1
0
forked from pool/strongswan

- Updated to strongSwan 5.1.1 minor release addressing two security

fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
  - Fixed a denial-of-service vulnerability and potential authorization
    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
    is an insufficient length check when comparing such identities. The
    vulnerability has been registered as CVE-2013-6075.
  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
    fragmentation payload. The cause is a NULL pointer dereference. The
    vulnerability has been registered as CVE-2013-6076.
  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
    session with a strongSwan policy enforcement point which uses the
    tnc-pdp charon plugin.
  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
    for either full SWID Tag or concise SWID Tag ID inventories.
  - The XAuth backend in eap-radius now supports multiple XAuth
    exchanges for different credential types and display messages.
    All user input gets concatenated and verified with a single
    User-Password RADIUS attribute on the AAA. With an AAA supporting
    it, one for example can implement Password+Token authentication with
    proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
    Config exchange in push mode. The ipsec.conf modeconfig=push option
    enables it for both client and server, the same way as pluto used it.
  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
    connections, charon can negotiate and install Security Associations
    integrity-protected by the Authentication Header protocol. Supported
    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
    ESP+AH bundles.
  [...]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=62
This commit is contained in:
Marius Tomaschewski 2013-11-01 12:47:59 +00:00 committed by Git OBS Bridge
parent edd96c4f8d
commit 2f4b26b633
7 changed files with 84 additions and 19 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a0ce4ce80c2e3db34748a46a139db7af6f6fed578d34f470cdff8b3941188aec
size 3602562

View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo
w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11
KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa
rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D
ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW
FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN
bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF
uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin
ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA==
=A/p6
-----END PGP SIGNATURE-----

3
strongswan-5.1.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
size 3673200

View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN
9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H
IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt
38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH
7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf
mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY
7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI
XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV
gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg==
=040C
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,66 @@
-------------------------------------------------------------------
Fri Nov 1 12:28:39 UTC 2013 - mt@suse.de
- Updated to strongSwan 5.1.1 minor release addressing two security
fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
- Fixed a denial-of-service vulnerability and potential authorization
bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
is an insufficient length check when comparing such identities. The
vulnerability has been registered as CVE-2013-6075.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
fragmentation payload. The cause is a NULL pointer dereference. The
vulnerability has been registered as CVE-2013-6076.
- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
session with a strongSwan policy enforcement point which uses the
tnc-pdp charon plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
for either full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth
exchanges for different credential types and display messages.
All user input gets concatenated and verified with a single
User-Password RADIUS attribute on the AAA. With an AAA supporting
it, one for example can implement Password+Token authentication with
proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode
Config exchange in push mode. The ipsec.conf modeconfig=push option
enables it for both client and server, the same way as pluto used it.
- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
connections, charon can negotiate and install Security Associations
integrity-protected by the Authentication Header protocol. Supported
are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
ESP+AH bundles.
- The generation of initialization vectors for IKE and ESP (when using
libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
allocated sequentially, while other algorithms like AES-CBC still
use random IVs.
- The left and right options in ipsec.conf can take multiple address
ranges and subnets. This allows connection matching against a larger
set of addresses, for example to use a different connection for clients
connecting from a internal network.
- For all those who have a queasy feeling about the NIST elliptic curve
set, the Brainpool curves introduced for use with IKE by RFC 6932 might
be a more trustworthy alternative.
- The kernel-libipsec userland IPsec backend now supports usage
statistics, volume based rekeying and accepts ESPv3 style TFC padded
packets.
- With two new strongswan.conf options fwmarks can be used to implement
host-to-host tunnels with kernel-libipsec.
- load-tester supports transport mode connections and more complex
traffic selectors, including such using unique ports for each tunnel.
- The new dnscert plugin provides support for authentication via CERT
RRs that are protected via DNSSEC. The plugin was created by Ruslan
N. Marchenko.
- The eap-radius plugin supports forwarding of several Cisco Unity
specific RADIUS attributes in corresponding configuration payloads.
- Database transactions are now abstracted and implemented by the two
backends. If you use MySQL make sure all tables use the InnoDB engine.
- libstrongswan now can provide an experimental custom implementation
of the printf family functions based on klibc if neither Vstr nor
glibc style printf hooks are available. This can avoid the Vstr
dependency on some systems at the cost of slower and less complete
printf functions.
- Adjusted file lists: this version installs the pki utility and manuals
in common /usr directories and additional ipsec/pt-tls-client helper.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 5 13:48:11 UTC 2013 - mt@suse.de Mon Aug 5 13:48:11 UTC 2013 - mt@suse.de

View File

@ -17,7 +17,7 @@
Name: strongswan Name: strongswan
Version: 5.1.0 Version: 5.1.1
Release: 0 Release: 0
%define upstream_version %{version} %define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name} %define strongswan_docdir %{_docdir}/%{name}
@ -421,7 +421,9 @@ fi
%config %{_sysconfdir}/init.d/ipsec %config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec %{_sbindir}/rcipsec
%endif %endif
%{_bindir}/pki
%{_sbindir}/ipsec %{_sbindir}/ipsec
%{_mandir}/man1/pki*.1*
%{_mandir}/man8/ipsec.8* %{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5* %{_mandir}/man5/ipsec.secrets.5*
@ -433,8 +435,8 @@ fi
%{_libexecdir}/ipsec/conftest %{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/openac %{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/pt-tls-client
%{_libexecdir}/ipsec/scepclient %{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke %{_libexecdir}/ipsec/stroke