From 2f4b26b633362613fbb9e9cdcf6ed756e885f9735c4eaa296189f56c647a198b Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski
Date: Fri, 1 Nov 2013 12:47:59 +0000
Subject: [PATCH] - Updated to strongSwan 5.1.1 minor release addressing two
 security fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):

  - Fixed a denial-of-service vulnerability and potential authorization
    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is
    an insufficient length check when comparing such identities. The
    vulnerability has been registered as CVE-2013-6075.
  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
    fragmentation payload. The cause is a NULL pointer dereference. The
    vulnerability has been registered as CVE-2013-6076.
  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
    session with a strongSwan policy enforcement point which uses the
    tnc-pdp charon plugin.
  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for
    either full SWID Tag or concise SWID Tag ID inventories.
  - The XAuth backend in eap-radius now supports multiple XAuth exchanges
    for different credential types and display messages. All user input
    gets concatenated and verified with a single User-Password RADIUS
    attribute on the AAA. With an AAA supporting it, one for example can
    implement Password+Token authentication with proper dialogs on iOS
    and OS X clients.
  - charon supports IKEv1 Mode Config exchange in push mode. The
    ipsec.conf modeconfig=push option enables it for both client and
    server, the same way as pluto used it.
  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
    connections, charon can negotiate and install Security Associations
    integrity-protected by the Authentication Header protocol. Supported
    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
    ESP+AH bundles.
  [...]
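As an added illustration of the two ipsec.conf options named in the commit message (the "ah" keyword and modeconfig=push), and not configuration taken from this package or from the strongSwan project, the fragment below defines a plain-AH IKEv2 site link and an IKEv1 road-warrior connection using push-mode Mode Config. The gateway addresses, identities, certificate file names and address pool are constructed placeholders.

```ini
# Added example; not part of the package or the strongSwan sources.
# Addresses, identities, certificate files and the pool are constructed.

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048

# Integrity-only site link using the "ah" keyword: charon negotiates an
# AH SA. There is deliberately no esp= line, because ESP+AH bundles are
# not supported, and AH gives integrity but no confidentiality.
conn ah-site-link
    left=192.0.2.10
    leftcert=gwA.pem
    leftid=@gwa.example.org
    leftsubnet=10.1.0.0/16
    right=198.51.100.20
    rightid=@gwb.example.org
    rightsubnet=10.2.0.0/16
    ah=sha256-modp2048
    auto=add

# IKEv1 road-warrior connection that assigns client addresses via
# Mode Config in push mode (the pluto-style behaviour the commit
# message refers to); clients authenticate with a certificate and
# a second XAuth round.
conn ikev1-push
    keyexchange=ikev1
    modeconfig=push
    left=192.0.2.10
    leftcert=gwA.pem
    leftid=@gwa.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.3.0.0/24
    rightauth=pubkey
    rightauth2=xauth
    auto=add
```

After `ipsec reload`, `ipsec statusall` lists both connections with the algorithms actually negotiated, which is the quickest way to confirm that the site link really came up as AH rather than ESP.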
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=62 --- strongswan-5.1.0.tar.bz2 | 3 - strongswan-5.1.0.tar.bz2.sig | 14 ----- ....0-rpmlintrc => strongswan-5.1.1-rpmlintrc | 0 strongswan-5.1.1.tar.bz2 | 3 + strongswan-5.1.1.tar.bz2.sig | 14 +++++ strongswan.changes | 63 +++++++++++++++++++ strongswan.spec | 6 +- 7 files changed, 84 insertions(+), 19 deletions(-) delete mode 100644 strongswan-5.1.0.tar.bz2 delete mode 100644 strongswan-5.1.0.tar.bz2.sig rename strongswan-5.1.0-rpmlintrc => strongswan-5.1.1-rpmlintrc (100%) create mode 100644 strongswan-5.1.1.tar.bz2 create mode 100644 strongswan-5.1.1.tar.bz2.sig diff --git a/strongswan-5.1.0.tar.bz2 b/strongswan-5.1.0.tar.bz2 deleted file mode 100644 index d823829..0000000 --- a/strongswan-5.1.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a0ce4ce80c2e3db34748a46a139db7af6f6fed578d34f470cdff8b3941188aec -size 3602562 diff --git a/strongswan-5.1.0.tar.bz2.sig b/strongswan-5.1.0.tar.bz2.sig deleted file mode 100644 index 360aa4b..0000000 --- a/strongswan-5.1.0.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo -w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11 -KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa -rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D -ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW -FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN -bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF -uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin -ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA== -=A/p6 ------END PGP SIGNATURE----- diff --git a/strongswan-5.1.0-rpmlintrc b/strongswan-5.1.1-rpmlintrc similarity index 100% rename from strongswan-5.1.0-rpmlintrc rename to strongswan-5.1.1-rpmlintrc 
diff --git a/strongswan-5.1.1.tar.bz2 b/strongswan-5.1.1.tar.bz2 new file mode 100644 index 0000000..d7310ed --- /dev/null +++ b/strongswan-5.1.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406 +size 3673200 diff --git a/strongswan-5.1.1.tar.bz2.sig b/strongswan-5.1.1.tar.bz2.sig new file mode 100644 index 0000000..2e0fafe --- /dev/null +++ b/strongswan-5.1.1.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN +9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H +IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt +38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH +7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf +mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY +7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI +XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV +gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg== +=040C +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index c1a2b47..4b12546 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,66 @@ +------------------------------------------------------------------- +Fri Nov 1 12:28:39 UTC 2013 - mt@suse.de + +- Updated to strongSwan 5.1.1 minor release addressing two security + fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076): + - Fixed a denial-of-service vulnerability and potential authorization + bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause + is an insufficient length check when comparing such identities. The + vulnerability has been registered as CVE-2013-6075. + - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 + fragmentation payload. The cause is a NULL pointer dereference. The + vulnerability has been registered as CVE-2013-6076. + - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS + session with a strongSwan policy enforcement point which uses the + tnc-pdp charon plugin. + - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests + for either full SWID Tag or concise SWID Tag ID inventories. + - The XAuth backend in eap-radius now supports multiple XAuth + exchanges for different credential types and display messages. + All user input gets concatenated and verified with a single + User-Password RADIUS attribute on the AAA. With an AAA supporting + it, one for example can implement Password+Token authentication with + proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode + Config exchange in push mode. The ipsec.conf modeconfig=push option + enables it for both client and server, the same way as pluto used it. + - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 + connections, charon can negotiate and install Security Associations + integrity-protected by the Authentication Header protocol. Supported + are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style + ESP+AH bundles. + - The generation of initialization vectors for IKE and ESP (when using + libipsec) is now modularized and IVs for e.g. 
AES-GCM are now correctly + allocated sequentially, while other algorithms like AES-CBC still + use random IVs. + - The left and right options in ipsec.conf can take multiple address + ranges and subnets. This allows connection matching against a larger + set of addresses, for example to use a different connection for clients + connecting from a internal network. + - For all those who have a queasy feeling about the NIST elliptic curve + set, the Brainpool curves introduced for use with IKE by RFC 6932 might + be a more trustworthy alternative. + - The kernel-libipsec userland IPsec backend now supports usage + statistics, volume based rekeying and accepts ESPv3 style TFC padded + packets. + - With two new strongswan.conf options fwmarks can be used to implement + host-to-host tunnels with kernel-libipsec. + - load-tester supports transport mode connections and more complex + traffic selectors, including such using unique ports for each tunnel. + - The new dnscert plugin provides support for authentication via CERT + RRs that are protected via DNSSEC. The plugin was created by Ruslan + N. Marchenko. + - The eap-radius plugin supports forwarding of several Cisco Unity + specific RADIUS attributes in corresponding configuration payloads. + - Database transactions are now abstracted and implemented by the two + backends. If you use MySQL make sure all tables use the InnoDB engine. + - libstrongswan now can provide an experimental custom implementation + of the printf family functions based on klibc if neither Vstr nor + glibc style printf hooks are available. This can avoid the Vstr + dependency on some systems at the cost of slower and less complete + printf functions. +- Adjusted file lists: this version installs the pki utility and manuals + in common /usr directories and additional ipsec/pt-tls-client helper. + ------------------------------------------------------------------- Mon Aug 5 13:48:11 UTC 2013 - mt@suse.de 
diff --git a/strongswan.spec b/strongswan.spec index 15bb141..6f6a34f 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.1.0 +Version: 5.1.1 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -421,7 +421,9 @@ fi %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec %endif +%{_bindir}/pki %{_sbindir}/ipsec +%{_mandir}/man1/pki*.1* %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* @@ -433,8 +435,8 @@ fi %{_libexecdir}/ipsec/conftest %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/openac -%{_libexecdir}/ipsec/pki %{_libexecdir}/ipsec/pool +%{_libexecdir}/ipsec/pt-tls-client %{_libexecdir}/ipsec/scepclient %{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/stroke
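Review bot: In the strongswan-5.1.1.tar.bz2.sig hunk a new detached signature is added, but the change contains no keyring update and no visible verification step, so nothing in this commit demonstrates that the 5.1.1 tarball was checked. The encoded prefix of both the removed and the added signature carries the same issuer field (the `AAoJEN9CwXCzTbp3` run after the creation-time bytes), which is consistent with the same signing key, but that is not a substitute for running `gpg --verify` against the upstream key; also compare the LFS pointer's `oid sha256:fbf2a668...` and `size 3673200` with the checksum published upstream, since the pointer is the only integrity record the repository keeps for the source.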
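Review bot: In the strongswan.changes hunk the "charon supports IKEv1 Mode Config exchange in push mode" item is run onto the end of the preceding XAuth entry (`proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode`) instead of starting on its own `  - ` line like every other sub-item, and the IV entry is broken after `IVs for e.g.`; please re-wrap both so the changelog parses as a list. Minor wording in the same hunk: `clients connecting from a internal network` should read `an internal network`.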
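Review bot: In the strongswan.spec %files hunks the `pki` utility moves from `%{_libexecdir}/ipsec/pki` to `%{_bindir}/pki`, so anything on the system that called the old libexec path directly will break after the update; confirm that the `ipsec pki` wrapper resolves the new location and decide whether a compatibility symlink in `%{_libexecdir}/ipsec` is wanted for one release. The `%{_mandir}/man1/pki*.1*` glob will also pick up any subcommand pages that share the `pki` prefix, which is presumably intended, and the new `%{_libexecdir}/ipsec/pt-tls-client` entry matches the helper named in the changes entry.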