Change log for strongswan package in Debian
strongswan (5.9.11-1) unstable; urgency=medium

  * New upstream version 5.9.10
  * d/patches: 0005-libtls-Fix-authentication-bypass-and-expired-pointer
    dropped, included upstream
  * New upstream version 5.9.11
  * d/patches: rebase against new upstream

 -- Yves-Alexis Perez <email address hidden>  Sun, 18 Jun 2023 11:53:15 +0200

strongswan (5.9.8-5) unstable; urgency=medium

  * No-change upload for source-only upload.

 -- Yves-Alexis Perez <email address hidden>  Fri, 03 Mar 2023 18:56:58 +0100

strongswan (5.9.8-4) unstable; urgency=medium

  * d/patches: libtls-Fix-authentication-bypass-and-expired-pointer added.
    Fix authentication bypass and use-after-free in libtls (CVE-2023-26463)
  * d/control: replace lsb-base dependency by sysvinit-utils
  * d/control: update standards version to 4.6.2

 -- Yves-Alexis Perez <email address hidden>  Sun, 26 Feb 2023 09:40:09 +0100
Published in bullseye-release

strongswan (5.9.1-1+deb11u3) bullseye-security; urgency=medium

  * d/p/0009-credential-manager-Do-online-revocation-checks-only- added.
    Fix CVE-2022-40617, denial of service due to revocation plugin
    potentially using untrusted OCSP URIs and CRL distribution in
    certificates (Closes: #1021271)

 -- Yves-Alexis Perez <email address hidden>  Thu, 06 Oct 2022 09:36:12 +0200

strongswan (5.9.8-3) unstable; urgency=medium

  * d/tests: also drop _copyright test since the util is gone as well

 -- Yves-Alexis Perez <email address hidden>  Thu, 03 Nov 2022 18:17:42 +0100

strongswan (5.9.8-2) unstable; urgency=medium

  * d/tests: remove scepclient tests since it's gone (Closes: #1023224)

 -- Yves-Alexis Perez <email address hidden>  Thu, 03 Nov 2022 13:05:27 +0100

strongswan (5.9.8-1) unstable; urgency=medium

  * New upstream version 5.9.8
    - Includes fix for CVE-2022-40617, denial of service due to the
      revocation plugin potentially using untrusted OCSP URIs and CRL
      distribution points in CRLs. (closes: #1021271)
  * Remove strongswan-scepclient package, replaced by a pki(1) command
  * d/p/0006-fix-format-string-issue-in-enum_flags_to_string dropped,
    included upstream
  * remove dropped _copyright utility
  * d/strongswan-pki.install: install est/estca manpages (RFC 7070)
  * d/s-{started,swanctl}.lintian-overrides updated for new lintian
  * d/copyright updated for new upstream release

 -- Yves-Alexis Perez <email address hidden>  Wed, 05 Oct 2022 15:25:18 +0200

strongswan (5.9.6-1) unstable; urgency=medium

  * New upstream version 5.9.6
  * d/p/0006-fix-format-string-issue-in-enum_flags_to_string added
  * d/libstrongswan.install: install kdf plugin in libstrongswan

 -- Yves-Alexis Perez <email address hidden>  Sat, 07 May 2022 20:19:18 +0200
Published in buster-release

strongswan (5.7.2-1+deb10u2) buster-security; urgency=medium

  * gbp.conf: revert upstream branch name change for now
  * eap-authenticator: Enforce failure if MSK generation fails
    - Fix incorrect handling of Early EAP-Success Messages (CVE-2021-45079)

 -- Yves-Alexis Perez <email address hidden>  Fri, 21 Jan 2022 15:45:18 +0100
Superseded in bullseye-release

strongswan (5.9.1-1+deb11u2) bullseye-security; urgency=medium

  * gbp: revert upstream branch name change
  * eap-authenticator: Enforce failure if MSK generation fails
    - Fix incorrect handling of Early EAP-Success Messages (CVE-2021-45079)

 -- Yves-Alexis Perez <email address hidden>  Fri, 21 Jan 2022 15:55:38 +0100

strongswan (5.9.5-2) unstable; urgency=medium

  * actually fix lintian overrides

 -- Yves-Alexis Perez <email address hidden>  Wed, 26 Jan 2022 16:29:17 +0100

strongswan (5.9.5-1) unstable; urgency=medium

  * New upstream version 5.9.5
    - eap-authenticator: Enforce failure if MSK generation fails
      Fix incorrect handling of Early EAP-Success Messages (CVE-2021-45079)
  * update lintian overrides to match RUNPATH

 -- Yves-Alexis Perez <email address hidden>  Wed, 26 Jan 2022 14:38:54 +0100
Superseded in bullseye-release

strongswan (5.9.1-1+deb11u1) bullseye-security; urgency=medium

  * Reject RSASSA-PSS params with negative salt length
    - fix remote denial of service (CVE-2021-41990)
  * Prevent crash due to integer overflow / sign change
    - fix remote denial of service (CVE-2021-41991)
  * d/gpp.conf: track bullseye branches

 -- Yves-Alexis Perez <email address hidden>  Thu, 14 Oct 2021 22:36:24 +0200

strongswan (5.9.4-1) unstable; urgency=medium

  [ Paride Legovini ]
  * tpm plugin: compile against the tpm2 software stack (tss2)
    (Closes: #994396, Ubuntu#1940079)

  [ Yves-Alexis Perez ]
  * New upstream version 5.9.4
  * d/patches rebased against new upstream
  * Enable forecast plugin (Closes: #943457)
  * update lintian overrides for new lintian
  * d/control: update standards version to 4.6.0
  * d/s-starter.postrm: use which to check for command existence

 -- Yves-Alexis Perez <email address hidden>  Tue, 19 Oct 2021 22:34:40 +0200

strongswan (5.9.1-1) unstable; urgency=medium

  * New upstream version 5.9.1
  * d/patches: rebase against new upstream version
  * d/watch: update to version 4

 -- Yves-Alexis Perez <email address hidden>  Wed, 11 Nov 2020 17:54:34 +0100

strongswan (5.9.0-1) unstable; urgency=medium

  * New upstream version 5.9.0

 -- Yves-Alexis Perez <email address hidden>  Thu, 17 Sep 2020 10:21:30 +0200

strongswan (5.8.4-1) unstable; urgency=medium

  * New upstream version 5.8.4 (Closes: #956446)
  * d/rules: drop --as-needed from linker flags
  * d/control: update standards version to 4.5.0

 -- Yves-Alexis Perez <email address hidden>  Thu, 30 Apr 2020 08:57:26 +0200

strongswan (5.8.2-2) unstable; urgency=medium

  * d/control: replace libip{4,6}tc-dev by libiptc-dev (Closes: #951016)
  * d/copyright updated

 -- Yves-Alexis Perez <email address hidden>  Thu, 13 Feb 2020 22:46:40 +0100

strongswan (5.8.2-1) unstable; urgency=medium

  [ Jean-Michel Vourgère ]
  * README.Debian: Fixed typo

  [ Yves-Alexis Perez ]
  * d/control: replace iptables-dev b-dep by libip{4,6}tc-dev
    (Closes: #946148)
  * d/watch: use uscan special strings
  * New upstream version 5.8.2
  * d/control: update dh compat level to 12
  * strongswan-nm: update path for dbus service file
  * install DRBG plugin to libstrongswan
  * d/control: add ${misc:Pre-Depends} to strongswan-starter

 -- Yves-Alexis Perez <email address hidden>  Wed, 01 Jan 2020 14:35:46 +0100

strongswan (5.8.1-1) unstable; urgency=medium

  * d/rules: disable http and stream tests under CI
  * New upstream version 5.8.1

 -- Yves-Alexis Perez <email address hidden>  Fri, 18 Oct 2019 16:44:27 +0200

strongswan (5.8.0-2) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * d/control: Mention mgf1 plugin which is in libstrongswan now
  * Complete the disabling of libfast
  * Clean up d/strongswan-starter.postinst: section about runlevel changes
  * Clean up d/strongswan-starter.postinst: opportunistic encryption
  * Enable kernel-libipsec for use of strongswan in containers
  * d/control, d/libcharon-{extras,extauth}-plugins.install: Add
    extauth-plugins package (Recommends)
  * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
  * apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
  * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin
    (LP: 1773956)
  * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read
    map and execute themselves
  * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read
    map and execute themselves
  * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin
    (LP: 1807962)
  * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins

  [ Ryan Harper ]
  * Remove code related to unused debconf managed config

  [ Yves-Alexis Perez ]
  * ship xfrmi only on Linux, fix FTBFS on kfreebsd
  * d/libcharon-extra-plugins.install: drop plugins disabled in Debian
  * d/control: update standards version to 4.4.1
  * d/strongswan-starter.templates: drop runlevel_changes
  * let dh_installinit handle update-rc.d calls
  * d/salsa-ci.yml: add a salsa pipeline config
  * d/rules: drop dbgsym migration
  * strongswan-starter: update line number in lintian override

 -- Yves-Alexis Perez <email address hidden>  Sat, 05 Oct 2019 15:03:59 +0200

strongswan (5.8.0-1) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * Fix fails in debian CI (Closes: #926479)

  [ Simon Deziel ]
  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to
    apparmor to allow dropping caps
  * d/usr.sbin.swanctl: add attach_disconnected to work inside containers
  * d/usr.sbin.charon-systemd: allow accessing the binary
  * d/usr.sbin.swanctl: allow reading own binary

  [ Yves-Alexis Perez ]
  * New upstream version 5.8.0
  * d/control: update standards version to 4.4.0
  * use debhelper-compat b-d for dh compat level
  * d/control: bump dh compat level to 11
  * d/rules: drop systemd addon, useless in compat 11
  * strongswan-libcharon: install xfrmi binary
  * d/patches refreshed for new upstream release
  * handle renaming of systemd service files
  * d/control: remove obsolete breaks/replaces

 -- Yves-Alexis Perez <email address hidden>  Mon, 26 Aug 2019 12:58:23 +0200

strongswan (5.7.2-1) unstable; urgency=medium

  * d/control: remove Rene from Uploaders, thanks!
  * d/copyright: fix typos
  * d/watch: use HTTPS protocol
  * d/control: update standards version to 4.2.1
  * drop unused debconf template
  * use a clean export for upstream signing key
  * d/copyright update
  * New upstream version 5.7.2
  * d/copyright updated
  * d/control: update standards version to 4.3.0
  * d/libstrongswan.dirs: drop lintian overrides dir
  * d/u/signing-key.asc: strip signatures from upstream signing key
  * d/patches: import patches in gbp pq

 -- Yves-Alexis Perez <email address hidden>  Wed, 02 Jan 2019 13:02:11 +0100
Published in stretch-release

strongswan (5.5.1-4+deb9u4) stretch-security; urgency=medium

  * d/p/CVE-2018-17540_gmp-pkcs1-overflow added, fix an integer underflow
    and subsequent heap buffer overflow vulnerability in the gmp plugin
    triggered by crafted certificates with RSA keys with very small moduli
    (CVE-2018-17540)

 -- Yves-Alexis Perez <email address hidden>  Mon, 01 Oct 2018 22:51:38 +0200

strongswan (5.7.1-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces
  * d/rules: Remove trailing whitespaces
  * d/control: Remove XS-Testsuite field, not needed anymore

  [ Yves-Alexis Perez ]
  * enable chapoly plugin (closes: #814927)
  * remove unused lintian overrides
  * New upstream version 5.7.1
    - fix an integer underflow and subsequent heap buffer overflow in the
      gmp plugin triggered by crafted certificates with RSA keys with very
      small moduli (CVE-2018-17540)

 -- Yves-Alexis Perez <email address hidden>  Mon, 01 Oct 2018 22:34:53 +0200

strongswan (5.7.0-1) unstable; urgency=medium

  * update AppArmor templates to handle usr merge (closes: #905082)
  * d/gbp.conf added, following DEP-14
  * New upstream version 5.7.0
    - include fixes for CVE-2018-16151 and CVE-2018-16152, potential
      Bleichenbacher-style low-exponent attacks leading to RSA signature
      forgery in gmp plugin.
  * d/control: fix typo in libstrongswan long description

 -- Yves-Alexis Perez <email address hidden>  Mon, 24 Sep 2018 16:36:28 +0200
Superseded in stretch-release

strongswan (5.5.1-4+deb9u2) stretch-security; urgency=medium

  * debian/patches:
    - CVE-2018-10811 added, fix missing initialization of a variable in
      IKEv2 key derivation (CVE-2018-10811)
    - CVE-2018-5388 added, fix insufficient validation in the stroke plugin
      (CVE-2018-5388)

 -- Yves-Alexis Perez <email address hidden>  Mon, 04 Jun 2018 17:55:33 +0200
Published in jessie-release

strongswan (5.2.1-6+deb8u6) jessie-security; urgency=medium

  * d/p/CVE-2018-10811.patch added, fix missing initialization of a
    variable in IKEv2 key derivation (CVE-2018-10811)
  * d/p/CVE-2018-5388 added, fix insufficient validation in the stroke
    plugin (CVE-2018-5388)

 -- Yves-Alexis Perez <email address hidden>  Thu, 14 Jun 2018 10:13:44 +0200

strongswan (5.6.3-1) unstable; urgency=medium

  * New upstream version 5.6.2
  * update charon-systemd AppArmor profile (closes: #896813)
  * New upstream version 5.6.3
    - fix a DoS vulnerability in the IKEv2 key derivation if the openssl
      plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF
      (CVE-2018-10811)
    - fix a vulnerability in the stroke plugin, which did not check the
      received length before reading a message from the control socket
      (CVE-2018-5388)
  * d/p/05_charon-nm-Fix-building-list-of-DNS-MDNS-servers-with removed

 -- Yves-Alexis Perez <email address hidden>  Mon, 04 Jun 2018 10:23:22 +0200

strongswan (5.6.2-2) unstable; urgency=medium

  * charon-nm: Fix building list of DNS/MDNS servers with libnm
  * d/control: drop b-d on n-m-dev and make libnm-dev linux-any
    (closes: #895434)
  * d/compat bumped to 10
  * d/rules: drop parallel and autoreconf from dh, done with compat 10

 -- Yves-Alexis Perez <email address hidden>  Fri, 13 Apr 2018 13:46:04 +0200

strongswan (5.6.2-1) unstable; urgency=medium

  * d/NEWS: add information about disabled algorithms (closes: #883072)
  * d/control: remove Romain Françoise from uploaders
  * strongswan-libcharon: add bypass-lan plugin
  * New upstream version 5.6.2
    - Fix denial of service vulnerability in the parser for PKCS#1
      RSASSA-PSS signatures (CVE-2018-6459)
  * d/control: move Vcs to salsa
  * d/control: update build-deps for libnm port (closes: #862885)
  * install tpm_extendpcr binary in libstrongswan-extra-plugins

 -- Yves-Alexis Perez <email address hidden>  Tue, 20 Feb 2018 12:26:54 +0100

strongswan (5.6.1-3) unstable; urgency=medium

  * move updown plugin from -starter to -libcharon. closes: #884578
  * debian/control:
    - update standards version to 4.1.2.

 -- Yves-Alexis Perez <email address hidden>  Sun, 17 Dec 2017 16:40:39 +0100
Superseded in jessie-release

strongswan (5.2.1-6+deb8u5) jessie-security; urgency=medium

  * debian/patches:
    - CVE-2017-11185 added, fix insufficient validation in gmp plugin
      (CVE-2017-11185)

 -- Yves-Alexis Perez <email address hidden>  Thu, 03 Aug 2017 21:00:12 +0200

strongswan (5.6.1-2) unstable; urgency=medium

  * move counters plugin from -starter to -libcharon. closes: #882431

 -- Yves-Alexis Perez <email address hidden>  Thu, 23 Nov 2017 20:52:19 +0100

strongswan (5.6.1-1) unstable; urgency=medium

  * debian/control:
    - remove strongswan-ike{,v1,v2} packages. closes: #878979
  * New upstream version 5.6.1
    - fix FTBFS with glibc 2.26+. closes: #880561
  * debian/rules: explicitly enable tpm plugin
  * debian/strongswan-starter.install: install counters plugin
  * debian/libstrongswan.install: install MGF1 plugin
  * debian/libstrongswan-extra-plugins.install: install tpm plugin
  * debian/control:
    - update standards version to 4.1.1
    - replace dh-systemd build-dep by updated build-dep on debhelper

 -- Yves-Alexis Perez <email address hidden>  Tue, 21 Nov 2017 13:16:32 +0100
Superseded in stretch-release

strongswan (5.5.1-4+deb9u1) stretch-security; urgency=medium

  * debian/patches:
    - CVE-2017-11185 added, fix insufficient input validation in gmp plugin
      which could lead to denial of service (CVE-2017-11185)
    - convert CVE-2017-9022_insufficient_input_validation_gmp_plugin and
      CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser to the
      UNIX file format.

 -- Yves-Alexis Perez <email address hidden>  Thu, 03 Aug 2017 23:14:29 +0200

strongswan (5.6.0-2) unstable; urgency=medium

  * debian/rules:
    - only use dh_missing --fail-missing when doing an architecture
      dependent packages. closes: #874152

 -- Yves-Alexis Perez <email address hidden>  Sun, 03 Sep 2017 19:24:55 +0200

strongswan (5.6.0-1) unstable; urgency=medium

  * New upstream release.
    - fix insufficient input validation in gmp plugin, which can cause a
      denial of service vulnerability (CVE-2017-11185) closes: #872155
  * debian/rules:
    - remove .la files before install
    - don't call dh_install with --fail-missing
    - override dh_missing with --fail-missing to catch uninstalled files
    - apply patch from Gerald Turner to restrict permissions on swanctl
      folder containing private material.
    - replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
      when building for ppc64el on x86. Thanks Helmut Grohne.
      closes: #866669
  * debian/strongswan-swanctl.install:
    - install the whole /etc/swanctl folder, including (empty) subfolders.
      closes: #866324
  * debian/charon-systemd.install:
    - install charon-systemd.conf files, thanks Gerald Turner.
      closes: #866325
  * Add AppArmor profiles for swanctl and charon-system, thanks Gerald
    Turner. closes: #866327
  * debian/libcharon-extra-plugins.install:
    - install pt-tls-client in /u/b and also install its manpage.
  * debian/strongswan-swanctl.lintian-overrides:
    - add lintian overrides for private keys directories using 700
      permissions.

 -- Yves-Alexis Perez <email address hidden>  Sun, 03 Sep 2017 14:38:09 +0200
Superseded in jessie-release

strongswan (5.2.1-6+deb8u4) jessie-security; urgency=medium

  * debian/rules:
    - revert disabling of vectors test
  * debian/patches:
    - 0001-openssl-Don-t-pre-initialize-OpenSSL-HMAC-with-an-em added,
      backported from upstream, fix HMAC initialization with recent OpenSSL.

 -- Yves-Alexis Perez <email address hidden>  Tue, 30 May 2017 10:07:29 +0200

strongswan (5.5.3-2) unstable; urgency=medium

  * debian/control:
    - fix typo in libstrongswan-extra-plugins long description.
  * move curve25519 plugin from libcharon-extra-plugins to
    libstrongswan-extra-plugins

 -- Yves-Alexis Perez <email address hidden>  Wed, 28 Jun 2017 13:07:19 +0200

strongswan (5.5.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - update standards version to 4.0.0

 -- Yves-Alexis Perez <email address hidden>  Fri, 23 Jun 2017 14:07:42 +0200

strongswan (5.5.1-4) unstable; urgency=high

  * Urgency=high for the security fix.
  * debian/patches:
    - CVE-2017-9022_insufficient_input_validation_gmp_plugin added, fix
      insufficient input validation in gmp plugin which could lead to denial
      of service (CVE-2017-9022).
    - CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser added,
      fix incorrect handling of CHOICE types in ASN.1 parser and x509 plugin
      which could lead to an infinite loop and a denial of service
      (CVE-2017-9023).

 -- Yves-Alexis Perez <email address hidden>  Mon, 29 May 2017 21:52:41 +0200
Deleted in experimental-release (Reason: None provided.)

strongswan (5.5.2-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches/03_systemd-service refreshed.
  * debian/libcharon-extra-plugins.install:
    - include curve25519 plugin.
  * debian/libstrongswan-extra-plugins.install:
    - install libtpmtss library.

 -- Yves-Alexis Perez <email address hidden>  Fri, 19 May 2017 11:32:00 +0200

strongswan (5.5.1-3) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * d/rules: Reorganize to ease maintenance
    - one enable option per line
    - sort enable options
  * Add and install strongswan apparmor profiles
    - d/rules install AppArmor profiles
    - d/control add dh-apparmor as build-dep
    - d/usr.lib.ipsec.{charon, lookip, stroke} add latest AppArmor profiles
      for charon, lookip and stroke
  * Add basic DEP8 tests
    - d/tests/* add DEP8 tests
    - d/control enable autotestpkg
  * Add updated logcheck rules to match recent strongswan output
    - debian/libstrongswan.strongswan.logcheck.* Remove outdated logcheck
      files
    - debian/{rules,strongswan.logcheck}: Add updated logcheck rules
    - this does no more provide different logcheck levels, but marks all
      common output to be acceptable

  [ Yves-Alexis Perez ]
  * debian/rules:
    - re-enable mediation (but not medcli/medsrv) closes: #851507

 -- Yves-Alexis Perez <email address hidden>  Mon, 16 Jan 2017 12:58:26 +0100

strongswan (5.5.1-2) unstable; urgency=medium

  * debian/control:
    - make the systemd build-dep linux-only.

 -- Yves-Alexis Perez <email address hidden>  Wed, 07 Dec 2016 08:34:52 +0100

strongswan (5.5.1-1) unstable; urgency=medium

  * New upstream bugfix release.
  * debian/patches:
    - 05_network-manager-strongswan-1.4 dropped, included upstream.
  * debian/strongswan-starter.install:
    - install the new, empty /etc/ipsec.secrets
  * debian/strongswan-nm.install:
    - install /etc/dbus-1/system.d/nm-strongswan-service.conf
  * debian/control:
    - add a Replaces on n-m-strongswan because it used to ship the Dbus
      service.
    - add dependency on lsb-base to strongswan-starter because the init
      script uses /lib/lsb/init-functions

 -- Yves-Alexis Perez <email address hidden>  Sat, 22 Oct 2016 21:33:46 +0200

strongswan (5.5.0-3) unstable; urgency=medium

  * debian/control:
    - add build-dep on tzdata, fix FTBFS when absent. closes: #839459

 -- Yves-Alexis Perez <email address hidden>  Sun, 02 Oct 2016 15:22:54 +0200

strongswan (5.5.0-2) unstable; urgency=medium

  * debian/rules:
    - add patch from Raphaël Geissert to use /etc/ssl/certs instead of
      /usr/share/ca-certificates for strongswan-nm. closes: #835095
    - update argument name for dh_strip dbgsym migration
  * debian/control:
    - update debhelper dependency to a version which supports dbgsym
      migration.
  * debian/patches:
    - 05_network-manager-strongswan-1.4 added, backport two upstream patches
      to support network-manager-strongswan 1.4 in charon-nm.
      closes: #838194

 -- Yves-Alexis Perez <email address hidden>  Sun, 18 Sep 2016 13:47:41 +0200

strongswan (5.5.0-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - add build-dep on systemd. closes: #828945
  * debian/patches:
    - 05_port-openssl-1.1.0 dropped, included upstream.

 -- Yves-Alexis Perez <email address hidden>  Sat, 16 Jul 2016 15:32:04 +0200

strongswan (5.4.0-3) unstable; urgency=medium

  * debian/patches:
    - 05_port-openssl-1.1.0 added, port to OpenSSL 1.1.0. closes: #828561
  * debian/control:
    - update standards version to 3.9.8.
  * debian/NEWS: fix spelling error.

 -- Yves-Alexis Perez <email address hidden>  Thu, 07 Jul 2016 10:23:59 +0200