ubuntu3.1) xenial; urgency=medium
    
      * fix strongswan ipsec status issue with apparmor (LP: #1587886)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 07 Feb 2017 15:25:47 +0100
  • strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
    
      * Rebuild against libmysqlclient20.
    
     -- Robie Basak <email address hidden>  Tue, 05 Apr 2016 13:02:48 +0000
  • strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
    
      * debian/tests/plugins: rdrand may or may not be loaded, depending on the
        cpu features.
    
     -- Iain Lane <email address hidden>  Mon, 22 Feb 2016 17:13:01 +0000
  • strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
    
      * debian/{rules,control,libstrongswan-extra-plugins.install}
        Enable bliss plugin
      * debian/{rules,control,libstrongswan-extra-plugins.install}
        Enable chapoly plugin
      * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
        Upstream suggests not loading this plugin by default as it has
        some limitations.
        https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
      * debian/patches/increase-bliss-test-timeout.patch
        Under QEMU/KVM for autopkgtest the bliss test takes a bit longer than the default
      * Update Apparmor profiles
        - usr.lib.ipsec.charon
          - add capability audit_write for xauth-pam (LP: #1470277)
          - add capability dac_override (needed by agent plugin)
          - allow priv dropping (LP: #1333655)
          - allow caching CRLs (LP: #1505222)
          - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
        - usr.lib.ipsec.stroke
          - allow priv dropping (LP: #1333655)
          - add local include
        - usr.lib.ipsec.lookip
          - add local include
      * Merge from Debian, which includes fixes for all previous CVEs
        Fixes (LP: #1330504, #1451091, #1448870, #1470277)
        Remaining changes:
          * debian/control
            - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
            - Update Maintainer for Ubuntu
            - Add build-deps
              - dh-apparmor
              - iptables-dev
              - libjson0-dev
              - libldns-dev
              - libmysqlclient-dev
              - libpcsclite-dev
              - libsoup2.4-dev
              - libtspi-dev
              - libunbound-dev
            - Drop build-deps
              - libfcgi-dev
              - clearsilver-dev
            - Create virtual packages for all strongswan-plugin-* for dist-upgrade
            - Set XS-Testsuite: autopkgtest
          * debian/rules:
            - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
            - Set TESTS_REDUCED_KEYLENGTHS to one to generate the smallest key lengths in
              tests.
            - Change init/systemd program name to strongswan
            - Install AppArmor profiles
            - Removed pieces on 'patching ipsec.conf' on build.
            - Enablement of features per Ubuntu current config suggested from
              upstream recommendation
            - Unpack and sort enabled features to one-per-line
            - Disable duplicheck as per
              https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
            - Disable libfast (--disable-fast):
              Requires dropping medsrv, medcli plugins which depend on libfast
            - Add configure options
              --with-tss=trousers
            - Remove configure options:
              --enable-ha (requires special kernel)
              --enable-unit-test (unit tests run by default)
            - Drop logcheck install
          * debian/tests/*
            - Add DEP8 test for strongswan service and plugins
          * debian/strongswan-starter.strongswan.service
            - Add new systemd file instead of patching upstream
          * debian/strongswan-starter.links
            - removed, use Ubuntu systemd file instead of linking to upstream
          * debian/usr.lib.ipsec.{charon, lookip, stroke}
            - added AppArmor profiles for charon, lookip and stroke
          * debian/libcharon-extra-plugins.install
            - Add plugins
              - kernel-libipsec.{so, lib, conf, apparmor}
            - Remove plugins
              - libstrongswan-ha.so
            - Relocate plugins
              - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
          * debian/libstrongswan-extra-plugins.install
            - Add plugins (so, lib, conf)
              - acert
              - attr-sql
              - coupling
              - dnscert
              - fips-prf
              - gmp
              - ipseckey
              - load-tester
              - mysql
              - ntru
              - radattr
              - soup
              - sqlite
              - sql
              - systime-fix
              - unbound
              - whitelist
            - Relocate plugins (so, lib, conf)
              - ccm (libstrongswan.install)
              - test-vectors (libstrongswan.install)
          * debian/libstrongswan.install
            - Sort sections
            - Add plugins (so, lib, conf)
              - libchecksum
              - ccm
              - eap-identity
              - md4
              - test-vectors
          * debian/strongswan-charon.install
            - Add AppArmor profile for charon
          * debian/strongswan-starter.install
            - Add tools, manpages, conf
              - openac
              - pool
              - _updown_espmark
            - Add AppArmor profile for stroke
          * debian/strongswan-tnc-base.install
            - Add new subpackage for TNC
            - remove non-existent (dropped in 5.2.1) libpts library files
          * debian/strongswan-tnc-client.install
            - Add new subpackage for TNC
          * debian/strongswan-tnc-ifmap.install
            - Add new subpackage for TNC
          * debian/strongswan-tnc-pdp.install
            - Add new subpackage for TNC
          * debian/strongswan-tnc-server.install
            - Add new subpackage for TNC
          * debian/strongswan-starter.postinit:
            - Removed section about runlevel changes, it's almost 2014.
            - Adapted service restart section for Upstart.
            - Remove old symlinks to init.d files if necessary.
          * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
          * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
          * debian/strongswan-starter.prerm: Stop strongswan service on package
            removal (as opposed to using the old init.d script).
          * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
            - logcheck patterns updated to be helpful
          * debian/strongswan-starter.postinst: Removed further out-dated code and
            entire section on opportunistic encryption - this was never in strongSwan.
          * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
        Drop changes:
          * debian/control
            - Per-plugin package breakup: Reducing packaging delta from Debian
            - Don't build dhcp, farp subpackages: Reduce packaging delta from Debian
          * debian/watch: Already exists in Debian merge
          * debian/upstream/signing-key.asc:  Upstream has newer version.
    
    strongswan (5.3.5-1) unstable; urgency=medium
    
      * New upstream bugfix release.
    
    strongswan (5.3.4-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/patches:
        - 03_systemd-service refreshed for new upstream release.
        - 0001-socket-default-Refactor-setting-source-address-when-,
        0001-socket-dynamic-Refactor-setting-source-address-when- and
        CVE-2015-8023_eap_mschapv2_state dropped, included upstream.
    
    strongswan (5.3.3-3) unstable; urgency=high
    
      * Set urgency=high for security fix.
      * debian/patches:
        - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
        using EAP MSCHAPv2.
    
    strongswan (5.3.3-2) unstable; urgency=medium
    
      * debian/rules:
        - make the dh_install override arch-dependent only since it only acts on
        arch:any packages, fix FTBFS on arch:all.
    
    strongswan (5.3.3-1) unstable; urgency=medium
    
      * debian/rules:
        - enable the connmark plugin.
      * debian/control:
        - add build-dep on iptables-dev.
      * debian/libstrongswan-standard-plugins:
        - add connmark plugin to the standard-plugins package.
      * New upstream release.                                       closes: #803772
      * debian/strongswan-starter.install:
        - install new pki --dn manpage to ipsec-starter package.
      * debian/patches:
        - 0001-socket-default-Refactor-setting-source-address-when- and
        0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
        from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
        source address selection with IPv6 (upstream #1171)
    
    strongswan (5.3.2-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/patches:
        - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
        - CVE-2015-4171_enforce_remote_auth dropped as well.
    
    strongswan (5.3.1-1) unstable; urgency=high
    
      * New upstream release.
      * debian/patches:
        - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
        - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
        same message ID twice in sequential IV gen. strongSwan issue #980.
        - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
        authentication credential to rogue server when using PSK or EAP. This is
        CVE-2015-4171.
    
    strongswan (5.3.0-2) unstable; urgency=medium
    
      * debian/patches:
        - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
          remote code execution vulnerability (CVE-2015-3991).
      * debian/strongswan-starter.lintian-overrides: add override for
        command-with-path-in-maintainer-script since it's there to check for file
        existence.
      * Upload to unstable.
    
    strongswan (5.3.0-1) experimental; urgency=medium
    
      * New upstream release.
      * debian/patches:
        - 01_fix-manpages refreshed for new upstream release.
        - 02_chunk-endianness dropped, included upstream.
        - CVE-2014-9221_modp_custom dropped, included upstream.
      * debian/strongswan-starter.install
        - don't install the _updown and _updown_espmark manpages anymore, they're
        gone.
        - also remove the _updown_espmark script, gone too.
      * debian/copyright updated.
    
    strongswan (5.2.1-6) unstable; urgency=medium
    
      * Ship /lib/systemd/system/ipsec.service as a symlink to
        strongswan.service in strongswan-starter instead of using Alias= in
        the service file. This makes the ipsec name available to invoke-rc.d
        before the service gets actually enabled, which avoids some confusion
        (closes: #781209).
    
    strongswan (5.2.1-5) unstable; urgency=high
    
      * debian/patches:
        - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
        denial of service in IKEv2 when using custom MODP value.
    
    strongswan (5.2.1-4) unstable; urgency=medium
    
      * Give up on trying to run the test suite on !amd64, it now times out on
        both i386 and s390x, our chosen "fast" archs.
    
    strongswan (5.2.1-3) unstable; urgency=medium
    
      * Disable libtls tests again, they are still too intensive for the buildd
        network...
    
    strongswan (5.2.1-2) unstable; urgency=medium
    
      * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
        computation and FTBFS on big-endian hosts.
      * Run the test suite only on amd64, i386, and s390x. It requires lots of
        entropy and CPU time, which are typically hard to come by on slower
        archs.
      * Re-enable normal keylengths in test suite.
      * Re-enable libtls tests.
      * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
      * Bump Standards-Version to 3.9.6.
    
    strongswan (5.2.1-1) unstable; urgency=medium
    
      * New upstream release.
      * Stop shipping /etc/strongswan.conf.d in libstrongswan.
    
    strongswan (5.2.0-2) unstable; urgency=medium
    
      * Add systemd integration:
        + Install upstream systemd service file in strongswan-starter.
        + Alias strongswan.service to ipsec.service to match the sysv init script.
        + Drop After=syslog.target (as syslog is socket-activated nowadays), but
          add After=network.target to ensure that charon gets the chance to send
          deletes on exit.
        + Add ExecReload for reload action, since the starter script has one.
        + On linux-any, add build-dep on systemd to ensure that the pkg-config
          metadata file can be found.
        + Add build-dep on dh-systemd, and use systemd dh addon.
      * Remove debian/patches/03_include-stdint.patch.
    
    strongswan (5.2.0-1) unstable; urgency=medium
    
      * New upstream release.
      [ Romain Francoise ]
      * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
      * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).
    
      [ Yves-Alexis Perez ]
      * debian/po:
        - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
      * debian/patches:
        03_pfkey-Always-include-stdint.h dropped, included upstream.
      * debian/strongswan-starter.install:
        - replace tools.conf by pki.conf and scepclient.conf.
    
    strongswan (5.1.3-4) unstable; urgency=medium
    
      * debian/control:
        - add build-dep on pkg-config.
      * debian/patches:
        - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
          always include stdint.h. Fix FTBFS on kFreeBSD.
    
    strongswan (5.1.3-3) unstable; urgency=medium
    
      * debian/watch:
        - add pgpsigurlmangle to get PGP signature
      * debian/upstream/signing-key.asc:
        - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
      * debian/control:
        - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796
    
    strongswan (5.1.3-2) unstable; urgency=low
    
      * Disable the new libtls test suite for now; it appears to be a
        little too intensive for slower archs.
    
    strongswan (5.1.3-1) unstable; urgency=low
    
      * New upstream release.
      * debian/control: make strongswan-charon depend on iproute2 | iproute,
        thanks to Ryo IGARASHI <email address hidden> (closes: #744832).
    
    strongswan (5.1.2-4) unstable; urgency=high
    
      * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
        (authentication bypass vulnerability in IKEv2 code).
      * debian/control: add myself to Uploaders.
    
    strongswan (5.1.2-3) unstable; urgency=medium
    
      * debian/patches/
        - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
        testsuite failing on 64 bit big-endian platforms (s390x).
        - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
        armel.
    
    strongswan (5.1.2-2) unstable; urgency=medium
    
      * debian/rules:
        - use reduced keylengths in testsuite on various arches, hopefully fixing
          FTBFS when the genrsa test runs.
    
    strongswan (5.1.2-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/control:
        - add conflicts against openSwan.                           closes: #740808
      * debian/strongswan-starter.postrm:
        - remove /var/lib/strongswan on purge.
      * debian/ipsec.secrets.proto:
        - stop lying about ipsec showhostkey command.               closes: #600382
      * debian/patches:
        - 01_fix-manpages refreshed for new upstream.
        - 02_include-strongswan.conf.d removed, strongswan.d is now supported
          upstream.
      * debian/rules, debian/*.install:
        - install default configuration files for all plugins.
      * debian/NEWS:
        - fix spurious entry.
        - add a NEWS entry to advertise about the new strongswan.d configuration
          mechanism.
    
     -- Ryan Harper <email address hidden>  Fri, 12 Feb 2016 11:24:53 -0600
  • strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
    
      * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 30 Nov 2015 15:46:06 +0000
  • strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
    
      * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
        - debian/patches/CVE-2015-8023.patch: only succeed authentication if
          MSK was established in
          src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
        - CVE-2015-8023
      * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
        until regression is properly investigated.
    
     -- Marc Deslauriers <email address hidden>  Thu, 19 Nov 2015 14:00:17 -0500
  • strongswan (5.1.2-0ubuntu6) wily; urgency=medium
    
      * SECURITY UPDATE: user credential disclosure to rogue servers
        - debian/patches/CVE-2015-4171.patch: enforce remote authentication
          config before proceeding with own authentication in
          src/libcharon/sa/ikev2/tasks/ike_auth.c.
        - CVE-2015-4171
      * debian/rules: don't FTBFS from unused service file
    
     -- Marc Deslauriers <email address hidden>  Mon, 08 Jun 2015 12:50:38 -0400