This bug was fixed in the package strongswan - 5.6.1-2ubuntu1

---------------
strongswan (5.6.1-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1717343).
    Also fixes an issue with multiple psk's (LP: #1734207).
    Remaining changes:
    + Clean up d/strongswan-starter.postinst: section about runlevel changes
    + Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    + Ubuntu is not using the debconf triggered private key generation
      - d/rules: Removed patching ipsec.conf on build (not using the
        debconf-managed config.)
      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
        used for debconf-managed include of private key).
    + Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      - d/control: Add required additional build-deps
      - d/control: Mention additionally enabled plugins
      - d/rules: Enable features at configure stage
      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      - d/libstrongswan.install: Add plugins (so, conf)
    + d/strongswan-starter.install: Install pool feature, which is useful
      since we have attr-sql plugin enabled as well using it.
    + Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
      - d/control: List kernel-libipsec plugin at extra plugins description
      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    + Relocate tnc plugin
      - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    + d/libstrongswan.install: Reorder conf and .so alphabetically
    + d/libstrongswan.install: Add kernel-netlink configuration files
    + Complete the disabling of libfast; This was partially accepted in
      Debian, it is no more packaging medcli and medsrv, but still builds
      and mentions it.
      - d/rules: Add --disable-fast to avoid build time and dependencies
      - d/control: Remove medcli, medsrv from package description
    + d/control: Mention mgf1 plugin which is in libstrongswan now
    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    + Add rm_conffile for /etc/init.d/ipsec (transition from precise had
      missed that, droppable after 18.04)
    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without
      pulling in too much more plugins (a bit like the tnc package).
      Recommend that package from strongswan-libcharon.
  * Added changes:
    + d/strongswan-tnc-client.install (relocate tnc) swidtag creation
      changed in 5.6
    + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
      libstrongswan as we dropped relocating ccm and test-vectors.
      (droppable >18.04).
      - d/control: add breaks/replace from libstrongswan to
        libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
        (droppable >18.04).
  * Dropped changes:
    + Update init/service handling (debian default matches Ubuntu past now)
      Dropping this fixes (LP: #1734886)
      - d/rules: Change init/systemd program name to strongswan
      - d/strongswan-starter.strongswan.service: Add new systemd file
        instead of patching upstream
      - d/strongswan-starter.links: Removed, use Ubuntu systemd file
        instead of linking to upstream
    + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
      (this is a never failing no-op for us, no need for Delta).
    + d/strongswan-starter.prerm: Stop strongswan service on package
      removal (ipsec now maps to strongswan service, so this works as-is).
    + Clean up d/strongswan-starter.postinst: rename service ipsec to
      strongswan (ipsec now maps to strongswan service, so this works as-is)
    + Clean up d/strongswan-starter.postinst: daemon enable/disable
      (the whole section is disabled, so no need for delta)
    + (is upstream) CVE-2017-11185 patches
    + (is upstream) FTBFS upstream fix for changed include files
    + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
      QEMU/KVM autopkgtest the bliss test takes longer than the default
    + (in Debian) add now built (since 5.5.1) mgf1 plugin to
      libstrongswan-extra-plugins.
    + (in Debian) d/strongswan-starter.install: install stroke apparmor
      profile
    + (this was enabled as part of the former delta, squash changes to
      no-up) d/rules: Disable duplicheck.
    + (not needed) Relocate plugins test-vectors from extra-plugins to
      libstrongswan
      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
      - d/libstrongswan.install: Add plugins/conffiles
      - d/control: move package descriptions and add required
        breaks/replaces
    + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
      - d/libstrongswan.install: Add plugins/conffiles
      - d/control: move package descriptions and add required
        breaks/replaces
    + (while using it requires special kernel, it does not hurt to be
      available in the package) Remove ha plugin
      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
      - d/rules: Do not enable ha plugin
      - d/control: Drop listing the ha plugin in the package description

strongswan (5.6.1-2) unstable; urgency=medium

  * move counters plugin from -starter to -libcharon. closes: #882431

strongswan (5.6.1-1) unstable; urgency=medium

  * debian/control:
    - remove strongswan-ike{,v1,v2} packages. closes: #878979
  * New upstream version 5.6.1
    - fix FTBFS with glibc 2.26+. closes: #880561
  * debian/rules: explicitly enable tpm plugin
  * debian/strongswan-starter.install: install counters plugin
  * debian/libstrongswan.install: install MGF1 plugin
  * debian/libstrongswan-extra-plugins.install: install tpm plugin
  * debian/control:
    - update standards version to 4.1.1
    - replace dh-systemd build-dep by updated build-dep on debhelper

strongswan (5.6.0-2) unstable; urgency=medium

  * debian/rules:
    - only use dh_missing --fail-missing when doing an architecture
      dependent packages. closes: #874152

strongswan (5.6.0-1) unstable; urgency=medium

  * New upstream release.
    - fix insufficient input validation in gmp plugin, which can cause a
      denial of service vulnerability (CVE-2017-11185) closes: #872155
  * debian/rules:
    - remove .la files before install
    - don't call dh_install with --fail-missing
    - override dh_missing with --fail-missing to catch uninstalled files
    - apply patch from Gerald Turner to restrict permissions on swanctl
      folder containing private material.
    - replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
      when building for ppc64el on x86. Thanks Helmut Grohne.
      closes: #866669
  * debian/strongswan-swanctl.install:
    - install the whole /etc/swanctl folder, including (empty) subfolders.
      closes: #866324
  * debian/charon-systemd.install:
    - install charon-systemd.conf files, thanks Gerald Turner.
      closes: #866325
  * Add AppArmor profiles for swanctl and charon-system, thanks Gerald
    Turner. closes: #866327
  * debian/libcharon-extra-plugins.install:
    - install pt-tls-client in /u/b and also install its manpage.
  * debian/strongswan-swanctl.lintian-overrides:
    - add lintian overrides for private keys directories using 700
      permissions.

strongswan (5.5.3-2) unstable; urgency=medium

  * debian/control:
    - fix typo in libstrongswan-extra-plugins long description.
  * move curve25519 plugin from libcharon-extra-plugins to
    libstrongswan-extra-plugins

strongswan (5.5.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - update standards version to 4.0.0

strongswan (5.5.2-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches/03_systemd-service refreshed.
  * debian/libcharon-extra-plugins.install:
    - include curve25519 plugin.
  * debian/libstrongswan-extra-plugins.install:
    - install libtpmtss library.

 -- Christian Ehrhardt