  * Merge with Debian unstable (LP: #1806401). Remaining changes:
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be, see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention additionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
    - d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - Relocate tnc plugin
      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    - d/libstrongswan.install: Reorder conf and .so alphabetically
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP #1766240)
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
  * Added Changes:
    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
      fix SIGSEGV when using mysql plugin (LP: #1795813)
    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
    - executables need to be able to read map and execute themselves otherwise
      execution in some environments e.g. containers is blocked (LP: #1780534)
      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
    - adapt "mass enablement of extra plugins" to match 5.7.x changes
      + d/rules: use new options for swima instead of swid
      + d/strongswan-tnc-server.install: add new sec updater tool
      + d/strongswan-tnc-client.install: add new sw-collector tool
  * Dropped (in Debian now):
    - SECURITY UPDATE: Insufficient input validation in gmp plugin
      (CVE-2018-17540)
    - SECURITY UPDATE: Insufficient input validation in gmp plugin
      (CVE-2018-16151 CVE-2018-16152)
    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
      usr-merge, thanks to Christian Ehrhardt. LP #1784023

strongswan (5.7.1-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/copyright: Use https protocol in Format field
  * d/changelog: Remove trailing whitespaces
  * d/rules: Remove trailing whitespaces
  * d/control: Remove XS-Testsuite field, not needed anymore

  [ Yves-Alexis Perez ]
  * enable chapoly plugin (closes: #814927)
  * remove unused lintian overrides
  * New upstream version 5.7.1
    - fix an integer underflow and subsequent heap buffer overflow in the gmp
      plugin triggered by crafted certificates with RSA keys with very small
      moduli (CVE-2018-17540)

strongswan (5.7.0-1) unstable; urgency=medium

  * update AppArmor templates to handle usr merge (closes: #905082)
  * d/gbp.conf added, following DEP-14
  * New upstream version 5.7.0
    - include fixes for CVE-2018-16151 and CVE-2018-16152, potential
      Bleichenbacher-style low-exponent attacks leading to RSA signature forgery
      in gmp plugin.
  * d/control: fix typo in libstrongswan long description

 -- Christian Ehrhardt <email address hidden> Mon, 03 Dec 2018 15:18:31 +0100

This bug was fixed in the package strongswan - 5.7.1-1ubuntu1
---------------
strongswan (5.7.1-1ubuntu1) disco; urgency=medium