This bug was fixed in the package strongswan - 5.3.5-1ubuntu1 --------------- strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
* debian/{rules,control,libstrongswan-extra-plugins.install} Enable bliss plugin * debian/{rules,control,libstrongswan-extra-plugins.install} Enable chapoly plugin * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch Upstream suggests to not load this plugin by default as it has some limitations. https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec * debian/patches/increase-bliss-test-timeout.patch Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default * Update Apparmor profiles - usr.lib.ipsec.charon - add capability audit_write for xauth-pam (LP: #1470277) - add capability dac_override (needed by agent plugin) - allow priv dropping (LP: #1333655) - allow caching CRLs (LP: #1505222) - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) - usr.lib.ipsec.stroke - allow priv dropping (LP: #1333655) - add local include - usr.lib.ipsec.lookip - add local include * Merge from Debian, which includes fixes for all previous CVEs Fixes (LP: #1330504, #1451091, #1448870, #1470277) Remaining changes: * debian/control - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise - Update Maintainer for Ubuntu - Add build-deps - dh-apparmor - iptables-dev - libjson0-dev - libldns-dev - libmysqlclient-dev - libpcsclite-dev - libsoup2.4-dev - libtspi-dev - libunbound-dev - Drop build-deps - libfcgi-dev - clearsilver-dev - Create virtual packages for all strongswan-plugin-* for dist-upgrade - Set XS-Testsuite: autopkgtest * debian/rules: - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in tests. - Change init/systemd program name to strongswan - Install AppArmor profiles - Removed pieces on 'patching ipsec.conf' on build. - Enablement of features per Ubuntu current config suggested from upstream recommendation - Unpack and sort enabled features to one-per-line - Disable duplicheck as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 - Disable libfast (--disable-fast): Requires dropping medsrv, medcli plugins which depend on libfast - Add configure options --with-tss=trousers - Remove configure options: --enable-ha (requires special kernel) --enable-unit-test (unit tests run by default) - Drop logcheck install * debian/tests/* - Add DEP8 test for strongswan service and plugins * debian/strongswan-starter.strongswan.service - Add new systemd file instead of patching upstream * debian/strongswan-starter.links - removed, use Ubuntu systemd file instead of linking to upstream * debian/usr.lib.ipsec.{charon, lookip, stroke} - added AppArmor profiles for charon, lookip and stroke * debian/libcharon-extra-plugins.install - Add plugins - kernel-libipsec.{so, lib, conf, apparmor} - Remove plugins - libstrongswan-ha.so - Relocate plugins - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) * debian/libstrongswan-extra-plugins.install - Add plugins (so, lib, conf) - acert - attr-sql - coupling - dnscert - fips-prf - gmp - ipseckey - load-tester - mysql - ntru - radattr - soup - sqlite - sql - systime-fix - unbound - whitelist - Relocate plugins (so, lib, conf) - ccm (libstrongswan.install) - test-vectors (libstrongswan.install) * debian/libstrongswan.install - Sort sections - Add plugins (so, lib, conf) - libchecksum - ccm - eap-identity - md4 - test-vectors * debian/strongswan-charon.install - Add AppArmor profile for charon * debian/strongswan-starter.install - Add tools, manpages, conf - openac - pool - _updown_espmark - Add AppArmor profile for stroke * debian/strongswan-tnc-base.install - Add new subpackage for TNC - remove non-existent (dropped in 5.2.1) libpts library files * debian/strongswan-tnc-client.install - Add new subpackage for TNC * debian/strongswan-tnc-ifmap.install - Add new subpackage for TNC * debian/strongswan-tnc-pdp.install - Add new subpackage for TNC * debian/strongswan-tnc-server.install - Add new subpackage for TNC * debian/strongswan-starter.postinit: - Removed section about runlevel changes, it's almost 2014. - Adapted service restart section for Upstart. - Remove old symlinks to init.d files is necessary. * debian/strongswan-starter.dirs: Don't touch /etc/init.d. * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. * debian/strongswan-starter.prerm: Stop strongswan service on package removal (as opposed to using the old init.d script). * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck - logcheck patterns updated to be helpful * debian/strongswan-starter.postinst: Removed further out-dated code and entire section on opportunistic encryption - this was never in strongSwan. * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. Drop changes: * debian/control - Per-plugin package breakup: Reducing packaging delta from Debian - Don't build dhcp, farp subpackages: Reduce packging delta from Debian * debian/watch: Already exists in Debian merge * debian/upstream/signing-key.asc: Upstream has newer version. strongswan (5.3.5-1) unstable; urgency=medium * New upstream bugfix release. strongswan (5.3.4-1) unstable; urgency=medium * New upstream release. * debian/patches: - 03_systemd-service refreshed for new upstream release. - 0001-socket-default-Refactor-setting-source-address-when-, 0001-socket-dynamic-Refactor-setting-source-address-when- and CVE-2015-8023_eap_mschapv2_state dropped, included upstream. strongswan (5.3.3-3) unstable; urgency=high * Set urgency=high for security fix. * debian/patches: - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2. strongswan (5.3.3-2) unstable; urgency=medium * debian/rules: - make the dh_install override arch-dependent only since it only acts on arch:any packages, fix FTBFS on arch:all. strongswan (5.3.3-1) unstable; urgency=medium * debian/rules: - enable the connmark plugin. * debian/control: - add build-dep on iptables-dev. * debian/libstrongswan-standard-plugins: - add connmark plugin to the standard-plugins package. * New upstream release. closes: #803772 * debian/strongswan-starter.install: - install new pki --dn manpage to ipsec-starter package. * debian/patches: - 0001-socket-default-Refactor-setting-source-address-when- and 0001-socket-dynamic-Refactor-setting-source-address-when- added (taken from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix source address selection with IPv6 (upstream #1171) strongswan (5.3.2-1) unstable; urgency=medium * New upstream release. * debian/patches: - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream. - CVE-2015-4171_enforce_remote_auth dropped as well. strongswan (5.3.1-1) unstable; urgency=high * New upstream release. * debian/patches: - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream. - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the same message ID twice in sequential IV gen. strongSwan issue #980. - CVE-2015-4171_enforce_remote_auth added, fix potential leak of authentication credential to rogue server when using PSK or EAP. This is CVE-2015-4171. strongswan (5.3.0-2) unstable; urgency=medium * debian/patches: - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential remote code execution vulnerability (CVE-2015-3991). * debian/strongswan-starter.lintian-overrides: add override for command-with-path-in-maintainer-script since it's there to check for file existence. * Upload to unstable. strongswan (5.3.0-1) experimental; urgency=medium * New upstream release. * debian/patches: - 01_fix-manpages refreshed for new upstream release. - 02_chunk-endianness dropped, included upstream. - CVE-2014-9221_modp_custom dropped, included upstream. * debian/strongswan-starter.install - don't install the _updown and _updown_espmark manpages anymore, they're gone. - also remove the _updown_espmark script, gone too. * debian/copyright updated. strongswan (5.2.1-6) unstable; urgency=medium * Ship /lib/systemd/system/ipsec.service as a symlink to strongswan.service in strongswan-starter instead of using Alias= in the service file. This makes the ipsec name available to invoke-rc.d before the service gets actually enabled, which avoids some confusion (closes: #781209). strongswan (5.2.1-5) unstable; urgency=high * debian/patches: - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated denial of service in IKEv2 when using custom MODP value. strongswan (5.2.1-4) unstable; urgency=medium * Give up on trying to run the test suite on !amd64, it now times out on both i386 and s390x, our chosen "fast" archs. strongswan (5.2.1-3) unstable; urgency=medium * Disable libtls tests again, they are still too intensive for the buildd network... strongswan (5.2.1-2) unstable; urgency=medium * Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum computation and FTBFS on big-endian hosts. * Run the test suite only on amd64, i386, and s390x. It requires lots of entropy and CPU time, which are typically hard to come by on slower archs. * Re-enable normal keylengths in test suite. * Re-enable libtls tests. * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798). * Bump Standards-Version to 3.9.6. strongswan (5.2.1-1) unstable; urgency=medium * New upstream release. * Stop shipping /etc/strongswan.conf.d in libstrongswan. strongswan (5.2.0-2) unstable; urgency=medium * Add systemd integration: + Install upstream systemd service file in strongswan-starter. + Alias strongswan.service to ipsec.service to match the sysv init script. + Drop After=syslog.target (as syslog is socket-activated nowadays), but add After=network.target to ensure that charon gets the chance to send deletes on exit. + Add ExecReload for reload action, since the starter script has one. + On linux-any, add build-dep on systemd to ensure that the pkg-config metadata file can be found. + Add build-dep on dh-systemd, and use systemd dh addon. * Remove debian/patches/03_include-stdint.patch. strongswan (5.2.0-1) unstable; urgency=medium * New upstream release. [ Romain Francoise ] * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'. * Drop hardening-wrapper from build-depends (unused since 5.0.4-1). [ Yves-Alexis Perez ] * debian/po: - pt_BR.po updated, thanks Adriano Rafael Gomes. closes: #752721 * debian/patches: 03_pfkey-Always-include-stdint.h dropped, included upstream. * debian/strongswan-starter.install: - replace tools.conf by pki.conf and scepclient.conf. strongswan (5.1.3-4) unstable; urgency=medium * debian/control: - add build-dep on pkg-config. * debian/patches: - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git: always include of stdint.h. Fix FTBFS on kFreeBSD. strongswan (5.1.3-3) unstable; urgency=medium * debian/watch: - add pgpsigurlmangle to get PGP signature * debian/upstream/signing-key.asc: - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77) * debian/control: - add build-dep on libgcrypt20-dev, fix FTBFS. closes: #747796 strongswan (5.1.3-2) unstable; urgency=low * Disable the new libtls test suite for now--it appears to be a little too intensive for slower archs. strongswan (5.1.3-1) unstable; urgency=low * New upstream release. * debian/control: make strongswan-charon depend on iproute2 | iproute, thanks to Ryo IGARASHI <rigar...@gmail.com> (closes: #744832). strongswan (5.1.2-4) unstable; urgency=high * debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338 (authentication bypass vulnerability in IKEv2 code). * debian/control: add myself to Uploaders. strongswan (5.1.2-3) unstable; urgency=medium * debian/patches/ - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b added, fix testsuite failing on 64 bit big-endian platforms (s390x). - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on armel. strongswan (5.1.2-2) unstable; urgency=medium * debian/rules: - use reduced keylengths in testsuite on various arches, hopefully fixing FTBFS when the genrsa test runs. strongswan (5.1.2-1) unstable; urgency=medium * New upstream release. * debian/control: - add conflicts against openSwan. closes: #740808 * debian/strongswan-starter,postrm: - remove /var/lib/strongswan on purge. * debian/ipsec.secrets.proto: - stop lying about ipsec showhostkey command. closes: #600382 * debian/patches: - 01_fix-manpages refreshed for new upstream. - 02_include-strongswan.conf.d removed, strongswan.d is now supported upstream. * debian/rules, debian/*.install: - install default configuration files for all plugins. * debian/NEWS: - fix spurious entry. - add a NEWS entry to advertise about the new strongswan.d configuration mechanism. -- Ryan Harper <ryan.har...@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 ** Changed in: strongswan (Ubuntu) Status: Confirmed => Fix Released ** Bug watch added: Debian Bug tracker #718291 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-2338 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-9221 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-3991 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-4171 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-8023 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1333655 Title: strongSwan AppArmor profile does not allow user priv dropping To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs