Accepting request 933164 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/933164
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=78

strongswan-5.9.3.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9325ab56a0a4e97e379401e1d942ce3e0d8b6372291350ab2caae0755862c6f7
-size 4652311

strongswan-5.9.3.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmDkSF0ACgkQ30LBcLNN
-uncrygwAjMYQOjm18Xzu/nnqhGZhgtAjk5yFRsSAwjcbevcC9a8q0aRWyMXA6Yhl
-LQOclYEBbyH4r/59GEHrZNvAHJ0iwAxtp20DcqUwzjRzrwL2g6/FZI1LTRkr0W0r
-3neaM8xVVZhpCUoVFVI1RZlpocwElgHGliivCnLwhEvEHJE89bzStBgdqbIZx3E1
-Piz0Ta6qkN1mglGtnsmFeImY3MosUdoQ0aj8q6dthmzNPxpn6f80RHkdoJm7S783
-FMFhwds4wLCp33v7JpAoGMvDJJnMtErj5PMSwrmN//eArWKHGWQPlGJq0OKZcJWO
-JI3sUaUsQlQ+3YsV63QIq6Oyav7h7yCmS9jEk9tiTB8QXj7GJrRpBetIYmvdzRMd
-wHmvZOC3vGdoEj8AKKNF447X3WMEVs0/DEYr/PHh6h6X9Ed8NyKVhiLm+OE6nk9F
-0Fthllsf+z8LLd+q1OPwH69FsI9J8oiW/pVyXB/MmBdu+0r6A1+EJw0cxqmqbLuN
-uN1rNh4k
-=O9SJ
------END PGP SIGNATURE-----

strongswan-5.9.4.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518
+size 4651000

strongswan-5.9.4.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmFtRUEACgkQ30LBcLNN
+undRkwwAo22C+tsCWS+QFmAZZ7l2pMrYYwCSFJns+wVnzw5+7hhGR3JysoDnf+9A
+706SKcEPWnlXI7BwAk/9hdTDxdzfYQ7FEOJRZVk6+wOsodwR/EJpETj7OLGYbu/u
+tsTIPkJCtVPtO/v+3H4pnrdG+KRNTynN4vNzyWSjwNEw3yGusk0jiidsdhr7I+cy
+X6VG+cOkAVjjyWUHToxUufVEeJybAFhaeR39/mpBLk2xBF4e6/L+BQYjnsqleeAh
+Yj8txL7FgVymsm09LrrzSEcY1ntXRobzKZqDJA8u3fxDvn19hAhb07uo3pnk3G05
+NPvXFNqhYjyY5qaiQxiCXpOEliJUOZuPU4VM2WL2t2obAW1gWEjNXeWc9YjocIEf
+BLGZttfj5iM8Htt486YzdPW4uqR/MnuoRHbr4vFG7NWs4Mw2dAtSQWXu8k/PmoxH
+5gmxJwjyp8WBhEe3ZCczd1bnCz5+Ms8ycq3Icnvd837ZJalXVrxZAma/He83u7fF
+hVkK6RLz
+=05ZP
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 5.9.4:
+  * Fixed a denial-of-service vulnerability in the gmp plugin that
+    was caused by an integer overflow when processing RSASSA-PSS
+    signatures with very large salt lengths. This vulnerability has
+    been registered as CVE-2021-41990. Please refer to our blog for
+    details.
+  * Fixed a denial-of-service vulnerability in the in-memory
+    certificate cache if certificates are replaced and a very large
+    random value caused an integer overflow. This vulnerability has
+    been registered as CVE-2021-41991. Please refer to our blog for
+    details.
+  * Fixed a related flaw that caused the daemon to accept and cache
+    an infinite number of versions of a valid certificate by
+    modifying the parameters in the signatureAlgorithm field of the
+    outer X.509 Certificate structure.
+  * AUTH_LIFETIME notifies are now only sent by a responder if it
+    can't reauthenticate the IKE_SA itself due to asymmetric
+    authentication (i.e. EAP) or the use of virtual IPs.
+  * Several corner cases with reauthentication have been fixed
+    (48fbe1d, 36161fe, 0d373e2).
+  * Serial number generation in several pki sub-commands has been
+    fixed so they don't start with an unintended zero byte.
+  * Loading SSH public keys via vici has been improved.
+  * Shared secrets, PEM files, vici messages, PF_KEY messages,
+    swanctl configs and other data is properly wiped from memory.
+  * Use a longer dummy key to initialize HMAC instances in the
+    openssl plugin in case it's used in FIPS-mode.
+  * The --enable-tpm option now implies --enable-tss-tss2 as the
+    plugin doesn't do anything without a TSS 2.0.
+  * libtpmtss is initialized in all programs and libraries that use
+    it.
+  * Migrated testing scripts to Python 3.
+
 -------------------------------------------------------------------
 Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
 

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.9.3
+Version:        5.9.4
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -558,6 +558,7 @@ fi
 %endif
 %{_bindir}/pki
 %{_bindir}/pt-tls-client
+%{_bindir}/tpm_extendpcr
 %{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*