Resolves: rhbz#048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6

Fix changelog entry
Include upstream patch link

.gitignore

@@ -1,3 +1,10 @@
 /strongswan-5.8.4.tar.bz2
 /strongswan-5.9.0.tar.bz2
 /strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/STRONGSWAN-RELEASE-PGP-KEY

sources

@@ -1 +1,3 @@
-SHA512 (strongswan-5.9.1.tar.bz2) = 222625e77bd86959da6dd7346cfa9f92569fc396a494bb95ddf2c8e0680b7e8041541e8a14320517a0c735d713ae0fdc0d0c4694215e812817814b0b4efc3497
+SHA512 (strongswan-5.9.5.tar.bz2.sig) = 377889158484968d33b70a2a8ae149432191bc4614a2c5c3865eea1170bee1bae8ccf844d41ea5b4a087d300cc0967cba3aec6255c33976be060022871e094c5
+SHA512 (strongswan-5.9.5.tar.bz2) = 3b11c4edb1ffccf0ea5b8b843acfe2eb18dcd3857fc2818b8481c4febe7959261e1b2804c3af29068319df469fa0b784682d3ba4d49a3eb580841ff3c34e33a1
+SHA512 (STRONGSWAN-RELEASE-PGP-KEY) = 2803ebc9bdbbe88e19b75130ad9cc36af730fd3d0c9055665da99ce9b831ce518b0083f98389e6fb9b00dd62da28fcbb03df5dbf899df52b59d49c6bd34c6d37

strongswan-5.6.2-CVE-2018-5388.patch

@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;

strongswan-5.8.4-runtime-dir.patch

@@ -1,24 +0,0 @@
-diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
---- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
-@@ -9,6 +9,8 @@
- ExecReload=@SBINDIR@/swanctl --reload
- ExecReload=@SBINDIR@/swanctl --load-all --noprompt
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target
-diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
-@@ -6,6 +6,8 @@
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- StandardOutput=syslog
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan-5.9.1-runtime-dir.patch

@@ -1,12 +0,0 @@
-diff -Naur strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in	2020-10-16 08:36:37.000000000 -0400
-+++ strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in	2021-02-12 14:06:09.985042362 -0500
-@@ -5,6 +5,8 @@
- [Service]
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan-5.9.4-test-socket.patch

@@ -0,0 +1,31 @@
+From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 11 Nov 2021 05:48:38 +0100
+Subject: [PATCH] Skip test case, which always hangs
+
+It just stops and does not continue. Avoid that test.
+---
+ src/libtls/tests/suites/test_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 9e26e91..5296680 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -804,11 +804,13 @@ Suite *socket_suite_create()
+ 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
+ 	suite_add_tcase(s, tc);
+ 
++#if 0
+ 	tc = tcase_create("TLS 1.3/key exchange groups");
+ 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+ 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
+ 						tls_crypto_get_supported_groups(NULL));
+ 	suite_add_tcase(s, tc);
++#endif
+ 
+ 	tc = tcase_create("TLS 1.3/signature schemes");
+ 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
+-- 
+2.31.1
+

strongswan-5.9.5-atexit-handlers.patch

@@ -0,0 +1,71 @@
+--- strongswan-5.9.5-orig/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-01-08 12:54:02.000000000 +0100
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-02-23 23:12:03.685111475 +0100
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -881,21 +873,12 @@
+ #endif
+ 	}
+ 	*features = f;
+-	return countof(f);
++	return count;
+ }
+ 
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);

strongswan.spec

@@ -1,22 +1,36 @@
 %global _hardened_build 1
 #%%define prerelease dr1
 
+%bcond_without python3
+%bcond_without perl
+%bcond_with    check
+
+%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
+# trousers was retired for F36+ and no longer available in RHEL with 9+
+%bcond_without tss_trousers
+%else
+%bcond_with tss_trousers
+%endif
+
 Name:           strongswan
-Version:        5.9.1
+Version:        5.9.5
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
+Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
-Source1:        tmpfiles-strongswan.conf
+Source1:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
-Patch0:         strongswan-5.9.1-runtime-dir.patch
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
-Patch1:         strongswan-5.6.0-uintptr_t.patch
+Source3:        tmpfiles-strongswan.conf
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
+Patch0:         strongswan-5.6.0-uintptr_t.patch
+# https://git.strongswan.org/?p=strongswan.git;a=commit;h=3eecd40cec6415fc033f8d9141ab652047e71524
+Patch1:         strongswan-5.9.5-atexit-handlers.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
 
-BuildRequires: make
+BuildRequires:  gnupg2
+BuildRequires:  make
 BuildRequires:  gcc
 BuildRequires:  systemd-devel
 BuildRequires:  gmp-devel
@@ -25,7 +39,6 @@ BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
@@ -33,6 +46,23 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-macros
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif
+
+%if %{with tss_trousers}
+BuildRequires:  trousers-devel
+%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -53,8 +83,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -62,14 +92,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -80,11 +110,39 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
 %prep
-%setup -q -n %{name}-%{version}%{?prerelease}
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%patch0 -p1
+%autosetup -n %{name}-%{version}%{?prerelease} -p1
-%patch1 -p1
-%patch3 -p1
 
 %build
 # only for snapshots
@@ -103,7 +161,7 @@ PT-TLS to support TNC over TLS.
     --with-piddir=%{_rundir}/strongswan \
     --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -167,26 +225,74 @@ PT-TLS to support TNC over TLS.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
-    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
+%endif
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-eggs \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+%if %{with tss_trousers}
+    --enable-tss-trousers \
+    --enable-aikgen \
 %endif
     --enable-kernel-libipsec \
     --with-capabilities=libcap \
     CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
+# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-make %{?_smp_mflags}
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %py3_build
+    %py3_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -205,21 +311,36 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:
 
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -249,6 +370,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -275,9 +397,74 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}-py*.egg-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
 * Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
-- Resolves: rhbz# 1896545 strongswan-5.9.1 is available
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
 
 * Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
 - Build with with capabilities support