1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
|
strongswan (5.0.3-1) UNRELEASED; urgency=low
* New upstream release.
* debian/patches:
- 01_fix-manpages refreshed.
- 02_add-LICENSE dropped, included upstream.
- 03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali removed,
included upstream.
- 04-Fixed-IPv6-source-address-lookup dropped, included upstream.
- 02_fix-printf-dnssec-script added backported from upstream, fix printf()
statements.
* debian/rules:
- --enable-smartcard, --with-default-pkcs11 and --enable-nat-transport not
valid anymore for ./configure, remove them.
- add --enable-xauth-eap and --enable-xauth-pam.
- remove pluto handling since it's gone
- don't special-case XAuth on kFreeBSD anymore.
- add --enable-attr-sql.
* debian/control:
- drop strongswan-ikev1 package
- rename strongswan-ikev2 package to strongswan-ike for now and makes it
replace strongswan-ikev1 and strongswan-ikev2.
- rephrase long description to remove references to pluto.
- provide transition -ikev{1,2} packages for upgrades.
* debian/strongswan-ikev1.install removed.
* debian/strongswan-ikev2.* renamed to strongswan-ike.
* debian/strongswan-nm.install:
- NetworkManager plugin is now a separate executable.
* debian/libstrongswan.install:
- install new pkcs7, xauth-eap, xauth-generic, xauth-pam and nonce plugins.
* debian/strongswan.docs: CREDITS file is gone.
* debian/ipsec.secrets.proto: remove reference to pluto.
* debian/strongswan-starter.* remove references to pluto.
* debian/po: update potfiles for new phrasing.
-- Yves-Alexis Perez <corsac@debian.org> Fri, 26 Apr 2013 14:57:54 +0200
strongswan (4.6.4-6) unstable; urgency=low
* debian/rules:
- revert dropping privileges, it breaks too many setups for now and it's
not possible to disable it. reopens #529854 and closes: #680722
* debian/control:
- add Breaks/Replaces strongswan-ikev2 on libstrongswan because of moved
plugins. closes: #681312
-- Yves-Alexis Perez <corsac@debian.org> Sat, 01 Dec 2012 14:24:49 +0100
strongswan (4.6.4-5) unstable; urgency=low
[ Yves-Alexis Perez ]
* debian/control:
- and finally make libcap-dev linux-any too...
- make -ikev1 linux-any since pluto can't be build on FreeBSD.
* debian/rules:
- stop installing logcheck rules manually. closes: #679745
- handle non kFreeBSD more carefully closes: #640928
+ don't enable NM and Linux capabilities drop;
+ disable pluto (and xauth plugin);
+ don't enable farp and dhcp, enable kernel-pf{key,route} plugins
* Handle logcheck files from dh_installlogcheck and thus name them correctly
so they are not installed in the wrong package. closes: #679745
* debian/po
- add turkish translation, thanks Atila KOÇ. closes: #659879
* debian/patches:
- 04-Fixed-IPv6-source-address-lookup added, backported from upstream.
Fix IPv6 tunnels, broken because of bad handling of source routing.
[ Laurent Bigonville ]
* Do not use multi-arch paths, this makes no sense as only one instance of
the daemon can be run and all libraries are private.
* d/p/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch: NM now
requires a tundev, pass the loopback interface to make it happy
(thanks to Martin Willi)
* debian/control: Fix Vcs-Browser URL
-- Yves-Alexis Perez <corsac@debian.org> Sat, 07 Jul 2012 14:21:03 +0200
strongswan (4.6.4-4) unstable; urgency=low
* debian/control:
- libnm-glib-vpn-dev also is linux-any, fix build-deps.
-- Yves-Alexis Perez <corsac@debian.org> Sat, 30 Jun 2012 18:54:00 +0200
strongswan (4.6.4-3) unstable; urgency=low
* debian/strongswan-starter.postrm
- remove strongswan user on purge.
* debian/rules:
- enable gcrypt plugin. closes: #600326
* debian/libstrongswan.install:
- ship gcrypt plugin.
-- Yves-Alexis Perez <corsac@debian.org> Sat, 30 Jun 2012 17:08:08 +0200
strongswan (4.6.4-2) unstable; urgency=low
* Upload to unstable.
* debian/rules:
- use the strongswan user. closes: #529854
* debian/control:
- fix libnm-glib-vpn-dev build-dep, it's linux-any.
-- Yves-Alexis Perez <corsac@debian.org> Sat, 30 Jun 2012 15:37:58 +0200
strongswan (4.6.4-1) experimental; urgency=low
* New upstream release. closes: #664190
- stop including individual glib headers. closes: #665612
* debian/patches:
- drop all patches, they're all included upstream now.
* debian/*.install:
- drop destination path
- libs are in ipsec folder now
- add libradius, libtls, libtnccs and libsimaka to libstrongswan.
- add tnc-tnccs, pkcs8 and cmac plugins to libstrongswan.
- use multiarch paths
- move ldap, curl, kernel-netlink and attr* plugins to libstrongswan,
since they are used by pluto too. closes: #611846
* debian/control:
- add myself to uploaders, in hope that some others will join.
- update standards version to 3.9.3.
- add depend on adduser to strongswan-starter for use in maintainer
scripts.
- update debhelper build-dep to 9 and add dpkg-dev 1.16.2 build-dep for
hardening support.
- make strongswan-nm linux-any and adjust network-manager-dev build-dep to
only happen on linux arches. closes: #640928
* debian/compat bumped to 9.
* debian/rules:
- enable hardening flags with PIE and bindnow.
- use multiarch paths.
- inconditionnally enable network-manager.
- switch to dh.
- ignore plugins in dh_makeshlibs.
- don't generate maintainer scripts snippets for init scripts, it's
already handled (atlhough we might want to change that later)
- stop bypassing dh_installdocs.
- disable DES and Blowfish plugin as they are under a 4 clauses BSD-like
license.
* debian/libstrongswan.lintian-overrides,
debian/libstrongswan-ikev2.lintian-overrides:
- override warning for hardening flags, we do use them.
* debian/patches:
- 01_fix-manpages added, fix space in NAME section.
- 02_add-LICENSE added, add the license file from upstream not yet present
in tarball.
* debian/copyright completely rewritten.
-- Yves-Alexis Perez <corsac@debian.org> Fri, 29 Jun 2012 21:24:37 +0200
strongswan (4.5.2-1.5) unstable; urgency=low
* Non-maintainer upload.
* Fix "package must not include /var/lock/subsys":
don't ship /var/lock/subsys but create it in the init script.
(Closes: #667764)
-- gregor herrmann <gregoa@debian.org> Fri, 15 Jun 2012 16:21:27 +0200
strongswan (4.5.2-1.4) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* debian/patches:
- 0001-Fix-boolean-return-value-if-an-empty-RSA-signature-i added,
backported from upstream. Fix CVE-2012-2388 (when using gmp plugin,
zero length RSA signatures are considered valid).
- 0001-Added-support-for-the-resolvconf-framework-in-resolv added,
correctly handle resolvconf-managed /etc/resolv.conf. closes: #664873
-- Yves-Alexis Perez <corsac@debian.org> Thu, 24 May 2012 17:55:51 +0200
strongswan (4.5.2-1.3) unstable; urgency=low
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- Dutch; (Jeroen Schot). Closes: #631502
- Norwegian Bokmål, (Bjørn Steensrud). Closes: #654411
- Polish (Michał Kułach). Closes: #658125
-- Christian Perrier <bubulle@debian.org> Wed, 08 Feb 2012 07:22:07 +0100
strongswan (4.5.2-1.2) unstable; urgency=low
* Non-maintainer upload.
* Drop libopensc2-dev from Build-Depends; that library is now private to
opensc and is not required at build time as it's loaded by dlopen() anyway.
(Closes: #635890)
-- Laurent Bigonville <bigon@debian.org> Thu, 08 Sep 2011 16:50:11 +0200
strongswan (4.5.2-1.1) unstable; urgency=low
* Non-maintainer upload.
* debian/strongswan-starter.ipsec.init: Init script should depends on
remote_fs instead of local_fs, also provide ipsec instead of vpn as
the other ipsec implementations (Closes: #629675)
* debian/patches/0001-fix-fprintf-format.patch: Fix FTBFS with gcc 4.6,
taken from upstream (Closes: #614486)
* debian/control: Tighten dependency version against libstrongswan
(Closes: #626170)
* debian/strongswan-starter.lintian-overrides, debian/rules:
Correctly set restricted permissions on /etc/ipsec.d/private/
and /var/lib/strongswan (Closes: #598827)
-- Laurent Bigonville <bigon@debian.org> Mon, 04 Jul 2011 10:58:59 +0200
strongswan (4.5.2-1) unstable; urgency=low
* New upstream version 4.5.2. This removes a lot of old manpages that were
not properly updated since freeswan.
Closes: #616482: strongswan-ikev1: virtual ips not released if xauth name
does not match id
Closes: #626169: strongswan: ipsec tunnels fail because charon segfaults
Closes: #625228: strongswan-starter: left-/rightnexthop options are broken
Closes: #614105: strongswan-ikev2: charon continually respawns
* Fix typo in debian/rules that precluded --enable-nm from being passed to
configure (LP: #771778).
Closes: #627775: strongswan-nm package is missing nm module
* Make sure to install all newly added plugins (and generally files created
by make install) by calling dh_install with --fail-missing. Install some
newly enabled crypto plugins in the libstrongswan package.
Closes: #627783: Please disable modules that are not installed in package
at build time
-- Rene Mayrhofer <rmayr@debian.org> Thu, 19 May 2011 13:42:21 +0200
strongswan (4.5.1-1) unstable; urgency=low
* New upstream version
-- Rene Mayrhofer <rmayr@debian.org> Sat, 05 Mar 2011 09:27:49 +0100
strongswan (4.5.0-1) unstable; urgency=low
* New upstream version 4.5.0
* Enabled new configure options for additional libstrongswan plugins:
--enable-ctr --enable-ccm --enable-gcm --enable-addrblock --enable-led
--enable-pkcs11 --enable-eap-tls --enable-eap-ttls --enable-eap-tnc
* Enable NAT-Traversal with transport mode support so that strongswan
can be used for an L2TP/IPsec gateway (e.g. for Windows or mobile phone
clients).
* Special handling for strongswan-nm package during build time: only build
and install if headers are really available. This supports easier
backporting by simply ignoring build-deps and therefore to build all
packages except the strongswan-nm without any changes to the source
package.
* Install test-vectors and revocation plugins for libstrongswan.
Closes: #600996: strongswan-starter: plugin 'revocation' failed to load
* Acknowledge translations NMU.
Closes: #598925: Intent to NMU or help for an l10n upload of strongswan
to fix pending po-debconf l10n bugs
Closes: #598925 #599888 #600354 #600409 #602449 #603723 #603779
* Update Brazilian Portugese debconf translation.
Closes: #607404: strongswan: [INTL:pt_BR] Brazilian Portuguese debconf
templates translation
-- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Nov 2010 13:09:42 +0100
strongswan (4.4.1-5.1) unstable; urgency=low
* Non-maintainer upload.
- Fix pending l10n issues. Debconf translations:
- Vietnamese (Clytie Siddall). Closes: #598925
- Japanese (Hideki Yamane). Closes: #599888
- Czech (Miroslav Kure). Closes: #600354
- Spanish (Francisco Javier Cuadrado). Closes: #600409
- Danish (Joe Hansen). Closes: #602449
- Basque (Iñaki Larrañaga Murgoitio). Closes: #603723
- Italian (Vincenzo Campanella). Closes: #603779
-- Christian Perrier <bubulle@debian.org> Wed, 17 Nov 2010 20:21:21 +0100
strongswan (4.4.1-5) unstable; urgency=medium
* Fixed init script for restart to work when either pluto or charon
are not installed.
Closes: #598074: init script doesn't re-start the service on restart
* Enable built-in crypto test vectors.
Closes: #598136: strongswan: Please enable --enable-test-vectors
configure option
* Install libchecksum.so into correct directory (/usr/lib/ipsec instead of
/usr/lib). It still doesn't fix #598138 because of the size mismatch.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 26 Sep 2010 13:48:00 +0200
strongswan (4.4.1-4) unstable; urgency=medium
* dh_clean should not be called by the install target. This caused the
arch: all package strongswan to be built but not included in the changes
file.
Closes: #593768: strongswan: 4.4.1 unavailable in testing notwhistanding
a freeze-exception request
* Rewrote parts of the init.d script to make stop/restart more robust
when pluto or charon fail.
* Closes: #595885: strongswan: FTBFS in squeeze: No package 'libnm_glib_vpn'
found
This bug was actually closed in 4.4.0 with changed dependencies.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 19 Sep 2010 13:08:36 +0200
strongswan (4.4.1-3) unstable; urgency=low
* Change make clean to make distclean to make package building
idempotent.
Really closes: Bug#593313: strongswan: FTBFS because clean rule fails
-- Rene Mayrhofer <rmayr@debian.org> Sun, 22 Aug 2010 21:39:03 +0200
strongswan (4.4.1-2) unstable; urgency=low
* Recompiled with dpkg-buildpackage instead of svn-buildpackage to
make the clean target work. I am still looking for the root cause of
this quilt 3.0 format and svn-buildpackage incompatibility.
Closes: Bug#593313: strongswan: FTBFS because clean rule fails
* Removed the --enable-socket-* configure options again. Having multiple
socket variants for charon would force to explicitly enable one (in case
of pluto co-existance the socket-raw) in strongswan.conf. Disabling the
other variants for now at build-time relieves us from changing the
default config file and might be more future-proof concerning future
upstream changes to configure options.
Really closes: #587583
-- Rene Mayrhofer <rmayr@debian.org> Sat, 21 Aug 2010 23:28:47 +0200
strongswan (4.4.1-1) unstable; urgency=low
* New upstream release.
Closes: #587583: strongswan 4.4.0-2 does not work here: charon seems not
to ignore all incoming requests/answers
Closes: #506320: strongswan: include directives error and ikev2
* Fix typo in debconf templates.
Closes: #587564: strongswan: Minor typos in Debconf template
* Updated debconf translations.
Closes: #587562: strongswan: [INTL:de] updated German debconf translation
Closes: #580954: [INTL:es] Spanish debconf template translation for
strongswan
-- Rene Mayrhofer <rmayr@debian.org> Mon, 09 Aug 2010 11:37:25 +0200
strongswan (4.4.0-3) unstable; urgency=low
* Updated debconf translations.
Closes: #587562: strongswan: [INTL:de] updated German debconf translation
-- Rene Mayrhofer <rmayr@debian.org> Wed, 30 Jun 2010 09:50:31 +0200
strongswan (4.4.0-2) unstable; urgency=low
* Force enable-socket-raw configure option and enable list-missing option
for dh_install to make sure that all required plugins get built and
installed.
Closes: #587282: plugins missing
* Updated debconf translations.
Closes: #587052: strongswan: [INTL:fr] French debconf templates
translation update
Closes: #587159: strongswan: [INTL:ru] Russian debconf templates
translation update
Closes: #587255: strongswan: [INTL:pt] Updated Portuguese
translation for debconf messages
Closes: #587241: [INTL:sv] po-debconf file for strongswan
* Disabled cisco-quirks configure option, as it causes pluto to emit a
bogus Cicso vendor ID attribute. Some Cicso VPN clients might not work
without this, but it is less confusing for standards-compliant remote
gateways.
* Removed leftover attribute plugin source caused by incomplete svn-upgrade
call.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 24 Jun 2010 22:32:18 +0200
strongswan (4.4.0-1) unstable; urgency=HIGH
* New upstream release, now with a high-availability plugin.
* Added patch to fix snprintf bug.
* Enable building of ha, dhcp, and farp plugins.
* Enable capability dropping (now depends on libcap). Switching
user to new system user strongswan (with nogroup) after startup
is still disabled until the iptables updown script can be made
to work.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 25 May 2010 21:03:52 +0200
strongswan (4.3.6-1) unstable; urgency=low
* UNRELEASED
* New upstream release, now build-depends on gperf.
Closes: #577855: New upstream release 4.3.6
Closes: #569553: strongswan: Certificates CNs containing email address
OIDs are not correctly parsed
Closes: #557635: strongswan charon does not rekey forever
Closes: #569299: Please update configure check to use new nm-glib
pkgconfig file name
* Switch to dpkg-source 3.0 (quilt) format
* Synchronize debconf handling with current openswan 2.6.25 package to keep
X509 certificate handling etc. similar. Thanks to Harald Jenny for
implementing these changes in openswan, which I just converted to
strongswan.
* Now also build a strongswan-dbg package to ship debugging symbols.
* Include attr plugin in strongswan-ikev2 package. Thanks to Christoph Lukas
for pointing out that this was missing.
Closes: #569550: strongswan: Please include attr plugin
-- Rene Mayrhofer <rmayr@debian.org> Tue, 23 Feb 2010 10:39:21 +0000
strongswan (4.3.4-1) unstable; urgency=low
* New upstream release.
* This release supports integrity checking of libraries, which is
now enabled at build-time and can be enabled at run-time using
libstrongswan {
integrity_test = yes
}
in /etc/strongswan.conf.
* Don't disable internal crypto libraries for pluto. They might be
required when working with older ipsec.conf files.
* charon now supports "include" directives in ipsec.secrets for
compatibility with how the maintainer script includes RSA private keys.
* Patched starter to also look at routing table "default" when table
"main" doesn't have a default entry. This makes dealing with
"%defaulroute" in ipsec.conf more flexible.
Update: It seems Astaro was quicker then me sending a patch with
exactly that aim to upstream. Now applied this one, which will be
part of future upstream releases and uses netlink to read routing
tables.
-- Rene Mayrhofer <rmayr@debian.org> Wed, 21 Oct 2009 11:14:56 +0000
strongswan (4.3.2-1) unstable; urgency=HIGH
Urgency high because of security issue and FTBFS.
* New upstream release, fixes security bug.
* Fix padlock handling for i386 in debian/rules.
Closes: #525652 (FTBFS on i386)
* Acknowledge NMUs by security team.
Closes: #533837, #531612
* Add "Conflicts: strongswan (< 4.2.12-1)" to libstrongswan,
strongswan-starter, strongswan-ikev1, and strongswan-ikev2 to force
update of the strongswan package on installation and avoid conflicts
caused by package restructuring.
Closes: #526037: strongswan-ikev2 and strongswan: error when trying to
install together
Closes: #526486: strongswan and libstrongswan: error when trying to
install together
Closes: #526487: strongswan-ikev1 and strongswan: error when trying to
install together
Closes: #526488: strongswan-starter and strongswan: error when trying to
install together
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project. Closes: #528073
* Debconf translation updates:
Closes: #525234: [INTL:ja] Update po-debconf template translation (ja.po)
Closes: #528323: [INTL:sv] po-debconf file for strongswan
Closes: #528370: [INTL:vi] Vietnamese debconf templates translation update
Closes: #529027: [INTL:pt] Updated Portuguese translation for debconf messages
Closes: #529071: [INTL:fr] French debconf templates translation update
Closes: #529592: nb translation of debconf PO for strongSWAN
Closes: #529638: [INTL:ru] Russian debconf templates translation
Closes: #529661: Updated Czech translation of strongswan debconf messages
Closes: #529742: [INTL:eu] strongswan debconf basque translation
Closes: #530273: [INTL:fi] Finnish translation of the debconf templates
Closes: #529063: [INTL:gl] strongswan 4.2.14-2 debconf translation update
-- Rene Mayrhofer <rmayr@debian.org> Sat, 18 Apr 2009 20:28:51 +0200
strongswan (4.2.14-1.2) unstable; urgency=high
* Non-maintainer upload.
* Fix build on i386
Closes: #525652: FTBFS on i386:
libstrongswan-padlock.so*': No such file or directory
* Fix Two Denial of Service Vulnerabilities
Closes: #533837: strongSwan Two Denial of Service Vulnerabilities
-- Ruben Puettmann <ruben@puettmann.net> Sun, 21 Jun 2009 17:50:02 +0200
strongswan (4.2.14-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix two possible null pointer dereferences leading to denial
of service via crafted IKE_SA_INIT, CREATE_CHILD_SA or
IKE_AUTH request (CVE-2009-1957; CVE-2009-1958; Closes: #531612).
-- Nico Golde <nion@debian.org> Mon, 15 Jun 2009 13:06:05 +0200
strongswan (4.2.14-1) unstable; urgency=low
* New upstream release, which incorporates the fix. Removed dpatch for it.
Closes: #521950: CVE-2009-0790: DoS
* New support for EAP RADIUS authentication, enabled for this package.
-- Rene Mayrhofer <rmayr@debian.org> Wed, 01 Apr 2009 22:17:52 +0200
strongswan (4.2.13-2) unstable; urgency=low
* Fix DoS issue via malicious Dead Peer Detection packet. Thanks to the
security team for providing the patch.
Closes: #521950: CVE-2009-0790: DoS
Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 31 Mar 2009 12:00:51 +0200
strongswan (4.2.13-1) unstable; urgency=low
* New upstream release. This is now compatible with network-manager 0.7
in Debian, so start building the strongswan-side support. The actual
plugin will need to be another source package.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 22 Mar 2009 10:59:31 +0100
strongswan (4.2.12-1) unstable; urgency=low
* New upstream release. Starting with this version, the strongswan
packages is modularized and includes support for plugins like the
NetworkManager plugin. Many details were adopted from Martin Willi's
packages.
* Dropping support for raw RSA public/private keypairs, as charon does
not support it.
* Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 01 Mar 2009 10:46:08 +0000
strongswan (4.2.9-1) unstable; urgency=low
* New upstream release, fixes a MOBIKE issue.
Closes: #507542: strongswan: endless loop
* Explicitly enable compilation with libcurl for CRL fetching
Closes: #497756: strongswan: not compiled with curl support; crl
fetching not available
* Enable compilation with SSH agent support.
-- Rene Mayrhofer <rmayr@debian.org> Fri, 05 Dec 2008 17:21:42 +0100
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
* Patch backported from 4.2.7 to fix a potential DoS issue.
Thanks to Thomas Kallenberg for the patch.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 29 Sep 2008 10:35:30 +0200
strongswan (4.2.4-4) unstable; urgency=low
* Tweaked configure options for lenny to remove somewhat experimental,
incomplete, or unnecessary features. Removed --enable-xml,
--enable-padlock, and --enable-manager and added --disable-aes,
--disable-des, --disable-fips-prf, --disable-gmp, --disable-md5,
--disable-sha1, and --disable-sha2 because openssl already
contains this code, we depend on it and thus don't need it twice.
Padlock support does not do much, because the bulk encryption uses
it anyway (being done internally in the kernel) and using padlock
for IKEv2 key agreement adds complexity for little gain.
Thanks to Thomas Kallenberg of strongswan upstream team for
suggesting these changes. The package is now noticable smaller.
* Also remove dbus dependency, which is no longer necessary.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 01 Sep 2008 08:59:10 +0200
strongswan (4.2.4-3) unstable; urgency=low
* Changed configure option to build peer-to-peer service again.
Closes: #494678: strongswan: configure option --enable-p2p changed to
--enable-mediation
-- Rene Mayrhofer <rmayr@debian.org> Tue, 12 Aug 2008 20:08:26 +0200
strongswan (4.2.4-2) unstable; urgency=medium
Urgency medium because this fixes an FTFBS bug on non-i386.
* Only compile padlock crypto acceleration support for i386. Thanks for
the patch!
Closes: #492455: strongswan: FTBFS: Uses i386 assembler on non-i386
arches.
* Updated Swedish debconf translation.
Closes: #492902: [INTL:sv] po-debconf file for strongswan
-- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Aug 2008 13:02:54 +0200
strongswan (4.2.4-1) unstable; urgency=medium
Urgency medium because this new upstream versions no longer uses
dbus and thus fixed the grave bug from the last Debian package. This
version should transit to testing.
* New upstream release. Starting with version 4.2.0, crypto algorithms have
beeen modularized with existing code ported over. Among other improvments,
this version now supports AES-CCM (e.g. with esp=aes128ccm12) and AES-GCM
(e.g. with esp=aes256gcm16) starting with kernel 2.6.25 and enables dead
peer detection by default.
Note that charon (IKEv2) now uses the new /etc/strongswan.conf.
* Enabled building of VIA Padlock and openssl crypto plugins.
* Drop patch to rename AES_cbc_encrypt so as not to conflict with an
openssl method of the same name. This has been applied upstream.
* This new upstream version no longer uses dbus.
Closes: #475098: charon needs dbus but strongswan does not depend on dbus
Closes: #475099: charon does not work any more
* This new upstream version no longer prints error messages in its
init script.
Closes: #465718: strongswan: startup on booting returns error messages
* Apply patch to ipsec init script to fix bashism.
Closes: #473703: strongswan: bashism in /bin/sh script
* Updated Czech debconf translation.
Closes: #480928: [l10n] Updated Czech translation of strongswan debconf
messages
-- Rene Mayrhofer <rmayr@debian.org> Thu, 10 Jul 2008 14:40:43 +0200
strongswan (4.1.11-1) unstable; urgency=low
* New upstream release.
* DBUS support now interacts with network-manager, so need to build-depend
on network-manager-dev.
* The web interface has been improved and now requires libfcgi-dev and
clearsilver-dev to compile, so build-depend on them. Also build-depend
on libxml2-dev, libdbus-1-dev, libtool, and libsqlite3-dev (which were
all build-deps before but were not listed explicitly so far - fix that).
* Add patch to rename internal AES_cbc_encrypt function and thus avoid
conflict with the openssl function.
Closes: #470721: pluto segfaults when using pkcs11 library linked with
OpenSSL
-- Rene Mayrhofer <rmayr@debian.org> Sun, 30 Mar 2008 10:35:16 +0200
strongswan (4.1.10-2) unstable; urgency=low
* Enable new configure options: dbus, xml, nonblocking, thread, peer-
to-peer NAT-traversal and the manager interface support.
* Also set the default path to the opensc-pkcs11 engine explicitly.
-- Rene Mayrhofer <rmayr@debian.org> Fri, 15 Feb 2008 10:25:49 +0100
strongswan (4.1.10-1) unstable; urgency=low
* New upstream release.
Closes: #455711: New upstream version 4.1.9
* Updated Japanese debconf translation.
Closes: #463321: strongswan: [INTL:ja] Update po-debconf template
translation (ja.po)
-- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Feb 2008 15:15:14 +0100
strongswan (4.1.8-3) unstable; urgency=low
* Force use of hardening-wrapper when building the package by setting
a Build-Dep to it and setting export DEB_BUILD_HARDENING=1 in
debian/rules.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 07 Feb 2008 14:14:48 +0100
strongswan (4.1.8-2) unstable; urgency=medium
* Ship our own init script, since upstream no longer does. This is still
installed as /etc/init.d/ipsec (and not /etc/init.d/strongswan) to be
backwards compatible.
Really closes: #442880: strongswan: postinst failure (missing
/etc/init.d/ipsec)
* Actually, need to be smarter with ipsec.conf and ipsec.secrets. Not
marking them as conffiles isn't the right thing either. Instead, now
use the includes feature to pull in config snippets that are
modified by debconf. It's not perfect, though, as the IKEv1/IKEv2
protocols can't be enabled/disabled with includes. Therefore don't
support this option in debconf for the time being, but default to
enabled for both IKE versions. The files edited with debconf are kept
under /var/lib/strongswan.
* Cleanup debian/rules: no longer need to remove leftover files from
patching, as currently there are no Debian-specific patches (fortunately).
* More cleanup: drop debconf translations hack for woody compatibility,
depend on build-stamp instead of build in the install-strongswan target,
and remove the now unnecessary dh_clean -k call in install-strongswan so
that configure shouldn't run twice during building the package.
* Update French debconf translation.
Closes: #448327: strongswan: [INTL:fr] French debconf templates
translation update
-- Rene Mayrhofer <rmayr@debian.org> Fri, 02 Nov 2007 21:55:29 +0100
strongswan (4.1.8-1) unstable; urgency=low
The "I'm back from my long semi-vacation, and strongswan is now bug-free
again" release.
* New upstream release.
Closes: #442880: strongswan: postinst failure (missing /etc/init.d/ipsec)
Closes: #431874: strongswan - FTBFS: cannot create regular file
`/etc/ipsec.conf': Permission denied
* Explicitly use debhalper compatbility version 5m now using debian/compat
instead of DH_COMPAT.
* Since there's no configurability in dh_installdeb's mania to flag
everything below /etc as a conffile, now hack DEBIAN/conffiles directly
to remove ipsec.conf and ipsec.secrets.
Closes: #442929: strongswan: Maintainer script modifies conffiles
* Add/update debconf translations.
Closes: #432189: strongswan: [INTL:de] updated German debconf translation
Closes: #432212: [l10n] Updated Czech translation of strongswan debconf
messages
Closes: #432642: strongswan: [INTL:fr] French debconf templates
translation update
Closes: #444710: strongswan: [INTL:pt] Updated Portuguese translation for
debconf messages
-- Rene Mayrhofer <rmayr@debian.org> Fri, 26 Oct 2007 16:16:51 +0200
strongswan (4.1.4-1) unstable; urgency=low
* New upstream release.
* Fixed debconf descriptions.
Closes: #431157: strongswan: Minor errors in Debconf template
* Include Portugese and
Closes: #415178: strongswan: [INTL:pt] Portuguese translation for debconf
messages
Closes: #431154: strongswan: [INTL:de] initial German debconf translation
-- Rene Mayrhofer <rmayr@debian.org> Thu, 05 Jul 2007 00:53:01 +0100
strongswan (4.1.3-1) unreleased; urgency=low
* New upstream release.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 03 Jun 2007 18:39:11 +0100
strongswan (4.1.1-1) unreleased; urgency=low
Major new upstream release:
* IKEv2 support with the new "charon" daemon in addition to the old "pluto"
which is still used for IKEv1.
* Switches to auto* tools build system.
* The postinst script is still not quite as complete in updating the 2.8.x
config automatically to a new 4.x config, but I don't want to wait any
longer with the upload. It can be improved later on.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 12 Apr 2007 21:33:56 +0100
strongswan (2.8.3-1) unstable; urgency=low
* New upstream release with fixes for the SHA-512-HMAC function and
added SHA-384 and SHA-2 implementations.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 22 Feb 2007 20:19:45 +0000
strongswan (2.8.2-1) unstable; urgency=low
* New upstream release with interoperability fixes for some VPN
clients.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 30 Jan 2007 12:21:20 +0000
strongswan (2.8.1+dfsg-1) unstable; urgency=low
* New upstream release, now with XAUTH support.
* Explicitly enable smartcard and vendorid options as well as a
few more in debian/rules.
Closes: #407449: strongswan: smartcard support is disabled
-- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Jan 2007 21:06:25 +0000
strongswan (2.8.1-1) UNRELEASED; urgency=low
* New upstream release.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Jan 2007 20:59:11 +0000
strongswan (2.8.0+dfsg-1) unstable; urgency=low
* New upstream release.
* Update debconf templates.
Closes: #388672: strongswan: [INTL:fr] French debconf templates
translation update
Closes: #389253: [l10n] Updated Czech translation of strongswan
debconf messages
Closes: #391457: [INTL:nl] Updated dutch po-debconf translation
Closes: #396179: strongswan: [INTL:ja] Updated Japanese po-debconf
template translation (ja.po)
* Fix broken reference to a now non-existing config file. no_oe.conf
has been replaced by oe.conf, with the opposite meaning. Changed
postinst to deal with it correctly now, and also try to convert
older config file lines to newer (e.g. when updating from openswan
to strongswan).
Closes: #391565: fails to start : /etc/ipsec.conf:46: include
files found no matches
[/etc/ipsec.d/examples/no_oe.conf]
-- Rene Mayrhofer <rmayr@debian.org> Mon, 6 Nov 2006 19:01:58 +0000
strongswan (2.7.3+dfsg-1) unstable; urgency=low
* New upstream release. Another try on getting it into unstable.
Closes: #372267: ITP: strongswan -- second fork of freeswan.
* Call debian-updatepo in the clean target, in line with the openswan
change for its version 2.4.6+dfsg-1.
* Remove man2html, htmldoc, and lynx from the Build-Deps because we no
longer rebuild the documentation tree.
* Starting shipping a lintian overrides file to finally silence the
warnings about non-standard-(file|dir)-perms (they are intentional).
* Clean up /usr/lib/ipsec somehow, again owing to lintian warnings.
* Add po-debconf to build dependencies.
-- Rene Mayrhofer <rmayr@debian.org> Wed, 23 Aug 2006 21:23:36 +0100
strongswan (2.7.2+dfsg-1) unstable; urgency=low
* First upload to the main Debian archive. This does no longer build
the linux-patch-strongswan and strongswan-modules-source packages,
as KLIPS will be removed from the strongswan upstream source anyway
for the next major release. However, the openswan KLIPS could should
be interoperable with strongswan user space.
Closes: #372267: ITP: strongswan -- second fork of freeswan.
* This upload removes the draft RFCs, as they are not considered free under
the DFSG.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 9 Jul 2006 12:40:34 +0100
strongswan (2.7.2-1) unstable; urgency=low
* New upstream release. This release fixes a potential DoS problem.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 26 Jun 2006 12:34:43 +0100
strongswan (2.7.0-1) unstable; urgency=low
* Initial Debian packaging of strongswan. This is directly based on my
Debian package of openswan 2.4.5-3.
* Do not compile and ship fswcert right now, because it is not included
in strongswan upstream. If it turns out to be necessary for supporting
easy-to-use OE in the future (i.e. for generating the DNS format for the
public keys from generated X.509 certificates), I will re-add it to the
Debian package.
* Also disabled my patches to use /etc/default instead of /etc/sysconfig for
now. Something like that will be necessary in the future, but those parts
of strongswan differ significanty from openswan.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 22 May 2006 07:37:00 +0100
Local variables:
mode: debian-changelog
End:
|