Merge strongswan from Debian unstable for mantic
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
strongswan (Ubuntu) | Fix Released | Undecided | Andreas Hasenack | |
Bug Description
Upstream: tbd
Debian: 5.9.8-5
Ubuntu: 5.9.8-3ubuntu4
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.
### New Debian Changes ###
strongswan (5.9.8-5) unstable; urgency=medium
* No-change upload for source-only upload.
-- Yves-Alexis Perez <email address hidden> Fri, 03 Mar 2023 18:56:58 +0100
strongswan (5.9.8-4) unstable; urgency=medium
* d/patches: libtls-
Fix authentication bypass and use-after-free in libtls (CVE-2023-26463)
* d/control: replace lsb-base dependency by sysvinit-utils
* d/control: update standards version to 4.6.2
-- Yves-Alexis Perez <email address hidden> Sun, 26 Feb 2023 09:40:09 +0100
strongswan (5.9.8-3) unstable; urgency=medium
* d/tests: also drop _copyright test since the util is gone as well
-- Yves-Alexis Perez <email address hidden> Thu, 03 Nov 2022 18:17:42 +0100
strongswan (5.9.8-2) unstable; urgency=medium
* d/tests: remove scepclient tests since it's gone (Closes: #1023224)
-- Yves-Alexis Perez <email address hidden> Thu, 03 Nov 2022 13:05:27 +0100
strongswan (5.9.8-1) unstable; urgency=medium
* New upstream version 5.9.8
- Includes fix for CVE-2022-40617, denial of service due to the
revocation plugin potentially using untrusted OCSP URIs and CRL
distribution points in CRLs. (closes: #1021271)
* Remove strongswan-
* d/p/0006-
upstream
* remove dropped _copyright utility
* d/strongswan-
* d/s-{started,
* d/copyright updated for new upstream release
-- Yves-Alexis Perez <email address hidden> Wed, 05 Oct 2022 15:25:18 +0200
strongswan (5.9.6-1) unstable; urgency=medium
* New upstream version 5.9.6
* d/p/0006-
* d/libstrongswan
-- Yves-Alexis Perez <email address hidden> Sat, 07 May 2022 20:19:18 +0200
strongswan (5.9.5-2) unstable; urgency=medium
* actually fix lintian overrides
-- Yves-Alexis Perez <email address hidden> Wed, 26 Jan 2022 16:29:17 +0100
strongswan (5.9.5-1) unstable; urgency=medium
* New upstream version 5.9.5
- eap-authenticator: Enforce failure if MSK generation fails
Fix incorrect handling of Early EAP-Success Messages (CVE-2021-45079)
* update lintian overrides to match RUNPATH
-- Yves-Alexis Perez <email address hidden> Wed, 26 Jan 2022 14:38:54 +0100
strongswan (5.9.4-1) unstable; urgency=medium
[ Paride Legovini ]
* tpm plugin: compile against the tpm2 software stack (tss2)
(Closes: #994396, Ubuntu#1940079)
[ Yves-Alexis Perez ]
* New upstream version 5.9.4
* d/patches rebased against new upstream
* Enable forecast plugin (Closes: #943457)
* update lintian overrides for new lintian
* d/control: update standards version to 4.6.0
* d/s-starter.postrm: use which to check for command existence
-- Yves-Alexis Perez <email address hidden> Tue, 19 Oct 2021 22:34:40 +0200
strongswan (5.9.1-1) unstable; urgency=medium
* New upstream version 5.9.1
* d/patches: rebase against new upstream version
* d/watch: update to version 4
-- Yves-Alexis Perez <email address hidden> Wed, 11 Nov 2020 17:54:34 +0100
strongswan (5.9.0-1) unstable; urgency=medium
* New upstream version 5.9.0
-- Yves-Alexis Perez <email address hidden> Thu, 17 Sep 2020 10:21:30 +0200
strongswan (5.8.4-1) unstable; urgency=medium
* New upstream version 5.8.4 (Closes: #956446)
* d/rules: drop --as-needed from linker flags
### Old Ubuntu Delta ###
strongswan (5.9.8-3ubuntu4) lunar; urgency=medium
* d/t/utils: also give `cloud-init status --wait` the same amount of
${limit} seconds to complete, and bump limit to 5min. The logs show
the container started up fine, with an IP.
-- Andreas Hasenack <email address hidden> Mon, 06 Mar 2023 11:00:58 -0300
strongswan (5.9.8-3ubuntu3) lunar; urgency=medium
* SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
Incorrect Refcount
- debian/
expired pointer dereference in src/libtls/
- CVE-2023-26463
-- Marc Deslauriers <email address hidden> Thu, 02 Mar 2023 12:58:47 -0500
strongswan (5.9.8-3ubuntu2) lunar; urgency=medium
* d/usr.sbin.swanctl: allow 'm' flag for /usr/sbin/swanctl
(LP: #1999935)
-- Andreas Hasenack <email address hidden> Fri, 16 Dec 2022 16:07:51 -0300
strongswan (5.9.8-3ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #1993449). Remaining changes:
- d/control: strongswan-starter hard-depends on strongswan-charon,
therefore bump the dependency from Recommends to Depends. At the same
time avoid a circular dependency by dropping
strongswa
binaries can work without the services but not vice versa.
- re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
+ d/control: mention plugins in package description
+ d/rules: enable ntru at build time
+ d/libstrongswan
- Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
+ d/control: update libcharon-
+ d/libcharon-
+ d/rules: add plugins to the configuration arguments.
- Remove conf files of plugins removed from libcharon-
+ The conf file of the following plugins were removed: eap-aka-3gpp2,
+ Created d/libcharon-
properly.
* Dropped:
- SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
+ debian/
after basic trust chain validation in
+ CVE-2022-40617
[Included upstream in 5.9.8]
* Added:
- d/t/{control,
(LP: #1999525)
-- Andreas Hasenack <email address hidden> Tue, 13 Dec 2022 11:04:24 -0300
Related branches
- git-ubuntu bot: Approve
- Lucas Kanashiro (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 2661 lines (+2356/-4)
10 files modified
debian/changelog (+1859/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
debian/tests/control (+6/-0)
debian/tests/host-to-host (+401/-0)
debian/tests/utils (+61/-0)
debian/usr.sbin.swanctl (+1/-1)
Changed in strongswan (Ubuntu):
milestone: none → ubuntu-23.07
Changed in strongswan (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in strongswan (Ubuntu):
status: New → In Progress
This bug was fixed in the package strongswan - 5.9.11-1ubuntu1
---------------
strongswan (5.9.11-1ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2018113). Remaining changes:
- d/control: strongswan-starter hard-depends on strongswan-charon,
therefore bump the dependency from Recommends to Depends. At the same
time avoid a circular dependency by dropping
strongswan-charon->strongswan-starter from Depends to Recommends as the
binaries can work without the services but not vice versa.
- re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
+ d/control: mention plugins in package description
+ d/rules: enable ntru at build time
+ d/libstrongswan-extra-plugins.install: ship config and shared objects
- Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
+ d/control: update libcharon-extra-plugins description.
+ d/libcharon-extra-plugins.install: install .so and conf files.
+ d/rules: add plugins to the configuration arguments.
- Remove conf files of plugins removed from libcharon-extra-plugins
+ The conf file of the following plugins were removed: eap-aka-3gpp2,
eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
+ Created d/libcharon-extra-plugins.maintscript to handle the removals
properly.
- d/t/{control,host-to-host,utils}: new host-to-host test
(LP #1999525)
- d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
(LP #1999935)
* Dropped:
- SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
Incorrect Refcount
+ debian/patches/CVE-2023-26463.patch: fix authentication bypass and
expired pointer dereference in src/libtls/tls_server.c.
+ CVE-2023-26463
[Fixed upstream in 5.9.10]
-- Andreas Hasenack <email address hidden> Fri, 23 Jun 2023 14:05:18 -0300