2006
freeswan (2.04-14) unstable; urgency=medium
This is probably the final upload to this package, I will ask for
removal after etch is released.
* Adopted NMU-patch by Andres Henriksson:
Comment out lines in debian/rules to not install any files in the
transition package except the debian changelog and copyright file.
(Urgency medium as it fixes a RC bug, Closes: #398401)
-- Rene Mayrhofer <rmayr@debian.org> Tue, 14 Nov 2006 17:58:57 +0100
freeswan (2.04-13) unstable; urgency=low
* Changed the dependency of kernel-patch freeswan to
linux-patch-openswan | kernel-patch-openswan, as the openswan kernel
patch package has been renamed to make it clear that it is a Linux kernel
patch.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 23 Apr 2006 21:52:05 +0100
2005
freeswan (2.04-12) unstable; urgency=low
* Finally remove freeswan from Debian. These are transition packages
that only depend on the respective openswan packages and may be
safely removed after openswan has been installed.
Your config files should be taken over by openswan, but please report
any anomalies that might happen.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 20 Jun 2005 17:52:30 +0100
2004
freeswan (2.04-11) unstable; urgency=high
* Updated the last security fix, it could break connections with self-
signed certificates.
-- Rene Mayrhofer <rmayr@debian.org> Wed, 7 Jul 2004 20:30:44 +0200
freeswan (2.04-10) unstable; urgency=HIGH
* Fixed a security issue in the X.509 patch reported by Andreas Steffen to
the openswan mailing list (CAN-2004-0590).
* Compiling freeswan-modules-source on a non-patched 2.4 kernel tree still
fails because of bad integration of the NAT patch into the X.509 patch
I am currently using. I am still working on that, but this security issue
must be fixed as soon as possible.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 28 Jun 2004 13:32:19 +0200
freeswan (2.04-9) unstable; urgency=medium
* Fixed the alg patch to work again - the upstream patch by Andreas Steffen
does currently not apply cleanly to a kernel source, because files have
been moved.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 22 Mar 2004 10:26:54 +0100
freeswan (2.04-8) unstable; urgency=low
* Updated the X.509 patch. This new upstream release supports CRL
download via OCSP, which is a huge win.
* Updated the alg patch.
* Include NAT Traversal support again, many thanks to Andreas Steffen for
doing the work of forward-porting it.
* Remove the notify-delete patch, it is now included in the X.509 patch.
* Adapt debian/rules to not install some doc files that are now missing
with the new patch versions.
* Additional debian/rules cleanup to remove cosmetic error messages during
package build.
* Fix a few lintian warnings - many thanks to Martin Koeppe for pointing
them out.
* Really work on the automatic editing of ipsec.secrets now - this version
ships a better default config that makes checking for previous key a lot
easier. Updating from a previous default config should work.
Closes: #199990: freeswan - key presence check broken
Closes: #199993: freeswan - postinst cert insertion check broken
* debian/po/POTFILES.in now lists the master file.
Closes: #231226: freeswan: Broken woody backward compatibility mechanism
for debconf templates translation
* Updated the Japanese debconf translation.
Closes: #231227: freeswan: Japanese translation of templates broken
* Updated the French debconf translation.
Closes: #235267: freeswan: [INTL:fr] French debconf templates translation
Closes: #232068: freeswan: [INTL:fr] French debconf templates translation
* Fixed the last debconf template, thanks for the patch.
Closes: #231295: freeswan: Templates corrections
* Explicitly use bash in mkx509cert.sh, it seems to be broken with dash.
Closes: #232583: postinst fails to create certificate with posix bourne
shell
* Now build pluto with support for LDAP CRL fetching, CRL or OCSP fetching
via cURL and secret keys on smart cards via opensc. This means that there
are 3 more build dependencies and that the freeswan package depends on 3
more library packages. Since they are less than 2MB in whole, I thought
that should be ok.
Closes: #231825: please build with opensc support
* Ship the fswcert tool now again, this time under /usr/bin. It is very
useful to connect to a non-X.509 capable freeswan box on the other side,
because the RSA public key needed by the other side can be easily
extracted with fswcert from the own PEM certificate.
* Add the /etc/ipsec.d/ocspcerts and /etc/ipsec.d/policies directories.
* Be sure that a valid country code is entered for the X.509 certificate -
openssl will not create one without it:
- Added a default value (AT at the moment, if somebody has a "better"
default for Debian, mail me).
- Don't allow an empty field in the config script.
Closes: #217796: broken with debconf noninteractive
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 4 Mar 2004 20:01:41 +0100
freeswan (2.04-7) unstable; urgency=medium
Urgency is medium because OE breaks connectivity on some systems.
* Really disable Opportunistic Encryption now for all cases, also
updates. This should solve the problem of 2 routes being erroneously
created and effectively disconnecting the host from its default route.
During installation, the user can select via debconf whether OE should be disabled,
but disabling is the default and is strongly recommended in the wording.
It should also work for existing config files.
Closes: #230557: freeswan: Default installation kills network connection
Closes: #225530: freeswan: adds "default route" on empty config
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Tue, 3 Feb 2004 14:26:52 +0100
freeswan (2.04-6) unstable; urgency=low
* Recommend ipsec-tools instead of suggesting them and clearly state
in the README.Debian file that ipsec-tools is necessary when the
kernel native stack is used instead of the KLIPS stack. Maybe I
should even depend on ipsec-tools. Installing the package fixes the
problem that pluto can't be stopped.
Closes: #227747: freeswan: Can't stop ipsec
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 29 Jan 2004 12:29:56 +0100
freeswan (2.04-5) unstable; urgency=medium
Urgency is medium due to a kernel patch error on all architectures (#229887).
* Remove -Werror for compilation. Although I don't really like that
solution, upstream recommended to do that. This finally makes
freeswan compile on ia64. Many thanks to Bdale Garbee for compiling a few
versions on one of his spare ia64.
Closes: #203339: freeswan_2.01-1(unstable/ia64): FTBFS: int format,
different type arg
* Change the architecture of the created freeswan-modules package from all
to any. Thanks to Matthias Klose for noticing that.
Closes: #227209: freeswan-modules-source builds module of architecture all
* freeswan routing setup scripts now really need the ip tool. Depend on
the iproute package to be sure it's installed. I didn't notice this
because I have ip installed on all of my systems.
Closes: #229981: freeswan: does not create routing entries
* Remove my fix for the missing Config.in entries - it apparently got fixed
in the rc12 alg patch by inserting the lines at a different place. Thus,
the entries were put twice into the Config.in, breaking make menuconfig.
Closes: #229887: FreeS/WAN kernel patch causes failure in Menuconfig
* Ugh, remove config files from debian/freeswan.conffiles - debhelper
already takes care of that.
Closes: #223281: freeswan: Some conffiles are listed twice
* Add the japanese debconf translation.
Closes: #227824: freeswan: Japanese po-debconf template translation (ja.po)
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 29 Jan 2004 09:24:54 +0100
freeswan (2.04-4) unstable; urgency=low
* Updated the alg patch to rc12, which seems to fix compatibility with
the new kernel interface. Many thanks to Herbert Valerio Riedel for
providing the patch !
Closes: #224704: freeswan unable to select kernel cipher
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 5 Jan 2004 12:21:25 +0100
2003
freeswan (2.04-3) unstable; urgency=medium
* Revert back to 0.8.1rc10 alg patch, because 0.8.1rc11 seems to cause
trouble for some people.
Closes: #224704: freeswan unable to select kernel cipher
* Fix double clean. Thanks to Marc Haber for pointing out the mistake.
* Fix building of the modules outside of /usr/src/modules. Thanks to
Adam Lackorzynski for that one.
* Fix alg modules with versioned module kernel builds.
Closes: #224283: freeswan-modules-source: failure to build ipsec_aes.o
* Remove the empty Depends: line in freeswan-modules-source, which breaks
apt-get under woody.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 22 Dec 2003 13:01:53 +0100
freeswan (2.04-2) unstable; urgency=medium
* Wah, cvs-buildpackage f***ed up. Some of my changes were not taken into
the last build (after importing the upstream sources). This should correct
it. Thus, set urgency to medium because the last upload broke the
compilation of freeswan-modules-source.
* Fix the compilation of freeswan-modules-source by changing alg_modules to
all_alg_modules in debian/rules.
* Remove the temporary hack concerning the cryptoapi module - it works now
and is the only way to get all the ciphers.
* Add a fix for linux/net/ipsec/Makefile, so that compiling ipsec without
module support in the kernel will again work. Thanks to Christian Welzel
for tracking this one down !
* Suggest curl for dynamic CRL loading.
-- Rene Mayrhofer <rmayr@debian.org> Wed, 17 Dec 2003 09:10:34 +0100
freeswan (2.04-1) unstable; urgency=low
* New upstream release.
* Updated the X.509 patch, which now supports port and protocol selectors
for the native IPSec stack.
* Herbert Xu's patch is no longer needed, it has been integrated into
upstream. Thanks for making my life a lot easier :)
* Updated Juanjo's alg patch (which is now a single patch instead of
multiple small ones).
* Removed my patch to fix the gcc 3.x log conflict, this has now also been
done upstream.
* Don't ship the various documentation files from the alg and NAT Traversal
patches in the debian/ directory of the source package, they are added by
the patches anyway.
* Disable the NAT Traversal patch for now because it has large problems with
2.04 upstream (most probably because of the changes needed to integrate
Herbert's work). I can not fix this immediately, so I will either have to
wait until Mathieu Lafon updates his patch or try to do it myself, which
means digging deeply into the pluto and kernel code....
However, this has to wait because there are some bugs to fix in this
package, and we've been told to do it quickly :)
Closes: #219007: freeswan-modules-source: NAT_TRAVERSAL sould be disabled
with newer kernel-source packages
* Forward-port Mathieu's notify-delete patch myself: use plog instead of log
(as with my old log-conflicts patch) and replace st_connection.(this|that)
by st_connection.spd.(this|that), which should fix the compile problems.
* Finally apply patch to fix the build on ia64. Sorry that it took so long,
I somehow managed to look over this bug. It is untested but should not
break stuff.
Closes: #203339: freeswan_2.01-1(unstable/ia64): FTBFS: int format,
different type arg
* I am not aware that I said that kernel-headers were enough to build the
freeswan-modules-source package, and I don't think that make-kpkg does
that in its default configuration. Anyway, document that the real kernel
sources (the unpacked kernel) tree is needed to build the modules in
README.Debian and add a Recommends: kernel-source so that it should be
clear. If this is in policy violation for *-source packages, then I need
some help in fixing this.
Closes: #211935: FTB modules package for kernel-headers-2.4.22*
Closes: #209167: Can not build modules, or?
* Define the CONFIG_IPSEC_ALG_* macros for the kernel configuration in
freeswan-modules-source with 1 instead of just defining them.
Closes: #218998: freeswan-modules-source: Definition of CONFIG_IPSEC_ALG_*
* Include french debconf translations and remove some default fields from
being translated where it doesn't make sense.
Closes: #200119: freeswan: Please switch to gettext-based debconf templates
Closes: #200727: freeswan: Please switch to gettext-based debconf templates
+ french translation
Closes: #213479: freeswan: [INTL:fr] French debconf templates translation
* Suggest ipsec-tools (because setkey is needed when the native IPSec stack
is used).
* A bug with handling 4096 bit keys has been solved by upstream, after the
report has been forwarded to them. I have received a message from
Hugh Redelmeier that it has been fixed, but can not find the mentioned bug
report #254 in their GNATS bug database.
Closes: #208165: freeswan - buffer for TXT rrs too short
* Finally get rid of the duplicate HTML files in the doc directory (they are
not really duplicate, rather one set is created from the other by the
install script).
Closes: #119259: freeswan: duplication of html files
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 24 Nov 2003 18:01:02 +0100
freeswan (2.01-4) unstable; urgency=low
Warning: the kernel-patch-freeswan package will, in this version, not work
with vanilla kernel sources but only with the Debian kernel source. This will
hopefully be fixed in the next upload (based on freeswan 2.04); but for the
time being, please use 2.01-3 if you need freeswan kernel modules for vanilla
(non-Debian) kernels.
* Include Herbert Xu's patch for compatibility with Debian kernels and
the backported IPSec kernel support. This means that (a) the kernel-
patch-freeswan and freeswan-modules-source packages finally work
with Debian kernel sources and (b) that pluto should now be able to
use the kernel IPSec support backported from 2.6.
Yaacov Akiba Slama has already tested this with both the 2.4.22-3 Debian
kernel source and the 2.6.0-test8-mm1 kernel source and has reported it
to work out-of-the-box without any further issues, even with NAT Traversal.
Many thanks for testing this !
There is an additional catch: NAT Traversal will not work in the KLIPS
part when applied to Debian kernels. But since the native kernel IPSec
stack already has NAT Traversal support, you might not even need KLIPS
anymore (AES and other ciphers are in the kernel and now that NAT
Traversal is also in, it seems to be the better alternative).
Many thanks to Herbert for his patch !
Closes: #205556: kernel-patch-freeswan: Fails to apply to to
kernel-source-2.4.21 2.4.21-4
Closes: #204620: kernel-patch-freeswan: build fails in oldconfig on
2.4.22-rc1
Closes: #212021: kernel-patch-freeswan: fails to apply to
kernel-source-2.4.19-10
Closes: #200033: freeswan-modules-source: failure compiling against
2.4.21
Closes: #207946: kernel-patch-freeswan: Don't understand patch system
Closes: #215188: freeswan-modules-source: 2.01-3 module compilation fail:
ipsec_rcv.c:1540: union has no member named `af_udp'
Closes: #212122: freeswan-modules-source: Build with 2.4.22-sources
fails
(Please start reading other people's bug reports before submitting a new
one - most of the above reports show the same error messages.)
* Provide ike-server now so that the three IKE daemons which are now in
Debian conflict with each other.
* Mention in README.Debian that the module sources need to be unpacked.
Closes: #209407: freeswan-modules-source: Please add a little more
documentation
* Add more documentation to README.Debian now that kernel support no longer
has to be built and default Debian kernels can be used out-of-the-box.
* Only make /etc/ipsec.d/private chmod 700 instead of the whole /etc/ipsec.d.
This should now finally get all permissions right and is a small change
from the previous upload.
Closes: #210438: wrong permissions in /etc/ipsec.d/
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Tue, 21 Oct 2003 21:40:33 +0200
freeswan (2.01-3) unstable; urgency=high
Urgency is high because of the wrong permissions. Besides that, this is the
first 2.x package which has both freeswan-modules-source and
kernel-patch-freeswan working.
* Whoa, "beautifying" debian/rules in the last upload left dh_fixperms after
changing the permissions of /etc/ipsec.* and thus left /etc/ipsec.* with
wrong permissions ! /etc/ipsec.secrets was world-readable on a fresh
installation of freeswan 2.01-2, fixed now.
* Make NAT Traversal work again - it was a lot of patching work so I
sent my diff to Mathieu Lafon for integration in his next NAT
Traversal patch package.
* Added a "Source: " line to the freeswan-modules-source control file,
which should make the package build again on unstable boxes.
* freeswan-modules-source and kernel-patch-freeswan now depend on
coreutils | fileutils, so that backporting to woody is simpler
(in fact, it only needs to be recompiled on a woody box).
* "Fixed" the clean target of debian/rules so that dpkg-buildpackage is now
idempotent.
* freeswan-modules-source now uses the rootcmd properly (some code snippets
have been taken from alsa-driver, as suggested by the bug report).
Closes: #212669: freeswan-modules-source: build process doesn't use
rootcmd correctly
* Changed the AES patch so that it at least applies cleanly to a vanilla
2.4.22 kernel source tree. It won't work with the Debian kernels due to
the 2.5.x IPSec backport. Sorry folks, but I simply don't know what to do
about this. There are patches to make it work with the Debian package, but
applying them will break compatibility with vanilla kernels. For now, I
will stick to vanilla kernels and hopefully get support for the kernel
IPSec backport running soon.
* The freeswan-modules-source package now also compiles the crypto extension
modules correctly. However, NAT Traversal will not work with the
freeswan-modules-source package because it needs a patch to the kernel
UDP code.
* Get the automatic RSA key insertion into /etc/ipsec.secrets in postinst
working again.
* Create the X.509 certificate in /etc/ipsec.d/certs instead of /etc/ipsec.d.
The new X.509 patch expects it that way.
* Removed the debconf warning about this being an experimental package. I no
longer consider it as experimental since it has proven itself on my
machines.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 6 Oct 2003 14:57:23 +0200
freeswan (2.01-2) unstable; urgency=low
* This is a bundled release: with the normal patch-set for the Debian main
archive (X.509, crypto-ext, notify/delete, etc.) and without any
third-party patch for upstream freeswan 2.02. Yes, the upstream tarball will
from now on contain all stuff that is necessary to create the Debian
packages, even if it's without those patches.
The debian/rules file is now able to cope with missing patches and simply
doesn't apply them if they aren't there. This step is an important one and
will hopefully lead to much quicker updates of the Debian main archive if
new upstream versions are released.
* Added Herbert Xu's patch to freeswan so that the upstream kernel ipsec
support (which is in Debian 2.4.2x and in 2.6.x kernels) can be used with
pluto.
It needed to be changed a bit (applied and fixed manually) because it
slightly conflicted with other patches. I hope that I didn't mess up too
badly with this. If it breaks something, please simply disable the patch
in debian/pre-build-patches and recompile.
UPDATE: This patch is disabled because it currently doesn't work for me.
With 2.03 upstream, it will be included (hopefully) anyway.
* Use architecture All for the freeswan-modules-* packages. Thanks to
Peter Palfrader for the hint.
Closes: #202748: architecture should be all
* Freeswan now also depends on host because the verify script needs it.
Closes: #205424: freeswan: missing dependency
* Build-Depend on gawk for now, I hope to remove it soon.
Closes: #206174: freeswwan: missing build-depends on gawk
* Make the po-debconf part backport-friendly. Thanks to Marc Haber for the
patch !
Closes: #207135: freeswan: please consider using backport-friendly way of
using po-debconf
* Use the DEB_DEST variable in the freeswan-modules-* build process if it's
available.
Closes: #206405: freeswan-modules-source: cannot specify build destination
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Tue, 2 Sep 2003 13:01:21 +0200
freeswan (2.01-1) unstable; urgency=low
* New upstream version.
* Bump standards version to 3.6.0.
* Updated the X.509 patch.
* Updated the crypto-ext patches to 0.8.1-rc9, which means that my huge
all-crypto patch can go away and I don't need to maintain it manually.
This also enables single-DES (yes, I don't have to patch it with still
another patch).
I had to remove the RCSID parts of the patch to make it apply though.
* Ported the NAT Traversal patch so that it works in combination with
the AES (crypto-ext) patch. Now enabling NAT Traversal again for
this package.
Update: Puh, I had to disable it again because it simply can't be applied
so that the module build will work properly. If anybody has some time to
figure out what needs to be changed, then please try it.... I will try to
make it work, but will probably not find time for it in the next 2 weeks.
* Ok, ok. Reintroduced the kernel-patch-freeswan package, which now again
allows to build IPSec support in the kernel non-modular. The main reason
for putting this back in is that I am currently not sure if NAT Traversal
will work when using the freeswan-modules-source approach (Angus Lees
suggested that - thanks for the hint). After a quick look, I don't see
any patching of the UDP handling with the kernel patch, but I still need
to test this. If anybody is using it successfully with the modules
package, I would appreciate a short note.
The kernel-patch-freeswan-ext package is now gone for good. Instead, the
kernel-patch-freeswan package includes all the patches that the Debian
package features (e.g. AES / crypto-ext, NAT Traversal, Notify-Delete).
Although it was nice to have an unmodified kernel patch containing only
sources by freeswan upstream, it caused a lot of headache, like the
building of the Debian package and problems between kernel and user space
(pluto with NAT Traversal, kernel without - refer to bug #XXXXXX for
details). Please don't ask for an unpatched kernel-patch-freeswan package
unless you are willing to send me a nice patch _and_ assist with it for
future package versions.
* Generate the HTML docs, which are removed by cleaning the upstream source.
This means that the source package now Build-Depends on htmldoc and
man2html.
* freeswan-modules-source now depends on debhelper, which is really needed
for using it.
* Don't abort in the config script if the user selects not to upgrade, do
the whole thing in the preinst, where it belongs. Sorry for the mistake
and thanks to Matt Zimmerman for leading me to the right path :)
Now freeswan has to Pre-Depend on debconf.
Closes: #199971: Installation abort does not work
* Only replace /usr/local with /usr in regular files during building the
package. This prevents modifying files that are pointed to by symlinks in
the build tree, but are outside the build tree themselves.
Closes: #200237: freeswan: source package build modifies installed files
* Add another patch to rename the log(...) function to plog(...) because
gcc 3.3 now has log(double) built-in and thus conflicts. This allows to
use gcc 3.3 as the default compiler now.
Closes: #199925: freeswan_2.00-1(unstable/ia64): FTBFS: bad gcc version
* This new upstream version should work with (at least vanilla) kernel
2.4.21.
Closes: #199211: kernel-patch-freeswan: Freeswan patch fails to build
with kernel 2.4.21
* Depend on coreutils instead of fileutils.
Closes: #189676: kernel-patch-freeswan: Wrong dependency to fileutils
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 9 Jul 2003 07:06:40 +0200
freeswan (2.00-1) unstable; urgency=low
Warning: This is currently an experimental package. Please test it in your
environment before using it on a production system.
* New upstream version.
* Completely redesigned the kernel integration - the kernel-patch-freeswan*
packages are now gone for good, we can finally build a module without
patching the kernel (although the kernel sources are of course needed).
It is one (probably conflicting) kernel patch less.
This also means that compiling freeswan support into the kernel is no
longer supported by this package, only the ipsec module can be built. If
you really, _really_ don't like or can't use modules, you will have to use
the source package and do it from there. If there is a compelling reason
why patching the kernel is necessary (and if somebody offers some help
with this), I might re-introduce a completely new kernel-patch-freeswan
package as an alternative to the module package.
Closes: #197252: freeswan: new upstream major release available
Closes: #197864: kernel-patch-freeswan:
Does not compile with openssl 0.9.7b-2
* Updated the X.509 patch.
* Updated the crypto extension patch to a slightly newer version and made it
apply to the 2.00 upstream sources. Mostly minor things needed to be
changed to make it apply cleanly, but I did not care to create a split
patch again. The crypto extension patch is at the moment one large patch
file containing everything that is needed.
* Use dh_installexamples, since it's there and I did manually what it is
meant to do.
* Depend on gawk again as the scripts seem to really need it now, mawk did
not work for me.
* Use po-debconf for translations - thanks to Andre Luis Lopes for the
patch !
Closes: #187672: freeswan: [wishlist] Update packaging to use the newer
gettext-based debconf template translation system
* NAT Translation has now finally been ported to freeswan 2.0, but the patch
heavily conflicts with AES, so I will need to fix it manually (sigh...).
It is nonetheless enabled in the default module configuration kept in
config-all.h so that it will automatically get compiled in once the patch
is ready.
* I will leave the kernel-patch-freeswan* bugs open for now until the new
package has been tested thoroughly and can be used for all purposes.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 4 Jun 2003 18:50:11 +0200
freeswan (1.99-7) unstable; urgency=low
* Added the L2TP HOWTO by Martin Koeppe - many thanks for providing
it.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 24 Apr 2003 19:41:23 +0200
freeswan (1.99-6) unstable; urgency=low
* Updated the X.509 patch to solve a problem with parsing ipsec.conf
From the upstream changelog:
"A little bug in connections.c:default_end() caused that connections
without a rightid parameter (defaulting to right) could not be initiated
("cannot initiate connection without knowing peer IP address")"
Closes: #186378: freeswan: My freeswan config stopped working
* This has been closed by the last logcheck rules cleanup.
Closes: #186096: freeswan has incorrect logcheck rules
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 9 Apr 2003 19:45:25 +0200
freeswan (1.99-5) unstable; urgency=HIGH
* Fixed the pluto compilation problem. I simply don't know how this
happened, because the package compiled and installed correctly on my
development machine before uploading (I am using it in production). It
seems to be a problem with the newest X.509 patch in conjunction with
the (older) NAT traversal patch.
However, please excuse any difficulties that this upload caused, it
shouldn't have happened.
Many thanks to all the bug reporters for the quick hints and especially
to Giacomo Mulas for sending me a description how he solved the problem.
Closes: #185847: ipsec broken
Closes: #185433: freeswan: missing pluto binary, compilation error?
Closes: #185568: freeswan: Whack missing from ipsec command
* Fixed the logcheck ignore patterns and added a violations ignore file.
Closes: #138436: Logcheck reports unwanted KLIPS debug message
* Be a nice Debian package and use the fine invoke-rc.d command in the
postinst.
Closes: #185385: freeswan: postinst starts ipsec with no respect for
runlevels
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 24 Mar 2003 09:07:56 +0100
freeswan (1.99-4) unstable; urgency=low
This release only changes user-space tools, so there is no need to
recompile your kernel if you have used kernel-patch-freeswan* 1.99-3.
* Updated X.509 patch.
Closes: #183144: freeswan: pluto complains --id: unkown OID in
ID_DER_ASN1_DN (ignored)
* Now simply remove everything under /usr/local in the build tree before
making the package - the upstream Makefiles somehow manage to drop stuff
in there.
Closes: #171204: freeswan: libdes installed in /usr/local again
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 12 Mar 2003 22:33:14 +0100
freeswan (1.99-3) unstable; urgency=low
This is the "maintainer isn't dead and is sometimes even reading bug
reports" release. Besides introducing a few new, hopefully helpful patches,
it fixes quite some bug reports (and yes, even some of the long-standing
ones).
* Updated the X.509 patch, which should now include a pretty stable version
of the protocol and port selector.
* Updated the NAT traversal patch and made it apply (i.e. resolve conflicts
with the updated X.509 patch).
* Added the single-DES patch to allow selection of single-DES as "cipher".
[ducks Please don't kill me for that. I know that it's inherently
insecure and thus I don't give any hint in any README file that this
is available. But some may need it for interoperability with broken
IPSec routers.]
However, this patch is currently not applied, only contained in the source
package. It does not apply cleanly with the other patches and I have to
figure out if it works if I manually apply it (I also do this for other
patches, but the other ones seem to have no problems other than
syntactical ones). If anybody wants to play with it, just download the
source, rename the .disabled file in debian/pre-build-patches/ to .diff
and recompile.
* Added the %any %any shared secrets patch. If anybody needs road warrior
support with shared secrets, this will enable it (and should do no harm
otherwise).
Please note that the last patch only affects pluto, not the kernel code.
Thus it should not be able to break your system in any way, just make
pluto a bit more flexible.
This patch is also currently not applied, for the same reason as the
single-DES patch isn't.
* Removed that bogus comment at the end of ipsec.secrets when
inserting a private key reference.
* Moved the example configurations from ext-patches to crypto-ext-patches.
* Finally deal with the start order with NFS: let the user choose if
/usr is mounted via NFS or not (and start as early as possible by
default, i.e. directly after the network has been set up).
While on the way, also let the user choose if it should start after
PCMCIA.
Closes: #134650: freeswan: starts too late on NIS/NFS clients
Closes: #143362: Freeswan init script should start after pcmcia
Closes: #151064: freeswan: FreeSWan starts too early when using local DNS
lookups
* Change the logcheck ignore patterns to match current syslog messages.
Closes: #168673: Change templates for logcheck
* Insert the contents of the plain RSA key instead of the temporary
filename into ipsec.secrets .....
Closes: #167730: freeswan: Do not generate ipsec.secret
Closes: #167508: freeswan: plain keypairs do not go into /etc/ipsec.secrets
correctly
* Also check for the existence of the automatically generated X.509
certificate and key files before overwriting them.
Closes: #171491: freeswan: x509 certificate recreated upon upgrade
* Use empty strings for empty fields in the debconf questions instead of
dots.
Closes: #143311: freeswan: empty x509 settings should not require dots
* Changed the example for the X.509 state field (ST) in the debconf template.
Closes: #148364: freeswan: bogus ST in X.509 DN example
* I didn't hear anything back from the bug reporter and don't have any
access to a Sparc machine. Thus, I am now closing this bug, which should
have gone away with the new upstream version.
Closes: #173682: kernel-patch-freeswan: freeswan compilation and
ioctl() error on sparc64
* Ok, I finally removed gawk completely (i.e. --purge) from my system
and tried freeswan. As I could not notice any problems and Angus Lees
also reported that it worked successfully, I am now closing this bug.
I know that the upstream docs say that gawk is needed, but I can't see
a reason for this at the moment. If the bug persists, then please send
me the full error messages (bug reporter did not respond to Angus Lees's
request to post the error message to the BTS).
Closes: #179756: Freeswan: Gawk (again) is missing from dependencies
* Finally acknowledging these bugs that have been fixed in previous NMUs.
Closes: #133752: kernel-patch-freeswan: unpatch/freeswan remove empty
files
Closes: #139024: freeswan: wrong logcheck rule filters ALL "unusual"
syslog messages
Closes: #141059: kernel-patch-freeswan: link error with freeswan 1.64
and 2.4.18 kernel
Closes: #127236: freeswan: FTBFS with gcc 3.0 (hppe/unstable)
Closes: #135068: [Bugs] FreeS/WAN on hppa
Closes: #139857: Undeclared dependency on gawk
Closes: #115737: freeswan: bashism in /usr/lib/ipsec/_plutorun
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Sun, 16 Feb 2003 21:17:08 +0100
2002
freeswan (1.99-2) unstable; urgency=low
This is a major update to debian package in regards to the build process.
I know that it does now take even _longer_ to build, but this is necessary
to have it clean (in regards to debian/rules standards) and to build the
kernel-patch-freeswan package (without the crypto extensions patches).
Currently, I am thinking of dropping the upstream freeswan source in favor
of the Superfreeswan source from www.freeswan.ca. It is actively maintained
and enhances the freeswan source by all the patches that I am currently
using and a few more small fixes. However, that would mean dropping the
kernel-patch-freeswan-ext package and only having a patched
kernel-patch-freeswan one (no more unpatched freeswan kernel modules).
* Added the NAT traversal patch, which should allow freeswan to be used
behind NAT gateways.
* Copy the workstation logcheck.ignore file instead of linking it to
the server file.
Closes: #162811: Logcheck will ignore it.
Should also close the following, please tell me if it's not (I can't
reproduce it and need more details if this doesn't help).
Closes: #141182: freeswan: upgrade errors
* Restructure (read: clean up) the build process. Thanks to Joey for
pointing it out.
* Please try the current version of freeswan and reopen the bugs if the
errors are still there (too much has changed since 1.94 and 1.95).
Closes: #163393: freeswan: version outdated
Closes: #131341: freeswan: doesn't compile
Closes: #137286: freeswan kernel link error
Closes: #140892: kernel-patch-freeswan: won't apply to 2.4.18
Closes: #167733: kernel-patch-freeswan: Do not patch with kernel-source-2.4.18
The same for this bug: some build errors were already fixed by current
crypto-ext patches.
Closes: #152723: kernel-patch-freeswan: Extension modules are not built if CONFIG_IPSEC=y
* Finally build-depend on libssl-dev.....
Closes: #165854: freeswan: /usr/lib/ipsec/pluto missing (missing build-dep on libssl-dev)
Closes: #137835: kernel-patch-freeswan: Missing a "Depends: libssl-dev"
* Move the other third party patches (besides X.509) into their own
directory (named "crypto-ext-patches").
Closes: #143894: freeswan: please put third party patches in their own directory
* I can not reproduce this: the only symlinks in my (normally patched)
kernel tree point to targets inside the kernel tree itself, which do not
have to be owned by root.
Closes: #171157: kernel-patch-freeswan-ext: It symlinks to root-owned files that need to be touch'd during compile
* Some small debian/rules fixes. Thanks to Rene Camu for the patch !
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 23 Dec 2002 20:40:56 +0100
freeswan (1.99-1) unstable; urgency=HIGH
* New upstream release, fixes a DoS attack
(http://www.kb.cert.org/vuls/id/459371)
Closes: #168274: freeswan: DoSable due to inadequate authentication
data validation
* Updated X.509 patch.
* Updated extension patches.
* Since recently, the private key data does not need to go into
ipsec.secrets anymore. Only the file name is inserted to reference to the
private key file. Therefore this is not a bug, but a feature :)
Closes: #167508: freeswan: plain keypairs do not go into
/etc/ipsec.secrets correctly
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Sun, 10 Nov 2002 20:40:01 +0100
freeswan (1.98b-4) unstable; urgency=low
* Change section to be 'net' instead of 'main' - stupid me....
* Do not distribute the LICENSE file, but copy its contents into
debian/copyright with some added comment on where this file came from.
* Remove the .cvsignore files from the upstream package.
* A few small tweaks to eliminate many lintian warnings.
* Fixed the upstream Makefile, which installed libdes into /usr/local.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Tue, 8 Oct 2002 12:43:17 +0200
freeswan (1.98b-3) unstable; urgency=high
* Security fix: overwrite zlib/infblock.c with the new upstream version,
which has a more complete security fix than 1.96-1.
It seems that cvs-upgrade from cvs-buildpackage has not upgraded this
file when I imported the new upstream source (most probably due to my
stupidity). I have to investigate in this problem, so that it won't
occur again (any hints are more than welcome).
Many thanks to Christian Jaeger for pointing this out.
* Save original ipsec.secrets file before changing it in postinst - so
that it can be restored to its distributed state as the postinst
message says.
* Remove the patch debian/pre-build-patches/patch-ssh-sentinel-IKE.diff
which is now included in the extension patches (and caused the build to
silently fail - sorry about that).
* Added the LICENSE file to the upstream source tree. This file will be
included in the next stable upstream release (2.00) and has already been
authorized by upstream (see the archives of the "distro" mailing list at
lists.freeswan.org). In the file, the upstream authors give an addition to
the GPL license that explicitly allows linking to the libdes library by
Eric Young (which has an advertising clause in its license terms).
This should now finally fix the license issues that prevented any
freeswan version since 1.96-2 from entering the Debian archive.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 16 Sep 2002 22:22:06 +0200
freeswan (1.98b-2) unstable; urgency=low
* Removed dependency on libssl to finally get the package into
unstable again. As it turned out, freeswan does not necessarily need
libssl to compile, because the libdes library is contained in the
freeswan source code. According to the CREDITS file in the upstream
source, Eric Young (the author of libdes) gave explicit permission to
include it in the source code. Therefore, license conflicts should no
longer be a problem.
The freeswan package depends on openssl only because the postinst
script needs its binaries for the automatic creation of X.509
certificates (for authentication); the openssl library is not linked
into the freeswan binaries.
However, future versions of the Debian package of freeswan might again
use openssl (respectively libssl) instead of the included libdes for
two reasons:
1. Security bugs might get fixed quicker in the openssl package than in
the freeswan package (nothing said about upstream....).
2. Dynamic linking and shared libraries are generally a good thing (TM).
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Mon, 19 Aug 2002 15:45:21 +0200
freeswan (1.98b-1) unstable; urgency=low
* Corrected debian/rules so that the new ext patches work again.
I don't know why my upload of 1.96-2 did not get into unstable, I uploaded
twice. Maybe I did something wrong with the main -> non-US transition. This
was the changelog text:
* Moved from non-US to main.
* Now the source package generates two different kernel-patch-freeswan
packages: One with and one without the ext patches (which add AES
among other ciphers). This made some restructuring of debian/rules
necessary, but there are no changes that should affect the generated
packages in any way (not getting in the way of the freeze).
Thanks to Kyle McMartin for doing a lot of fore-work.
This somehow deals with the following bug (please use the non-ext
kernel-patch package if there are problems with the ext package). This is
also good for the freeze since kernel-patch-freeswan is now again back
to upstream state and therefore stable.
BTW: This bug can easily be avoided by either enabling the aes or the
aes-opt module (and not both).
Closes: #137282: freeswan kernel patch doesn't compile with AES configured
The restructuring should also deal with this one:
Closes: #141024: build problem
* Fixed mkx509cert.sh. I am keeping this script just for one reason
(and not integrating it directly into the postinst): it will get used by
some other scripts that are about to come. Therefore I did not want to
have this code directly in the postinst script.
Closes: #136803: mkx509cert is fubar
Closes: #140059: Certificates not generated properly by install
* Completed the transition to the new capabilities of the X509 patch: now
the X509 key file (when created in PEM format or taken from an existing
key) is copied to /etc/ipsec.d/private/<hostname>Key.pem and this
filename is put into /etc/ipsec.secrets. Therefore this file does not
need to be touched anymore manually when using X509 certificates.
Also fixed a small bug - thanks to Robert Bihlmeyer for discovering and
sending a patch.
Closes: #143310: generating a non-self-signed keypair (cert req) is broken
Since fswcert is now no longer needed (there is no need to extract the RSA
key from the PEM file anymore, pluto can now deal with this directly), it
is not included in the upstream X509 patch. The references in README.x509
also say that this tool is optional and that it can be downloaded from the
given webpage.
Closes: #141293: fswcert not present
* Changed the default keylength for created RSA keys. Now it is 2048 bit,
conforming with the recommendation by upstream.
Closes: #136799: RSA keys should default to 2048 bits
* Really distribute the example configurations for the ext patches.
Closes: #142747: README.Debian mentions non existant documentation
Angus Lees offered to be a co-maintainer of freeswan and I am happy about
that - expect bugs to be fixed quicker when two maintainers are working on
freeswan. Therefore put him into the uploaders field. He already sent me a
packaged version of 1.98b, which I have (hopefully) integrated into this
upload. His changelog entries were:
* New upstream version (closes: #148742).
* Updated the X.509 patch.
* Updated the crypto extensions patch.
* Add notify_delete patch from Mathieu Lafon (closes: #140992)
(required a trivial change to work with crypto extensions patch).
* Replace `pwd` with $(CURDIR) and remove "sh -c" braindeadness from
debian/rules.
* After perusing all the awk scripts, I declare that we are no longer
dependent on gawk. Dependencies and (broken) debian/rules munging
removed. Bug reports welcome :) (closes: #141024)
* Make install-kernel-patch-freeswan debian/rules target depend on
"build", so it triggers patching. Really should be moved into a
separate "patch" target or something.
* Set KLIPSLINK=cp rather than try and munge Makefile directly.
-- Rene Mayrhofer <rmayr@debian.org> Fri, 02 Jul 2002 12:25:36 +0200
freeswan (1.96-1.2) unstable; urgency=high
Urgency high because of RC bug
* fix linkage problem of pfkey_register_reply if IPSEC_DEBUG is off
(closes: #141059)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 6 Apr 2002 15:26:23 +0200
freeswan (1.96-1.1) unstable; urgency=high
Urgency high because of RC bugs.
* add gawk to dependencies for kernel-patch-freeswan to fix the silent
failure of the patch (closes: #139857)
* fix the logcheck rules files to prevent the removing of all unusual
messages of all programs (closes: #139024)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 30 Mar 2002 11:18:26 +0100
freeswan (1.96-1) unstable; urgency=HIGH
Urgency critical because of the zlib bug.
* New upstream version.
* Fixed the zlib bug by manually applying the patch from the bug report.
Closes: #138210: zlib security bug also present in freeswan 1.95-2
* Updated the X.509 patch.
* Updated the crypto extensions patch.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 14 Mar 2002 17:48:23 +0100
freeswan (1.95-3) unstable; urgency=HIGH
Another small RC bug, please get this back into woody.
* Added libssl-dev to kernel-patch-freeswan depends.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 13 Mar 2002 17:05:41 +0100
freeswan (1.95-2) unstable; urgency=HIGH
Urgency HIGH to get it back into woody...
* Applied patches that were done in the NMU. Thanks for it, now I
should have more time again.
Closes: #135598 freeswan: patch for 1.95-1.1 NMU
Closes: #134407 freeswan: package build bug: xargs
Fixed handling of restarting: removed message in prerm script (not needed
anymore), fixed postinst (the init.d script is named ipsec, not freeswan).
Fixed the config script: The new question introduced by the NMU was
never asked....
Now freeswan is restarted when asked to do so (via debconf).
Closes: #128205 freeswan: freeswan does not restart on upgrade
* Really changed from awk to gawk now (in all the occurrences).
Closes: #119257 freeswan: gawk dependency mishandled
* Applied patch from bugreport to make manually patching the kernel (without
make-kpkg) easier.
Closes: #134427 freeswan: fixes to make apply/freeswan easier to use
* Moved the created X.509 key file to /etc/ipsec.d/private.
Closes: #134654 freeswan: better key path in postinst
* Changed the build system back to its original state: The only thing
that gets changed by Debian .diff is the debian/ subdir. All the other
files are patched in the build / install process. This makes it a lot
easier on upstream upgrades because I only have to copy the debian/ dir
to the new upstream and it should work. I am using cvs-buildpackage, but
even with CVS merge it is easier this way.
I hope to have all the patches in there, but if I missed something, please
file a bug report.
* Added extended patches from http://www.irrigacion.gov.ar/juanjo/ipsec/
so this package now comes with support for new ciphers (including AES).
* I can not reproduce this bug, compiling kernel-source-2.4.17 with
support from kernel-patch-freeswan works for me.
Closes: #135627 kernel-patch-freeswan: patch breaks kernel-source from
kernel-source-2.4.17_2.4.17-1.deb
-- Rene Mayrhofer <rmayr@debian.org> Wed, 27 Feb 2002 22:29:26 +0100
freeswan (1.95-1.1) unstable; urgency=high
setting to high because of the rc fixes...
* utils/_plutorun now runs /bin/bash (fix on my system which uses ash as
the default sh (closes: #115737)
* applied fix to the compile bug on pluto/constants.h (closes: #127236)
* applied fix for the removing empty files bug (closes: #133752)
* duh, the kernel is too new and freeswan too old (closes: #135406)
* fix the rm + xargs bug (closes: #134407)
* ask if we want to restart freeswan in the postinst (closes: #128205)
i think this is all that i fixed.
-- Kyle McMartin <kyle@debian.org> Sat, 23 Feb 2002 03:23:18 -0500
freeswan (1.95-1) unstable; urgency=HIGH
This release has urgency HIGH because it makes the package usable again.
(The last upstream release is unusable.)
* New upstream release.
This release should make freeswan usable again, but the major changes
seem to have happened in the x509 patches (which I include in the
newest version in this package). The patched pluto is now able to read
its RSA private key directly from a x509 file in PEM or DER format
(please look at /usr/share/doc/freeswan/ipsec.secrets.template.x509 for
details) instead of having to extract the key and store it in
ipsec.secrets. Of course, this makes my previously introduced
extractrsakey.sh script useless, sigh.... Although I have invested some
time in the previous solution, this one is definitely cleaner.
Entering the private key file in ipsec.secrets automatically will be done
by a future package, this one only creates new x509 certificates as
before, but does not change ipsec.secrets (I have to release quickly).
Closes: #129392, 120252
I hope this also fixes the problem with the validity date of x509
certificates. Since I was unable to reproduce the problem, I am closing
the bug report. Please reopen it if it still does not work for you (but
then I need more details for reproducing).
Closes: #128117
* The kernel-patch-freeswan should work with current kernels, at least on
my system it does. If it does not compile for you, please send me
a detailed report with the kernel version and the kernel configuration
you are using.
Closes: #128000, #122115, #122116
* Made the postinst script a bit more robust against failures when starting
freeswan (the kernel module might not be available yet).
Closes: #128471
* As far as I see it, the makefiles for patching the kernel have to be
called from within the kernel patch directory. The KERNELSRC variable
is responsible for changing files in the right directory (and that one
gets set to the current working directory, which should be the kernel
source dir when calling the apply script). Therefore I think the
PATCHDIR variable is set correctly. If it does not work in some cases,
then please send me a report where it does not work this way.
For now, closing the bug report since it seems to work on all of my
systems.
Closes: #119637
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Mon, 11 Feb 2002 00:23:18 +0100
2001
freeswan (1.94-2) unstable; urgency=low
* Corrected config script (a few return codes from debconf were not
ignored, thus killing the config script when debconf returned an
error).
Closes: #126688
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Fri, 28 Dec 2001 15:13:35 +0100
freeswan (1.94-1) unstable; urgency=low
* New upstream release.
* Updated the x509 patch.
Now there is one patch instead of 3, corrected the debian/rules
accordingly.
* Now also install the CHANGES files from the x509 patch into
/usr/share/doc/freeswan
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Tue, 25 Dec 2001 20:40:03 +0100
freeswan (1.93-1) unstable; urgency=low
* New upstream release.
Now also copy Makefile.inc and Makefile.ver into the kernel-patch-freeswan
package (new in upstream).
* Updated the x509 patch.
* Now also create the file /etc/x509cert.der from the X509 certificate, so
that FreeS/WAN can now find its own certificate.
(And remove it during purge.)
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Thu, 6 Dec 2001 10:51:41 +0100
freeswan (1.92-1) unstable; urgency=low
This is a major release with new features (talking about the Debian
packaging now), because this is the first version that supports that auto-
creation of RSA keys.
* New upstream release, now compiles with 2.4.14.
Closes: #119638
* Updated the x509 patch.
* Now create the directories /etc/ipsec.d/cacerts and /etc/ipsec.d/crls for
using the PKI features of the x509 patch.
* Do not stop FreeS/Wan during upgrade, because people might lose their
network connection (and their session) due to this.
Only start freeswan on new installations, not on updates.
Closes: #115412
* Only ask to create the device nodes if devfs is not used.
* During the check for the existence of an ipsec kernel module in the
startup script, also try the location where the module is on older
kernels.
Thanks for the patch to Christoph Martin. Please test if it works, I do
not have a system with kernel 2.2 anymore.
Closes: #121190
-- Rene Mayrhofer <rmayr@debian.org> Thu, 15 Nov 2001 02:21:14 +0100
freeswan (1.91-4) unstable; urgency=low
* Added a version depends on fileutils (for kernel-patch-freeswan), because
the call of 'cp' uses options only available in newer versions.
Closes: #109294
* kernel-patch-freeswan now again works with newer vanilla kernels
(>= 2.4.11), because the 'min' macro has been changed. It does not build
on a vanilla 2.4.9 kernel, but it works with newer ones.
But please users, use the newest upstream version when compiling with
newer kernels (1.9 does not work).
Closes: #110903, #115214, #116124
* kernel-patch-freeswan is useable by non-root users since 1.91-2.
Closes: #112489
Fixed by Kyle McMartin, thank you very much for the patch.
* Modified constants.h to hopefully fix the build error on hppa
Closes: #111603
* Made MAKEDEV call a debconf option (also starts freeswan if selected)
Closes: #113135
* Fixed manpage paths to point to correct locations
Closes: Bug#86740
* Edited init script to check to see if /proc/sys/net/ipsec exists, and if
it does we know that IPSec has been compiled into the kernel, this should
more gracefully handle installation.
(Modified a bit by me so that it also checks if the kernel module exists
alternatively to the file in proc. Because the kernel module is
automatically loaded by the script if it is there, we don't need to stop
if the file in proc does not exist, but the kernel module does.)
Closes: Bug#96613
* Fixed problems building on potato in the rules, libgmp2-dev is defunct.
Closes: #113552, #113555
-- Rene Mayrhofer <rmayr@debian.org> Fri, 1 Nov 2001 18:14:01 +0100
freeswan (1.91-3) unstable; urgency=medium
* The backup file /etc/init.d/ipsec~ (which is created by patching the
file during package creation) has been removed in 1.91-2.
Closes: #109782
* Removed the explicit listing of conffiles from debian/freeswan.conffiles
because debhelper already does that.
Closes: #109781
* Cleaned up the apply and unpatch scripts a bit. Now it is also possible to
have the patches in a directory other than /usr/src/kernel-patches/
* Escaped the special characters in the logcheck ignore files.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 25 Aug 2001 11:57:12 +0200
freeswan (1.91-2) unstable; urgency=medium
* BTW: This upstream version is capable of opportunistic encryption, you
might want to play with it (look at
/usr/share/doc/freeswan/doc/opportunism.howto for details).
* Now hopefully really fixing the problem that kernel-patch-freeswan
was not useable by non-root users. I don't know why the Makefile of
the kernel patch was not patched in the last package, it is now.
Closes: #97438, #107331
* Including logcheck ignore files now. Thanks to Martin Waitz for providing
a ready-to-use logcheck ignore file (used for server level, adapted it for
paranoid level, workstation is a link to server now).
Closes: #107924
* Removed a lot of lintian errors. Thanks to Tollef Fog Heen for fiddling
with the lines that were already (commented out) in the rules file - I
just never got around doing it....
-- Rene Mayrhofer <rmayr@debian.org> Sat, 11 Aug 2001 19:51:13 +0200
freeswan (1.91-1) unstable; urgency=medium
* New upstream version.
Closes: #103979, #103698, #106776
* Updated the x509 patches - now trust paths are supported.
* Closing bug reports that were closed by 1.9-2 (not uploaded, just an
internal testing release)
Closes: #97438, #97959, #84310, #97825
* Made the build-dependency on libssl-dev versioned.
Closes: #100130
* Manually applying the kernel patch should work now. Please tell me if it
doesn't work for you.
Closes: #100131
-- Rene Mayrhofer <rmayr@debian.org> Sun, 22 July 2001 12:51:27 +0200
freeswan (1.9-2) unstable; urgency=low
* Make the kernel patch useable by non-root users by copying the needed
files to the kernel directory instead of symlinking them. This requires
changing the freeswan Makefile which does not make me quite happy, but I
do not see another good and clean solution at the moment.
Closes: #97438
* The same goes for this bug. Now the out.kpatch file should not be created
anymore under /usr/src/kernel-patches/freeswan, but I have to change the
Makefile to do this.
Closes: #97959
* This has been fixed by the new upstream, which supports 2.4.x now.
Closes: #84310
* Changed boot order to 15, because freeswan might be needed by some other
services.
Can we please have the new init scheme with need(), because then we
would not have to care about some boot number....
Closes: #97825
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Thu, 31 May 2001 18:13:27 +0200
freeswan (1.9-1) unstable; urgency=low
* I know that this release generates a lot of lintian errors in the
kernel-patch-freeswan package, but I do not have time to fix them now
and will not be able to do so for the next week. Because those errors are
uncritical (just too many files shipped which are not needed), I am
uploading now because this package fixes a lot of bug reports and enables
2.4.x kernel users to use it.
Please don't file a bug report about these errors, they will get fixed
anyway.
* New upstream release, now the kernel patch works with 2.4.x kernels too.
* Rewrote most of the code for creating the kernel-patch-freeswan package.
Now the package is a bit bigger, but it should work for newer versions of
freeswan with less problems.
Closes: #86741
* Also upgraded the x509 support for the new upstream release.
* Added a note on how to compile a kernel without the help of kernel-package.
Closes: #93206
* Added a dependency on bsdmainutils
Closes: #88073
* Changed the build-dependency from libssl096-dev to libssl-dev
* Added a doc-base entry for freeswan (thanks to Wichert Akkerman for this).
Closes: #86738
* Shut the postinst script up.
Closes: #86742
* Added a patch to remove the 'depmod -a' call from the /etc/init.d/ipsec
script. There is no need for it because 'depmod -a' is called on reboot on
Debian systems, so this makes starting ipsec a bit quicker.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Tue, 10 Apr 2001 17:24:04 +0200
freeswan (1.8-6) unstable; urgency=low
* The version number is now -6 because of some troubles with the initial
upload into the pool (-5 might work, this is just to be sure).
* Downgraded the Recommends: kernel-patch-freeswan to a Suggests
(for firewalls etc, which do not have development packages installed).
* Added a note about the use of the "--config=" option to make-kpkg for
compiling the patched kernel.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 14 Feb 2001 11:41:24 +0100
freeswan (1.8-4) unstable; urgency=low
* The version number has to go up because of cvs-buildpackage (I can't
remove the tag from a removed file).
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Mon, 15 Jan 2001 13:49:25 +0100
2000
freeswan (1.8-3) unstable; urgency=low
* Fixed a bug in the creation of the kernel-patch-freeswan package: 'cp -r'
did not follow the symbolic links (anymore ?) while creating
/usr/src/kernel-patches/all/freeswan/klips, and therefore there were
symbolic links in the package that pointed nowhere. Now it should work
again.
* Updated build-dependency from libssl095a-dev to libssl096-dev.
* Minor fixes for lintian reported problems.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 20 Dec 2000 23:11:42 +0100
freeswan (1.8-2) unstable; urgency=low
* Added Oscar Delgado Mohatar's guide for interoperability between freeswan,
Windows 2000 and PGPNet.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 13 Dec 2000 11:33:18 +0100
freeswan (1.8-1) unstable; urgency=low
* New upstream release.
* The remove-gmp-dependency patch is no longer necessary, since the upstream
uses the GMP library installed on the system now.
* The kernel unpatching should now work better, since the upstream source now
includes an "unpatch" target (update: not used by now because I could not get
it to work).
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Tue, 5 Dec 2000 15:15:25 +0100
freeswan (1.7-4) unstable; urgency=low
* Made sure that no RSA key will be distributed with the package. It should
be created on demand and not during package creation.....
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Mon, 27 Nov 2000 13:13:24 +0100
freeswan (1.7-3) unstable; urgency=low
* Updated the x509 patch to version 0.7.1.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 22 Nov 2000 10:53:07 +0100
freeswan (1.7-2) unstable; urgency=low
* Introduced x509 patch. Please refer to the file README.x509 for details.
The _confread patch has also been applied so that the options 'leftcert'
and 'rightcert' can be used in ipsec.conf.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 8 Nov 2000 14:18:32 +0100
freeswan (1.7-1) unstable; urgency=low
* New upstream release
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Tue, 7 Nov 2000 19:07:59 +0100
freeswan (1.6-1) unstable; urgency=low
* New upstream release
* Removed the patch for the glibc update in woody. It seems that this is
not needed anymore with upstream version 1.6.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Mon, 30 Oct 2000 09:47:42 +0100
freeswan (1.5-4) unstable; urgency=low
* Fixed a dumb mistake in the kernel unpatching script. Hopefully it works
now (at last).
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Wed, 18 Oct 2000 12:24:56 +0200
freeswan (1.5-3) unstable; urgency=low
* Patched to use the new glibc, it did not even compile without patching.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Fri, 13 Oct 2000 14:11:51 +0200
freeswan (1.5-2) unstable; urgency=low
* Unpatching the kernel automatically should now work
* Now the freeswan code uses the libgmp2 from Debian, not the gmp code
that comes with the upstream package. This patch was written by
Aaron Johnson and modified by me.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Thu, 5 Oct 2000 11:58:49 +0200
freeswan (1.5-1) unstable; urgency=low
* Initial Release.
-- Rene Mayrhofer <rene.mayrhofer@vianova.at> Thu, 10 Aug 2000 10:50:33 +0200