* Merge with Debian unstable (LP: #1717343).
Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
+ Clean up d/strongswan-starter.postinst: section about runlevel changes
+ Clean up d/strongswan-starter.postinst: Removed entire section on
opportunistic encryption disabling - this was never in strongSwan and
won't be see upstream issue #2160.
+ Ubuntu is not using the debconf triggered private key generation
- d/rules: Removed patching ipsec.conf on build (not using the debconf-managed config.)
- d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
used for debconf-managed include of private key).
+ Mass enablement of extra plugins and features to allow a user to use
strongswan for a variety of extra use cases without having to rebuild.
- d/control: Add required additional build-deps
- d/control: Mention addtionally enabled plugins
- d/rules: Enable features at configure stage
- d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
- d/libstrongswan.install: Add plugins (so, conf)
+ d/strongswan-starter.install: Install pool feature, which is useful since
we have attr-sql plugin enabled as well using it.
+ Add plugin kernel-libipsec to allow the use of strongswan in containers
via this userspace implementation (please do note that this is still
considered experimental by upstream).
- d/libcharon-extra-plugins.install: Add kernel-libipsec components
- d/control: List kernel-libipsec plugin at extra plugins description
- d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
upstream recommends to not load kernel-libipsec by default.
+ Relocate tnc plugin
- debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
- Add new subpackage for TNC in d/strongswan-tnc-* and d/control
+ d/libstrongswan.install: Reorder conf and .so alphabetically
+ d/libstrongswan.install: Add kernel-netlink configuration files
+ Complete the disabling of libfast; This was partially accepted in Debian,
it is no more packaging medcli and medsrv, but still builds and
mentions it.
- d/rules: Add --disable-fast to avoid build time and dependencies
- d/control: Remove medcli, medsrv from package description
+ d/control: Mention mgf1 plugin which is in libstrongswan now
+ Add now built (since 5.5.1) libraries libtpmtss and nttfft to
libstrongswan-extra-plugins (no deps from default plugins).
+ Add rm_conffile for /etc/init.d/ipsec (transition from precies had
missed that, droppable after 18.04)
+ d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
plugins for the most common use cases from extra-plugins into a new
standard-plugins package. This will allow those use cases without pulling
in too much more plugins (a bit like the tnc package). Recommend that
package from strongswan-libcharon.
* Added changes:
+ d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
in 5.6
+ d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
+ d/control: bump breaks/replaces from libstrongswan-extra-plugins to
libstrongswan as we dropped relocating ccm and test-vectors.
(droppable >18.04).
- d/control: add breaks/replace from libstrongswan to
libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
(droppable >18.04).
* Dropped changes:
+ Update init/service handling (debian default matches Ubuntu past now)
Dropping this fixes (LP: #1734886)
- d/rules: Change init/systemd program name to strongswan
- d/strongswan-starter.strongswan.service: Add new systemd file instead of
patching upstream
- d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
linking to upstream
+ d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
(this is a never failing no-op for us, no need for Delta).
+ d/strongswan-starter.prerm: Stop strongswan service on package removal
(ipsec now maps to strongswan service, so this works as-is).
+ Clean up d/strongswan-starter.postinst: rename service ipsec to
strongswan (ipsec now maps to strongswan service, so this works as-is)
+ Clean up d/strongswan-starter.postinst: daemon enable/disable (the
whole section is disabled, so no need for delta)
+ (is upstream) CVE-2017-11185 patches
+ (is upstream) FTBFS upstream fix for changed include files
+ (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
QEMU/KVM autopkgtest the bliss test takes longer than the default
+ (in Debian) add now built (since 5.5.1) mgf1 plugin to
libstrongswan-extra-plugins.
+ (in Debian) d/strongswan-starter.install: install stroke apparmor profile
+ (this was enabled as part of the former delta, squash changes to no-up)
d/rules: Disable duplicheck.
+ (not needed) Relocate plugins test-vectors from extra-plugins to
libstrongswan
- d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
- d/libstrongswan.install: Add plugins/confiles
- d/control: move package descriptions and add required breaks/replaces
+ (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
- d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
- d/libstrongswan.install: Add plugins/confiles
- d/control: move package descriptions and add required breaks/replaces
+ (while using it requires special kernel, it does not hurt to be
available in the package) Remove ha plugin
- d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
- d/rules: Do not enable ha plugin
- d/control: Drop listing the ha plugin in the package description
strongswan (5.6.1-2) unstable; urgency=medium
* move counters plugin from -starter to -libcharon. closes: #882431
strongswan (5.6.1-1) unstable; urgency=medium
* debian/control:
- remove strongswan-ike{,v1,v2} packages. closes: #878979
* New upstream version 5.6.1
- fix FTBFS with glibc 2.26+. closes: #880561
* debian/rules: explicitly enable tpm plugin
* debian/strongswan-starter.install: install counters plugin
* debian/libstrongswan.install: install MGF1 plugin
* debian/libstrongswan-extra-plugins.install: install tpm plugin
* debian/control:
- update standards version to 4.1.1
- replace dh-systemd build-dep by updated build-dep on debhelper
strongswan (5.6.0-2) unstable; urgency=medium
* debian/rules:
- only use dh_missing --fail-missing when doing an architecture dependent
packages. closes: #874152
strongswan (5.6.0-1) unstable; urgency=medium
* New upstream release.
- fix insufficient input validation in gmp plugin, which can cause a
denial of service vulnerability (CVE-2017-11185) closes: #872155
* debian/rules:
- remove .la files before install
- don't call dh_install with --fail-missing
- override dh_missing with --fail-missing to catch uninstalled files
- apply patch from Gerald Turner to restrict permissions on swanctl folder
containing private material.
- replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
when building for ppc64el on x86. Thanks Helmut Grohne. closes: #866669
* debian/strongswan-swanctl.install:
- install the whole /etc/swanctl folder, including (empty) subfolders. closes: #866324
* debian/charon-systemd.install:
- install charon-systemd.conf files, thanks Gerald Turner. closes: #866325
* Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner. closes: #866327
* debian/libcharon-extra-plugins.install:
- install pt-tls-client in /u/b and also install its manpage.
* debian/strongswan-swanctl.lintian-overrides:
- add lintian overrides for private keys directories using 700
permissions.
strongswan (5.5.3-2) unstable; urgency=medium
* debian/control:
- fix typo in libstrongswan-extra-plugins long description.
* move curve25519 plugin from libcharon-extra-plugins to
libstrongswan-extra-plugins
strongswan (5.5.3-1) unstable; urgency=medium
* New upstream release.
* debian/control:
- update standards version to 4.0.0
strongswan (5.5.2-1) experimental; urgency=medium
* New upstream release.
* debian/patches/03_systemd-service refreshed.
* debian/libcharon-extra-plugins.install:
- include curve25519 plugin.
* debian/libstrongswan-extra-plugins.install:
- install libtpmtss library.
-- Christian Ehrhardt <email address hidden> Wed, 29 Nov 2017 15:55:18 +0100
This bug was fixed in the package strongswan - 5.6.1-2ubuntu1
---------------
strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
* Merge with Debian unstable (LP: #1717343). starter. postinst: section about runlevel changes starter. postinst: Removed entire section on
debconf- managed config.) secrets. proto: Removed ipsec.secrets.inc reference (was n-extra- plugins. install: Add plugins (so, lib, conf) .install: Add plugins (so, conf) starter. install: Install pool feature, which is useful since extra-plugins. install: Add kernel-libipsec components load-kernel- libipsec- plugin- by-default. patch: As libcharon- extra-plugins. install: Drop tnc from extra plugins .install: Reorder conf and .so alphabetically .install: Add kernel-netlink configuration files swan-extra- plugins (no deps from default plugins). {extras, standard} -plugins. install: Move charon plugins package. This will allow those use cases without pulling libcharon. tnc-client. install (relocate tnc) swidtag creation changed tnc-server. install (relocate tnc) pacman no more needed extra-plugins to swan-extra- plugins for the move of mgf1 to libstrongswan. starter. strongswan. service: Add new systemd file instead of starter. links: Removed, use Ubuntu systemd file instead of starter. postrm: Removed 'update-rc.d ipsec remove' call starter. prerm: Stop strongswan service on package removal starter. postinst: rename service ipsec to starter. postinst: daemon enable/disable (the patches/ increase- bliss-test- timeout. patch: Under swan-extra- plugins. starter. install: install stroke apparmor profile -extra- plugins. install: Remove plugins/conffiles .install: Add plugins/confiles -extra- plugins. install: Remove plugins/conffiles .install: Add plugins/confiles extra-plugins. install: Stop installing ha (so, conf)
Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
+ Clean up d/strongswan-
+ Clean up d/strongswan-
opportunistic encryption disabling - this was never in strongSwan and
won't be see upstream issue #2160.
+ Ubuntu is not using the debconf triggered private key generation
- d/rules: Removed patching ipsec.conf on build (not using the
- d/ipsec.
used for debconf-managed include of private key).
+ Mass enablement of extra plugins and features to allow a user to use
strongswan for a variety of extra use cases without having to rebuild.
- d/control: Add required additional build-deps
- d/control: Mention addtionally enabled plugins
- d/rules: Enable features at configure stage
- d/libbstrongswa
- d/libstrongswan
+ d/strongswan-
we have attr-sql plugin enabled as well using it.
+ Add plugin kernel-libipsec to allow the use of strongswan in containers
via this userspace implementation (please do note that this is still
considered experimental by upstream).
- d/libcharon-
- d/control: List kernel-libipsec plugin at extra plugins description
- d/p/dont-
upstream recommends to not load kernel-libipsec by default.
+ Relocate tnc plugin
- debian/
- Add new subpackage for TNC in d/strongswan-tnc-* and d/control
+ d/libstrongswan
+ d/libstrongswan
+ Complete the disabling of libfast; This was partially accepted in Debian,
it is no more packaging medcli and medsrv, but still builds and
mentions it.
- d/rules: Add --disable-fast to avoid build time and dependencies
- d/control: Remove medcli, medsrv from package description
+ d/control: Mention mgf1 plugin which is in libstrongswan now
+ Add now built (since 5.5.1) libraries libtpmtss and nttfft to
libstrong
+ Add rm_conffile for /etc/init.d/ipsec (transition from precies had
missed that, droppable after 18.04)
+ d/control, d/libcharon-
plugins for the most common use cases from extra-plugins into a new
standard-
in too much more plugins (a bit like the tnc package). Recommend that
package from strongswan-
* Added changes:
+ d/strongswan-
in 5.6
+ d/strongswan-
+ d/control: bump breaks/replaces from libstrongswan-
libstrongswan as we dropped relocating ccm and test-vectors.
(droppable >18.04).
- d/control: add breaks/replace from libstrongswan to
libstrong
(droppable >18.04).
* Dropped changes:
+ Update init/service handling (debian default matches Ubuntu past now)
Dropping this fixes (LP: #1734886)
- d/rules: Change init/systemd program name to strongswan
- d/strongswan-
patching upstream
- d/strongswan-
linking to upstream
+ d/strongswan-
(this is a never failing no-op for us, no need for Delta).
+ d/strongswan-
(ipsec now maps to strongswan service, so this works as-is).
+ Clean up d/strongswan-
strongswan (ipsec now maps to strongswan service, so this works as-is)
+ Clean up d/strongswan-
whole section is disabled, so no need for delta)
+ (is upstream) CVE-2017-11185 patches
+ (is upstream) FTBFS upstream fix for changed include files
+ (is upstream) debian/
QEMU/KVM autopkgtest the bliss test takes longer than the default
+ (in Debian) add now built (since 5.5.1) mgf1 plugin to
libstrong
+ (in Debian) d/strongswan-
+ (this was enabled as part of the former delta, squash changes to no-up)
d/rules: Disable duplicheck.
+ (not needed) Relocate plugins test-vectors from extra-plugins to
libstrongswan
- d/libstrongswan
- d/libstrongswan
- d/control: move package descriptions and add required breaks/replaces
+ (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
- d/libstrongswan
- d/libstrongswan
- d/control: move package descriptions and add required breaks/replaces
+ (while using it requires special kernel, it does not hurt to be
available in the package) Remove ha plugin
- d/libcharon-
- d/rules: Do not enable ha plugin
- d/control: Drop listing the ha plugin in the package description
strongswan (5.6.1-2) unstable; urgency=medium
* move counters plugin from -starter to -libcharon. closes: #882431
strongswan (5.6.1-1) unstable; urgency=medium
* debian/control: ike{,v1, v2} packages. closes: #878979 strongswan- starter. install: install counters plugin libstrongswan. install: install MGF1 plugin libstrongswan- extra-plugins. install: install tpm plugin
- remove strongswan-
* New upstream version 5.6.1
- fix FTBFS with glibc 2.26+. closes: #880561
* debian/rules: explicitly enable tpm plugin
* debian/
* debian/
* debian/
* debian/control:
- update standards version to 4.1.1
- replace dh-systemd build-dep by updated build-dep on debhelper
strongswan (5.6.0-2) unstable; urgency=medium
* debian/rules:
- only use dh_missing --fail-missing when doing an architecture dependent
packages. closes: #874152
strongswan (5.6.0-1) unstable; urgency=medium
* New upstream release. strongswan- swanctl. install:
closes: #866324 charon- systemd. install:
closes: #866327 libcharon- extra-plugins. install: strongswan- swanctl. lintian- overrides:
- fix insufficient input validation in gmp plugin, which can cause a
denial of service vulnerability (CVE-2017-11185) closes: #872155
* debian/rules:
- remove .la files before install
- don't call dh_install with --fail-missing
- override dh_missing with --fail-missing to catch uninstalled files
- apply patch from Gerald Turner to restrict permissions on swanctl folder
containing private material.
- replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
when building for ppc64el on x86. Thanks Helmut Grohne. closes: #866669
* debian/
- install the whole /etc/swanctl folder, including (empty) subfolders.
* debian/
- install charon-systemd.conf files, thanks Gerald Turner. closes: #866325
* Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
* debian/
- install pt-tls-client in /u/b and also install its manpage.
* debian/
- add lintian overrides for private keys directories using 700
permissions.
strongswan (5.5.3-2) unstable; urgency=medium
* debian/control: extra-plugins long description. extra-plugins to an-extra- plugins
- fix typo in libstrongswan-
* move curve25519 plugin from libcharon-
libstrongsw
strongswan (5.5.3-1) unstable; urgency=medium
* New upstream release.
* debian/control:
- update standards version to 4.0.0
strongswan (5.5.2-1) experimental; urgency=medium
* New upstream release. patches/ 03_systemd- service refreshed. libcharon- extra-plugins. install: libstrongswan- extra-plugins. install:
* debian/
* debian/
- include curve25519 plugin.
* debian/
- install libtpmtss library.
-- Christian Ehrhardt <email address hidden> Wed, 29 Nov 2017 15:55:18 +0100