strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debian/usr.lib.ipsec.{charon, lookip, stroke}
        - added AppArmor profiles for charon, lookip and stroke
      * debian/libcharon-extra-plugins.install
        - Add plugins
          - kernel-libipsec.{so, lib, conf, apparmor}
        - Remove plugins
          - libstrongswan-ha.so
        - Relocate plugins
          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
      * debian/libstrongswan-extra-plugins.install
        - Add plugins (so, lib, conf)
          - acert
          - attr-sql
          - coupling
          - dnscert
          - fips-prf
          - gmp
          - ipseckey
          - load-tester
          - mysql
          - ntru
          - radattr
          - soup
          - sqlite
          - sql
          - systime-fix
          - unbound
          - whitelist
        - Relocate plugins (so, lib, conf)
          - ccm (libstrongswan.install)
          - test-vectors (libstrongswan.install)
      * debian/libstrongswan.install
        - Sort sections
        - Add plugins (so, lib, conf)
          - libchecksum
          - ccm
          - eap-identity
          - md4
          - test-vectors
      * debian/strongswan-charon.install
        - Add AppArmor profile for charon
      * debian/strongswan-starter.install
        - Add tools, manpages, conf
          - openac
          - pool
          - _updown_espmark
        - Add AppArmor profile for stroke
      * debian/strongswan-tnc-base.install
        - Add new subpackage for TNC
        - remove non-existent (dropped in 5.2.1) libpts library files
      * debian/strongswan-tnc-client.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-ifmap.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-pdp.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-server.install
        - Add new subpackage for TNC
      * debian/strongswan-starter.postinit:
        - Removed section about runlevel changes, it's almost 2014.
        - Adapted service restart section for Upstart.
        - Remove old symlinks to init.d files is necessary.
      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' 
call.
      * debian/strongswan-starter.prerm: Stop strongswan service on package
        removal (as opposed to using the old init.d script).
      * debian/libstrongswan.strongswan.logcheck combined into 
debian/strongswan.logcheck
        - logcheck patterns updated to be helpful
      * debian/strongswan-starter.postinst: Removed further out-dated code and
        entire section on opportunistic encryption - this was never in 
strongSwan.
      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
    Drop changes:
      * debian/control
        - Per-plugin package breakup: Reducing packaging delta from Debian
        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
      * debian/watch: Already exists in Debian merge
      * debian/upstream/signing-key.asc:  Upstream has newer version.

strongswan (5.3.5-1) unstable; urgency=medium

  * New upstream bugfix release.

strongswan (5.3.4-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    - 03_systemd-service refreshed for new upstream release.
    - 0001-socket-default-Refactor-setting-source-address-when-,
    0001-socket-dynamic-Refactor-setting-source-address-when- and
    CVE-2015-8023_eap_mschapv2_state dropped, included upstream.

strongswan (5.3.3-3) unstable; urgency=high

  * Set urgency=high for security fix.
  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
    using EAP MSCHAPv2.

strongswan (5.3.3-2) unstable; urgency=medium

  * debian/rules:
    - make the dh_install override arch-dependent only since it only acts on
    arch:any packages, fix FTBFS on arch:all.

strongswan (5.3.3-1) unstable; urgency=medium

  * debian/rules:
    - enable the connmark plugin.
  * debian/control:
    - add build-dep on iptables-dev.
  * debian/libstrongswan-standard-plugins:
    - add connmark plugin to the standard-plugins package.
  * New upstream release.                                       closes: #803772
  * debian/strongswan-starter.install:
    - install new pki --dn manpage to ipsec-starter package.
  * debian/patches:
    - 0001-socket-default-Refactor-setting-source-address-when- and
    0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
    from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
    source address selection with IPv6 (upstream #1171)

strongswan (5.3.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
    - CVE-2015-4171_enforce_remote_auth dropped as well.

strongswan (5.3.1-1) unstable; urgency=high

  * New upstream release.
  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
    - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
    same message ID twice in sequential IV gen. strongSwan issue #980.
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
    authentication credential to rogue server when using PSK or EAP. This is
    CVE-2015-4171.

strongswan (5.3.0-2) unstable; urgency=medium

  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
      remote code execution vulnerability (CVE-2015-3991).
  * debian/strongswan-starter.lintian-overrides: add override for
    command-with-path-in-maintainer-script since it's there to check for file
    existence.
  * Upload to unstable.

strongswan (5.3.0-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream release.
    - 02_chunk-endianness dropped, included upstream.
    - CVE-2014-9221_modp_custom dropped, included upstream.
  * debian/strongswan-starter.install
    - don't install the _updown and _updown_espmark manpages anymore, they're
    gone.
    - also remove the _updown_espmark script, gone too.
  * debian/copyright updated.

strongswan (5.2.1-6) unstable; urgency=medium

  * Ship /lib/systemd/system/ipsec.service as a symlink to
    strongswan.service in strongswan-starter instead of using Alias= in
    the service file. This makes the ipsec name available to invoke-rc.d
    before the service gets actually enabled, which avoids some confusion
    (closes: #781209).

strongswan (5.2.1-5) unstable; urgency=high

  * debian/patches:
    - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
    denial of service in IKEv2 when using custom MODP value.

strongswan (5.2.1-4) unstable; urgency=medium

  * Give up on trying to run the test suite on !amd64, it now times out on
    both i386 and s390x, our chosen "fast" archs.

strongswan (5.2.1-3) unstable; urgency=medium

  * Disable libtls tests again, they are still too intensive for the buildd
    network...

strongswan (5.2.1-2) unstable; urgency=medium

  * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
    computation and FTBFS on big-endian hosts.
  * Run the test suite only on amd64, i386, and s390x. It requires lots of
    entropy and CPU time, which are typically hard to come by on slower
    archs.
  * Re-enable normal keylengths in test suite.
  * Re-enable libtls tests.
  * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
  * Bump Standards-Version to 3.9.6.

strongswan (5.2.1-1) unstable; urgency=medium

  * New upstream release.
  * Stop shipping /etc/strongswan.conf.d in libstrongswan.

strongswan (5.2.0-2) unstable; urgency=medium

  * Add systemd integration:
    + Install upstream systemd service file in strongswan-starter.
    + Alias strongswan.service to ipsec.service to match the sysv init script.
    + Drop After=syslog.target (as syslog is socket-activated nowadays), but
      add After=network.target to ensure that charon gets the chance to send
      deletes on exit.
    + Add ExecReload for reload action, since the starter script has one.
    + On linux-any, add build-dep on systemd to ensure that the pkg-config
      metadata file can be found.
    + Add build-dep on dh-systemd, and use systemd dh addon.
  * Remove debian/patches/03_include-stdint.patch.

strongswan (5.2.0-1) unstable; urgency=medium

  * New upstream release.
  [ Romain Francoise ]
  * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
  * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).

  [ Yves-Alexis Perez ]
  * debian/po:
    - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
  * debian/patches:
    03_pfkey-Always-include-stdint.h dropped, included upstream.
  * debian/strongswan-starter.install:
    - replace tools.conf by pki.conf and scepclient.conf.

strongswan (5.1.3-4) unstable; urgency=medium

  * debian/control:
    - add build-dep on pkg-config.
  * debian/patches:
    - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
      always include of stdint.h. Fix FTBFS on kFreeBSD.

strongswan (5.1.3-3) unstable; urgency=medium

  * debian/watch:
    - add pgpsigurlmangle to get PGP signature
  * debian/upstream/signing-key.asc:
    - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
  * debian/control:
    - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796

strongswan (5.1.3-2) unstable; urgency=low

  * Disable the new libtls test suite for now--it appears to be a
    little too intensive for slower archs.

strongswan (5.1.3-1) unstable; urgency=low

  * New upstream release.
  * debian/control: make strongswan-charon depend on iproute2 | iproute,
    thanks to Ryo IGARASHI <rigar...@gmail.com> (closes: #744832).

strongswan (5.1.2-4) unstable; urgency=high

  * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
    (authentication bypass vulnerability in IKEv2 code).
  * debian/control: add myself to Uploaders.

strongswan (5.1.2-3) unstable; urgency=medium

  * debian/patches/
    - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
    testsuite failing on 64 bit big-endian platforms (s390x).
    - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
    armel.

strongswan (5.1.2-2) unstable; urgency=medium

  * debian/rules:
    - use reduced keylengths in testsuite on various arches, hopefully fixing
      FTBFS when the genrsa test runs.

strongswan (5.1.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    - add conflicts against openSwan.                           closes: #740808
  * debian/strongswan-starter,postrm:
    - remove /var/lib/strongswan on purge.
  * debian/ipsec.secrets.proto:
    - stop lying about ipsec showhostkey command.               closes: #600382
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream.
    - 02_include-strongswan.conf.d removed, strongswan.d is now supported
      upstream.
  * debian/rules, debian/*.install:
    - install default configuration files for all plugins.
  * debian/NEWS:
    - fix spurious entry.
    - add a NEWS entry to advertise about the new strongswan.d configuration
      mechanism.

Date: Fri, 12 Feb 2016 11:24:53 -0600
Changed-By: Ryan Harper <ryan.har...@canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Signed-By: Serge Hallyn <serge.hal...@ubuntu.com>
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Feb 2016 11:24:53 -0600
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins 
strongswan-plugin-dnskey strongswan-plugin-fips-prf strongswan-plugin-gmp 
strongswan-plugin-pgp strongswan-plugin-pubkey strongswan-plugin-sshkey 
libstrongswan-extra-plugins libcharon-extra-plugins strongswan-dbg 
strongswan-starter strongswan-libcharon strongswan-charon strongswan-ike 
strongswan-nm strongswan-tnc-ifmap strongswan-tnc-base strongswan-tnc-client 
strongswan-tnc-server strongswan-tnc-pdp strongswan-ikev1 strongswan-ikev2 
charon-cmd strongswan-plugin-agent strongswan-plugin-openssl 
strongswan-plugin-af-alg strongswan-plugin-attr-sql strongswan-plugin-coupling 
strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-gcrypt 
strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-load-tester 
strongswan-plugin-mysql strongswan-plugin-ntru strongswan-plugin-pkcs11 
strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-sqlite 
strongswan-plugin-soup
 strongswan-plugin-systime-fix strongswan-plugin-unbound 
strongswan-plugin-whitelist strongswan-plugin-dhcp strongswan-plugin-certexpire 
strongswan-plugin-eap-aka strongswan-plugin-eap-gtc strongswan-plugin-eap-md5 
strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-radius 
strongswan-plugin-eap-tls strongswan-plugin-eap-tnc strongswan-plugin-eap-ttls 
strongswan-plugin-error-notify strongswan-plugin-kernel-libipsec 
strongswan-plugin-led strongswan-plugin-lookip strongswan-plugin-unity 
strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic 
strongswan-plugin-xauth-pam strongswan-plugin-eap-aka-3gpp2 
strongswan-plugin-eap-dynamic strongswan-plugin-eap-peap 
strongswan-plugin-eap-sim strongswan-plugin-eap-sim-file 
strongswan-plugin-eap-sim-pcsc strongswan-plugin-eap-simaka-pseudonym 
strongswan-plugin-eap-simaka-reauth strongswan-plugin-eap-simaka-sql 
strongswan-plugin-farp strongswan-plugin-xauth-noauth
 strongswan-plugin-duplicheck
Architecture: source
Version: 5.3.5-1ubuntu1
Distribution: xenial
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Changed-By: Ryan Harper <ryan.har...@canonical.com>
Description:
 charon-cmd - standalone IPsec client
 libcharon-extra-plugins - strongSwan charon library (extra plugins)
 libstrongswan - strongSwan utility and crypto library
 libstrongswan-extra-plugins - strongSwan utility and crypto library (extra 
plugins)
 libstrongswan-standard-plugins - strongSwan utility and crypto library 
(standard plugins)
 strongswan - IPsec VPN solution metapackage
 strongswan-charon - strongSwan Internet Key Exchange daemon
 strongswan-dbg - strongSwan library and binaries - debugging symbols
 strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package)
 strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package
 strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package
 strongswan-libcharon - strongSwan charon library
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-plugin-af-alg - strongSwan plugin for AF_ALG Linux crypto API 
interface
 strongswan-plugin-agent - strongSwan plugin for accessing private keys via 
ssh-agent
 strongswan-plugin-attr-sql - strongSwan plugin for providing IKE attributes 
from databases
 strongswan-plugin-certexpire - strongSwan plugin for exporting expiration 
dates of certificates
 strongswan-plugin-coupling - strongSwan plugin for permanent peer certificate 
coupling
 strongswan-plugin-curl - strongSwan plugin for the libcurl based HTTP/FTP 
fetcher
 strongswan-plugin-dhcp - strongSwan plugin for forwarding DHCP request to a 
server
 strongswan-plugin-dnscert - strongSwan plugin for authentication via CERT RRs
 strongswan-plugin-dnskey - strongSwan plugin for parsing RFC 4034 public keys
 strongswan-plugin-duplicheck - strongSwan plugin for duplicheck functionality
 strongswan-plugin-eap-aka - strongSwan plugin for generic EAP-AKA protocol 
handling
 strongswan-plugin-eap-aka-3gpp2 - strongSwan plugin for the 3GPP2-based 
EAP-AKA backend
 strongswan-plugin-eap-dynamic - strongSwan plugin for dynamic EAP method 
selection
 strongswan-plugin-eap-gtc - strongSwan plugin for EAP-GTC protocol handler
 strongswan-plugin-eap-md5 - strongSwan plugin for EAP-MD5 protocol handler
 strongswan-plugin-eap-mschapv2 - strongSwan plugin for EAP-MSCHAPv2 protocol 
handler
 strongswan-plugin-eap-peap - strongSwan plugin for EAP-PEAP protocol handler
 strongswan-plugin-eap-radius - strongSwan plugin for EAP interface to a RADIUS 
server
 strongswan-plugin-eap-sim - strongSwan plugin for generic EAP-SIM protocol 
handling
 strongswan-plugin-eap-sim-file - strongSwan plugin for EAP-SIM credentials 
from files
 strongswan-plugin-eap-sim-pcsc - strongSwan plugin for EAP-SIM credentials on 
smartcards
 strongswan-plugin-eap-simaka-pseudonym - strongSwan plugin for the EAP-SIM/AKA 
identity database
 strongswan-plugin-eap-simaka-reauth - strongSwan plugin for the EAP-SIM/AKA 
reauthentication database
 strongswan-plugin-eap-simaka-sql - strongSwan plugin for SQL-based EAP-SIM/AKA 
backend reading
 strongswan-plugin-eap-tls - strongSwan plugin for the EAP-TLS protocol handler
 strongswan-plugin-eap-tnc - strongSwan plugin for the EAP-TNC protocol handler
 strongswan-plugin-eap-ttls - strongSwan plugin for the EAP-TTLS protocol 
handler
 strongswan-plugin-error-notify - strongSwan plugin for error notifications
 strongswan-plugin-farp - strongSwan plugin for faking ARP responses
 strongswan-plugin-fips-prf - strongSwan plugin for PRF specified by FIPS
 strongswan-plugin-gcrypt - strongSwan plugin for gcrypt
 strongswan-plugin-gmp - strongSwan plugin for libgmp based crypto
 strongswan-plugin-ipseckey - strongSwan plugin for authentication via IPSECKEY 
RRs
 strongswan-plugin-kernel-libipsec - strongSwan plugin for a IPsec backend that 
entirely in userland
 strongswan-plugin-ldap - strongSwan plugin for LDAP CRL fetching
 strongswan-plugin-led - strongSwan plugin for LEDs blinking on IKE activity
 strongswan-plugin-load-tester - strongSwan plugin for load testing
 strongswan-plugin-lookip - strongSwan plugin for lookip interface
 strongswan-plugin-mysql - strongSwan plugin for MySQL
 strongswan-plugin-ntru - strongSwan plugin for NTRU crypto
 strongswan-plugin-openssl - strongSwan plugin for OpenSSL
 strongswan-plugin-pgp - strongSwan plugin for PGP encoding/decoding routines
 strongswan-plugin-pkcs11 - strongSwan plugin for PKCS#11 smartcard backend
 strongswan-plugin-pubkey - strongSwan plugin for raw public keys
 strongswan-plugin-radattr - strongSwan plugin for custom RADIUS attribute 
processing
 strongswan-plugin-soup - strongSwan plugin for the libsoup based HTTP fetcher
 strongswan-plugin-sql - strongSwan plugin for SQL configuration and credentials
 strongswan-plugin-sqlite - strongSwan plugin for SQLite
 strongswan-plugin-sshkey - strongSwan plugin for SSH key decoding routines
 strongswan-plugin-systime-fix - strongSwan plugin for system time fixing
 strongswan-plugin-unbound - strongSwan plugin for DNSSEC-enabled resolver 
using libunbound
 strongswan-plugin-unity - strongSwan plugin for IKEv1 Cisco Unity Extensions
 strongswan-plugin-whitelist - strongSwan plugin for peer-verification against 
a whitelist
 strongswan-plugin-xauth-eap - strongSwan plugin for XAuth backend using EAP 
methods
 strongswan-plugin-xauth-generic - strongSwan plugin for the generic XAuth 
backend
 strongswan-plugin-xauth-noauth - strongSwan plugin for the generic XAuth 
backend
 strongswan-plugin-xauth-pam - strongSwan plugin for XAuth backend using PAM
 strongswan-starter - strongSwan daemon starter and configuration file parser
 strongswan-tnc-base - strongSwan Trusted Network Connect's (TNC) - base files
 strongswan-tnc-client - strongSwan Trusted Network Connect's (TNC) - client 
files
 strongswan-tnc-ifmap - strongSwan plugin for Trusted Network Connect's (TNC) 
IF-MAP clie
 strongswan-tnc-pdp - strongSwan plugin for Trusted Network Connect's (TNC) PDP
 strongswan-tnc-server - strongSwan Trusted Network Connect's (TNC) - server 
files
Closes: 600382 740808 744832 747796 752721 763798 781209 803772
Launchpad-Bugs-Fixed: 1309594 1330504 1333655 1448870 1451091 1470277 1505222
Changes:
 strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
 .
   * debian/{rules,control,libstrongswan-extra-plugins.install}
     Enable bliss plugin
   * debian/{rules,control,libstrongswan-extra-plugins.install}
     Enable chapoly plugin
   * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
     Upstream suggests to not load this plugin by default as it has
     some limitations.
     https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
   * debian/patches/increase-bliss-test-timeout.patch
     Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
   * Update Apparmor profiles
     - usr.lib.ipsec.charon
       - add capability audit_write for xauth-pam (LP: #1470277)
       - add capability dac_override (needed by agent plugin)
       - allow priv dropping (LP: #1333655)
       - allow caching CRLs (LP: #1505222)
       - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
     - usr.lib.ipsec.stroke
       - allow priv dropping (LP: #1333655)
       - add local include
     - usr.lib.ipsec.lookip
       - add local include
   * Merge from Debian, which includes fixes for all previous CVEs
     Fixes (LP: #1330504, #1451091, #1448870, #1470277)
     Remaining changes:
       * debian/control
         - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
         - Update Maintainer for Ubuntu
         - Add build-deps
           - dh-apparmor
           - iptables-dev
           - libjson0-dev
           - libldns-dev
           - libmysqlclient-dev
           - libpcsclite-dev
           - libsoup2.4-dev
           - libtspi-dev
           - libunbound-dev
         - Drop build-deps
           - libfcgi-dev
           - clearsilver-dev
         - Create virtual packages for all strongswan-plugin-* for dist-upgrade
         - Set XS-Testsuite: autopkgtest
       * debian/rules:
         - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
         - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
           tests.
         - Change init/systemd program name to strongswan
         - Install AppArmor profiles
         - Removed pieces on 'patching ipsec.conf' on build.
         - Enablement of features per Ubuntu current config suggested from
           upstream recommendation
         - Unpack and sort enabled features to one-per-line
         - Disable duplicheck as per
           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
         - Disable libfast (--disable-fast):
           Requires dropping medsrv, medcli plugins which depend on libfast
         - Add configure options
           --with-tss=trousers
         - Remove configure options:
           --enable-ha (requires special kernel)
           --enable-unit-test (unit tests run by default)
         - Drop logcheck install
       * debian/tests/*
         - Add DEP8 test for strongswan service and plugins
       * debian/strongswan-starter.strongswan.service
         - Add new systemd file instead of patching upstream
       * debian/strongswan-starter.links
         - removed, use Ubuntu systemd file instead of linking to upstream
       * debian/usr.lib.ipsec.{charon, lookip, stroke}
         - added AppArmor profiles for charon, lookip and stroke
       * debian/libcharon-extra-plugins.install
         - Add plugins
           - kernel-libipsec.{so, lib, conf, apparmor}
         - Remove plugins
           - libstrongswan-ha.so
         - Relocate plugins
           - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
       * debian/libstrongswan-extra-plugins.install
         - Add plugins (so, lib, conf)
           - acert
           - attr-sql
           - coupling
           - dnscert
           - fips-prf
           - gmp
           - ipseckey
           - load-tester
           - mysql
           - ntru
           - radattr
           - soup
           - sqlite
           - sql
           - systime-fix
           - unbound
           - whitelist
         - Relocate plugins (so, lib, conf)
           - ccm (libstrongswan.install)
           - test-vectors (libstrongswan.install)
       * debian/libstrongswan.install
         - Sort sections
         - Add plugins (so, lib, conf)
           - libchecksum
           - ccm
           - eap-identity
           - md4
           - test-vectors
       * debian/strongswan-charon.install
         - Add AppArmor profile for charon
       * debian/strongswan-starter.install
         - Add tools, manpages, conf
           - openac
           - pool
           - _updown_espmark
         - Add AppArmor profile for stroke
       * debian/strongswan-tnc-base.install
         - Add new subpackage for TNC
         - remove non-existent (dropped in 5.2.1) libpts library files
       * debian/strongswan-tnc-client.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-ifmap.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-pdp.install
         - Add new subpackage for TNC
       * debian/strongswan-tnc-server.install
         - Add new subpackage for TNC
       * debian/strongswan-starter.postinit:
         - Removed section about runlevel changes, it's almost 2014.
         - Adapted service restart section for Upstart.
         - Remove old symlinks to init.d files is necessary.
       * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
       * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' 
call.
       * debian/strongswan-starter.prerm: Stop strongswan service on package
         removal (as opposed to using the old init.d script).
       * debian/libstrongswan.strongswan.logcheck combined into 
debian/strongswan.logcheck
         - logcheck patterns updated to be helpful
       * debian/strongswan-starter.postinst: Removed further out-dated code and
         entire section on opportunistic encryption - this was never in 
strongSwan.
       * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
     Drop changes:
       * debian/control
         - Per-plugin package breakup: Reducing packaging delta from Debian
         - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
       * debian/watch: Already exists in Debian merge
       * debian/upstream/signing-key.asc:  Upstream has newer version.
 .
 strongswan (5.3.5-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
 .
 strongswan (5.3.4-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 03_systemd-service refreshed for new upstream release.
     - 0001-socket-default-Refactor-setting-source-address-when-,
     0001-socket-dynamic-Refactor-setting-source-address-when- and
     CVE-2015-8023_eap_mschapv2_state dropped, included upstream.
 .
 strongswan (5.3.3-3) unstable; urgency=high
 .
   * Set urgency=high for security fix.
   * debian/patches:
     - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
     using EAP MSCHAPv2.
 .
 strongswan (5.3.3-2) unstable; urgency=medium
 .
   * debian/rules:
     - make the dh_install override arch-dependent only since it only acts on
     arch:any packages, fix FTBFS on arch:all.
 .
 strongswan (5.3.3-1) unstable; urgency=medium
 .
   * debian/rules:
     - enable the connmark plugin.
   * debian/control:
     - add build-dep on iptables-dev.
   * debian/libstrongswan-standard-plugins:
     - add connmark plugin to the standard-plugins package.
   * New upstream release.                                       closes: #803772
   * debian/strongswan-starter.install:
     - install new pki --dn manpage to ipsec-starter package.
   * debian/patches:
     - 0001-socket-default-Refactor-setting-source-address-when- and
     0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
     from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
     source address selection with IPv6 (upstream #1171)
 .
 strongswan (5.3.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
     - CVE-2015-4171_enforce_remote_auth dropped as well.
 .
 strongswan (5.3.1-1) unstable; urgency=high
 .
   * New upstream release.
   * debian/patches:
     - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
     - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
     same message ID twice in sequential IV gen. strongSwan issue #980.
     - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
     authentication credential to rogue server when using PSK or EAP. This is
     CVE-2015-4171.
 .
 strongswan (5.3.0-2) unstable; urgency=medium
 .
   * debian/patches:
     - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
       remote code execution vulnerability (CVE-2015-3991).
   * debian/strongswan-starter.lintian-overrides: add override for
     command-with-path-in-maintainer-script since it's there to check for file
     existence.
   * Upload to unstable.
 .
 strongswan (5.3.0-1) experimental; urgency=medium
 .
   * New upstream release.
   * debian/patches:
     - 01_fix-manpages refreshed for new upstream release.
     - 02_chunk-endianness dropped, included upstream.
     - CVE-2014-9221_modp_custom dropped, included upstream.
   * debian/strongswan-starter.install
     - don't install the _updown and _updown_espmark manpages anymore, they're
     gone.
     - also remove the _updown_espmark script, gone too.
   * debian/copyright updated.
 .
 strongswan (5.2.1-6) unstable; urgency=medium
 .
   * Ship /lib/systemd/system/ipsec.service as a symlink to
     strongswan.service in strongswan-starter instead of using Alias= in
     the service file. This makes the ipsec name available to invoke-rc.d
     before the service gets actually enabled, which avoids some confusion
     (closes: #781209).
 .
 strongswan (5.2.1-5) unstable; urgency=high
 .
   * debian/patches:
     - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
     denial of service in IKEv2 when using custom MODP value.
 .
 strongswan (5.2.1-4) unstable; urgency=medium
 .
   * Give up on trying to run the test suite on !amd64, it now times out on
     both i386 and s390x, our chosen "fast" archs.
 .
 strongswan (5.2.1-3) unstable; urgency=medium
 .
   * Disable libtls tests again, they are still too intensive for the buildd
     network...
 .
 strongswan (5.2.1-2) unstable; urgency=medium
 .
   * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
     computation and FTBFS on big-endian hosts.
   * Run the test suite only on amd64, i386, and s390x. It requires lots of
     entropy and CPU time, which are typically hard to come by on slower
     archs.
   * Re-enable normal keylengths in test suite.
   * Re-enable libtls tests.
   * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
   * Bump Standards-Version to 3.9.6.
 .
 strongswan (5.2.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Stop shipping /etc/strongswan.conf.d in libstrongswan.
 .
 strongswan (5.2.0-2) unstable; urgency=medium
 .
   * Add systemd integration:
     + Install upstream systemd service file in strongswan-starter.
     + Alias strongswan.service to ipsec.service to match the sysv init script.
     + Drop After=syslog.target (as syslog is socket-activated nowadays), but
       add After=network.target to ensure that charon gets the chance to send
       deletes on exit.
     + Add ExecReload for reload action, since the starter script has one.
     + On linux-any, add build-dep on systemd to ensure that the pkg-config
       metadata file can be found.
     + Add build-dep on dh-systemd, and use systemd dh addon.
   * Remove debian/patches/03_include-stdint.patch.
 .
 strongswan (5.2.0-1) unstable; urgency=medium
 .
   * New upstream release.
   [ Romain Francoise ]
   * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
   * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).
 .
   [ Yves-Alexis Perez ]
   * debian/po:
     - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
   * debian/patches:
     03_pfkey-Always-include-stdint.h dropped, included upstream.
   * debian/strongswan-starter.install:
     - replace tools.conf by pki.conf and scepclient.conf.
 .
 strongswan (5.1.3-4) unstable; urgency=medium
 .
   * debian/control:
     - add build-dep on pkg-config.
   * debian/patches:
     - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
       always include of stdint.h. Fix FTBFS on kFreeBSD.
 .
 strongswan (5.1.3-3) unstable; urgency=medium
 .
   * debian/watch:
     - add pgpsigurlmangle to get PGP signature
   * debian/upstream/signing-key.asc:
     - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
   * debian/control:
     - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796
 .
 strongswan (5.1.3-2) unstable; urgency=low
 .
   * Disable the new libtls test suite for now--it appears to be a
     little too intensive for slower archs.
 .
 strongswan (5.1.3-1) unstable; urgency=low
 .
   * New upstream release.
   * debian/control: make strongswan-charon depend on iproute2 | iproute,
     thanks to Ryo IGARASHI <rigar...@gmail.com> (closes: #744832).
 .
 strongswan (5.1.2-4) unstable; urgency=high
 .
   * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
     (authentication bypass vulnerability in IKEv2 code).
   * debian/control: add myself to Uploaders.
 .
 strongswan (5.1.2-3) unstable; urgency=medium
 .
   * debian/patches/
     - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
     testsuite failing on 64 bit big-endian platforms (s390x).
     - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
     armel.
 .
 strongswan (5.1.2-2) unstable; urgency=medium
 .
   * debian/rules:
     - use reduced keylengths in testsuite on various arches, hopefully fixing
       FTBFS when the genrsa test runs.
 .
 strongswan (5.1.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/control:
     - add conflicts against openSwan.                           closes: #740808
   * debian/strongswan-starter,postrm:
     - remove /var/lib/strongswan on purge.
   * debian/ipsec.secrets.proto:
     - stop lying about ipsec showhostkey command.               closes: #600382
   * debian/patches:
     - 01_fix-manpages refreshed for new upstream.
     - 02_include-strongswan.conf.d removed, strongswan.d is now supported
       upstream.
   * debian/rules, debian/*.install:
     - install default configuration files for all plugins.
   * debian/NEWS:
     - fix spurious entry.
     - add a NEWS entry to advertise about the new strongswan.d configuration
       mechanism.
Checksums-Sha1:
 cc4370526f569a481d7301837e3133498ce2b532 8527 strongswan_5.3.5-1ubuntu1.dsc
 80fbd22d4ddb6c0545103c05015f80013e9ad43f 4415297 strongswan_5.3.5.orig.tar.bz2
 ce34294ec3d15a8b53199570e24bcaf0d29bf699 131496 
strongswan_5.3.5-1ubuntu1.debian.tar.xz
Checksums-Sha256:
 2cd1fb1c31252055c1a63743681e695bdc236941db8a71f38aabe2a98fb58ed6 8527 
strongswan_5.3.5-1ubuntu1.dsc
 2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 4415297 
strongswan_5.3.5.orig.tar.bz2
 acb6bd0db213526c3ceea5a394455a8b531a1859a0dea3c7a317e465ede41069 131496 
strongswan_5.3.5-1ubuntu1.debian.tar.xz
Files:
 2c7b042fb324077419d7c08235a24d05 8527 net optional 
strongswan_5.3.5-1ubuntu1.dsc
 a2f9ea185f27e7f8413d4cd2ee61efe4 4415297 net optional 
strongswan_5.3.5.orig.tar.bz2
 fa725858ee45e6fce97616acd54dd12e 131496 net optional 
strongswan_5.3.5-1ubuntu1.debian.tar.xz
Original-Maintainer: strongSwan Maintainers 
<pkg-swan-de...@lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJWxUTxAAoJEOn+6gaoXj+dga8H/Rzl6qTvyYvQYHAz6nkTzZPz
4Ikdxo8MCFGCx94xnTwkFgNJBYDg+bXxO/AZAf0FMEkAtOlmKvYOS/eFd6/zLl4j
QflFO5BPtDn5CwkGWgPflxkWw+tFl/EX4vlJ1l789yQEhXpIxIXyJb+NwfXb1t6q
NJkWOtscAK5wOVFMUVSftz3CnbLnn3wng8fAihXe2qeH4exS2D3kFsTteGAU5ykk
EvyxkiFxHRnhFYFXHQ4/ldYO2gJ327pVW205InbR7iml+5uQWTnzwgpGPUhUuDXN
ClwucO9kSU1dwfajwWAi0tT81l/urzxqW8oCVvN9mfLAYA3oIaOZ/4D+Tj38XYE=
=ao5h
-----END PGP SIGNATURE-----
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

Reply via email to