Change logs for strongswan source package in Bionic

  • strongswan (5.6.2-1ubuntu2.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
        - debian/patches/CVE-2022-40617.patch: do online revocation checks only
          after basic trust chain validation in
          src/libstrongswan/credentials/credential_manager.c.
        - CVE-2022-40617
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 14:10:27 -0400
  • strongswan (5.6.2-1ubuntu2.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
        - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
          generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
          src/libcharon/plugins/eap_md5/eap_md5.c,
          src/libcharon/plugins/eap_radius/eap_radius.c,
          src/libcharon/sa/eap/eap_method.h,
          src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
        - CVE-2021-45079
    
     -- Marc Deslauriers <email address hidden>  Tue, 11 Jan 2022 07:11:09 -0500
  • strongswan (5.6.2-1ubuntu2.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Integer Overflow in gmp Plugin
        - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
          negative salt length in
          src/libstrongswan/credentials/keys/signature_params.c,
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2021-41990
      * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
        - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
          overflow/sign change in
          src/libstrongswan/credentials/sets/cert_cache.c.
        - CVE-2021-41991
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Oct 2021 13:23:35 -0400
  • strongswan (5.6.2-1ubuntu2.6) bionic; urgency=medium
    
      * d/control: change dependency relationship between strongswan-charon and
        strongswan-starter so that the charon service is started with the apparmor
        profile applied (LP: #1932197)
    
     -- Andreas Hasenack <email address hidden>  Fri, 18 Jun 2021 19:58:12 +0000
  • strongswan (5.6.2-1ubuntu2.5) bionic; urgency=medium
    
      * d/p/lp-1772705-charon-nm-Fix-building-list-of-DNS-MDNS-servers-with.patch:
        fix charon-nm pushing random DNS servers (LP: #1772705)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 12 Nov 2019 12:32:51 +0100
  • strongswan (5.6.2-1ubuntu2.4) bionic; urgency=medium
    
      * fix stroke and lookip execution in containers (LP: #1780534). Binaries
        need to be able to read, map and execute themselves
        - d/usr.lib.ipsec.lookip: add rmix to own binary
        - d/usr.lib.ipsec.stroke: add rmix to own binary
      * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)
    
     -- Christian Ehrhardt <email address hidden>  Wed, 12 Dec 2018 15:52:43 +0100
  • strongswan (5.6.2-1ubuntu2.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient input validation in gmp plugin
        - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
          buffer overflow with very small RSA keys in
          src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
        - CVE-2018-17540
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Sep 2018 14:36:02 -0400
  • strongswan (5.6.2-1ubuntu2.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Insufficient input validation in gmp plugin
        - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
          parse PKCS1 v1.5 RSA signatures to verify them in
          src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2018-16151
        - CVE-2018-16152
      * SECURITY UPDATE: remote denial of service
        - debian/patches/strongswan-5.5.0-5.6.2_skeyseed_init.patch: properly
          initialize variable in src/libcharon/sa/ikev2/keymat_v2.c.
        - CVE-2018-10811
      * SECURITY UPDATE: DoS in stroke plugin
        - debian/patches/strongswan-5.1.2-5.6.2_stroke_msg_len.patch: ensure a
          minimum message length in
          src/libcharon/plugins/stroke/stroke_socket.c.
        - CVE-2018-5388
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Sep 2018 11:03:06 +0200
  • strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
    
      * d/control: fix dependencies of strongswan-libcharon due to the move of
        the updown plugin.
    
     -- Christian Ehrhardt <email address hidden>  Tue, 20 Mar 2018 07:37:29 +0100
  • strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
    
      * Merge with Debian unstable (LP: #1753018). Remaining changes:
        + Clean up d/strongswan-starter.postinst: section about runlevel changes
        + Clean up d/strongswan-starter.postinst: Removed entire section on
          opportunistic encryption disabling - this was never in strongSwan and
          won't be, see upstream issue #2160.
        + Ubuntu is not using the debconf triggered private key generation
          - d/rules: Removed patching ipsec.conf on build (not using the
            debconf-managed config.)
          - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
            used for debconf-managed include of private key).
        + Mass enablement of extra plugins and features to allow a user to use
          strongswan for a variety of extra use cases without having to rebuild.
          - d/control: Add required additional build-deps
          - d/control: Mention additionally enabled plugins
          - d/rules: Enable features at configure stage
          - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
          - d/libstrongswan.install: Add plugins (so, conf)
        + d/strongswan-starter.install: Install pool feature, which is useful since
          we have attr-sql plugin enabled as well using it.
        + Add plugin kernel-libipsec to allow the use of strongswan in containers
          via this userspace implementation (please do note that this is still
          considered experimental by upstream).
          - d/libcharon-extra-plugins.install: Add kernel-libipsec components
          - d/control: List kernel-libipsec plugin at extra plugins description
          - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
            upstream recommends to not load kernel-libipsec by default.
        + Relocate tnc plugin
          - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
          - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
        + d/libstrongswan.install: Reorder conf and .so alphabetically
        + d/libstrongswan.install: Add kernel-netlink configuration files
        + Complete the disabling of libfast; this was partially accepted in Debian:
          it no longer packages medcli and medsrv, but still builds and
          mentions it.
          - d/rules: Add --disable-fast to avoid build time and dependencies
          - d/control: Remove medcli, medsrv from package description
        + d/control: Mention mgf1 plugin which is in libstrongswan now
        + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
          libstrongswan-extra-plugins (no deps from default plugins).
        + Add rm_conffile for /etc/init.d/ipsec (transition from precise had
          missed that, droppable after 18.04)
        + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
          plugins for the most common use cases from extra-plugins into a new
          standard-plugins package. This will allow those use cases without pulling
          in too much more plugins (a bit like the tnc package). Recommend that
          package from strongswan-libcharon.
        + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
          libstrongswan as we dropped relocating ccm and test-vectors.
          (droppable >18.04).
        + d/control: add breaks/replace from libstrongswan to
          libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
          (droppable >18.04).
      * Added Changes:
        + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
          starter as we followed Debian to move the updown plugin but need to
          match Ubuntu versions (Droppable >18.04).
    
     -- Christian Ehrhardt <email address hidden>  Fri, 16 Mar 2018 11:08:47 +0100
  • strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
    
      * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
        - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
          identifier without parameters in
          src/libstrongswan/credentials/keys/signature_params.c.
        - CVE-2018-6459
    
     -- Marc Deslauriers <email address hidden>  Wed, 07 Mar 2018 14:52:02 +0100
  • strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
    
      * No-change rebuild against libcurl4
    
     -- Steve Langasek <email address hidden>  Wed, 28 Feb 2018 08:52:09 +0000
  • strongswan (5.6.1-2ubuntu2) bionic; urgency=high
    
      * No change rebuild against openssl1.1.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 12 Feb 2018 16:00:24 +0000
  • strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
    
      * Merge with Debian unstable (LP: #1717343).
        Also fixes an issue with multiple PSKs (LP: #1734207). Remaining changes:
        + Clean up d/strongswan-starter.postinst: section about runlevel changes
        + Clean up d/strongswan-starter.postinst: Removed entire section on
          opportunistic encryption disabling - this was never in strongSwan and
          won't be, see upstream issue #2160.
        + Ubuntu is not using the debconf triggered private key generation
          - d/rules: Removed patching ipsec.conf on build (not using the
            debconf-managed config.)
          - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
            used for debconf-managed include of private key).
        + Mass enablement of extra plugins and features to allow a user to use
          strongswan for a variety of extra use cases without having to rebuild.
          - d/control: Add required additional build-deps
          - d/control: Mention additionally enabled plugins
          - d/rules: Enable features at configure stage
          - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
          - d/libstrongswan.install: Add plugins (so, conf)
        + d/strongswan-starter.install: Install pool feature, which is useful since
          we have attr-sql plugin enabled as well using it.
        + Add plugin kernel-libipsec to allow the use of strongswan in containers
          via this userspace implementation (please do note that this is still
          considered experimental by upstream).
          - d/libcharon-extra-plugins.install: Add kernel-libipsec components
          - d/control: List kernel-libipsec plugin at extra plugins description
          - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
            upstream recommends to not load kernel-libipsec by default.
        + Relocate tnc plugin
          - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
          - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
        + d/libstrongswan.install: Reorder conf and .so alphabetically
        + d/libstrongswan.install: Add kernel-netlink configuration files
        + Complete the disabling of libfast; this was partially accepted in Debian:
          it no longer packages medcli and medsrv, but still builds and
          mentions it.
          - d/rules: Add --disable-fast to avoid build time and dependencies
          - d/control: Remove medcli, medsrv from package description
        + d/control: Mention mgf1 plugin which is in libstrongswan now
        + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
          libstrongswan-extra-plugins (no deps from default plugins).
        + Add rm_conffile for /etc/init.d/ipsec (transition from precise had
          missed that, droppable after 18.04)
        + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
          plugins for the most common use cases from extra-plugins into a new
          standard-plugins package. This will allow those use cases without pulling
          in too much more plugins (a bit like the tnc package). Recommend that
          package from strongswan-libcharon.
      * Added changes:
        + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
          in 5.6
        + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
        + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
          libstrongswan as we dropped relocating ccm and test-vectors.
          (droppable >18.04).
        - d/control: add breaks/replace from libstrongswan to
          libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
          (droppable >18.04).
      * Dropped changes:
        + Update init/service handling (debian default matches Ubuntu past now)
          Dropping this fixes (LP: #1734886)
          - d/rules: Change init/systemd program name to strongswan
          - d/strongswan-starter.strongswan.service: Add new systemd file instead of
            patching upstream
          - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
            linking to upstream
        + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
          (this is a never failing no-op for us, no need for Delta).
        + d/strongswan-starter.prerm: Stop strongswan service on package removal
          (ipsec now maps to strongswan service, so this works as-is).
        + Clean up d/strongswan-starter.postinst: rename service ipsec to
          strongswan (ipsec now maps to strongswan service, so this works as-is)
        + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
          whole section is disabled, so no need for delta)
        + (is upstream) CVE-2017-11185 patches
        + (is upstream) FTBFS upstream fix for changed include files
        + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
           QEMU/KVM autopkgtest the bliss test takes longer than the default
        + (in Debian) add now built (since 5.5.1) mgf1 plugin to
          libstrongswan-extra-plugins.
        + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
        + (this was enabled as part of the former delta, squash changes to no-up)
          d/rules: Disable duplicheck.
        + (not needed) Relocate plugins test-vectors from extra-plugins to
          libstrongswan
          - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
          - d/libstrongswan.install: Add plugins/conffiles
          - d/control: move package descriptions and add required breaks/replaces
        + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
          - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
          - d/libstrongswan.install: Add plugins/conffiles
          - d/control: move package descriptions and add required breaks/replaces
        + (while using it requires special kernel, it does not hurt to be
          available in the package) Remove ha plugin
          - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
          - d/rules: Do not enable ha plugin
          - d/control: Drop listing the ha plugin in the package description
    
    strongswan (5.6.1-2) unstable; urgency=medium
    
      * move counters plugin from -starter to -libcharon. closes: #882431
    
    strongswan (5.6.1-1) unstable; urgency=medium
    
      * debian/control:
        - remove strongswan-ike{,v1,v2} packages.                   closes: #878979
      * New upstream version 5.6.1
        - fix FTBFS with glibc 2.26+.                               closes: #880561
      * debian/rules: explicitly enable tpm plugin
      * debian/strongswan-starter.install: install counters plugin
      * debian/libstrongswan.install: install MGF1 plugin
      * debian/libstrongswan-extra-plugins.install: install tpm plugin
      * debian/control:
        - update standards version to 4.1.1
        - replace dh-systemd build-dep by updated build-dep on debhelper
    
    strongswan (5.6.0-2) unstable; urgency=medium
    
      * debian/rules:
        - only use dh_missing --fail-missing when doing an architecture dependent
        packages.                                                   closes: #874152
    
    strongswan (5.6.0-1) unstable; urgency=medium
    
      * New upstream release.
        - fix insufficient input validation in gmp plugin, which can cause a
        denial of service vulnerability (CVE-2017-11185)            closes: #872155
      * debian/rules:
        - remove .la files before install
        - don't call dh_install with --fail-missing
        - override dh_missing with --fail-missing to catch uninstalled files
        - apply patch from Gerald Turner to restrict permissions on swanctl folder
          containing private material.
        - replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
          when building for ppc64el on x86. Thanks Helmut Grohne.   closes: #866669
      * debian/strongswan-swanctl.install:
        - install the whole /etc/swanctl folder, including (empty) subfolders.
                                                                    closes: #866324
      * debian/charon-systemd.install:
        - install charon-systemd.conf files, thanks Gerald Turner.  closes: #866325
      * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
                                                                    closes: #866327
      * debian/libcharon-extra-plugins.install:
        - install pt-tls-client in /u/b and also install its manpage.
      * debian/strongswan-swanctl.lintian-overrides:
        - add lintian overrides for private keys directories using 700
        permissions.
    
    strongswan (5.5.3-2) unstable; urgency=medium
    
      * debian/control:
        - fix typo in libstrongswan-extra-plugins long description.
      * move curve25519 plugin from libcharon-extra-plugins to
        libstrongswan-extra-plugins
    
    strongswan (5.5.3-1) unstable; urgency=medium
    
      * New upstream release.
      * debian/control:
        - update standards version to 4.0.0
    
    strongswan (5.5.2-1) experimental; urgency=medium
    
      * New upstream release.
      * debian/patches/03_systemd-service refreshed.
      * debian/libcharon-extra-plugins.install:
        - include curve25519 plugin.
      * debian/libstrongswan-extra-plugins.install:
        - install libtpmtss library.
    
     -- Christian Ehrhardt <email address hidden>  Wed, 29 Nov 2017 15:55:18 +0100
  • strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
    
      * Fix Artful FTBFS due to newer glibc (LP: #1724859)
        - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
          files.
    
     -- Christian Ehrhardt <email address hidden>  Thu, 19 Oct 2017 15:18:52 +0200
  • strongswan (5.5.1-4ubuntu2) artful; urgency=medium
    
      * SECURITY UPDATE: Fix RSA signature verification
        - debian/patches/CVE-2017-11185.patch: does some
          verifications in order to avoid a null-pointer dereference
          in src/libstrongswan/gmp/gmp_rsa_public_key.c
        - CVE-2017-11185
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 15 Aug 2017 14:49:49 -0300