Change logs for strongswan source package in Focal

  • strongswan (5.8.2-1ubuntu3.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
        - debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
          potential buffer overflow in
          src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
        - CVE-2023-41913
    
     -- Marc Deslauriers <email address hidden>  Tue, 07 Nov 2023 11:46:34 +0200
  • strongswan (5.8.2-1ubuntu3.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
        - debian/patches/CVE-2022-40617.patch: do online revocation checks only
          after basic trust chain validation in
          src/libstrongswan/credentials/credential_manager.c.
        - CVE-2022-40617
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 14:10:02 -0400
  • strongswan (5.8.2-1ubuntu3.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
        - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
          generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
          src/libcharon/plugins/eap_md5/eap_md5.c,
          src/libcharon/plugins/eap_radius/eap_radius.c,
          src/libcharon/sa/eap/eap_method.h,
          src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
        - CVE-2021-45079
    
     -- Marc Deslauriers <email address hidden>  Tue, 11 Jan 2022 07:10:45 -0500
  • strongswan (5.8.2-1ubuntu3.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: Integer Overflow in gmp Plugin
        - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
          negative salt length in
          src/libstrongswan/credentials/keys/signature_params.c,
          src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
        - CVE-2021-41990
      * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
        - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
          overflow/sign change in
          src/libstrongswan/credentials/sets/cert_cache.c.
        - CVE-2021-41991
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Oct 2021 13:22:57 -0400
  • strongswan (5.8.2-1ubuntu3.2) focal; urgency=medium
    
      * Compile the tpm plugin against the tpm2 software stack (tss2)
        (Debian packaging cherry-pick, LP: #1940079)
        - d/rules: add the --enable-tss-tss2 configure flag
        - d/control: add Build-Depends: libtss2-dev
    
     -- Paride Legovini <email address hidden>  Fri, 17 Sep 2021 10:48:56 +0200
  • strongswan (5.8.2-1ubuntu3.1) focal; urgency=medium
    
      * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
        - d/control: update libcharon-extra-plugins description.
        - d/libcharon-extra-plugins.install: install .so and conf files.
        - d/rules: add plugins to the configuration arguments.
      * Remove conf files of plugins removed from libcharon-extra-plugins
        - The conf files of the following plugins were removed: eap-aka-3gpp2,
          eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
          eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
        - Created d/libcharon-extra-plugins.maintscript to handle the removals
          properly.
      * Add patches to fix the chunk_from_chars() macro compiled with GCC 9+
        (LP: #1879692)
        - Patches backported from upstream: lp-1879692-{1,2,3,4,5}.patch.
        - Fix the pki CA certificate creation issue.
    
     -- Lucas Kanashiro <email address hidden>  Fri, 22 May 2020 10:53:07 -0300
  • strongswan (5.8.2-1ubuntu3) focal; urgency=medium
    
      * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
        there is a potential local side-channel attack on strongSwan's BLISS
        implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 10 Mar 2020 07:56:56 +0100
  • strongswan (5.8.2-1ubuntu2) focal; urgency=medium
    
      * re-add post-quantum computer signature scheme (BLISS) and encryption
        algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
        - d/control: mention plugins in package description
        - d/rules: enable ntru and bliss at build time
        - d/libstrongswan-extra-plugins.install: ship config and shared objects
    
     -- Christian Ehrhardt <email address hidden>  Wed, 04 Mar 2020 07:54:26 +0100
  • strongswan (5.8.2-1ubuntu1) focal; urgency=medium
    
      * Merge with Debian unstable (LP: #1861971). Remaining changes:
        - d/control: Transition from strongswan-tnc-* being in extra packages
          to libcharon-extra-plugins (drop after 20.04)
        - d/control: Transition from former Ubuntu only libcharon-standard-plugins
          to common libcharon-extauth-plugins (drop after 20.04)
        - d/control: strongswan-starter hard-depends on strongswan-charon,
          therefore bump the dependency from Recommends to Depends. At the same
          time avoid a circular dependency by dropping
          strongswan-charon->strongswan-starter from Depends to Recommends as the
          binaries can work without the services but not vice versa.
      * Added Changes
        - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
          This is needed due to changes in regard to Debian bug 947176 and 939243
          and can later be dropped again.
    
    strongswan (5.8.2-1) unstable; urgency=medium
    
      [ Jean-Michel Vourgère ]
      * README.Debian: Fixed typo
    
      [ Yves-Alexis Perez ]
      * d/control: replace iptables-dev b-dep by libip{4,6}tc-dev (Closes: #946148)
      * d/watch: use uscan special strings
      * New upstream version 5.8.2
      * d/control: update dh compat level to 12
      * strongswan-nm: update path for dbus service file
      * install DRBG plugin to libstrongswan
      * d/control: add ${misc:Pre-Depends} to strongswan-starter
    
     -- Christian Ehrhardt <email address hidden>  Wed, 05 Feb 2020 08:28:30 +0100
  • strongswan (5.8.1-1ubuntu1) focal; urgency=medium
    
      * Merge with Debian unstable (LP: #1852579). Remaining changes:
        - d/control: Transition from strongswan-tnc-* being in extra packages
          to libcharon-extra-plugins
      * Added Changes:
        - d/control: Transition from former Ubuntu only libcharon-standard-plugins
          to common libcharon-extauth-plugins (drop after 20.04)
        - d/control: strongswan-starter hard-depends on strongswan-charon,
          therefore bump the dependency from Recommends to Depends. At the same
          time avoid a circular dependency by dropping
          strongswan-charon->strongswan-starter from Depends to Recommends as the
          binaries can work without the services but not vice versa.
      * Dropped Changes (now in Debian):
        - Clean up d/strongswan-starter.postinst: section about runlevel changes
        - Clean up d/strongswan-starter.postinst: Removed entire section on
          opportunistic encryption disabling - this was never in strongSwan and
          won't be, see upstream issue #2160.
        - d/rules: Removed patching ipsec.conf on build (not using the
          debconf-managed config.)
        - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
          used for debconf-managed include of private key).
        - Add plugin kernel-libipsec to allow the use of strongswan in containers
          via this userspace implementation (please do note that this is still
          considered experimental by upstream).
          + d/libcharon-extra-plugins.install: Add kernel-libipsec components
          + d/control: List kernel-libipsec plugin at extra plugins description
          + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
            upstream recommends to not load kernel-libipsec by default.
        - d/control: Mention mgf1 plugin which is in libstrongswan now
        - Complete the disabling of libfast; this was partially accepted in Debian,
          which no longer packages medcli and medsrv but still builds and
          mentions it.
          + d/rules: Add --disable-fast to avoid build time and dependencies
          + d/control: Remove medcli, medsrv from package description
        - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
          libstrongswan-extra-plugins (no deps from default plugins).
        - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
          plugins for the most common use cases from extra-plugins into a new
          standard-plugins package. This will allow those use cases without pulling
          in too many more plugins (a bit like the tnc package). Recommend that
          package from strongswan-libcharon.
        - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
        - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
        - executables need to be able to read, map and execute themselves, otherwise
          execution in some environments (e.g. containers) is blocked (LP 1780534)
          + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
          + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
        - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
          profiles of both ways to start charon (LP 1807664)
        - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
        - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
          Debian so this part was dropped. Two changes remain
          - d/control: fix the mentioning of tpmtss in d/control
        - apparmor fixes for container and root usage (LP 1826238)
          + d/usr.sbin.swanctl: allow reading own binary
          + d/usr.sbin.charon-systemd: allow accessing the binary
          + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
          + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
            to apparmor to allow dropping caps
      * Dropped Changes (too uncommon to support by default)
        - d/libstrongswan.install: Add kernel-netlink configuration files
        - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
          attr-sql plugins (LP 1766240) - no longer needed as it isn't enabled.
        - Mass enablement of extra plugins and features to allow a user to use
          strongswan for a variety of extra use cases without having to rebuild.
          + d/control: Add required additional build-deps
          + d/control: Mention additionally enabled plugins
          + d/rules: Enable features at configure stage
          + d/libstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
          + d/libstrongswan.install: Add plugins (so, conf)
          + d/strongswan-starter.install: Install pool feature, which is useful
            since we now have the attr-sql plugin enabled.
        - Enable additional TNC plugins and add them to libcharon-extra-plugins
    
    strongswan (5.8.1-1) unstable; urgency=medium
    
      * d/rules: disable http and stream tests under CI
      * New upstream version 5.8.1
    
    strongswan (5.8.0-2) unstable; urgency=medium
    
      [ Christian Ehrhardt ]
      * d/control: Mention mgf1 plugin which is in libstrongswan now
      * Complete the disabling of libfast
      * Clean up d/strongswan-starter.postinst: section about runlevel changes
      * Clean up d/strongswan-starter.postinst: opportunistic encryption
      * Enable kernel-libipsec for use of strongswan in containers
      * d/control, d/libcharon-{extras,extauth}-plugins.install: Add
        extauth-plugins package (Recommends)
      * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
      * apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
      * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin
        (LP: 1773956)
      * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read, map
        and execute themselves
      * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read, map
        and execute themselves
      * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin
        (LP: 1807962)
      * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins
    
      [ Ryan Harper ]
      * Remove code related to unused debconf managed config
    
      [ Yves-Alexis Perez ]
      * ship xfrmi only on Linux, fix FTBFS on kfreebsd
      * d/libcharon-extra-plugins.install: drop plugins disabled in Debian
      * d/control: update standards version to 4.4.1
      * d/strongswan-starter.templates: drop runlevel_changes
      * let dh_installinit handle update-rc.d calls
      * d/salsa-ci.yml: add a salsa pipeline config
      * d/rules: drop dbgsym migration
      * strongswan-starter: update line number in lintian override
    
    strongswan (5.8.0-1) unstable; urgency=medium
    
      [ Christian Ehrhardt ]
      * Fix fails in debian CI (Closes: #926479)
    
      [ Simon Deziel ]
      * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to
        apparmor to allow dropping caps
      * d/usr.sbin.swanctl: add attach_disconnected to work inside containers
      * d/usr.sbin.charon-systemd: allow accessing the binary
      * d/usr.sbin.swanctl: allow reading own binary
    
      [ Yves-Alexis Perez ]
      * New upstream version 5.8.0
      * d/control: update standards version to 4.4.0
      * use debhelper-compat b-d for dh compat level
      * d/control: bump dh compat level to 11
      * d/rules: drop systemd addon, useless in compat 11
      * strongswan-libcharon: install xfrmi binary
      * d/patches refreshed for new upstream release
      * handle renaming of systemd service files
      * d/control: remove obsolete breaks/replaces
    
     -- Christian Ehrhardt <email address hidden>  Thu, 14 Nov 2019 15:00:15 +0100
  • strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
    
      * No change rebuild for libmysqlclient21.
    
     -- Christian Ehrhardt <email address hidden>  Thu, 15 Aug 2019 09:34:34 +0200