Change logs for strongswan source package in Zesty

  • strongswan (5.5.1-1ubuntu3.3) zesty; urgency=medium
    
      * d/p/ikev1-First-do-PSK-lookups-lp1734207.patch ensure evaluation
        with resolvable hostnames selects the right PSK (LP: #1734207).
    
     -- Christian Ehrhardt <email address hidden>  Mon, 18 Dec 2017 11:13:53 +0100
  • strongswan (5.5.1-1ubuntu3.2) zesty-security; urgency=medium
    
      * SECURITY UPDATE: Fix RSA signature verification
        - debian/patches/CVE-2017-11185.patch: does some
          verifications in order to avoid null-pointer dereference
          in src/libstrongswan/gmp/gmp_rsa_public_key.c
        - CVE-2017-11185
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 15 Aug 2017 15:00:33 -0300
  • strongswan (5.5.1-1ubuntu3.1) zesty-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient Input Validation in gmp Plugin
        - debian/patches/CVE-2017-9022.patch: make sure the modulus is odd and
          the exponent not zero in
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2017-9022
      * SECURITY UPDATE: Incorrect Handling of CHOICE types in ASN.1 parser and
        x509 plugin
        - debian/patches/CVE-2017-9023.patch: fix CHOICE parsing in
          src/libstrongswan/asn1/asn1_parser.*,
          src/libstrongswan/plugins/x509/x509_cert.c.
        - CVE-2017-9023
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 May 2017 14:53:29 -0400
  • strongswan (5.5.1-1ubuntu3) zesty; urgency=medium
    
      * Rebuild against new libldns2.
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 10 Apr 2017 10:56:49 +0200
  • strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
    
      * Update Maintainers which was missed while merging 5.5.1-1.
    
     -- Christian Ehrhardt <email address hidden>  Mon, 19 Dec 2016 16:02:40 +0100
  • strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
    
      * Merge from Debian (complex delta, discussions and broken out changes can be
        found in the merge proposal linked from the merge bug LP: #1631198)
      * Remaining Changes:
        + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
          checking.
        + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one to generate smallest key-lengths
          in tests to avoid issues in low entropy environments.
        + Update init/service handling
          - d/rules: Change init/systemd program name to strongswan
          - d/strongswan-starter.strongswan.service: Add new systemd file instead of
            patching upstream
          - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
            linking to upstream
          - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
          - d/strongswan-starter.prerm: Stop strongswan service on package
            removal (as opposed to using the old init.d script).
        + Clean up d/strongswan-starter.postinst:
          - Removed section about runlevel changes
          - Adapted service restart section for Upstart (kept to be Trusty
            backportable).
          - Remove old symlinks to init.d files if necessary.
          - Removed further out-dated code
          - Removed entire section on opportunistic encryption - this was never in
            strongSwan.
        + Add and install apparmor profiles
          - d/rules: Install AppArmor profiles
          - d/control: Add dh-apparmor build-dep
          - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
            for charon, lookip and stroke
          - d/libcharon-extra-plugins.install: Install profile for lookip
          - d/strongswan-charon.install: Install profile for charon
          - d/strongswan-starter.install: Install profile for stroke
        + d/rules: Removed pieces on 'patching ipsec.conf' on build.
        + d/rules: Sorted and only one enable option per configure line
        + Mass enablement of extra plugins and features to allow a user to use
          strongswan for a variety of use cases without having to rebuild.
          - d/control: Add required additional build-deps
          - d/rules: Enable features at configure stage
          - d/control: Mention additionally enabled plugins
          - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
          - d/libstrongswan.install: Add plugins (so, conf)
        + d/rules: Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        + Remove ha plugin (requires special kernel)
          - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
          - d/rules: Do not enable ha plugin
          - d/control: Drop listing the ha plugin in the package description
        + Add plugin kernel-libipsec to allow the use of strongswan in containers
          via this userspace implementation (please do note that this is still
          considered experimental by upstream).
          - d/libcharon-extra-plugins.install: Add kernel-libipsec components
          - d/control: List kernel-libipsec plugin at extra plugins description
          - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
            upstream recommends to not load kernel-libipsec by default.
        + Relocate tnc plugin
          - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
          - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
        + d/strongswan-starter.install: Install pool feature, that is useful due to
          having attr-sql plugin that is enabled now.
        + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
          - d/libstrongswan-extra-plugins.install: Remove plugins
          - d/libstrongswan.install: Add plugins
        + d/libstrongswan.install: Reorder conf and .so alphabetically
        + d/libstrongswan.install: Add kernel-netlink configuration files
        + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
        + Add updated logcheck rules
          - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
          - debian/strongswan.logcheck: Add updated logcheck rules
        + Add updated DEP8 tests
          - d/tests/*: Add DEP8 tests
          - d/control: Enable autotestpkg
        + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
          autopkgtest the bliss test takes longer than the default
        + Complete the disabling of libfast
          - Note: This was partially accepted in Debian, it is no more
            packaging medcli and medsrv, but still builds and mentions it
          - d/rules: Add --disable-fast to avoid build time and dependencies
          - d/control: Remove medcli, medsrv from package description
      * Dropped Changes:
        + Adding build-dep to iptables-dev (no change, was only in Changelog)
        + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
        + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
          upgrade path left needing them)
        + Most of "disabling libfast" (Debian dropped it from package content)
        + Transition for ipsec service (no upgrade path left)
        + Reverted part of the cleanup to d/strongswan-starter.postinst as using
          service should rather use invoke-rc.d (so it is a partial revert of our
          delta)
        + Transition handling (breaks/replaces) from per-plugin packages to the
          three grouped plugin packages (no upgrade path left)
        + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
          it is effectively a no-op still, so not worth the delta)
        + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
          (no more needed)
        + d/rules: Remove configure option --enable-unit-test (unit tests run by
          default)
      * Added Changes:
        + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
        + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
          the relocation of the ccm plugin which missed to move the conffiles.
        + Complete move of test-vectors (was missing in d/control)
        + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
          "only" to extra-plugins Mgf1 is not listed as default plugin at
          https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
        + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
          libstrongswan-extra-plugins.
        + Add missing mention of md4 plugin in d/control
        + Add missing mention of libchecksum integrity test in d/control
        + Add rm_conffile for /etc/init.d/ipsec (transition from Precise had
          missed that)
        + Use override_dh_strip to fix library integrity checking instead of
          DEB_BUILD_OPTION to avoid overwriting user build flags.
        + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
          plugins for the most common use cases from extra-plugins into a new
          standard-plugins package. This will allow those use cases without pulling
          in too much more plugins (a bit like the tnc package). Recommend that
          package from strongswan-libcharon (LP: #1640826).
        + Fix Dep8 tests for the now extra strongswan-pki package for pki
        + Fix Dep8 tests for the now extra strongswan-scepclient package
    
     -- Christian Ehrhardt <email address hidden>  Mon, 07 Nov 2016 16:16:41 +0100
  • strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
    
      * Build-depend on libjson-c-dev instead of libjson0-dev.
      * Rebuild against libjson-c3.
    
     -- Graham Inggs <email address hidden>  Fri, 29 Apr 2016 19:04:22 +0200