[MIR] strongSwan

Bug #1266066 reported by Jonathan Davies on 2014-01-04
30
This bug affects 4 people
Affects Status Importance Assigned to Milestone
ldns (Ubuntu)
Undecided
Unassigned
strongswan (Ubuntu)
Undecided
Unassigned
unbound (Ubuntu)
Undecided
Unassigned

Bug Description

strongSwan IPsec VPN-solution Main Inclusion Report.

1. Availability:
 - In universe and Debian for some time.

2. Rationale:
 - We need a supported and functional IPsec VPN solution in Ubuntu.
 - At the current time, this is racoon, which hasn't updated in quite a while:

   - https://launchpad.net/ubuntu/+source/ipsec-tools

3. Security:
 - No current CVEs.
 - CVE reports in the past: fixed by upstream as seen in:

    - https://www.strongswan.org/blog/

 - But as package is in universe, no oversight from security team.
 - Ships a daemon that handles connections to IPsec clients (AppArmor'ed by profile).
 - Open privileged ports on 500 and 4500 (charon daemon above).

4. Quality assurance:
 - Current version doesn't install any working configuration, however this can be done with debconf.
 - It's simpler to do things by hand, as with openvpn.
 - Upstream is active:
   - Next release planned within a month: https://wiki.strongswan.org/projects/strongswan/roadmap
   - Respond proactively to support queries on their ticketing system: https://wiki.strongswan.org/projects/strongswan/issues
   - Release presentations from time to time: https://www.strongswan.org/documentation.html
 - Build process runs test suite.
 - Upstream runs a run test suite across all configuration scenarios: https://www.strongswan.org/uml/testresults/
 - Daily builds for Ubuntu here: https://code.launchpad.net/~strongswan/+recipe/strongswan-daily

5. UI standards:
 - Not applicable

6. Dependencies:
 - libgmp3-dev
 - libssl-dev
 - libldns-dev (universe)
 - libunbound-dev (universe)
 - libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev
 - libsoup2.4-dev
 - libpcsclite-dev
 - libldap2-dev
 - libpam0g-dev
 - libkrb5-dev
 - libtspi-dev
 - libxml2-dev
 - libsqlite3-dev
 - libmysqlclient-dev

Note that the packages in universe are not part of the core strongSwan functionality and rather are linked to binary packages that are plugins (strongswan-libfast, strongswan-plugin-medsrv, strongswan-plugin-unbound).

The building of these plugins could be disabled, but I'd rather offer our users a wide range of plugins by default - rather than have them rebuild strongSwan for functionality they may need.

7. Standards compliance:
 - Shipped by Debian
 - Lintian clean
 - uses dh, source format 3.0 (quilt)

8. Maintenance:
 - Currently maintained by a team of volunteers on Debian and Ubuntu.
 - Shared git repository on git.debian.org.

Jonathan Davies (jpds) wrote :

I understand that the powerpc build currently fails with the developer release package of 5.1.2:

- https://launchpad.net/ubuntu/+source/strongswan/5.1.2~dr2-0ubuntu3/+build/5406595

This functioned fine on 5.1.1: https://launchpad.net/ubuntu/+source/strongswan/5.1.1-0ubuntu17

Upstream improved their test coverage between the releases. I have forwarded this issue upstream:

- https://wiki.strongswan.org/issues/478
- https://wiki.strongswan.org/issues/479

And I'm awaiting access to a powerpc box so I can debug this myself.

My plan for 14.04 is to ship 5.1.2 final, and if not available on time, revert to 5.1.1.

Jonathan Davies (jpds) on 2014-01-04
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in strongswan (Ubuntu):
status: New → Confirmed
Jonathan Davies (jpds) on 2014-01-04
description: updated
Michael Terry (mterry) on 2014-01-07
Changed in strongswan (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Is there a technical reason why ipsec-tools is not good enough? I'd prefer not to support two ipsec solutions in Ubuntu, so if we moved to strongswan, we would want to demote ipsec-tools. What would it take to demote ipsec-tools?

Changed in strongswan (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Jonathan Davies (jpds) wrote :

> Is there a technical reason why ipsec-tools is not good enough?

ipsec-tools hasn't been touched in years. strongSwan upstream on the other hand are actively fixing the bugs I report on a daily basis:

- https://wiki.strongswan.org/projects/strongswan/activity

strongSwan lets us do other cool things, like TNC (see pages 30→44, onwards): http://strongswan.org/docs/OSTD_2013.pdf

> I'd prefer not to support two ipsec solutions in Ubuntu, so if we moved to strongswan, we would want to demote ipsec-tools. What would it take to demote ipsec-tools?

Yes, I would like ipsec-tools demoted as a part of this (and I was actually surprised that it's main).

Seth Arnold (seth-arnold) wrote :

Is ipsec-tools stagnant because it works well or because the BSD repos are where continued development happens?

Jonathan Davies (jpds) wrote :

[Dependencies libfcgi-dev and clearsilver-dev (universe) dropped as upstream recommendations against their plugin usage at this time].

description: updated
description: updated
Seth Arnold (seth-arnold) wrote :

I reviewed strongswan version 5.1.2-0ubuntu1 as checked into trusty.

This review is different from most; strongswan is significantly more
complicated than the usual tools I've audited and nearly every line
of code is highly relevant to system security. So I've reviewed only a
portion of the "prompted" lines provided by our tools and investigated
all the results provided by cppcheck.

The only issue of note from cppcheck is about referencing some
auto-allocated memory after the function that declared the space had
returned; it is a testing routine to ensure that memory scrubbing
functions properly, and while it wildly violates standards and good
practices, in this specific case it makes sense. This routine may cause
problems if we eventually use Intel's Memory Protection Extensions, so
someone keep this in mind for that day.

The strongswan documentation is fantastic, the provided examples and
automated testing performed upstream are nice, the unit tests run during
build are useful, the quality of the code that I did inspect looked high.

The packaging does have extensive lintian errors, 137 instances of
unstripped-binary-or-object and one spelling-error-in-description.

The MIR description says strongswan depends upon libldns-dev and
libunbound-dev. I've not reviewed these packages -- DNS subject-area
experts told me that these packages are high-quality if highly opinionated
about "correctness" over "compatability". Security team ACK for promoting
these packages to main if necessary.

Security team ACK for promoting strongswan to main.

We would like to demote ipsec-tools to universe to reduce potential
support burden.

Thanks

Changed in strongswan (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Michael Terry (mterry) wrote :

Which of the many packages do you need in main? Just strongswan, libstrongswan, strongswan-ike, strongswan-plugin-openssl, and strongswan-starter? (those are the packages that get installed with "apt-get install strongswan")

There are a lot of debconf questions and you say that strongswang has no working config from the get go? Does the user just dpkg-reconfigure to set it up?

Changed in strongswan (Ubuntu):
status: Confirmed → Incomplete
Michael Terry (mterry) wrote :

Strongswan (and unbound / ldns) all need a team bug subscriber. What team will look after these in main?

As for unbound, I'd also be interested in an assessment of how bad bug 988513 is. And unbound is not a trivial piece of software to support considering it isn't even used by default. It's just there so we can build a couple optional plugins of strongswan. How widely used are those plugins? Could we split some of the strongswan plugins into their own source?

Changed in unbound (Ubuntu):
status: New → Incomplete
Jonathan Davies (jpds) wrote :

> The packaging does have extensive lintian errors, 137 instances of
> unstripped-binary-or-object and one spelling-error-in-description.

Packages are not stripped to enable the http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.

> Which of the many packages do you need in main? Just strongswan,
> libstrongswan, strongswan-ike, strongswan-plugin-openssl, and
> strongswan-starter? (those are the packages that get installed with
> "apt-get install strongswan")

Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip, pkcs11 (smartcard backend [and we know from experience how much fun openvpn is with smartcards]), and the TNC (http://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect) components which can tie into Secure Boot.

> There are a lot of debconf questions and you say that strongswan
> has no working config from the get go? Does the user just
> dpkg-reconfigure to set it up?

I decided to remove the debconf pieces and just provide a commented out base template configuration file as debconf was much hassle than it was worth. OpenVPN also doesn't provide a base configuration/debconf.

> Strongswan (and unbound / ldns) all need a team bug subscriber.
> What team will look after these in main?

Looking at OpenVPN / BIND, I would say that this is the server team's realm.

> As for unbound, I'd also be interested in an assessment of how bad bug 988513 is.

This sounds like the 'these packages are [...] highly opinionated about "correctness" over "compatability"' that Seth was referring to.

> It's just there so we can build a couple optional plugins of strongswan.

I'd rather we enabled as many plugins as possible so that people don't have to recompile the source every time we leave out a plugin they need.

> Could we split some of the strongswan plugins into their own source?

That'd be a question for upstream, but it would make the package maintenance easier.

Jonathan Davies (jpds) on 2014-04-01
Changed in strongswan (Ubuntu):
status: Incomplete → Confirmed

Am 01.04.2014 02:50, schrieb Jonathan Davies:
>> The packaging does have extensive lintian errors, 137 instances of
>> unstripped-binary-or-object and one spelling-error-in-description.
>
> Packages are not stripped to enable the
> http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.

what is this supposed to check? the only reason that I can think of is file
corruption on the disk. why should strongswan be special here? you should be
able to protect against misconfigurations using dependencies. Of course this
won't help when you misconfigure strongswan itself, but why would you want to do
that?

Michael Terry (mterry) wrote :

> Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip,
> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
> is with smartcards]), and the TNC (http://wiki.strongswan.org/projects/strongswan
> /wiki/TrustedNetworkConnect) components which can tie into Secure Boot.

OK. And you want to seed those or bump those to recommends? I'd like an actual list of those you want to promote, because I'd prefer to only promote the packages we need.

> I decided to remove the debconf pieces and just provide a commented out base
> template configuration file as debconf was much hassle than it was worth.

Is this in a pending upload?

> Looking at OpenVPN / BIND, I would say that this is the server team's realm.

Can you get them to subscribe to all three packages then?

Jonathan Davies (jpds) wrote :

Am 01.04.2014 02:50, schrieb Jonathan Davies:
>>> The packaging does have extensive lintian errors, 137 instances of
>>> unstripped-binary-or-object and one spelling-error-in-description.
>>
>> Packages are not stripped to enable the
>> http://wiki.strongswan.org/projects/strongswan/wiki/IntegrityTest suite.
>
> what is this supposed to check? the only reason that I can think of is file
> corruption on the disk.

It's to be assured that the libraries and binaries you are running are what came out of the buildd and haven't been tampered with.

> why should strongswan be special here?

Because on some systems I've built, *everything* relies on the IPsec tunnel being functional for security reasons (with everything else on iptables being blocked). So the assurance above is a good to have.

This is also needed for FIPS 140-2, see here:

- http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Under "4.9.1 Power-Up Tests" → "Software/firmware integrity tests".

[http://wiki.strongswan.org/projects/strongswan/wiki/CryptoTest handles most of the rest of section 4.9].

>> Ideally, I'd like to see a lot more than that; a bunch that come to mind are: lookip,
>> pkcs11 (smartcard backend [and we know from experience how much fun openvpn
>> is with smartcards]), and the TNC (http://wiki.strongswan.org/projects/strongswan
>> /wiki/TrustedNetworkConnect) components which can tie into Secure Boot.
>
> OK. And you want to seed those or bump those to recommends? I'd like an actual
> list of those you want to promote, because I'd prefer to only promote the
> packages we need.

Preferably seed, I wouldn't want extra pieces installed by default. Let's go for:

 * libstrongswan
 * strongswan
 * strongswan-ike
 * strongswan-nm
 * strongswan-plugin-dhcp
 * strongswan-plugin-eap-md5
 * strongswan-plugin-eap-mschapv2
 * strongswan-plugin-eap-peap
 * strongswan-plugin-eap-radius
 * strongswan-plugin-eap-tls
 * strongswan-plugin-eap-tnc
 * strongswan-plugin-eap-ttls
 * strongswan-plugin-gmp
 * strongswan-plugin-ldap
 * strongswan-plugin-mysql
 * strongswan-plugin-openssl
 * strongswan-plugin-pkcs11
 * strongswan-plugin-radattr
 * strongswan-plugin-sql
 * strongswan-plugin-unbound
 * strongswan-starter
 * strongswan-tnc-base
 * strongswan-tnc-client
 * strongswan-tnc-pdp
 * strongswan-tnc-server

We should also grab network-manager-strongswan while we're at it for the desktop side of things.

>> I decided to remove the debconf pieces and just provide a commented out base
>> template configuration file as debconf was much hassle than it was worth.
>
> Is this in a pending upload?

The pieces removal? Yes. The packages just provided template configuration files for people to edit.

>> Looking at OpenVPN / BIND, I would say that this is the server team's realm.
>
> Can you get them to subscribe to all three packages then?

Team emailed.

Changed in network-manager-strongswan (Ubuntu):
status: New → Confirmed
Jonathan Davies (jpds) wrote :

I'd also like to add strongswan-pt-tls-client to the above package listing.

Changed in unbound (Ubuntu):
status: Incomplete → Confirmed
Michael Terry (mterry) wrote :

unbound has a new Debian version that drops the ldns dependency. It also has tests that aren't being run (./testcode/do-tests.sh seemingly). Any comment on those? They should be enabled.

Changed in unbound (Ubuntu):
status: Confirmed → Incomplete
Michael Terry (mterry) wrote :

If we do end up needing ldns, it seems OK. And Seth gave it the +1. So would be approved once we have a team subscriber.

Changed in ldns (Ubuntu):
status: New → Incomplete
Michael Terry (mterry) wrote :

network-manager-strongswan needs a team bug subscriber too, but is otherwise fine.

Changed in network-manager-strongswan (Ubuntu):
status: Confirmed → Incomplete
Michael Terry (mterry) wrote :

And strongswan itself seems OK packaging wise. Complicated, but livable. Yay for tests too! And Seth signed off for security. Just needs a team to look after its bugs.

Changed in strongswan (Ubuntu):
status: Confirmed → Incomplete
Jonathan Davies (jpds) wrote :

Server team subscribed to ldns, strongswan and unbound.

Changed in ldns (Ubuntu):
status: Incomplete → Triaged
Changed in strongswan (Ubuntu):
status: Incomplete → Triaged
Changed in unbound (Ubuntu):
status: Incomplete → Triaged
Michael Terry (mterry) wrote :

Still want to see unbound tests run or an explanation of why they can't be.

Changed in ldns (Ubuntu):
status: Triaged → Fix Committed
Changed in strongswan (Ubuntu):
status: Triaged → Fix Committed
Changed in unbound (Ubuntu):
status: Triaged → Incomplete
Jonathan Davies (jpds) wrote :

OK, unittests on unbound have been enabled as of the 1.4.22-1ubuntu2 upload.

I've identified two problems with the test case data files and reported them upstream and at bug #1302925.

Changed in unbound (Ubuntu):
status: Incomplete → Fix Committed
Jonathan Davies (jpds) on 2014-04-07
no longer affects: network-manager-strongswan (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

openvswitch-ipsec Depends on racoon from ipsec-tools. This comes from openvswitch-- I thought openvswitch needed packaging updates for demoting openvswitch-ipsec, but it does not. openvswitch-ipsec is demoted.

Jamie Strandboge (jdstrand) wrote :

ipsec-tools 1:0.8.0-14ubuntu4 in trusty: main/net -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty amd64: main/net/extra/100% -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty arm64: main/net/extra/100% -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty armhf: main/net/extra/100% -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty i386: main/net/extra/100% -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty powerpc: main/net/extra/100% -> universe
ipsec-tools 1:0.8.0-14ubuntu4 in trusty ppc64el: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty amd64: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty arm64: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty armhf: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty i386: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty powerpc: main/net/extra/100% -> universe
racoon 1:0.8.0-14ubuntu4 in trusty ppc64el: main/net/extra/100% -> universe
Override [y|N]? y
13 publications overridden.

Jamie Strandboge (jdstrand) wrote :

Release note added for strongswan official support and ipsec-tools community support.

Jamie Strandboge (jdstrand) wrote :
Download full text (12.9 KiB)

$ ./change-override -c main strongswan strongswan-ike strongswan-plugin-dhcp strongswan-plugin-eap-md5 strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-tnc strongswan-plugin-eap-ttls strongswan-plugin-gmp strongswan-plugin-ldap strongswan-plugin-mysql strongswan-plugin-openssl strongswan-plugin-pkcs11 strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-unbound strongswan-pt-tls-client strongswan-tnc-base strongswan-tnc-client strongswan-tnc-pdp strongswan-tnc-server
Override component to main
strongswan 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan-ike 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan-plugin-dhcp 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan-plugin-eap-md5 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan-plugin-eap-mschapv2 5.1.2-0ubu...

Changed in strongswan (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

$ ./change-override -c main host libunbound2 libstrongswan strongswan-starter libldns1
Override component to main
host 1:9.9.5.dfsg-3 in trusty amd64: universe/net/optional/100% -> main
host 1:9.9.5.dfsg-3 in trusty arm64: universe/net/optional/100% -> main
host 1:9.9.5.dfsg-3 in trusty armhf: universe/net/optional/100% -> main
host 1:9.9.5.dfsg-3 in trusty i386: universe/net/optional/100% -> main
host 1:9.9.5.dfsg-3 in trusty powerpc: universe/net/optional/100% -> main
host 1:9.9.5.dfsg-3 in trusty ppc64el: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty amd64: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty arm64: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty armhf: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty i386: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty powerpc: universe/net/optional/100% -> main
libunbound2 1.4.22-1ubuntu4 in trusty ppc64el: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
libstrongswan 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty amd64: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty arm64: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty armhf: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty i386: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty powerpc: universe/net/optional/100% -> main
strongswan-starter 5.1.2-0ubuntu1 in trusty ppc64el: universe/net/optional/100% -> main
libldns1 1.6.17-1 in trusty amd64: universe/libs/extra/100% -> main
libldns1 1.6.17-1 in trusty arm64: universe/libs/extra/100% -> main
libldns1 1.6.17-1 in trusty armhf: universe/libs/extra/100% -> main
libldns1 1.6.17-1 in trusty i386: universe/libs/extra/100% -> main
libldns1 1.6.17-1 in trusty powerpc: universe/libs/extra/100% -> main
libldns1 1.6.17-1 in trusty ppc64el: universe/libs/extra/100% -> main
Override [y|N]? y
30 publications overridden.

$ ./change-override -c main -t unbound
Override component to main
unbound 1.4.22-1ubuntu4 in trusty: universe/net -> main
Override [y|N]? y
1 publication overridden.

$ ./change-override -c main -t ldns
Override component to main
ldns 1.6.17-1 in trusty: universe/net -> main
Override [y|N]? y
1 publication overridden.

Changed in ldns (Ubuntu):
status: Fix Committed → Fix Released
Changed in unbound (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers