strongSwan 5.1.3

Bug #1330504 reported by Jonathan Davies on 2014-06-16
This bug affects 4 people
Affects: strongswan (Ubuntu)
Assigned to: Jonathan Davies

Bug Description

There's a new version of strongSwan out: 5.1.3.

Jonathan Davies (jpds) wrote :
Robie Basak (racb) wrote :

Debian has 5.1.3-4, so shouldn't this be a merge instead of an -0ubuntu1?

Changed in strongswan (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: upgrade-software-version
Robie Basak (racb) wrote :

(I can't upload/am not a sponsor, BTW)

Chris J Arges (arges) wrote :

The merge report is here:

$ grep-merges strongswan
strongswan Marc Deslauriers <email address hidden>

I would sync with Marc, see if you can help with the merge.

Jonathan Davies (jpds) wrote :

> Debian has 5.1.3-4, so shouldn't this be a merge instead of an -0ubuntu1?

The Debian and Ubuntu packages have significant differences between them. They came about as I revamped the Ubuntu packaging and then the Debian guys decided to do something else with regards to plugin management, and they also don't enable certain plugins like the TNC stack.

Jamie Strandboge (jdstrand) wrote :

Two entries were missing from the changelog:
* debian/libstrongswan.install: install new acert.* files
* debian/usr.lib.ipsec.stroke: add capability dac_override

I'm still going through the package, but will simply add these as part of the sponsoring process.

Jamie Strandboge (jdstrand) wrote :

Comparing build logs looks good. Comparing binaries looks good. Changes look fine (excepting the two minor issues I mentioned). The test suites pass during the build. ACK with my changes (uploading now).

Changed in strongswan (Ubuntu):
status: Triaged → Fix Committed
Jonathan Davies (jpds) wrote :

Already working with upstream on it:

Matthias Klose (doko) wrote :

fails to build on armhf and ppc64el, setting back to confirmed.
5.2.0 in Debian does not fail

Changed in strongswan (Ubuntu):
status: Fix Committed → Confirmed
importance: Medium → High
assignee: nobody → Jonathan Davies (jpds)
milestone: none → ubuntu-14.09
tags: added: ftbfs
Robie Basak (racb) wrote :


How is this an upstream bug? Deleting the bug task.

Martin Packman (gz) on 2015-05-01
affects: strongswan → obsolete-junk
no longer affects: obsolete-junk
Robert Sander (gurubert) wrote :

I am currently affected by which should be fixed in 5.1.3

Jacques (caramba696) wrote :

Strongswan 5.1.2 from Trusty is also affected by which is fixed in 5.1.3

Changed in strongswan (Ubuntu):
milestone: ubuntu-14.09 → later
Dimitri John Ledkov (xnox) wrote :

FTBFS on s390x, building 5.3.5-1 from debian cannot be tested yet, as missing new (universe) dependencies.

tags: added: s390x
Dimitri John Ledkov (xnox) wrote :

Cherry-picking patch from debian upload 5.1.2-3 fixing the build failure, thus removing s390x tag for now.

tags: removed: s390x
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per

        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debia...

Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released