From 9d37f89cf7c39f5ad05f2bdd96ce682ee97f0c81216937cfb605422457b08750 Mon Sep 17 00:00:00 2001 
From: Jan Engelhardt Date: Mon, 22 Nov 2021 20:53:44 +0000 Subject: [PATCH] Accepting request 933151 from home:iznogood:branches:network:vpn - Update to version 5.9.4: * Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details. * Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details. * Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure. * AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs. * Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2). * Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte. * Loading SSH public keys via vici has been improved. * Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory. * Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode. * The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0. * libtpmtss is initialized in all programs and libraries that use it. * Migrated testing scripts to Python 3. 
OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
---
 strongswan-5.9.3.tar.bz2 | 3 ---
 strongswan-5.9.3.tar.bz2.sig | 14 --------------
 strongswan-5.9.4.tar.bz2 | 3 +++
 strongswan-5.9.4.tar.bz2.sig | 14 ++++++++++++++
 strongswan.changes | 36 ++++++++++++++++++++++++++++++++++++
 strongswan.spec | 3 ++-
 6 files changed, 55 insertions(+), 18 deletions(-)
 delete mode 100644 strongswan-5.9.3.tar.bz2
 delete mode 100644 strongswan-5.9.3.tar.bz2.sig
 create mode 100644 strongswan-5.9.4.tar.bz2
 create mode 100644 strongswan-5.9.4.tar.bz2.sig
diff --git a/strongswan-5.9.3.tar.bz2 b/strongswan-5.9.3.tar.bz2
deleted file mode 100644
index 4c3c54f..0000000
--- a/strongswan-5.9.3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9325ab56a0a4e97e379401e1d942ce3e0d8b6372291350ab2caae0755862c6f7
-size 4652311
diff --git a/strongswan-5.9.3.tar.bz2.sig b/strongswan-5.9.3.tar.bz2.sig
deleted file mode 100644
index f74aaaf..0000000
--- a/strongswan-5.9.3.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmDkSF0ACgkQ30LBcLNN
-uncrygwAjMYQOjm18Xzu/nnqhGZhgtAjk5yFRsSAwjcbevcC9a8q0aRWyMXA6Yhl
-LQOclYEBbyH4r/59GEHrZNvAHJ0iwAxtp20DcqUwzjRzrwL2g6/FZI1LTRkr0W0r
-3neaM8xVVZhpCUoVFVI1RZlpocwElgHGliivCnLwhEvEHJE89bzStBgdqbIZx3E1
-Piz0Ta6qkN1mglGtnsmFeImY3MosUdoQ0aj8q6dthmzNPxpn6f80RHkdoJm7S783
-FMFhwds4wLCp33v7JpAoGMvDJJnMtErj5PMSwrmN//eArWKHGWQPlGJq0OKZcJWO
-JI3sUaUsQlQ+3YsV63QIq6Oyav7h7yCmS9jEk9tiTB8QXj7GJrRpBetIYmvdzRMd
-wHmvZOC3vGdoEj8AKKNF447X3WMEVs0/DEYr/PHh6h6X9Ed8NyKVhiLm+OE6nk9F
-0Fthllsf+z8LLd+q1OPwH69FsI9J8oiW/pVyXB/MmBdu+0r6A1+EJw0cxqmqbLuN
-uN1rNh4k
-=O9SJ
------END PGP SIGNATURE-----
diff --git a/strongswan-5.9.4.tar.bz2 b/strongswan-5.9.4.tar.bz2
new file mode 100644
index 0000000..73b5998
--- /dev/null
+++ b/strongswan-5.9.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518
+size 4651000
diff --git a/strongswan-5.9.4.tar.bz2.sig b/strongswan-5.9.4.tar.bz2.sig
new file mode 100644
index 0000000..b3f3668
--- /dev/null
+++ b/strongswan-5.9.4.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmFtRUEACgkQ30LBcLNN
+undRkwwAo22C+tsCWS+QFmAZZ7l2pMrYYwCSFJns+wVnzw5+7hhGR3JysoDnf+9A
+706SKcEPWnlXI7BwAk/9hdTDxdzfYQ7FEOJRZVk6+wOsodwR/EJpETj7OLGYbu/u
+tsTIPkJCtVPtO/v+3H4pnrdG+KRNTynN4vNzyWSjwNEw3yGusk0jiidsdhr7I+cy
+X6VG+cOkAVjjyWUHToxUufVEeJybAFhaeR39/mpBLk2xBF4e6/L+BQYjnsqleeAh
+Yj8txL7FgVymsm09LrrzSEcY1ntXRobzKZqDJA8u3fxDvn19hAhb07uo3pnk3G05
+NPvXFNqhYjyY5qaiQxiCXpOEliJUOZuPU4VM2WL2t2obAW1gWEjNXeWc9YjocIEf
+BLGZttfj5iM8Htt486YzdPW4uqR/MnuoRHbr4vFG7NWs4Mw2dAtSQWXu8k/PmoxH
+5gmxJwjyp8WBhEe3ZCczd1bnCz5+Ms8ycq3Icnvd837ZJalXVrxZAma/He83u7fF
+hVkK6RLz
+=05ZP
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 6e9f93d..c8b3704 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie
+
+- Update to version 5.9.4:
+ * Fixed a denial-of-service vulnerability in the gmp plugin that
+ was caused by an integer overflow when processing RSASSA-PSS
+ signatures with very large salt lengths. This vulnerability has
+ been registered as CVE-2021-41990. Please refer to our blog for
+ details.
+ * Fixed a denial-of-service vulnerability in the in-memory
+ certificate cache if certificates are replaced and a very large
+ random value caused an integer overflow. This vulnerability has
+ been registered as CVE-2021-41991. Please refer to our blog for
+ details.
+ * Fixed a related flaw that caused the daemon to accept and cache
+ an infinite number of versions of a valid certificate by
+ modifying the parameters in the signatureAlgorithm field of the
+ outer X.509 Certificate structure.
+ * AUTH_LIFETIME notifies are now only sent by a responder if it
+ can't reauthenticate the IKE_SA itself due to asymmetric
+ authentication (i.e. EAP) or the use of virtual IPs.
+ * Several corner cases with reauthentication have been fixed
+ (48fbe1d, 36161fe, 0d373e2).
+ * Serial number generation in several pki sub-commands has been
+ fixed so they don't start with an unintended zero byte.
+ * Loading SSH public keys via vici has been improved.
+ * Shared secrets, PEM files, vici messages, PF_KEY messages,
+ swanctl configs and other data is properly wiped from memory.
+ * Use a longer dummy key to initialize HMAC instances in the
+ openssl plugin in case it's used in FIPS-mode.
+ * The --enable-tpm option now implies --enable-tss-tss2 as the
+ plugin doesn't do anything without a TSS 2.0.
+ * libtpmtss is initialized in all programs and libraries that use
+ it.
+ * Migrated testing scripts to Python 3.
+
 -------------------------------------------------------------------
 Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie
diff --git a/strongswan.spec b/strongswan.spec
index 9505c91..df3da84 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -17,7 +17,7 @@
 Name: strongswan
-Version: 5.9.3
+Version: 5.9.4
 Release: 0
 %define upstream_version %{version}
 %define strongswan_docdir %{_docdir}/%{name}
@@ -558,6 +558,7 @@ fi
 %endif
 %{_bindir}/pki
 %{_bindir}/pt-tls-client
+%{_bindir}/tpm_extendpcr
 %{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
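Review bot: `+%{_bindir}/tpm_extendpcr` is listed unconditionally in the %files hunk, directly after an `%endif`, although the changelog for this same update states the TPM code does nothing unless the build is configured with `--enable-tpm` (which 5.9.4 makes imply `--enable-tss-tss2`); whether this spec's %build passes that option is outside the hunk, so if TPM support is optional here the new entry belongs under the same `%if` guard as the rest of the TPM files, otherwise rpmbuild aborts on the missing binary. A supply-chain check worth confirming with this tarball swap is that the newly added `strongswan-5.9.4.tar.bz2.sig` is actually consumed, i.e. the spec lists it as a `Source:` alongside a `%{name}.keyring` so the service verifies the tarball against the upstream signing key, since a detached signature sitting in the package directory proves nothing on its own; the Source lines are not part of this hunk. The `%files` section this hunk belongs to starts and ends outside the hunk.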