[Bug 1448870] Re: Certificate policies cause rejections

2016-02-18 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
  * debian/control
    - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
    - Update Maintainer for Ubuntu
    - Add build-deps
      - dh-apparmor
      - iptables-dev
      - libjson0-dev
      - libldns-dev
      - libmysqlclient-dev
      - libpcsclite-dev
      - libsoup2.4-dev
      - libtspi-dev
      - libunbound-dev
    - Drop build-deps
      - libfcgi-dev
      - clearsilver-dev
    - Create virtual packages for all strongswan-plugin-* for dist-upgrade
    - Set XS-Testsuite: autopkgtest
  * debian/rules:
    - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
    - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
      tests.
    - Change init/systemd program name to strongswan
    - Install AppArmor profiles
    - Removed pieces on 'patching ipsec.conf' on build.
    - Enablement of features per Ubuntu current config suggested from
      upstream recommendation
    - Unpack and sort enabled features to one-per-line
    - Disable duplicheck as per
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
    - Disable libfast (--disable-fast):
      Requires dropping medsrv, medcli plugins which depend on libfast
    - Add configure options
      --with-tss=trousers
    - Remove configure options:
      --enable-ha (requires special kernel)
      --enable-unit-test (unit tests run by default)
    - Drop logcheck install
  * debian/tests/*
    - Add DEP8 test for strongswan service and plugins
  * debian/strongswan-starter.strongswan.service
    - Add new systemd file instead of patching upstream
  * debian/strongswan-starter.links
    - removed, use Ubuntu systemd file instead of linking to upstream
  * debian/usr.lib.ipsec.{charon, lookip, stroke}
    - added AppArmor profiles for charon, lookip and stroke
  * debian/libcharon-extra-plugins.install
    - Add plugins
      - kernel-libipsec.{so, lib, conf, apparmor}
    - Remove plugins
      - libstrongswan-ha.so
    - Relocate plugins
      - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
  * debian/libstrongswan-extra-plugins.install
    - Add plugins (so, lib, conf)
      - acert
      - attr-sql
      - coupling
      - dnscert
      - fips-prf
      - gmp
      - ipseckey
      - load-tester
      - mysql
      - ntru
      - radattr
      - soup
      - sqlite
      - sql
      - systime-fix
      - unbound
      - whitelist
    - Relocate plugins (so, lib, conf)
      - ccm (libstrongswan.install)
      - test-vectors (libstrongswan.install)
  * debian/libstrongswan.install
    - Sort sections
    - Add plugins (so, lib, conf)
      - libchecksum
      - ccm
      - eap-identity
      - md4
      - test-vectors
  * debian/strongswan-charon.install
    - Add AppArmor profile for charon
  * debian/strongswan-starter.install
    - Add tools, manpages, conf
      - openac
      - pool
      - _updown_espmark
    - Add AppArmor profile for stroke
  * debian/strongswan-tnc-base.install
    - Add new subpackage for TNC
    - remove non-existent (dropped in 5.2.1) libpts library files
  * debian/strongswan-tnc-client.install
    - Add new subpackage for TNC
  * debian/strongswan-tnc-ifmap.install
    - Add new subpackage for TNC
  * debian/strongswan-tnc-pdp.install
    - Add new subpackage for TN

[Bug 1448870] Re: Certificate policies cause rejections

2016-01-07 Thread Simon Déziel
This is upstream bug https://wiki.strongswan.org/issues/453 which was
fixed with the 5.2.2 release.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1448870

Title:
  Certificate policies cause rejections

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1448870/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1448870] Re: Certificate policies cause rejections

2015-04-27 Thread Ubuntu Foundations Team Bug Bot
The attachment "0001-constraints-Don-t-reject-certificates-with-invalid-c.patch"
seems to be a patch.  If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch



[Bug 1448870] Re: Certificate policies cause rejections

2015-04-27 Thread Richard Laager
** Description changed:

  If a certificate has a policy, strongswan rejects it unless every
  certificate up the chain has the same policy. For certificates issued by
  CAs today, this is not a valid assumption. This assumption results in my
  Ubuntu laptop being unable to connect to my workplace VPN (which is
  actually also Ubuntu strongswan, but that's irrelevant).
  
  The attached patch from upstream git fixes the problem by changing the
  validation behavior. From the upstream commit message:
  
  --
  
  Instead of rejecting the certificate completely if a certificate has a
  policy OID that is actually not allowed by the issuer CA, we accept it.
  However, the certificate policy itself is still considered invalid, and
  is not returned in the auth config resulting from trust chain
  operations.
  
  A user must make sure to rely on the returned auth config certificate
  policies instead of the policies contained in the certificate; even if
  the certificate is valid, the policy OID itself in the certificate are
  not to be trusted anymore.
  
  --
  
  This patch applies exactly from upstream to strongswan in Vivid. It can
  be trivially backported to Precise (which I've done and tested). I did
- not test any versions in the middle.
+ not specifically test it on any versions in the middle.

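
The behaviour change described in the bug description above, as an added example that is not part of the thread and is not strongSwan code. It is a simplified Python model: a certificate is reduced to a name plus a set of policy OIDs, a policy counts only if every certificate above it in the chain asserts the same OID (the rule the report describes), and all names and OIDs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    policies: frozenset = frozenset()  # certificatePolicies OIDs in the cert


def backed_policies(chain):
    """End-entity policy OIDs that every certificate above it also asserts.

    chain is ordered end entity first, root last (assumption of this model).
    """
    backed = set(chain[0].policies)
    for issuer in chain[1:]:
        backed &= issuer.policies
    return backed


def validate_before_fix(chain):
    """Old behaviour: any policy not backed by the chain rejects the cert."""
    backed = backed_policies(chain)
    if backed != chain[0].policies:
        return False, set()
    return True, backed


def validate_after_fix(chain):
    """New behaviour: accept the cert, return only the backed policies
    (the returned set stands in for the auth config)."""
    return True, backed_policies(chain)


def policy_rule_matches(chain, required_oid):
    """Authorise on the validated policy set, never on the cert's own list."""
    accepted, policies = validate_after_fix(chain)
    return accepted and required_oid in policies


# Constructed chains; OIDs are placeholders under the 2.999 example arc.
VPN_POLICY = "2.999.1"
ROOT_NO_POLICY = Cert("Root CA")
ROOT_WITH_POLICY = Cert("Policy Root CA", frozenset({VPN_POLICY}))
ISSUING_CA = Cert("Issuing CA", frozenset({VPN_POLICY}))
LAPTOP = Cert("laptop", frozenset({VPN_POLICY}))
TYPICAL_CHAIN = [LAPTOP, ISSUING_CA, ROOT_NO_POLICY]    # root has no policies
UNIFORM_CHAIN = [LAPTOP, ISSUING_CA, ROOT_WITH_POLICY]  # policy at every level
```

With `TYPICAL_CHAIN` the old check refuses the connection outright, while the new check accepts the certificate but reports no valid policies, so a rule that reads `LAPTOP.policies` directly would wrongly see `2.999.1` as granted.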