Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.
Since most libraries changed we have to completely rebuild all the tools
installed in the root image. We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for. It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned). However, that's also the case when updating kernel or
software versions.
It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.
Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.
GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing. This causes invalid frees if
leak detective is active. Other invalid frees are related to time
conversions (tzset).
References #1382.
/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring a "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
