From 2fa10a310915e029396ea62a59bc0075a285fc667b541da990323f9d61744eb4 Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski Date: Tue, 30 Apr 2013 13:10:58 +0000 Subject: [PATCH] - Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944): - Fixed a security vulnerability in the openssl plugin which was reported by Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA signature verification was used, due to a misinterpretation of the error code returned by the OpenSSL ECDSA_verify() function, an empty or zeroed signature was accepted as a legitimate one. Refer to our blog for details. - The handling of a couple of other non-security relevant OpenSSL return codes was fixed as well. - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its TCG TNC IF-MAP 2.1 interface. - The charon.initiator_only strongswan.conf option causes charon to ignore IKE initiation requests. - The openssl plugin can now use the openssl-fips library. The version 5.0.3 provides new ipseckey plugin, enabling authentication based on trustworthy public keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC and new openssl plugin using the AES-NI accelerated version of AES-GCM if the hardware supports it. See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 for a list of all changes since the 5.0.1 release. 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=58
---
strongswan-5.0.1.tar.bz2 | 3 ---
strongswan-5.0.1.tar.bz2.sig | 14 -----------
....1-rpmlintrc => strongswan-5.0.4-rpmlintrc | 0
strongswan-5.0.4.tar.bz2 | 3 +++
strongswan-5.0.4.tar.bz2.sig | 14 +++++++++++
strongswan.changes | 25 +++++++++++++++++++
strongswan.spec | 14 +++++++----
7 files changed, 51 insertions(+), 22 deletions(-)
delete mode 100644 strongswan-5.0.1.tar.bz2
delete mode 100644 strongswan-5.0.1.tar.bz2.sig
rename strongswan-5.0.1-rpmlintrc => strongswan-5.0.4-rpmlintrc (100%)
create mode 100644 strongswan-5.0.4.tar.bz2
create mode 100644 strongswan-5.0.4.tar.bz2.sig
diff --git a/strongswan-5.0.1.tar.bz2 b/strongswan-5.0.1.tar.bz2
deleted file mode 100644
index 9447157..0000000
--- a/strongswan-5.0.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1a4dff19ef69d15e0b90b1ea80bd183235ac73b4ecd114aab58ed54de0f5c3b4
-size 3146776
diff --git a/strongswan-5.0.1.tar.bz2.sig b/strongswan-5.0.1.tar.bz2.sig
deleted file mode 100644
index b3c676b..0000000
--- a/strongswan-5.0.1.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJQa9S/AAoJEN9CwXCzTbp30d0L/3Uj1RYm8+25k+RLIWvU1q/L
-z5+mLjNAZpxoV7t1lUuMAA2STvZFisMtoNkw2EhsdanRsEV+WYpL101EPPMja077
-BT86DVKk/IDtoGLKpQK41mV5h0bWzrUBXodw2ggoG1bOLhdfuV6z7hAn3GI+AgxM
-Eus0TUWNT6VRZzYgTAcofmUyKM4Hruh5+82OSJtj8eeCqe333fdV/k6mumxYhoLB
-b1Yp8NVuMmjbfp0T/kyMAlRMnOb1DGjun9sBNaPK+t6+wcToLDeijl+D83l67ZIl
-Et0fehugK5dbkGtUbZHOJFWiSGyVP3eDVOjxMBp6ejBAwi0GwqNWXsE0GnHJr9TL
-Q3TrM8Kt0vJ6mhlWU9KFGoRwpiyR+3pBc8smZkJvIs3kKIL5ItTVPsJcWJKu2iEd
-L6+X15ZScalcrMJOGRYjgKh7cchIgVaudJOnPLtXjfyMuq+07Zz1ZhybUIu+i5Zo
-q8AVLAoM6MkUXWKkJR51CH08+w32DaDp5p7yRyxCRA==
-=100T
------END PGP SIGNATURE-----
diff --git a/strongswan-5.0.1-rpmlintrc b/strongswan-5.0.4-rpmlintrc
similarity index 100%
rename from strongswan-5.0.1-rpmlintrc
rename to strongswan-5.0.4-rpmlintrc
diff --git a/strongswan-5.0.4.tar.bz2 b/strongswan-5.0.4.tar.bz2
new file mode 100644
index 0000000..f263636
--- /dev/null
+++ b/strongswan-5.0.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
+size 3412930
diff --git a/strongswan-5.0.4.tar.bz2.sig b/strongswan-5.0.4.tar.bz2.sig
new file mode 100644
index 0000000..8124d41
--- /dev/null
+++ b/strongswan-5.0.4.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJRflW/AAoJEN9CwXCzTbp3q+oL/jtA73UxuENW3JuA2vgXsHeU
+jpWXDfM1GLEIKgy41D2+ajqx7l1amxM4ZOqtQZhFTMXs4EwWDIxpUl8RiARkwJy6
+ueciwMnsmAbC3tmPa85JwnbgrXrMZX5IfUYRx8+3DdeIuh8gxDOu2nvYGqSdIbh2
+8jN4x21wUQ+9mLz04VmuMKAmImoAitv8z89NVg6ZNiBEiYUfFdrkCepS7IGAY1ie
+pmmYM4svK7LLuXIlQKMyq7mXccjFD0sjM3SS6cIZlxIcOlXuKMa7xmVlkfktz816
+qz8XVOtD2zRiJuxjB92W9BW5Xr/+p5kXx995GjGitxv8g3CTTlPeg4GUciH6TGSW
+46lQ36XHKQX/NccgymWYMkXmZbMbacyglz3ShR0OO/aM1/cVlQ9qiHccZDh7gt9+
+fnfTAZn0RAfbe1zYKNn1h2BoY+LxscjnaX27oWxqI7KbrfrusZiyZic5twSeADcM
+khfIOGVyOCjwTThAuGpu6p09NqoYNm6Y/9Aj+R5NiA==
+=gI6I
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 3e47414..1ac203d 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Tue Apr 30 12:48:44 UTC 2013 - mt@suse.de + +- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944): + - Fixed a security vulnerability in the openssl plugin which was + reported by Kevin Wojtysiak. The vulnerability has been registered + as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA + signature verification was used, due to a misinterpretation of the + error code returned by the OpenSSL ECDSA_verify() function, an empty + or zeroed signature was accepted as a legitimate one. Refer to our + blog for details. + - The handling of a couple of other non-security relevant OpenSSL + return codes was fixed as well. + - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses + via its TCG TNC IF-MAP 2.1 interface. + - The charon.initiator_only strongswan.conf option causes charon to + ignore IKE initiation requests. + - The openssl plugin can now use the openssl-fips library. + The version 5.0.3 provides new ipseckey plugin, enabling authentication + based on trustworthy public keys stored as IPSECKEY resource records in + the DNS and protected by DNSSEC and new openssl plugin using the AES-NI + accelerated version of AES-GCM if the hardware supports it. + See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 + for a list of all changes since the 5.0.1 release. + ------------------------------------------------------------------- Thu Nov 29 19:13:40 CET 2012 - sbrabec@suse.cz diff --git a/strongswan.spec b/strongswan.spec index 713f4f2..65ea6d9 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ Name: strongswan -Version: 5.0.1 +Version: 5.0.4 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -28,12 +28,12 @@ Release: 0 %else %bcond_with tests %endif -%if 1 +%if 0%{suse_version} > 1110 %bcond_without mysql %else %bcond_with mysql %endif -%if 0%{suse_version} >= 1110 +%if 0%{suse_version} > 1110 %bcond_without sqlite %bcond_without gcrypt %bcond_without nm @@ -319,6 +319,8 @@ export RPM_OPT_FLAGS CFLAGS %endif %if %{with nm} --enable-nm \ +%else + --disable-nm \ %endif %if %{with tests} --enable-load-tester \ @@ -351,7 +353,7 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets # EOT # -rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so +rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so find $RPM_BUILD_ROOT%{strongswan_libdir} \ -name "*.a" -o -name "*.la" | xargs -r rm -f @@ -464,6 +466,7 @@ fi %{strongswan_libdir}/libchecksum.so %{strongswan_libdir}/libcharon.so.* %{strongswan_libdir}/libhydra.so.* +%{strongswan_libdir}/libpttls.so.* %{strongswan_libdir}/libradius.so.* %{strongswan_libdir}/libsimaka.so.* %{strongswan_libdir}/libstrongswan.so.* @@ -532,6 +535,7 @@ fi %{strongswan_plugins}/libstrongswan-pgp.so %{strongswan_plugins}/libstrongswan-pkcs1.so %{strongswan_plugins}/libstrongswan-pkcs11.so +%{strongswan_plugins}/libstrongswan-pkcs7.so %{strongswan_plugins}/libstrongswan-pkcs8.so %{strongswan_plugins}/libstrongswan-pubkey.so %{strongswan_plugins}/libstrongswan-radattr.so
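Review bot: In the `@@ -28,12 +28,12 @@` hunk of strongswan.spec the build defaults change for targets where `suse_version` is exactly 1110, and neither the commit message nor the new strongswan.changes entry mentions it: mysql goes from always enabled (`%if 1`) to gated, and the `>=` to `>` change turns off the sqlite, gcrypt and nm defaults there. Because this commit is also the CVE-2013-2944 update, a consumer on that target receives a different plugin set together with the security fix, which makes the update harder to audit and to backport. I would add a changelog line for it and a comment above each conditional, for example `# suse_version <= 1110: built without mysql/sqlite/gcrypt/nm by default`. The `%else` branch of the second conditional lies outside the hunk, so the exact defaults it sets should be confirmed before wording the comment.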