Dear release team,

please unblock the current version 2.6.28+dfsg-4 of the openswan package from sid for the following reasons:

08-initd-configcheck.dpatch (slightly modified version included upstream in git commit 5e679e7094292eaa71d701aef3aa7a84e0f78ffd by me) does a check of the config file prior to starting/restarting/reloading ipsec. As configuration options between 2.4.12 from Lenny and 2.6.28 from Squeeze changed, without this patch a restart of openswan (either via postinst or by hand) may render some to all IPSec VPN connections unusable, which may lead to grave problems when the system is only accessible through such a connection.

05-NETKEY-transport-mode+l2tp-fix.dpatch (upstream git commit 20a8ae4a7a50d3cc100334d5a0851043c71e2c25 by Paul Wouters) fixes an issue where the in-kernel NETKEY stack sends bogus messages when Windows or MacOSX clients try to establish a transport mode IPSec connection over which an L2TP tunnel is run. The result of this problem is that clients are unable to connect to the L2TP daemon, requiring manual interaction on the VPN server (in one case, reported upstream by Debian user Jerome Alet, even killing xl2tpd with signal 9 was necessary, please see http://lists.openswan.org/pipermail/users/2010-November/019620.html). As this fix was included in upstream version 2.6.29 (released on September 27, 2010) and the Debian package with this patch included was tested by Jerome Alet, I IMHO consider this code stable enough for inclusion.

06-Windows_XP-NAT_OA-l2tp-fix.dpatch (upstream git commit 234ca9dc3cdbe8260c9c3983f2fa5fb5c23 by Wolfgang Nothdurft) fixes an issue in environments where both Windows 7 and XP are using L2TP over IPSec tunnels. As Windows XP sends a message with an empty value, openswan cannot return the L2TP answers, which renders access for the XP clients broken. The fix for this problem was included in upstream version 2.6.30 (released on October 18, 2010) and got previously tested by the patch writer who also did the initial bug report.
Considering these facts as well as that the fix is less than 10 lines long and only adds an if-clause checking for a valid IP address around the problematic code, this patch is IMHO worth inclusion too.

If you have any further questions please don't hesitate to contact me.

Kind regards and thanks for your time
Harald Jenny