This bug was fixed in the package strongswan - 5.7.1-1ubuntu1 --------------- strongswan (5.7.1-1ubuntu1) disco; urgency=medium * Merge with Debian unstable (LP: #1806401). Remaining changes: - Clean up d/strongswan-starter.postinst: section about runlevel changes - Clean up d/strongswan-starter.postinst: Removed entire section on opportunistic encryption disabling - this was never in strongSwan and won't be see upstream issue #2160. - d/rules: Removed patching ipsec.conf on build (not using the debconf-managed config.) - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was used for debconf-managed include of private key). - Mass enablement of extra plugins and features to allow a user to use strongswan for a variety of extra use cases without having to rebuild. + d/control: Add required additional build-deps + d/control: Mention addtionally enabled plugins + d/rules: Enable features at configure stage + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) + d/libstrongswan.install: Add plugins (so, conf) - d/strongswan-starter.install: Install pool feature, which is useful since we have attr-sql plugin enabled as well using it. - Add plugin kernel-libipsec to allow the use of strongswan in containers via this userspace implementation (please do note that this is still considered experimental by upstream). + d/libcharon-extra-plugins.install: Add kernel-libipsec components + d/control: List kernel-libipsec plugin at extra plugins description + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As upstream recommends to not load kernel-libipsec by default. - Relocate tnc plugin + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins + Add new subpackage for TNC in d/strongswan-tnc-* and d/control - d/libstrongswan.install: Reorder conf and .so alphabetically - d/libstrongswan.install: Add kernel-netlink configuration files - Complete the disabling of libfast; This was partially accepted in Debian, it is no more packaging medcli and medsrv, but still builds and mentions it. + d/rules: Add --disable-fast to avoid build time and dependencies + d/control: Remove medcli, medsrv from package description - d/control: Mention mgf1 plugin which is in libstrongswan now - Add now built (since 5.5.1) libraries libtpmtss and nttfft to libstrongswan-extra-plugins (no deps from default plugins). - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon plugins for the most common use cases from extra-plugins into a new standard-plugins package. This will allow those use cases without pulling in too much more plugins (a bit like the tnc package). Recommend that package from strongswan-libcharon. - d/usr.sbin.charon-systemd: allow to contact mysql for sql and attr-sql plugins (LP #1766240) - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250) * Added Changes: - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch: fix SIGSEGV when using mysql plugin (LP: #1795813) - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956) - executables need to be able to read map and execute themselves otherwise execution in some environments e.g. containers is blocked (LP: #1780534) + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary - adapt "mass enablement of extra plugins" to match 5.7.x changes + d/rules: use new options for swima instead of swid + d/strongswan-tnc-server.install: add new sec updater tool + d/strongswan-tnc-client.install: add new sw-collector tool * Dropped (in Debian now): - SECURITY UPDATE: Insufficient input validation in gmp plugin (CVE-2018-17540) - SECURITY UPDATE: Insufficient input validation in gmp plugin (CVE-2018-16151 CVE-2018-16152) - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for usr-merge, thanks to Christian Ehrhardt. LP #1784023 strongswan (5.7.1-1) unstable; urgency=medium [ Ondřej Nový ] * d/copyright: Use https protocol in Format field * d/changelog: Remove trailing whitespaces * d/rules: Remove trailing whitespaces * d/control: Remove XS-Testsuite field, not needed anymore [ Yves-Alexis Perez ] * enable chapoly plugin (closes: #814927) * remove unused lintian overrides * New upstream version 5.7.1 - fix an integer underflow and subsequent heap buffer overflow in the gmp plugin triggered by crafted certificates with RSA keys with very small moduli (CVE-2018-17540) strongswan (5.7.0-1) unstable; urgency=medium * update AppArmor templates to handle usr merge (closes: #905082) * d/gbp.conf added, following DEP-14 * New upstream version 5.7.0 - include fixes for CVE-2018-16151 and CVE-2018-16152, potential Bleichenbacher-style low-exponent attacks leading to RSA signature forgery in gmp plugin. * d/control: fix typo in libstrongswan long description -- Christian Ehrhardt