2 files changed, 28 insertions, 0 deletions

diff --git a/debian/NEWS b/debian/NEWS
index e94bb6284..548d4fd4d 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+strongswan (5.6.1-2) UNRELEASED; urgency=medium
+
+  Starting 5.6.1, several algorithms were removed from the default ESP/AH and
+  IKEv2 proposals in compliance with RFC 8221[1] and RFC 8247[2],
+  respectively.
+  .
+  Removed from the default ESP/AH proposal were the 3DES and Blowfish
+  encryption algorithms and the HMAC-MD5 integrity algorithm.
+  .
+  From the IKEv2 default proposal the HMAC-MD5 integrity algorithm and the
+  MODP-1024 Diffie-Hellman group were removed (the latter is significant for
+  Windows clients in their default configuration).
+  .
+  These algorithms may still be used in custom proposals and MODP-2048 can be
+  enabled manually on Windows 7 clients [3].
+  .
+  [1] https://tools.ietf.org/html/rfc8221
+  [2] https://tools.ietf.org/html/rfc8247
+  [3] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Thu, 30 Nov 2017 14:01:24 +0100
+
 strongswan (5.1.2-1) unstable; urgency=medium
 
   Starting 5.1.2, strongSwan natively support a configuration directory (in
diff --git a/debian/changelog b/debian/changelog
index f752cfc2f..08f4a54c6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+strongswan (5.6.1-4) UNRELEASED; urgency=medium
+
+  * d/NEWS: add information about disabled algorithms (closes: #883072)
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Thu, 30 Nov 2017 14:09:26 +0100
+
 strongswan (5.6.1-3) unstable; urgency=medium
 
   * move updown plugin from -starter to -libcharon.             closes: #884578