[ubuntu/bionic-proposed] strongswan 5.6.1-2ubuntu1 (Accepted)
Christian Ehrhardt
christian.ehrhardt at canonical.com
Thu Dec 14 14:02:14 UTC 2017

strongswan (5.6.1-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1717343).
    Also fixes an issue with multiple psk's (LP: #1734207). Remaining changes:
    + Clean up d/strongswan-starter.postinst: section about runlevel changes
    + Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be, see upstream issue #2160.
    + Ubuntu is not using the debconf triggered private key generation
      - d/rules: Removed patching ipsec.conf on build (not using the
        debconf-managed config.)
      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
        used for debconf-managed include of private key).
    + Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      - d/control: Add required additional build-deps
      - d/control: Mention additionally enabled plugins
      - d/rules: Enable features at configure stage
      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      - d/libstrongswan.install: Add plugins (so, conf)
    + d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    + Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
      - d/control: List kernel-libipsec plugin at extra plugins description
      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    + Relocate tnc plugin
      - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    + d/libstrongswan.install: Reorder conf and .so alphabetically
    + d/libstrongswan.install: Add kernel-netlink configuration files
    + Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      - d/rules: Add --disable-fast to avoid build time and dependencies
      - d/control: Remove medcli, medsrv from package description
    + d/control: Mention mgf1 plugin which is in libstrongswan now
    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    + Add rm_conffile for /etc/init.d/ipsec (transition from precise had
      missed that, droppable after 18.04)
    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
  * Added changes:
    + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
      in 5.6
    + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
      libstrongswan as we dropped relocating ccm and test-vectors.
      (droppable >18.04).
      - d/control: add breaks/replace from libstrongswan to
        libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
        (droppable >18.04).
  * Dropped changes:
    + Update init/service handling (debian default matches Ubuntu past now)
      Dropping this fixes (LP: #1734886)
      - d/rules: Change init/systemd program name to strongswan
      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
        patching upstream
      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
        linking to upstream
    + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
      (this is a never failing no-op for us, no need for Delta).
    + d/strongswan-starter.prerm: Stop strongswan service on package removal
      (ipsec now maps to strongswan service, so this works as-is).
    + Clean up d/strongswan-starter.postinst: rename service ipsec to
      strongswan (ipsec now maps to strongswan service, so this works as-is)
    + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
      whole section is disabled, so no need for delta)
    + (is upstream) CVE-2017-11185 patches
    + (is upstream) FTBFS upstream fix for changed include files
    + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
      QEMU/KVM autopkgtest the bliss test takes longer than the default
    + (in Debian) add now built (since 5.5.1) mgf1 plugin to
      libstrongswan-extra-plugins.
    + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
    + (this was enabled as part of the former delta, squash changes to no-up)
      d/rules: Disable duplicheck.
    + (not needed) Relocate plugins test-vectors from extra-plugins to
      libstrongswan
      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
      - d/libstrongswan.install: Add plugins/conffiles
      - d/control: move package descriptions and add required breaks/replaces
    + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
      - d/libstrongswan.install: Add plugins/conffiles
      - d/control: move package descriptions and add required breaks/replaces
    + (while using it requires special kernel, it does not hurt to be
      available in the package) Remove ha plugin
      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
      - d/rules: Do not enable ha plugin
      - d/control: Drop listing the ha plugin in the package description

strongswan (5.6.1-2) unstable; urgency=medium

  * move counters plugin from -starter to -libcharon. closes: #882431

strongswan (5.6.1-1) unstable; urgency=medium

  * debian/control:
    - remove strongswan-ike{,v1,v2} packages. closes: #878979
  * New upstream version 5.6.1
    - fix FTBFS with glibc 2.26+. closes: #880561
  * debian/rules: explicitly enable tpm plugin
  * debian/strongswan-starter.install: install counters plugin
  * debian/libstrongswan.install: install MGF1 plugin
  * debian/libstrongswan-extra-plugins.install: install tpm plugin
  * debian/control:
    - update standards version to 4.1.1
    - replace dh-systemd build-dep by updated build-dep on debhelper

strongswan (5.6.0-2) unstable; urgency=medium

  * debian/rules:
    - only use dh_missing --fail-missing when doing an architecture dependent
      packages. closes: #874152

strongswan (5.6.0-1) unstable; urgency=medium

  * New upstream release.
    - fix insufficient input validation in gmp plugin, which can cause a
      denial of service vulnerability (CVE-2017-11185) closes: #872155
  * debian/rules:
    - remove .la files before install
    - don't call dh_install with --fail-missing
    - override dh_missing with --fail-missing to catch uninstalled files
    - apply patch from Gerald Turner to restrict permissions on swanctl folder
      containing private material.
    - replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
      when building for ppc64el on x86. Thanks Helmut Grohne. closes: #866669
  * debian/strongswan-swanctl.install:
    - install the whole /etc/swanctl folder, including (empty) subfolders.
      closes: #866324
  * debian/charon-systemd.install:
    - install charon-systemd.conf files, thanks Gerald Turner. closes: #866325
  * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
    closes: #866327
  * debian/libcharon-extra-plugins.install:
    - install pt-tls-client in /u/b and also install its manpage.
  * debian/strongswan-swanctl.lintian-overrides:
    - add lintian overrides for private keys directories using 700
      permissions.

strongswan (5.5.3-2) unstable; urgency=medium

  * debian/control:
    - fix typo in libstrongswan-extra-plugins long description.
  * move curve25519 plugin from libcharon-extra-plugins to
    libstrongswan-extra-plugins

strongswan (5.5.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - update standards version to 4.0.0

strongswan (5.5.2-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches/03_systemd-service refreshed.
  * debian/libcharon-extra-plugins.install:
    - include curve25519 plugin.
  * debian/libstrongswan-extra-plugins.install:
    - install libtpmtss library.

Date: Wed, 29 Nov 2017 15:55:18 +0100
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/strongswan/5.6.1-2ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 29 Nov 2017 15:55:18 +0100
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-standard-plugins libcharon-extra-plugins strongswan-starter strongswan-libcharon strongswan-charon strongswan-nm strongswan-tnc-ifmap strongswan-tnc-base strongswan-tnc-client strongswan-tnc-server strongswan-tnc-pdp charon-cmd strongswan-pki strongswan-scepclient strongswan-swanctl charon-systemd
Architecture: source
Version: 5.6.1-2ubuntu1
Distribution: bionic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Description:
charon-cmd - standalone IPsec client
charon-systemd - strongSwan IPsec client, systemd support
libcharon-extra-plugins - strongSwan charon library (extra plugins)
libcharon-standard-plugins - strongSwan charon library (standard plugins)
libstrongswan - strongSwan utility and crypto library
libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
strongswan - IPsec VPN solution metapackage
strongswan-charon - strongSwan Internet Key Exchange daemon
strongswan-libcharon - strongSwan charon library
strongswan-nm - strongSwan plugin to interact with NetworkManager
strongswan-pki - strongSwan IPsec client, pki command
strongswan-scepclient - strongSwan IPsec client, SCEP client
strongswan-starter - strongSwan daemon starter and configuration file parser
strongswan-swanctl - strongSwan IPsec client, swanctl command
strongswan-tnc-base - strongSwan Trusted Network Connect's (TNC) - base files
strongswan-tnc-client - strongSwan Trusted Network Connect's (TNC) - client files
strongswan-tnc-ifmap - strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP clie
strongswan-tnc-pdp - strongSwan plugin for Trusted Network Connect's (TNC) PDP
strongswan-tnc-server - strongSwan Trusted Network Connect's (TNC) - server files
Closes: 866324 866325 866327 866669 872155 874152 878979 880561 882431
Launchpad-Bugs-Fixed: 1717343 1734207 1734886
Original-Maintainer: strongSwan Maintainers <pkg-swan-devel at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----