From 509c30e68d806b0e3b1f5944f65e99aa8212beb56271c621b9f7b3428c7924d7 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Jan 2020 08:50:51 +0000 Subject: [PATCH 1/2] Accepting request 761676 from home:iznogood:branches:network:vpn - Update to version 5.8.2: * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. * boo#1109845 and boo#1107874. - Please check included NEWS file for info on what other changes that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1 and 5.7.0. - Rebase strongswan_ipsec_service.patch. - Disable patches that need rebase or dropping: * strongswan_modprobe_syslog.patch * 0006-fix-compilation-error-by-adding-stdint.h.patch - Add conditional pkgconfig(libsystemd) BuildRequires: New dependency. OBS-URL: https://build.opensuse.org/request/show/761676 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=114 --- strongswan-5.6.3.tar.bz2 | 3 --- strongswan-5.6.3.tar.bz2.sig | 14 -------------- strongswan-5.8.2.tar.bz2 | 3 +++ strongswan-5.8.2.tar.bz2.sig | 14 ++++++++++++++ strongswan.changes | 16 ++++++++++++++++ strongswan.spec | 32 +++++++++++++++++++++++++------- strongswan_ipsec_service.patch | 4 ++-- 7 files changed, 60 insertions(+), 26 deletions(-) delete mode 100644 strongswan-5.6.3.tar.bz2 delete mode 100644 strongswan-5.6.3.tar.bz2.sig create mode 100644 strongswan-5.8.2.tar.bz2 create mode 100644 strongswan-5.8.2.tar.bz2.sig diff --git a/strongswan-5.6.3.tar.bz2 b/strongswan-5.6.3.tar.bz2 deleted file mode 100644 index be84396..0000000 --- a/strongswan-5.6.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24 -size 4961579 diff --git a/strongswan-5.6.3.tar.bz2.sig b/strongswan-5.6.3.tar.bz2.sig deleted file mode 100644 index 813e2e9..0000000 --- a/strongswan-5.6.3.tar.bz2.sig +++ /dev/null 
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJbC/V/AAoJEN9CwXCzTbp3xwsL/RivLwRDRkIDC93Le2B/d7dT
-/BHN/4PDmy+dEzysNVPXDG8TLm1VWgaIXvh0pVzPq4ohJSOP0tPFoeyJpHtPT9Xt
-x/VLnVlw2lNm70MZxXh1w9U6oEt8Sce9jtRJuEu54RhHBPcypNhNY1OsE1v8yeKf
-1MYENntcs/ATn7OkgtCALIB9WAZEFnXMQmpG+9hUzsr6zBfTY33t2QbsVeoiZAnV
-yTIRZQgilEAx9ZahjF1Vri1plUti8ZL/W9y0OnWt+/oOnXAx91NH2KgZ4qkAqtbg
-1H3nacKNHk6XP0Ca+wB4WIBmwDfquUEDTNbBPDaQy2yl33hzj9w2jovbSPF3YPnl
-TzY07K77OMK9r7YtxIa+diXs3GTh6vEe9E8mgRrQ96TXDCXCVvlQcTfEDmJ3z1ZC
-gk5blg7os5gAVKkdtEPChJP1VPJk2qhY8eZOCfdgIucv06YQKkj2aAcac+Umthne
-yS/qWZm8/LI6UII9Nf541o2KrlDd4ypoYOt0oibaoA==
-=NiPQ
------END PGP SIGNATURE-----
diff --git a/strongswan-5.8.2.tar.bz2 b/strongswan-5.8.2.tar.bz2
new file mode 100644
index 0000000..42edc4e
--- /dev/null
+++ b/strongswan-5.8.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
+size 4533402
diff --git a/strongswan-5.8.2.tar.bz2.sig b/strongswan-5.8.2.tar.bz2.sig
new file mode 100644
index 0000000..f025402
--- /dev/null
+++ b/strongswan-5.8.2.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
+S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
+wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
+iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
+CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
+zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
+DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
+bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
+tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
+=VHUc
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index ac29935..ade9623 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie + +- Update to version 5.8.2: + * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. + * boo#1109845 and boo#1107874. +- Please check included NEWS file for info on what other changes + that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1 + and 5.7.0. +- Rebase strongswan_ipsec_service.patch. +- Disable patches that need rebase or dropping: + * strongswan_modprobe_syslog.patch + * 0006-fix-compilation-error-by-adding-stdint.h.patch +- Add conditional pkgconfig(libsystemd) BuildRequires: New + dependency. + ------------------------------------------------------------------- Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com diff --git a/strongswan.spec b/strongswan.spec index c378e3b..47844dd 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: strongswan -Version: 5.6.3 +Version: 5.8.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -64,7 +64,7 @@ Release: 0 Summary: IPsec-based VPN solution License: GPL-2.0-or-later Group: Productivity/Networking/Security -Url: http://www.strongswan.org/ +URL: http://www.strongswan.org/ Requires: strongswan-ipsec = %{version} Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig 
@@ -76,6 +76,7 @@ Source5: %{name}.keyring Source6: fipscheck.sh.in Source7: fips-enforce.conf %endif +# Needs rebase Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch %if %{with fipscheck} @@ -84,6 +85,7 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch +# Needs rebase Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison @@ -112,6 +114,7 @@ BuildRequires: pkgconfig(libnm) %endif %if %{with systemd} %{?systemd_requires} +BuildRequires: pkgconfig(libsystemd) %endif BuildRequires: iptables %if %{with systemd} @@ -254,7 +257,8 @@ and the load testing plugin for IKEv2 daemon. %prep %setup -q -n %{name}-%{upstream_version} -%patch1 -p1 +# Needs rebase, file it patches no longer exists. +#patch1 -p1 %patch2 -p1 %if %{with fipscheck} %patch3 -p1 @@ -262,7 +266,8 @@ and the load testing plugin for IKEv2 daemon. #patch4 -p1 %endif %patch5 -p1 -%patch6 -p1 +# Needs rebase. +#patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < %{_sourcedir}/strongswan.init.in \ > strongswan.init @@ -288,6 +293,7 @@ autoreconf --force --install --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \ --with-piddir=%{_rundir}/%{name} \ %if %{with systemd} + --enable-systemd \ --with-systemdsystemunitdir=%{_unitdir} \ %endif --enable-pkcs11 \ @@ -551,9 +557,11 @@ fi %dir %{_sysconfdir}/ipsec.d/ocspcerts %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} +%{_unitdir}/strongswan-starter.service %{_unitdir}/strongswan.service -%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf +%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf %{_sbindir}/rcstrongswan +%{_sbindir}/charon-systemd %else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec 
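Review bot: `Patch1` and `Patch6` stay declared while their `%patch` lines are commented out in %prep (the hunks at -254 and -262), so the package now builds without two downstream changes and the only record in the spec is the word "rebase". The %prep comment for patch1 says the file it patches no longer exists, so a plain rebase is not possible; the `# Needs rebase` line above `Patch1:` should say that instead, for example `# Disabled for 5.8.2: patched file removed upstream, port or drop`. For `Patch6` the comment could state whether the stdint.h fix is already part of the upstream 5.8.2 sources, which cannot be seen from these hunks.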
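Review bot: The %files list at -551 now ships `strongswan-starter.service` next to `strongswan.service`, but the systemd scriptlets lie outside this hunk, so it is not visible whether they were extended to the new unit. According to the changelog entry added in the second commit, the name `strongswan` now refers to what used to be `strongswan-swanctl`, so a host that has the old `strongswan.service` enabled would start a different daemon after the update and its existing tunnels may not come up. Please confirm that the `%service_add_pre`/`%service_add_post`/`%service_del_preun`/`%service_del_postun` calls list both units, and consider repeating the rename in README.SUSE, where an administrator is more likely to read it than in the changelog.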
@@ -574,6 +582,7 @@ fi %if %{with test} %{_libexecdir}/ipsec/conftest %endif +%{_libexecdir}/ipsec/xfrmi %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/scepclient @@ -583,6 +592,7 @@ fi %{_libexecdir}/ipsec/_imv_policy %{_libexecdir}/ipsec/imv_policy_manager %dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-drbg.so %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so @@ -609,6 +619,9 @@ fi %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf +%if %{with systemd} +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf @@ -621,6 +634,7 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf @@ -856,6 +870,7 @@ fi %{strongswan_templates}/config/plugins/des.conf %{strongswan_templates}/config/plugins/dhcp.conf %{strongswan_templates}/config/plugins/dnskey.conf +%{strongswan_templates}/config/plugins/drbg.conf %{strongswan_templates}/config/plugins/duplicheck.conf %{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf %{strongswan_templates}/config/plugins/eap-aka.conf 
@@ -931,6 +946,9 @@ fi %{strongswan_templates}/config/plugins/xcbc.conf %{strongswan_templates}/config/plugins/curve25519.conf %{strongswan_templates}/config/plugins/vici.conf +%if %{with systemd} +%{strongswan_templates}/config/strongswan.d/charon-systemd.conf +%endif %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch index 2e7f569..cd9b08a 100644 --- a/strongswan_ipsec_service.patch +++ b/strongswan_ipsec_service.patch @@ -1,7 +1,7 @@ Index: strongswan-5.6.2/init/systemd/strongswan.service.in =================================================================== ---- strongswan-5.6.2.orig/init/systemd/strongswan.service.in 2017-02-07 08:04:04.000000000 +0100 -+++ strongswan-5.6.2/init/systemd/strongswan.service.in 2018-04-17 16:53:57.546334751 +0200 +--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100 ++++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200 @@ -9,3 +9,4 @@ Restart=on-abnormal [Install] From f51dbccc774f45a6ce171ed10bc367e3927e59d1c72f7993a51fa8c2f3c3b9f2 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 26 Jan 2020 09:22:43 +0000 Subject: [PATCH 2/2] Add note about service name change OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=115 --- strongswan.changes | 10 ++++++++++ strongswan.spec | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/strongswan.changes b/strongswan.changes index ade9623..476e2b0 100644 --- a/strongswan.changes +++ b/strongswan.changes 
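Review bot: In strongswan_ipsec_service.patch the `Index:` line still names `strongswan-5.6.2/init/systemd/strongswan.service.in` while the rewritten `---`/`+++` headers point at `init/systemd-starter/strongswan-starter.service.in`, and the `strongswan-5.6.2` prefix and the 2017/2018 timestamps were kept. It looks as if the headers were edited by hand rather than regenerated; the patch presumably still applies with `-p1`, but the mismatch is misleading for whoever rebases it next. Regenerating against the 5.8.2 tree would give `Index: strongswan-5.8.2/init/systemd-starter/strongswan-starter.service.in`. Only the starter unit is patched now; whether the unit installed as `strongswan.service` needs the same `[Install]` addition cannot be seen from this hunk.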
@@ -1,7 +1,17 @@ +------------------------------------------------------------------- +Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt + +- Replace %__-type macro indirections. Update homepage URL to https. + ------------------------------------------------------------------- Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie - Update to version 5.8.2: + * The systemd service units have changed their name. + "strongswan" is now "strongswan-starter", and + "strongswan-swanctl" is now "strongswan". + After installation, you need to `systemctl disable` the old + name and `systemctl enable`+start the new one. * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. * boo#1109845 and boo#1107874. - Please check included NEWS file for info on what other changes diff --git a/strongswan.spec b/strongswan.spec index 47844dd..d4a0ca6 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -64,8 +64,7 @@ Release: 0 Summary: IPsec-based VPN solution License: GPL-2.0-or-later Group: Productivity/Networking/Security -URL: http://www.strongswan.org/ -Requires: strongswan-ipsec = %{version} +URL: https://www.strongswan.org/ Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in @@ -129,6 +128,7 @@ BuildRequires: automake BuildRequires: fipscheck %endif BuildRequires: libtool +Requires: strongswan-ipsec = %{version} %description StrongSwan is an IPsec-based VPN solution for Linux. @@ -162,9 +162,9 @@ StrongSwan is an IPsec-based VPN solution for Linux. This package triggers the installation of both, IKEv1 and IKEv2 daemons. %package doc -BuildArch: noarch Summary: Documentation for strongSwan Group: Documentation/Man +BuildArch: noarch %description doc StrongSwan is an IPsec-based VPN solution for Linux. 
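Review bot: `Source0` and `Source1` still fetch over `http://download.strongswan.org/` although the -64 hunk of this commit moves the homepage to https; the same two lines pass unchanged through the -64 hunk of the first commit. With plain http the tarball's integrity rests entirely on the detached signature in `Source1` being verified against `Source5` (`%{name}.keyring`), and that verification step is not visible in this patch. If the download host serves https, use `Source0: https://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2` and the matching `.sig` URL for `Source1`.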
@@ -448,7 +448,7 @@ install -c -m644 TODO NEWS README COPYING LICENSE \ install -c -m644 %{_sourcedir}/README.SUSE \ %{buildroot}/%{strongswan_docdir}/ %if %{with systemd} -%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir} +install -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf %endif %if %{with fipscheck} @@ -483,7 +483,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \ %post libs0 /sbin/ldconfig %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf} -%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}} +%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}} %postun libs0 -p /sbin/ldconfig
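Review bot: The fallback in `%post libs0` (hunk at -483) creates `%{_rundir}/%{name}` with a bare `mkdir -p`, so on systems without `%tmpfiles_create` the directory gets whatever mode the scriptlet's umask yields, while the tmpfiles entry written in the -448 hunk asks for `0770 root root`. This directory is the daemon's `--with-piddir`, so both paths should end up with the same permissions. Passing the mode explicitly keeps them aligned: `%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p -m 0770 %{_rundir}/%{name}}`.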