- Updated to strongSwan 5.1.1 minor release addressing two security

fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
  - Fixed a denial-of-service vulnerability and potential authorization
    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
    is an insufficient length check when comparing such identities. The
    vulnerability has been registered as CVE-2013-6075.
  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
    fragmentation payload. The cause is a NULL pointer dereference. The
    vulnerability has been registered as CVE-2013-6076.
  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
    session with a strongSwan policy enforcement point which uses the
    tnc-pdp charon plugin.
  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
    for either full SWID Tag or concise SWID Tag ID inventories.
  - The XAuth backend in eap-radius now supports multiple XAuth
    exchanges for different credential types and display messages.
    All user input gets concatenated and verified with a single
    User-Password RADIUS attribute on the AAA. With an AAA supporting
    it, one for example can implement Password+Token authentication with
    proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
    Config exchange in push mode. The ipsec.conf modeconfig=push option
    enables it for both client and server, the same way as pluto used it.
  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
    connections, charon can negotiate and install Security Associations
    integrity-protected by the Authentication Header protocol. Supported
    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
    ESP+AH bundles.
  [...]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=62

strongswan-5.1.0.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a0ce4ce80c2e3db34748a46a139db7af6f6fed578d34f470cdff8b3941188aec
-size 3602562

strongswan-5.1.0.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo
-w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11
-KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa
-rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D
-ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW
-FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN
-bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF
-uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin
-ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA==
-=A/p6
------END PGP SIGNATURE-----

strongswan-5.1.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
+size 3673200

strongswan-5.1.1.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN
+9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H
+IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt
+38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH
+7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf
+mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY
+7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI
+XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV
+gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg==
+=040C
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Fri Nov  1 12:28:39 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.1.1 minor release addressing two security
+  fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
+  - Fixed a denial-of-service vulnerability and potential authorization
+    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
+    is an insufficient length check when comparing such identities. The
+    vulnerability has been registered as CVE-2013-6075.
+  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+    fragmentation payload. The cause is a NULL pointer dereference. The
+    vulnerability has been registered as CVE-2013-6076.
+  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
+    session with a strongSwan policy enforcement point which uses the
+    tnc-pdp charon plugin.
+  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
+    for either full SWID Tag or concise SWID Tag ID inventories.
+  - The XAuth backend in eap-radius now supports multiple XAuth
+    exchanges for different credential types and display messages.
+    All user input gets concatenated and verified with a single
+    User-Password RADIUS attribute on the AAA. With an AAA supporting
+    it, one for example can implement Password+Token authentication with
+    proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
+    Config exchange in push mode. The ipsec.conf modeconfig=push option
+    enables it for both client and server, the same way as pluto used it.
+  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
+    connections, charon can negotiate and install Security Associations
+    integrity-protected by the Authentication Header protocol. Supported
+    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
+    ESP+AH bundles.
+  - The generation of initialization vectors for IKE and ESP (when using
+    libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
+    allocated sequentially, while other algorithms like AES-CBC still
+    use random IVs.
+  - The left and right options in ipsec.conf can take multiple address
+    ranges and subnets. This allows connection matching against a larger
+    set of addresses, for example to use a different connection for clients
+    connecting from a internal network.
+  - For all those who have a queasy feeling about the NIST elliptic curve
+    set, the Brainpool curves introduced for use with IKE by RFC 6932 might
+    be a more trustworthy alternative.
+  - The kernel-libipsec userland IPsec backend now supports usage
+    statistics, volume based rekeying and accepts ESPv3 style TFC padded
+    packets.
+  - With two new strongswan.conf options fwmarks can be used to implement
+    host-to-host tunnels with kernel-libipsec.
+  - load-tester supports transport mode connections and more complex
+    traffic selectors, including such using unique ports for each tunnel.
+  - The new dnscert plugin provides support for authentication via CERT
+    RRs that are protected via DNSSEC.  The plugin was created by Ruslan
+    N. Marchenko.
+  - The eap-radius plugin supports forwarding of several Cisco Unity
+    specific RADIUS attributes in corresponding configuration payloads.
+  - Database transactions are now abstracted and implemented by the two
+    backends. If you use MySQL make sure all tables use the InnoDB engine.
+  - libstrongswan now can provide an experimental custom implementation
+    of the printf family functions based on klibc if neither Vstr nor
+    glibc style printf hooks are available. This can avoid the Vstr
+    dependency on some systems at the cost of slower and less complete
+    printf functions.
+- Adjusted file lists: this version installs the pki utility and manuals
+  in common /usr directories and additional ipsec/pt-tls-client helper.
+
 -------------------------------------------------------------------
 Mon Aug  5 13:48:11 UTC 2013 - mt@suse.de
 

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.1.0
+Version:        5.1.1
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
@@ -421,7 +421,9 @@ fi
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
 %endif
+%{_bindir}/pki
 %{_sbindir}/ipsec
+%{_mandir}/man1/pki*.1*
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
@@ -433,8 +435,8 @@ fi
 %{_libexecdir}/ipsec/conftest
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/openac
-%{_libexecdir}/ipsec/pki
 %{_libexecdir}/ipsec/pool
+%{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke