2009
openswan (1:2.6.23+dfsg-1) unstable; urgency=low
* New upstream release.
Closes: #551565: openswan: new version 2.6.23 is available -
resolves problem with SA refcount
-- Rene Mayrhofer <rmayr@debian.org> Mon, 19 Oct 2009 12:12:46 +0200
openswan (1:2.6.22+dfsg-1) unstable; urgency=HIGH
Urgency high because of security release.
* New upstream release. Closes a security bug in the ASN.1 parser (no
CVE number at this time).
Closes: #528747: [FTBFS] cannot build with kernel 2.6.29-2-686
* The linux-patch-openswan package is no longer built, as this new
upstream release no longer requires a kernel patch for proper NAT-T
support with KLIPS (thanks to Harald Jenny).
-- Rene Mayrhofer <rmayr@debian.org> Tue, 23 Jun 2009 09:34:17 +0200
openswan (1:2.6.21+dfsg-2) unstable; urgency=low
* The new upstream release should also compile with newer Debian
kernels.
Closes: #522112: openswan-modules-source: Fails to build with kernel
2.6.26
* Removed ununsed scripts in linux-patch-openswan that have security
issues.
Closes: #496376: The possibility of attack with the help of symlinks
in some Debian packages
-- Rene Mayrhofer <rmayr@debian.org> Tue, 21 Apr 2009 10:02:14 +0200
openswan (1:2.6.21+dfsg-1) unstable; urgency=low
* New upstream release
Closes: #521949: CVE-2009-0790: DoS
-- Rene Mayrhofer <rmayr@debian.org> Thu, 09 Apr 2009 17:05:39 +0200
openswan (1:2.6.20+dfsg-6) unstable; urgency=low
* Fix DoS issue via malicious Dead Peer Detection packet. Thanks to the
security team for providing the patch.
Closes: #521949: CVE-2009-0790: DoS
Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 31 Mar 2009 09:56:06 +0000
openswan (1:2.6.20+dfsg-5) unstable; urgency=low
* Mea culpa (again). Fix the fix.
Closes: #520082: openswan: reincarnation
* Correct the build dependency for openswan-modules-source. Thanks
to Harald Jenny for the patch.
-- Rene Mayrhofer <rmayr@debian.org> Fri, 27 Mar 2009 07:39:12 +0100
openswan (1:2.6.20+dfsg-4) unstable; urgency=low
* Backticks got messed up when applying last patch to init script to
check for user id instead of / being writable.
Closes: #520082: openswan: init script bug: "permission denied (must
be superuser)"
-- Rene Mayrhofer <rmayr@debian.org> Sun, 22 Mar 2009 10:21:38 +0100
openswan (1:2.6.20+dfsg-3) unstable; urgency=low
* Actually, mark ipsec.conf and ipsec.secrets as conffiles but avoid
editing them. Sorry for the blunder, reverting the last patch.
* The last upload was also messed up in terms of source package
(the orig.tar.gz was missing, so it was erroneously created as
native source).
-- Rene Mayrhofer <rmayr@debian.org> Thu, 12 Mar 2009 19:08:51 +0100
openswan (1:2.6.20+dfsg-2) unstable; urgency=low
* Fix a few problems caused by changes in upstream packaging, e.g. to
no longer require no_oe.conf hackery as there is now a config file
option. Removed debconf question for now (commented out, actually).
Closes: #515098: overwrites local configuration
* No longer advertise the debian-openswan@gibraltar.at mailing list as
support address, as I have deleted it. My personal email address
should be used again.
* I agree that md[25].[ch] are sufficiently compatible with distribution
in this Debian package according to http://www.ietf.org/ietf/IPR/RSA-MD-all.
IANAL, but as far as I judge the situation, there is no license issue.
Closes: #405363: openswan: contains non-free files
* Updated Swedish debconf translation
Closes: #518498: [INTL:sv] Swedish strings for openswan debconf
* Add libcurl4-openssl-dev to the list of Build-Dep alternatives and
remove lynx, which is no longer required for building.
* Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge.
Closes: #455112: openswan -- Doesn't purge all files after piuparts
Install+Upgrade+Purge test
* Don't check if / is writable in init script. This doesn't make sense
for readonly filesystems.
Closes: #499837: Will not start when / is mounted read only
* No longer mark ipsec.conf and ipsec.secrets as conffiles, as they
are modified by postinst. Although I don't particularly like this
method of patching DEBIAN/conffiles, I don't have a better solution
right now. Thus take patch from Mathieu Parent.
Closes: #515095: programmatically modifies a conffile
Integrated cleanup patch, also thanks to Mathieu Parent:
* Add 'rm -rf OBJ.*' in clean target.
Closes: #517703: openswan_1:2.6.20+dfsg-1(mipsel/unstable): FTBFS with
-rsudo
* clean generated doc/manpage.d/*.html and doc/index.html
-- Rene Mayrhofer <rmayr@debian.org> Thu, 12 Mar 2009 15:29:40 +0100
openswan (1:2.6.20+dfsg-1) unstable; urgency=low
* New upstream release. This no longer ships the fswcert tool, so skip
building and installing it in the Debian package as well.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 28 Feb 2009 19:39:16 +0000
2008
openswan (1:2.4.12+dfsg-1) unstable; urgency=low
* New upstream release that should compile with newer kernels again.
Closes: #439977: openswan-modules-source: Is not compatible with
kernel >=2.6.22
Dropping patch from openswan BTS included in 1:2.4.9+dfsg-3, which
has been added upstream.
* Pull in NMU patch.
Closes: #463361: openswan: ldap_init implicitly converted to pointer
* Added Finnish debconf translation.
Closes: #472504: [INTL:fi] Finnish translation of the debconf templates
* Updated Japanese debconf translation.
Closes: #463320: openswan: [INTL:ja] Update po-debconf template
translation (ja.po)
* Updated French debconf translation.
Closes: #461841: openswan: [INTL:fr] French debconf templates
translation update
* Added Galician debconf translation.
Closes: #474627: [INTL:gl] Galician debconf template translation for
openswan
* Added Russian debconf translation.
Closes: #475047: openswan: [INTL:ru] Russian debconf templates translation
* Sigh, another service to users by removing documentation. Removed
anything the looks like an RFC or an RFC draft again. Obviously, this
seems the most critical bug for this package, so I actually considered
increasing urgency - after all, we are fixing an RC bug here...
Closes: #451110: Source package contains non-free IETF RFC/I-D's
* According to http://bugs.xelerance.com/view.php?id=849, 2.4.10 should
fix this assertion failure (although the upstream bug report has not
been closed). Please reopen if the problem still persists (and if not,
please also tell upstream so that they can close their own bug report).
Closes: #443525: openswan: pluto dies with ASSERTION FAILED at
kernel.c:2237: c->kind == CK_PERMANENT || c->kind ==
CK_INSTANCE
-- Rene Mayrhofer <rmayr@debian.org> Sun, 30 Mar 2008 10:24:54 +0200
openswan (1:2.4.9+dfsg-3.1) unstable; urgency=low
* Non-maintainer upload.
* Define LDAP_DEPRECATED to continue use of deprecated LDAP functions.
Closes: #463361: ldap_init implicitly converted to pointer
-- dann frazier <dannf@debian.org> Mon, 10 Mar 2008 09:46:09 -0600
openswan (1:2.4.9+dfsg-3) unstable; urgency=low
* Include upstream patch to make %defaultroute work with PPP uplinks
in certain cases.
Closes: #449512: openswan: defaultroute with PPP does not work
-- Rene Mayrhofer <rmayr@debian.org> Sun, 20 Jan 2008 13:36:50 +0100
2007
openswan (1:2.4.9+dfsg-2) unstable; urgency=low
* Remove spaces before question marks in debconf template. Mea culpa,
I read the patch wrong when looking at it. debconf-updatepo seems to have
done the right thing in updating .po files with the "new" question
strings, so I don't think translators need to change anything.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 27 Oct 2007 11:18:14 +0200
openswan (1:2.4.9+dfsg-1) unstable; urgency=low
* New upstream release.
* Add German debconf translation, but do not apply the patch to the English
template. I do not agree that a space should be placed before a question
mark, but feel free to correct me with references to some grammar material.
Closes: #406029: openswan: [INTL:de] German po-debconf template translation
* Add Spanish debconf translation.
Closes: #443613: [INTL:es] Spanish po-debconf template translation
* Drop the fileutils dependency, and thus no longer care about backports to
woody.
Closes: #368723: openswan: Cleanup of dependencies (fileutils)
-- Rene Mayrhofer <rmayr@debian.org> Fri, 26 Oct 2007 16:37:31 +0200
openswan (1:2.4.8-dfsg-1) unstable; urgency=low
* New upstream release.
Closes: #335074: openswan: ipsec.conf manpage doesn't include
{left|right}sourceip
Closes: #357718: ipsec.conf(5): automatic and manual keying options are
not disjoint
Closes: #357708: openswan: ipsec.secrets(5) does not document X.509 format
* Include Portugese debconf translation.
Closes: #426927: openswan: [INTL:pt] Portuguese translation for debconf
messages
* Also remove .gitignore files in addition to the other cruft when building
the binary package.
Closes: #413914: shipping gitignore file
/usr/share/doc/openswan/doc/.gitignore
-- Rene Mayrhofer <rmayr@debian.org> Wed, 04 Jul 2007 20:59:35 +0100
2006
openswan (1:2.4.6+dfsg.2-1) unstable; urgency=low
* Acknowledge our-priority-are-the-users-thus-remove-docs NMU (nothing
personal, but documentation usually tends to be useful).
Closes: #390656
* Recommend linux-source instead of kernel-source.
Closes: #394664: Recommends unavailable kernel-source
* Update Japanese debconf translation.
Closes: #393176: openswan: [INTL:ja] Updated Japanese po-debconf
template translation (ja.po)
* Build-depend on po-debconf.
* Stop invoking /etc/init.d/ipsec directly in prerm. Use invoke-rc.d.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 6 Nov 2006 19:07:36 +0000
openswan (1:2.4.6+dfsg.2-0.1) unstable; urgency=low
* NMU
* Remove additional non-free draft RFCs from upstream tarball.
Closes: #390656
-- Joey Hess <joeyh@debian.org> Sun, 15 Oct 2006 17:52:57 -0400
openswan (1:2.4.6+dfsg-1) unstable; urgency=low
* New upstream release.
* Acknowledge the last 2 NMUs:
Closes: #370752: diff for 1:2.4.5+dfsg-0.1 NMU
Closes: #363375: kernel-patch-openswan: Patched linux-source-2.6.16 fails to compile
Closes: #365196: [NONFREE-DOC] Package contains IETF RFC/I-D
Thanks to Steinar for his NMUs!
* Add a call to debconf-updatepo to the clean target of debian/rules, as suggested in
the bug report.
Closes: #372917: openswan: debconf-updatepo has not been launched
* Update the Dutch debconf translation.
Closes: #378415: [INTL:nl] Updated dutch po-debconf translation
* Removed the 01-ipcomp_hippi.dpatch again, this has been incorporated upstrean.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 23 Aug 2006 22:06:52 +0100
openswan (1:2.4.5-4) unstable; urgency=low
* Removed the dependency on MAKEDEV, it does not seem to be used any
more. Thanks to Marco d'Itri for pointing it out.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 3 Jun 2006 21:11:44 +0100
openswan (1:2.4.5+dfsg-0.2) unstable; urgency=low
* Non-maintainer upload.
* debian/patches/01-ipcomp_hippi.dpatch: Fix net/ipsec/ipcomp.c so it no
longer attempts to copy the "private" field of a struct_skbuff when
CONFIG_HIPPI is enabled; it was removed after 2.6.13, and this broke
compilation with 2.6.16, linux-patch-openswan and CONFIG_HIPPI.
(Closes: #363375)
-- Steinar H. Gunderson <sesse@debian.org> Fri, 9 Jun 2006 19:52:22 +0200
openswan (1:2.4.5+dfsg-0.1) unstable; urgency=low
* Non-maintainer upload.
* Remove doc/rfc394[78].txt and doc/draft-*.txt from upstream tarball
to get rid of non-DFSG free documentation. (Closes: #365196)
-- Steinar H. Gunderson <sesse@debian.org> Tue, 6 Jun 2006 18:42:09 +0200
openswan (1:2.4.5-3) unstable; urgency=low
* Renamed kernel-patch-openswan to linux-patch-openswan.
* Removed the remarks in the package descriptions that linux-patch-openswan
and openswan-modules-source will only work with 2.4 series kernels. This
is no longer true.
* Use updated French translation. Thanks to Christian Perrier and sorry for
not giving time to update the translations before the last upload. I felt
that the FTBFS should be corrected quickly.
Closes: #364399: openswan: [INTL:fr] French debconf templates translation
-- Rene Mayrhofer <rmayr@debian.org> Sun, 23 Apr 2006 21:47:53 +0100
openswan (1:2.4.5-2) unstable; urgency=low
* The NMU patch doesn't seem to have applied to debian/control,
because the dependency was still on libopensc1-dev. Fixed that now
by adding libopensc2-dev.
Closes: #363073: openswan_1:2.4.5-1: FTBFS: Build depends on
libopensc1-dev
* Added the patch to fix alignment issues on Sparc, as upstream acknowledged
it and applied it to their development tree.
Closes: #341630: openswan: Pluto crypto helper gets SIGBUS on SPARC due
to request memory alignment issue
-- Rene Mayrhofer <rmayr@debian.org> Mon, 17 Apr 2006 14:53:37 +0100
openswan (1:2.4.5-1) unstable; urgency=low
* New upstream release. This release adds support for patching newer kernel
versions. Verified that the patched kernel tree compiles with Debian
kernel sources 2.6.15-8 and 2.6.16-6.
Closes: #361800: kernel-patch-openswan: Fails to patch Debian 2.6.15
kernel
It also adds the patches for an IPSec/L2TP server behind a NAT.
Closes: #307529: More patches for openswan server behind NAT
Closes: #353792: openswan nat-t failure
And additionally there are (according to upstream changelogs) fixes for
running on SMP systems. If the following bug still persists (can not test
myself), then please reopen.
Closes: #343603: kernel-patch-openswan: Starting IPSEC makes system freeze
The patch to fix the snmpd crash is also in this upstream version (just
checked linux/net/ipsec/ipsec_tunnel.c). It was probably in older versions
as well, so this might have been closed earlier. It's not mentioned in
upstream changelog, so I don't know exactly when it has been fixed.
Closes: #318298: kernel-patch-openswan: Kernel Oops - Null Dereference
when using snmpd
The ipsec.conf manual page has been updated to document connaddrfamily.
Closes: #296611: openswan: "man -S 5 ipsec.conf" fails to mention the
parameter "connaddrfamily"
* Acknowledge fixes in last NMU - thanks to Christian.
Closes: #352050: openswan: FTBFS: Package libopensc1-dev has no
installation candidate
Closes: #356716: openswan: Incomplete clean when building
Closes: #316693: openswan_1/2.2.0-10
Closes: #339390: openswan: [INTL:sv] Swedish debconf templates translation
* Enable building of XAUTH support.
* Import override files from /etc/default instead of /etc/sysconfig. This
uses dpatch, so now Build-Depend on it.
Closes: #354965: openswan: /usr/lib/ipsec/_updown uses /etc/sysconfig/,
please change to /etc/default/
* Only ask if an existing certificate/private key pair should be used when
the user chose not to create a new key pair. Also mention, when asking to
create a new key pair, that an existing one can be used alternatively.
Closes: #298250: confusing debconf question about certificate creation
* Move the USE_LDAP, USE_LIBCURL, and HAVE_THREADS options from the
"make install" to the "make programs" call where it belongs.
Closes: #292838: openswan: Dynamic CRL fetching not supported
* Remove /usr/share/doc/openswan/index.html, because it is a duplicate of
/usr/share/doc/openswan/doc/index.html, and only the latter one has links
to existing files.
Closes: #311613: openswan: html documentation links to the wrong place
Closes: #357719: broken links in file:///usr/share/doc/openswan/index.html
Closes: #357698: broken links in file:///usr/share/doc/openswan/index.html
* Add #ifdef to linux/net/ipsec/ipsec_init.c to branch between Debian and
vanilla 2.4 kernels. For Debian kernels with the XFRM (26sec) backport,
a second option is necessary for inet_(add|del)_protocol. This should
allow KLIPS to compile on both Debian and vanilla 2.4 kernels. Verified
that it compiles with Debian 2.4.27-12 and vanilla 2.4.32.
Closes: #340294: openswan-modules-source: fails to build with 2.4.27 on
sarge
Closes: #342844: kernel-patch-openswan: FTBS with kernel-source-2.4.27
2.4.27-11
* Document in README.Debian that KLIPS for 2.4 kernels will not compile with
newer GCC versions and give a hint on how to use older versions with
make-kpkg.
* Kernel 2.6.8 is not properly supported and is horribly outdated by now.
If you really need to use 2.6.8, then please use the native 26sec IPSec
stack. For KLIPS support, use at least 2.6.12, or better 2.6.15.
Closes: #318136: kernel-patch-openswan: Problem applying
kernel-openswan-patch to kernel-source-2.6.8
* Compress the modules source tree with bzip2 instead of gzip and thus
reduce the size of the openswan-modules-source package.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 15 Apr 2006 21:36:36 +0100
openswan (1:2.4.4-3.1) unstable; urgency=high
* Non-maintainer upload with maintainer's agreement
* Fix FTBFS by replacing the build dependency on libopensc1-dev to
libopensc2-dev. Closes: #352050
* Really clean when building
Closes: #356716
* Correct typos and English errors in templates
Unfuzzy translations
Closes: #316693
* Swedish debconf templates translation added
Closes: #339390
-- Christian Perrier <bubulle@debian.org> Thu, 16 Mar 2006 06:10:05 +0100
2005
openswan (1:2.4.4-3) unstable; urgency=low
* Corrected PATCHNAME in the kernel-patch-openswan unpatch script.
Closes: #344852: kernel-patch-openswan: PATCHNAME=openswan in apply script
but =freeswan in unpatch
-- Rene Mayrhofer <rmayr@debian.org> Tue, 27 Dec 2005 10:38:33 +0000
openswan (1:2.4.4-2) unstable; urgency=low
* Build-depend on libkrb5-dev.
Closes: #344612: openswan: pluto has shared library dependency on
libkrb5support.so
-- Rene Mayrhofer <rmayr@debian.org> Mon, 26 Dec 2005 11:22:17 +0000
openswan (1:2.4.4-1) unstable; urgency=high
Reasoning for urgency high: DoS security issues.
* New upstream version. This is supposed to fix the other part of the DoS
problem.
-- Rene Mayrhofer <rmayr@debian.org> Fri, 18 Nov 2005 19:23:49 +0000
openswan (1:2.4.3-1) unstable; urgency=high
Reasoning for urgency high: DoS security issues.
* New upstream version.
Closes: Bug#339082: kernel-patch-openswan: ISAKMP implementation
problems / DoS
-- Rene Mayrhofer <rmayr@debian.org> Tue, 15 Nov 2005 15:49:44 +0000
openswan (1:2.4.0-3) unstable; urgency=low
* Doh. Forgot to merge the new debconf depends from my openswan 2.2.0
package branch. Now again change the debconf depends to debconf |
debconf-2.0.
Closes: #332055: openswan depends on debconf without | debconf-2.0
alternate; blocks cdebconf transition
* Also build-depend on the new libssl (>= 0.9.8-1) now to help the
transition. If you recompile this package for woody/sarge, you can safely
ignore this versioned build-dependency. No new API is needed this is just
for the ABI transition.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 10 Oct 2005 11:22:12 +0100
openswan (1:2.4.0-2) unstable; urgency=low
* Module building has changed a bit for the new openswan upstream
releases (need additional files). Adapt the openswan-modules-source
package to that and also fix pfkey_v2.c to compile with kernel 2.4
(patches sent to upstream for future inclusion).
Closes: #291274: Fails to build with 2.4.29: missing Makefile
Closes: #273443: openswan-modules-source: doesn't build with 2.6.8 -
different from #273144 (?)
* Fix the postinst script (must have been a bash update that broke it).
Closes: #330864: openswan: postinst fails with "`make-x509-cert': not a
valid identifier"
-- Rene Mayrhofer <rmayr@debian.org> Fri, 30 Sep 2005 18:11:28 +0100
openswan (1:2.4.0-1) unstable; urgency=low
* New upstream release. This finally allows the Debian packages to be
updated since the regression from 2.2.X to 2.3.X has been fixed (pluto
crash with roadwarriors). Please be aware that pluto daemons from 2.2 or
2.3 openswan release will still crash, so please update all your
installations as soon as possible.
Closes: #292132: openswan: OpenSwan 2.2.0 crashes when a road-warrior
comes in using 2.3.0
This release also supports KLIPS with 2.6 kernels now.
Closes: #301801: kernel-patch-openswan: Fails to build with Debian
2.6.10 source
#273443: openswan-modules-source: doesn't build with 2.6.8 -
different from #273144 (?)
#318136: kernel-patch-openswan: Problem applying
kernel-openswan-patch to kernel-source-2.6.8
* Fixed gcc 4 compile for fswcert (patch will be forwarded to upstream).
* Added Vietnamese debconf translation.
Closes: #316692: INTL:vi
* Introduced the epoch in this branch to allow automatic updates from the
previously downgraded 2.2 release.
* Edited the debian/copyright file to mention the shared GPL path and
removed old licenses (only refer to CREDITS now).
-- Rene Mayrhofer <rmayr@debian.org> Mon, 19 Sep 2005 13:40:30 +0100
openswan (2.3.1-1) unstable; urgency=high
Urgency HIGH because openswan is an important package for testing (at least
in my opinion...).
* New upstream version. This update should fix the various crashes
that openswan 2.3.0 pluto was causing on other openswan boxes
(occured in the wild with 2.2.0 and 2.3.0, but might also happen
with others) in some cases.
Closes: #292132: openswan: OpenSwan 2.2.0 crashes when a road-warrior
comes in using 2.3.0
* Adapt to the new way of building modules (which changed between upstream
version 2.2.0 and 2.3.0). openswan-modules-source should now build with
2.4 and with 2.6 kernels (using make-kpkg).
Closes: #291274: Fails to build with 2.4.29: missing Makefile
Closes: #276521: openswan-modules-source: ipsec_aes.o & ipsec_cryptoapi.o
not kernel modules
* Also enable building of 2.6 kernel modules in openswan-modules-source.
Closes: #273443: openswan-modules-source: doesn't build with 2.6.8 -
different from #273144 (?)
* kernel-patch-openswan also needed some changes due to the new tree
layout (specifically the new Makefile.top). Now kernel-patch-openswan
has been enabled to work with kernel 2.6, so you can now get ipsecX
interfaces with kernel 2.6 (tested with vanilla 2.6.10)!
Closes: #301801 kernel-patch-openswan: Fails to build with Debian 2.6.10
source
* There was no reply by the original bug submitter, so this really seemed
to be a toolchain problem. I can't reproduce this bug.
Closes: #283387: openswan: Fails to build on testing (Sarge)
* The build-dependency has already been updated from libcurl2-dev to
libcurl3-dev in package 2.3.0-1. Now updated it to
libcurl3-dev | libcurl2-dev so that backporting to woody is easier.
Closes: #298468 openswan fails to build on sarge due to missing
libcurl2-dev dependancy
* The same goes for libopensc*-dev.
* Fixed typos in the logcheck ignore files.
Closes: #298693: openswan: logcheck files - typo
* Updated debconf translations.
Closes: #290847: openswan: [INTL:fr] French debconf templates translation
Closes: #292077: [INTL:pt_BR] Please apply the attached patch in order to
update openswan's pt_BR debconf translation
Closes: #294202: [l10n] Czech po-debconf template translation (cs.po)
* Removed the source code for the fswcert utility from the debian/ dir in
the source package - it is now included in the upstream source under
programs/.
* Removed the conflicts with ike-server (still providing it though).
Closes: #297186: openswan: Remove conflict on ike-server
* Don't conflict with freeswan generally, but only with versions < 2.04-12.
(This is in preparation of the freeswan transition package that I am
working on.)
* Explicitly remove the execute permissions from /etc/ipsec.d/policies/*.
Closes: #298245: wrong permissions in /etc
* No longer need gawk for openswan scripts to work. This allows to finally
removed the awk-to-gawk hack in debian/rules and means that openswan no
longer depends on gawk.
* Enable the building of pluto code for dynamic URL fetching (which needs
libldap2-dev and libcurl3-dev) and the XAUTH PAM support. Therefore, we
now build-depend on libpam0g-dev.
Closes: #292838: openswan: Dynamic CRL fetching not supported
-- Rene Mayrhofer <rmayr@debian.org> Sat, 9 Apr 2005 17:56:16 +0200
openswan (2.3.0-2) unstable; urgency=HIGH
Urgency HIGH due to security issue and problems with build-deps in sarge.
* Fix the security issue. Please see
http://www.idefense.com/application/poi/display?id=190&;
type=vulnerabilities&flashstatus=false
or CAN-2005-0162 at
CAN-2005-0162">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0162
for more details. Thanks to Martin Schulze for informing me about this
issue.
Closes: #292458: Openswan XAUTH/PAM Buffer Overflow Vulnerability
* Added a Build-Dependency to lynx.
Closes: #291143: openswan: FTBFS: Missing build dependency.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 27 Jan 2005 16:10:11 +0100
openswan (2.3.0-1) unstable; urgency=low
* New upstream release.
Important change: aes-sha1 is now the default proposal (but 3des-md5 is
still supported if the other side requests it). Please look at
/usr/share/doc/openswan/docs/RELEASE-NOTES for details.
* Includes KLIPS support for kernel 2.6 for the first time, but I have not
yet modified openswan-modules-source to cope with that. If somebody wants
to lend me a hand to address #273443, it would be more than welcome.
* This release includes a fix for the reported snmpd crash
(in ipsec_tunnel.c). Many thanks to Nate Carlson for pointing this out.
Closes: #261892: openswan: System crashes when snmpd runs at the same time
* Update Build-Depends from libopensc0-dev to libopensc1-dev.
Closes: #289600: openswan: can't fulfill the build dependencies
* Update Build-Depends from libcurl2-dev to libcurl3-dev.
* Include Japanese debconf translation and fix a typo in the master.
Closes: #288996: openswan: Japanese po-debconf template translation
(ja.po) and typo in template.pot
* Auto-apply the NAT Traversal patch with kernel-patch-openswan again. This
was changed by openswan (the freeswan version included the NAT-T patch
automatically). Thus, the patch is now applied before inserting the KLIPS
part.
* Include a ready-to-use NAT-T diff in the openswan-modules-source package
so that anybody who uses this package still has the option of using NAT
Traversal (though this means patching the kernel anyway, and kind of
makes the out-of-tree compilation senseless). However, Debian 2.4 series
kernels should already have NAT-T applied.
* Document the above two changes in the package descriptions and
README.Debian.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 13 Jan 2005 09:30:45 +0100
2004
openswan (2.2.0-5) unstable; urgency=low
* Added more explanations to README.Debian on how to build the kernel
modules with either openswan-modules-source or kernel-patch-openswan.
-- Rene Mayrhofer <rmayr@debian.org> Sat, 16 Oct 2004 13:11:48 +0200
openswan (2.2.0-4) unstable; urgency=medium
Urgency medium to get this version into sarge - it fixes a bug that turned
up on some machines and prevented openswan from starting.
* no_oe.conf will work when there are spaces at the end, many thanks to
Hans Fugal for figuring that out!
Closes: #270012: openswan: Fails to start after Installation
(/etc/ipsec.d/examples/no_oe.conf problem?)
I am now sending this towards upstream so that it should hopefully get
fixed for the next release - it's a bit awkward for a config file.
* Fixed a minor aesthetical issue in openswan.postinst: when a plain RSA key
is already present in ipsec.secrets and a new one is being created, a
needless line was printed. Silenced by adding -q to egrep.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 3 Oct 2004 20:57:22 +0200
openswan (2.2.0-3) unstable; urgency=low
* Also added flex to Build-Depends, the new starter (replacement for
the init scripts, but not yet active) needs it to build.
Closes: #272935: openswan_2.2.0-1(ia64/unstable): FTBFS: missing
build-depends
Closes: #273241: openswan: FTBFS: Missing Build-Depends on 'flex'
* Adapted the rules file of openswan-modules-source to cope with the new
upstream source code - need to generate a C file from a template before
the ipsec module can be built.
Closes: #273144: openswan-modules-source: linux/net/ipsec/version.c
neither created nor compiled
* Enabled the building of modular extensions (AES and cryptoapi) by default
for openswan-modules-source. Also enabled the AES cipher in addition to
3DES (this is directly in the ipsec.o kernel module, the modular
extensions version is an alternative to this).
-- Rene Mayrhofer <rmayr@debian.org> Fri, 24 Sep 2004 12:38:47 +0200
openswan (2.2.0-2) unstable; urgency=low
* Added bison to Build-Depends.
-- Rene Mayrhofer <rmayr@debian.org> Thu, 23 Sep 2004 15:18:51 +0200
openswan (2.2.0-1) unstable; urgency=medium
* New upstream version:
- Introduces AES support, which is the reason for urgency medium. AES
should definitly go into sarge.
- Adds RFC 3706 DPD (dead peer detection) support, see
/usr/share/doc/openswan/docs/README.DPD for details.
This adds the last missing piece (AES) to replace the freeswan package
completely. As of now, freeswan is officially unsupported and will soon
be removed from Debian. Please upgrade to openswan, which should not cause
any issues. Configuration files and certificates are completely compatible.
Closes: #270012: openswan: Fails to start after Installation
(/etc/ipsec.d/examples/no_oe.conf problem?)
I can no longer reproduce this problem on a fresh install of
2.2.0-1.
Closes: #260120: openswan: Patch fixing #256391 breaks the autogenerated
certificate
The new X.509 patch included in this upstream release (no longer
patched by the Debian package) should fix this too.
Closes: #246828: /etc/ipsec.conf refers to invalid URLs
The default ipsec.conf file distributed by upstream no longer
refers to an URL.
* Fixed a thinko in the postinst script that prevented the correct insertion
of plain RSA keys into /etc/ipsec.secrets (i.e. not using X.509
certificates). Fixed now.
Closes: #268742: openswan: Plain RSA key not successfully written to
ipsec.secrets
* Adapt to the new way of openswan handling the disabling of opportunistic
encryption. In the default ipsec.conf distributed with upstream openswan,
OE is now disabled (which changes the previous default). Adapted the
postinst script so that it can now enable and disable OE support based on
the debconf option.
Closes: #268743: openswan: fails to respect debconf OE setting
* Updated the French and Brazilian Portugese debconf translations.
Closes: #256457: openswan: [INTL:fr] French debconf templates translation
Closes: #264246: openswan: [INTL:pt_BR] Please use the attached Brazilian
Portuguese debconf template translation
* Patched debian/fswcert/fswcert.c to compile cleanly with gcc-3.4. Thanks
to Andreas Jochens for the patch!
Closes: #262663: openswan: FTBFS with gcc-3.4: label at end of compound
statement
* Documented how to build the KLIPS kernel part with either the
kernel-patch-openswan or the openswan-modules-source packages.
Closes: #246819: Needs documentation on how to build the kernel modules
* Bump Standards-Version to 3.6.1.0, no changes necessary.
-- Rene Mayrhofer <rmayr@debian.org> Tue, 21 Sep 2004 18:13:52 +0200
openswan (2.1.5-1) unstable; urgency=medium
* New upstream release, which fixes another potential security issue.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Sun, 5 Sep 2004 18:00:40 +0200
openswan (2.1.3-1) unstable; urgency=HIGH
Urgency high because of a possibly security issue.
* New upstream version. This includes the CRL fix form 2.1.1-5 and the
proper activation of NAT traversal in Makefile.inc.
Closes: #253457: Openswan: new upstream available that includes xauth
Closes: #253458: Openswan: new upstream available that includes xauth
Closes: #253461: Openswan: new upstream available
Closes: #253782: openswan: Should automatically load kernel module
xfrm_user
But I have currently not explicitly enabled xaut support in Makefile.inc,
quoting from there: "off by default, since XAUTH is tricky, and you can
get into security trouble". If it needs to be enabled to work, please tell
me and I will need to take a far closer look on it (and the involved
problems).
This new upstream version also fixes a possible security issue in the
X.509 certificate authentication.
* The last upload didn't seem to have hit the archives, strange...
However, the bugs are still fixed, closing them now.
Closes: #245450: openswan should not depend on
kernel-image-2.4 || kernel-image-2.6
Closes: #246847: openswan: shouldn't conflict with ike-server
Closes: #246373: openswan: [INTL:fr] French debconf templates translation
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 17 June 2004 12:22:45 +0200
openswan (2.1.1-5) unstable; urgency=low
* Applied a patch from openswan CVS to fix CRL related crashes.
* Drop the dependency on kernels it works with - the package description
already says that it will need kernel support to work. This allows people
to easily use self-compiled kernels with the right support (e.g. 2.6.5).
Closes: #245450: openswan should not depend on
kernel-image-2.4 || kernel-image-2.6
* While I'm at it, also replace the various Suggests: freeswan with
openswan. Oops.
* openswan conflicts with ike-server because only one ike-server can be
active at any given time (it will listen on UDP port 500). This policy
has been agreed to by all Debian IPSec package maintainers and implemented
in all ike-server providing packages.
Closes: #246847: openswan: shouldn't conflict with ike-server
* Took the debconf translations from the freeswan package and "ported" them
via debconf-updatepo. Thanks to Christian Perrier for mentioning that it
was this easy.
The templates should now be correct (all instances of FreeS/wan replaced
by Openswan).
Closes: #246373: openswan: [INTL:fr] French debconf templates translation
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Tue, 18 May 2004 19:46:24 +0200
openswan (2.1.1-4) unstable; urgency=low
* Fixed the kernel-patch-openswan apply script.
* Warning: Due to an upstream bug, pluto from this version will dump core
on certain CRLs. If you are hit by this bug, please report it directly to
upstream, they are still tracking the issue down.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Thu, 15 Apr 2004 09:50:32 +0200
openswan (2.1.1-3) unstable; urgency=low
* Also build the openswan-modules-source and kernel-patch-openswan
packages now.
* Fixed _startklips in combination with the native IPSec stack - many thanks
to Nate Carlson for the patch.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 31 Mar 2004 19:33:49 +0200
openswan (2.1.1-2) unstable; urgency=low
* Took the package as official maintainer.
* Updated all relevant packaging stuff to the level of freeswan 2.04-9,
including auto-generation of X.509 certificates and insertion in
ipsec.secrets. This also corrects the libexec path in some scripts.
-- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 31 Mar 2004 11:23:46 +0200
openswan (2.1.1-1) unstable; urgency=low
* Initial version - packaging based on Rene Mayrhofer's
FreeS/WAN packaging
-- Alexander List <alexlist@sbox.tu-graz.ac.at> Sun, 21 Mar 2004 21:47:53 +0100