Publishing details
Changelog
strongswan (5.3.5-1ubuntu4~ubuntu14.04.1~ppa1) trusty; urgency=medium
* No-change backport to trusty
strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
* Build-depend on libjson-c-dev instead of libjson0-dev.
* Rebuild against libjson-c3.
strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
* Rebuild against libmysqlclient20.
strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
* debian/tests/plugins: rdrand may or may not be loaded, depending on the
cpu features.
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
* debian/{rules,control,libstrongswan-extra-plugins.install}
Enable bliss plugin
* debian/{rules,control,libstrongswan-extra-plugins.install}
Enable chapoly plugin
* debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
Upstream suggests to not load this plugin by default as it has
some limitations.
https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
* debian/patches/increase-bliss-test-timeout.patch
Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
* Update Apparmor profiles
- usr.lib.ipsec.charon
- add capability audit_write for xauth-pam (LP: #1470277)
- add capability dac_override (needed by agent plugin)
- allow priv dropping (LP: #1333655)
- allow caching CRLs (LP: #1505222)
- allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
- usr.lib.ipsec.stroke
- allow priv dropping (LP: #1333655)
- add local include
- usr.lib.ipsec.lookip
- add local include
* Merge from Debian, which includes fixes for all previous CVEs
Fixes (LP: #1330504, #1451091, #1448870, #1470277)
Remaining changes:
* debian/control
- Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
- Update Maintainer for Ubuntu
- Add build-deps
- dh-apparmor
- iptables-dev
- libjson0-dev
- libldns-dev
- libmysqlclient-dev
- libpcsclite-dev
- libsoup2.4-dev
- libtspi-dev
- libunbound-dev
- Drop build-deps
- libfcgi-dev
- clearsilver-dev
- Create virtual packages for all strongswan-plugin-* for dist-upgrade
- Set XS-Testsuite: autopkgtest
* debian/rules:
- Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
- Set TESTS_REDUCED_KEYLENGTHS to one to generate smallest key-lengths in
tests.
- Change init/systemd program name to strongswan
- Install AppArmor profiles
- Removed pieces on 'patching ipsec.conf' on build.
- Enablement of features per Ubuntu current config suggested from
upstream recommendation
- Unpack and sort enabled features to one-per-line
- Disable duplicheck as per
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
- Disable libfast (--disable-fast):
Requires dropping medsrv, medcli plugins which depend on libfast
- Add configure options
--with-tss=trousers
- Remove configure options:
--enable-ha (requires special kernel)
--enable-unit-test (unit tests run by default)
- Drop logcheck install
* debian/tests/*
- Add DEP8 test for strongswan service and plugins
* debian/strongswan-starter.strongswan.service
- Add new systemd file instead of patching upstream
* debian/strongswan-starter.links
- removed, use Ubuntu systemd file instead of linking to upstream
* debian/usr.lib.ipsec.{charon, lookip, stroke}
- added AppArmor profiles for charon, lookip and stroke
* debian/libcharon-extra-plugins.install
- Add plugins
- kernel-libipsec.{so, lib, conf, apparmor}
- Remove plugins
- libstrongswan-ha.so
- Relocate plugins
- libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
* debian/libstrongswan-extra-plugins.install
- Add plugins (so, lib, conf)
- acert
- attr-sql
- coupling
- dnscert
- fips-prf
- gmp
- ipseckey
- load-tester
- mysql
- ntru
- radattr
- soup
- sqlite
- sql
- systime-fix
- unbound
- whitelist
- Relocate plugins (so, lib, conf)
- ccm (libstrongswan.install)
- test-vectors (libstrongswan.install)
* debian/libstrongswan.install
- Sort sections
- Add plugins (so, lib, conf)
- libchecksum
- ccm
- eap-identity
- md4
- test-vectors
* debian/strongswan-charon.install
- Add AppArmor profile for charon
* debian/strongswan-starter.install
- Add tools, manpages, conf
- openac
- pool
- _updown_espmark
- Add AppArmor profile for stroke
* debian/strongswan-tnc-base.install
- Add new subpackage for TNC
- remove non-existent (dropped in 5.2.1) libpts library files
* debian/strongswan-tnc-client.install
- Add new subpackage for TNC
* debian/strongswan-tnc-ifmap.install
- Add new subpackage for TNC
* debian/strongswan-tnc-pdp.install
- Add new subpackage for TNC
* debian/strongswan-tnc-server.install
- Add new subpackage for TNC
* debian/strongswan-starter.postinit:
- Removed section about runlevel changes, it's almost 2014.
- Adapted service restart section for Upstart.
- Remove old symlinks to init.d files if necessary.
* debian/strongswan-starter.dirs: Don't touch /etc/init.d.
* debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
* debian/strongswan-starter.prerm: Stop strongswan service on package
removal (as opposed to using the old init.d script).
* debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
- logcheck patterns updated to be helpful
* debian/strongswan-starter.postinst: Removed further out-dated code and
entire section on opportunistic encryption - this was never in strongSwan.
* debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
Drop changes:
* debian/control
- Per-plugin package breakup: Reducing packaging delta from Debian
- Don't build dhcp, farp subpackages: Reduce packaging delta from Debian
* debian/watch: Already exists in Debian merge
* debian/upstream/signing-key.asc: Upstream has newer version.
strongswan (5.3.5-1) unstable; urgency=medium
* New upstream bugfix release.
strongswan (5.3.4-1) unstable; urgency=medium
* New upstream release.
* debian/patches:
- 03_systemd-service refreshed for new upstream release.
- 0001-socket-default-Refactor-setting-source-address-when-,
0001-socket-dynamic-Refactor-setting-source-address-when- and
CVE-2015-8023_eap_mschapv2_state dropped, included upstream.
strongswan (5.3.3-3) unstable; urgency=high
* Set urgency=high for security fix.
* debian/patches:
- CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
using EAP MSCHAPv2.
strongswan (5.3.3-2) unstable; urgency=medium
* debian/rules:
- make the dh_install override arch-dependent only since it only acts on
arch:any packages, fix FTBFS on arch:all.
strongswan (5.3.3-1) unstable; urgency=medium
* debian/rules:
- enable the connmark plugin.
* debian/control:
- add build-dep on iptables-dev.
* debian/libstrongswan-standard-plugins:
- add connmark plugin to the standard-plugins package.
* New upstream release. closes: #803772
* debian/strongswan-starter.install:
- install new pki --dn manpage to ipsec-starter package.
* debian/patches:
- 0001-socket-default-Refactor-setting-source-address-when- and
0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
source address selection with IPv6 (upstream #1171)
strongswan (5.3.2-1) unstable; urgency=medium
* New upstream release.
* debian/patches:
- 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
- CVE-2015-4171_enforce_remote_auth dropped as well.
strongswan (5.3.1-1) unstable; urgency=high
* New upstream release.
* debian/patches:
- strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
- 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
same message ID twice in sequential IV gen. strongSwan issue #980.
- CVE-2015-4171_enforce_remote_auth added, fix potential leak of
authentication credential to rogue server when using PSK or EAP. This is
CVE-2015-4171.
strongswan (5.3.0-2) unstable; urgency=medium
* debian/patches:
- strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
remote code execution vulnerability (CVE-2015-3991).
* debian/strongswan-starter.lintian-overrides: add override for
command-with-path-in-maintainer-script since it's there to check for file
existence.
* Upload to unstable.
strongswan (5.3.0-1) experimental; urgency=medium
* New upstream release.
* debian/patches:
- 01_fix-manpages refreshed for new upstream release.
- 02_chunk-endianness dropped, included upstream.
- CVE-2014-9221_modp_custom dropped, included upstream.
* debian/strongswan-starter.install
- don't install the _updown and _updown_espmark manpages anymore, they're
gone.
- also remove the _updown_espmark script, gone too.
* debian/copyright updated.
strongswan (5.2.1-6) unstable; urgency=medium
* Ship /lib/systemd/system/ipsec.service as a symlink to
strongswan.service in strongswan-starter instead of using Alias= in
the service file. This makes the ipsec name available to invoke-rc.d
before the service gets actually enabled, which avoids some confusion
(closes: #781209).
strongswan (5.2.1-5) unstable; urgency=high
* debian/patches:
- debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
denial of service in IKEv2 when using custom MODP value.
strongswan (5.2.1-4) unstable; urgency=medium
* Give up on trying to run the test suite on !amd64, it now times out on
both i386 and s390x, our chosen "fast" archs.
strongswan (5.2.1-3) unstable; urgency=medium
* Disable libtls tests again, they are still too intensive for the buildd
network...
strongswan (5.2.1-2) unstable; urgency=medium
* Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
computation and FTBFS on big-endian hosts.
* Run the test suite only on amd64, i386, and s390x. It requires lots of
entropy and CPU time, which are typically hard to come by on slower
archs.
* Re-enable normal keylengths in test suite.
* Re-enable libtls tests.
* Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
* Bump Standards-Version to 3.9.6.
strongswan (5.2.1-1) unstable; urgency=medium
* New upstream release.
* Stop shipping /etc/strongswan.conf.d in libstrongswan.
strongswan (5.2.0-2) unstable; urgency=medium
* Add systemd integration:
+ Install upstream systemd service file in strongswan-starter.
+ Alias strongswan.service to ipsec.service to match the sysv init script.
+ Drop After=syslog.target (as syslog is socket-activated nowadays), but
add After=network.target to ensure that charon gets the chance to send
deletes on exit.
+ Add ExecReload for reload action, since the starter script has one.
+ On linux-any, add build-dep on systemd to ensure that the pkg-config
metadata file can be found.
+ Add build-dep on dh-systemd, and use systemd dh addon.
* Remove debian/patches/03_include-stdint.patch.
strongswan (5.2.0-1) unstable; urgency=medium
* New upstream release.
[ Romain Francoise ]
* Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
* Drop hardening-wrapper from build-depends (unused since 5.0.4-1).
[ Yves-Alexis Perez ]
* debian/po:
- pt_BR.po updated, thanks Adriano Rafael Gomes. closes: #752721
* debian/patches:
03_pfkey-Always-include-stdint.h dropped, included upstream.
* debian/strongswan-starter.install:
- replace tools.conf by pki.conf and scepclient.conf.
strongswan (5.1.3-4) unstable; urgency=medium
* debian/control:
- add build-dep on pkg-config.
* debian/patches:
- 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
always include stdint.h. Fix FTBFS on kFreeBSD.
strongswan (5.1.3-3) unstable; urgency=medium
* debian/watch:
- add pgpsigurlmangle to get PGP signature
* debian/upstream/signing-key.asc:
- bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
* debian/control:
- add build-dep on libgcrypt20-dev, fix FTBFS. closes: #747796
strongswan (5.1.3-2) unstable; urgency=low
* Disable the new libtls test suite for now--it appears to be a
little too intensive for slower archs.
strongswan (5.1.3-1) unstable; urgency=low
* New upstream release.
* debian/control: make strongswan-charon depend on iproute2 | iproute,
thanks to Ryo IGARASHI <email address hidden> (closes: #744832).
strongswan (5.1.2-4) unstable; urgency=high
* debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
(authentication bypass vulnerability in IKEv2 code).
* debian/control: add myself to Uploaders.
strongswan (5.1.2-3) unstable; urgency=medium
* debian/patches/
- 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b added, fix
testsuite failing on 64 bit big-endian platforms (s390x).
- 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
armel.
strongswan (5.1.2-2) unstable; urgency=medium
* debian/rules:
- use reduced keylengths in testsuite on various arches, hopefully fixing
FTBFS when the genrsa test runs.
strongswan (5.1.2-1) unstable; urgency=medium
* New upstream release.
* debian/control:
- add conflicts against openSwan. closes: #740808
* debian/strongswan-starter,postrm:
- remove /var/lib/strongswan on purge.
* debian/ipsec.secrets.proto:
- stop lying about ipsec showhostkey command. closes: #600382
* debian/patches:
- 01_fix-manpages refreshed for new upstream.
- 02_include-strongswan.conf.d removed, strongswan.d is now supported
upstream.
* debian/rules, debian/*.install:
- install default configuration files for all plugins.
* debian/NEWS:
- fix spurious entry.
- add a NEWS entry to advertise about the new strongswan.d configuration
mechanism.
strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
* Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
* SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
- debian/patches/CVE-2015-8023.patch: only succeed authentication if
MSK was established in
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
- CVE-2015-8023
* debian/patches/disable_ntru_test.patch: disable test causing FTBFS
until regression is properly investigated.
strongswan (5.1.2-0ubuntu6) wily; urgency=medium
* SECURITY UPDATE: user credential disclosure to rogue servers
- debian/patches/CVE-2015-4171.patch: enforce remote authentication
config before proceeding with own authentication in
src/libcharon/sa/ikev2/tasks/ike_auth.c.
- CVE-2015-4171
* debian/rules: don't FTBFS from unused service file
strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
* Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
* SECURITY UPDATE: denial of service via DH group 1025
- debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
src/libstrongswan/crypto/diffie_hellman.h.
- CVE-2014-9221
strongswan (5.1.2-0ubuntu3) utopic; urgency=low
* Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
build.
-- Oumar Aziz OUATTARA <email address hidden> Tue, 07 Jun 2016 17:39:03 +0200
Built packages
- charon-cmd: standalone IPsec client
- libcharon-extra-plugins: strongSwan charon library (extra plugins)
- libstrongswan: strongSwan utility and crypto library
- libstrongswan-extra-plugins: strongSwan utility and crypto library (extra plugins)
- libstrongswan-standard-plugins: strongSwan utility and crypto library (standard plugins)
- strongswan: IPsec VPN solution metapackage
- strongswan-charon: strongSwan Internet Key Exchange daemon
- strongswan-dbg: strongSwan library and binaries - debugging symbols
- strongswan-ike: strongSwan Internet Key Exchange daemon (transitional package)
- strongswan-ikev1: strongSwan IKEv1 daemon, transitional package
- strongswan-ikev2: strongSwan IKEv2 daemon, transitional package
- strongswan-libcharon: strongSwan charon library
- strongswan-nm: strongSwan plugin to interact with NetworkManager
- strongswan-plugin-af-alg: strongSwan plugin for AF_ALG Linux crypto API interface
- strongswan-plugin-agent: strongSwan plugin for accessing private keys via ssh-agent
- strongswan-plugin-attr-sql: strongSwan plugin for providing IKE attributes from databases
- strongswan-plugin-certexpire: strongSwan plugin for exporting expiration dates of certificates
- strongswan-plugin-coupling: strongSwan plugin for permanent peer certificate coupling
- strongswan-plugin-curl: strongSwan plugin for the libcurl based HTTP/FTP fetcher
- strongswan-plugin-dhcp: strongSwan plugin for forwarding DHCP request to a server
- strongswan-plugin-dnscert: strongSwan plugin for authentication via CERT RRs
- strongswan-plugin-dnskey: strongSwan plugin for parsing RFC 4034 public keys
- strongswan-plugin-duplicheck: strongSwan plugin for duplicheck functionality
- strongswan-plugin-eap-aka: strongSwan plugin for generic EAP-AKA protocol handling
- strongswan-plugin-eap-aka-3gpp2: strongSwan plugin for the 3GPP2-based EAP-AKA backend
- strongswan-plugin-eap-dynamic: strongSwan plugin for dynamic EAP method selection
- strongswan-plugin-eap-gtc: strongSwan plugin for EAP-GTC protocol handler
- strongswan-plugin-eap-md5: strongSwan plugin for EAP-MD5 protocol handler
- strongswan-plugin-eap-mschapv2: strongSwan plugin for EAP-MSCHAPv2 protocol handler
- strongswan-plugin-eap-peap: strongSwan plugin for EAP-PEAP protocol handler
- strongswan-plugin-eap-radius: strongSwan plugin for EAP interface to a RADIUS server
- strongswan-plugin-eap-sim: strongSwan plugin for generic EAP-SIM protocol handling
- strongswan-plugin-eap-sim-file: strongSwan plugin for EAP-SIM credentials from files
- strongswan-plugin-eap-sim-pcsc: strongSwan plugin for EAP-SIM credentials on smartcards
- strongswan-plugin-eap-simaka-pseudonym: strongSwan plugin for the EAP-SIM/AKA identity database
- strongswan-plugin-eap-simaka-reauth: strongSwan plugin for the EAP-SIM/AKA reauthentication database
- strongswan-plugin-eap-simaka-sql: strongSwan plugin for SQL-based EAP-SIM/AKA backend reading
- strongswan-plugin-eap-tls: strongSwan plugin for the EAP-TLS protocol handler
- strongswan-plugin-eap-tnc: strongSwan plugin for the EAP-TNC protocol handler
- strongswan-plugin-eap-ttls: strongSwan plugin for the EAP-TTLS protocol handler
- strongswan-plugin-error-notify: strongSwan plugin for error notifications
- strongswan-plugin-farp: strongSwan plugin for faking ARP responses
- strongswan-plugin-fips-prf: strongSwan plugin for PRF specified by FIPS
- strongswan-plugin-gcrypt: strongSwan plugin for gcrypt
- strongswan-plugin-gmp: strongSwan plugin for libgmp based crypto
- strongswan-plugin-ipseckey: strongSwan plugin for authentication via IPSECKEY RRs
- strongswan-plugin-kernel-libipsec: strongSwan plugin for a IPsec backend that entirely in userland
- strongswan-plugin-ldap: strongSwan plugin for LDAP CRL fetching
- strongswan-plugin-led: strongSwan plugin for LEDs blinking on IKE activity
- strongswan-plugin-load-tester: strongSwan plugin for load testing
- strongswan-plugin-lookip: strongSwan plugin for lookip interface
- strongswan-plugin-mysql: strongSwan plugin for MySQL
- strongswan-plugin-ntru: strongSwan plugin for NTRU crypto
- strongswan-plugin-openssl: strongSwan plugin for OpenSSL
- strongswan-plugin-pgp: strongSwan plugin for PGP encoding/decoding routines
- strongswan-plugin-pkcs11: strongSwan plugin for PKCS#11 smartcard backend
- strongswan-plugin-pubkey: strongSwan plugin for raw public keys
- strongswan-plugin-radattr: strongSwan plugin for custom RADIUS attribute processing
- strongswan-plugin-soup: strongSwan plugin for the libsoup based HTTP fetcher
- strongswan-plugin-sql: strongSwan plugin for SQL configuration and credentials
- strongswan-plugin-sqlite: strongSwan plugin for SQLite
- strongswan-plugin-sshkey: strongSwan plugin for SSH key decoding routines
- strongswan-plugin-systime-fix: strongSwan plugin for system time fixing
- strongswan-plugin-unbound: strongSwan plugin for DNSSEC-enabled resolver using libunbound
- strongswan-plugin-unity: strongSwan plugin for IKEv1 Cisco Unity Extensions
- strongswan-plugin-whitelist: strongSwan plugin for peer-verification against a whitelist
- strongswan-plugin-xauth-eap: strongSwan plugin for XAuth backend using EAP methods
- strongswan-plugin-xauth-generic: strongSwan plugin for the generic XAuth backend
- strongswan-plugin-xauth-noauth: strongSwan plugin for the generic XAuth backend
- strongswan-plugin-xauth-pam: strongSwan plugin for XAuth backend using PAM
- strongswan-starter: strongSwan daemon starter and configuration file parser
- strongswan-tnc-base: strongSwan Trusted Network Connect's (TNC) - base files
- strongswan-tnc-client: strongSwan Trusted Network Connect's (TNC) - client files
- strongswan-tnc-ifmap: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client
- strongswan-tnc-pdp: strongSwan plugin for Trusted Network Connect's (TNC) PDP
- strongswan-tnc-server: strongSwan Trusted Network Connect's (TNC) - server files