Accepting request 767305 from network:vpn

- Update to version 5.8.2: * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. * boo#1109845 and boo#1107874. OBS-URL: https://build.opensuse.org/request/show/767305 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=70
2020-01-29 12:10:50 +00:00 · 2020-01-29 12:10:50 +00:00 · f840ebb27d
commit f840ebb27d
parent a348ee0611 f51dbccc77
7 changed files with 74 additions and 30 deletions
--- a/strongswan-5.6.3.tar.bz2
+++ b/strongswan-5.6.3.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24
-size 4961579
--- a/strongswan-5.6.3.tar.bz2.sig
+++ b/strongswan-5.6.3.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJbC/V/AAoJEN9CwXCzTbp3xwsL/RivLwRDRkIDC93Le2B/d7dT
-/BHN/4PDmy+dEzysNVPXDG8TLm1VWgaIXvh0pVzPq4ohJSOP0tPFoeyJpHtPT9Xt
-x/VLnVlw2lNm70MZxXh1w9U6oEt8Sce9jtRJuEu54RhHBPcypNhNY1OsE1v8yeKf
-1MYENntcs/ATn7OkgtCALIB9WAZEFnXMQmpG+9hUzsr6zBfTY33t2QbsVeoiZAnV
-yTIRZQgilEAx9ZahjF1Vri1plUti8ZL/W9y0OnWt+/oOnXAx91NH2KgZ4qkAqtbg
-1H3nacKNHk6XP0Ca+wB4WIBmwDfquUEDTNbBPDaQy2yl33hzj9w2jovbSPF3YPnl
-TzY07K77OMK9r7YtxIa+diXs3GTh6vEe9E8mgRrQ96TXDCXCVvlQcTfEDmJ3z1ZC
-gk5blg7os5gAVKkdtEPChJP1VPJk2qhY8eZOCfdgIucv06YQKkj2aAcac+Umthne
-yS/qWZm8/LI6UII9Nf541o2KrlDd4ypoYOt0oibaoA==
-=NiPQ
-----END PGP SIGNATURE-----
--- a/strongswan-5.8.2.tar.bz2
+++ b/strongswan-5.8.2.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
+size 4533402
--- a/strongswan-5.8.2.tar.bz2.sig
+++ b/strongswan-5.8.2.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
+S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
+wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
+iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
+CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
+zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
+DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
+bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
+tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
+=VHUc
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
+
+- Replace %__-type macro indirections. Update homepage URL to https.
+
+-------------------------------------------------------------------
+Mon Jan  6 22:06:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 5.8.2:
+  * The systemd service units have changed their name.
+    "strongswan" is now "strongswan-starter", and
+    "strongswan-swanctl" is now "strongswan".
+    After installation, you need to `systemctl disable` the old
+    name and `systemctl enable`+start the new one.
+  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
+  * boo#1109845 and boo#1107874.
+- Please check included NEWS file for info on what other changes
+  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
+  and 5.7.0.
+- Rebase strongswan_ipsec_service.patch.
+- Disable patches that need rebase or dropping:
+  * strongswan_modprobe_syslog.patch
+  * 0006-fix-compilation-error-by-adding-stdint.h.patch
+- Add conditional pkgconfig(libsystemd) BuildRequires: New
+  dependency.
+
 -------------------------------------------------------------------
 Wed Jun  6 22:14:57 UTC 2018 - bjorn.lie@gmail.com

--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


 Name:           strongswan
-Version:        5.6.3
+Version:        5.8.2
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@ -64,8 +64,7 @@ Release:        0
 Summary:        IPsec-based VPN solution
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://www.strongswan.org/
-Requires:       strongswan-ipsec = %{version}
+URL:            https://www.strongswan.org/
 Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:        %{name}.init.in
@ -76,6 +75,7 @@ Source5:        %{name}.keyring
 Source6:        fipscheck.sh.in
 Source7:        fips-enforce.conf
 %endif
+# Needs rebase
 Patch1:         %{name}_modprobe_syslog.patch
 Patch2:         %{name}_ipsec_service.patch
 %if %{with fipscheck}
@ -84,6 +84,7 @@ Patch3:         %{name}_fipscheck.patch
 Patch4:         %{name}_fipsfilter.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+# Needs rebase
 Patch6:         0006-fix-compilation-error-by-adding-stdint.h.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@ -112,6 +113,7 @@ BuildRequires:  pkgconfig(libnm)
 %endif
 %if %{with systemd}
 %{?systemd_requires}
+BuildRequires:  pkgconfig(libsystemd)
 %endif
 BuildRequires:  iptables
 %if %{with systemd}
@ -126,6 +128,7 @@ BuildRequires:  automake
 BuildRequires:  fipscheck
 %endif
 BuildRequires:  libtool
+Requires:       strongswan-ipsec = %{version}

 %description
 StrongSwan is an IPsec-based VPN solution for Linux.
@ -159,9 +162,9 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 This package triggers the installation of both, IKEv1 and IKEv2 daemons.

 %package doc
-BuildArch:      noarch
 Summary:        Documentation for strongSwan
 Group:          Documentation/Man
+BuildArch:      noarch

 %description doc
 StrongSwan is an IPsec-based VPN solution for Linux.
@ -254,7 +257,8 @@ and the load testing plugin for IKEv2 daemon.

 %prep
 %setup -q -n %{name}-%{upstream_version}
-%patch1 -p1
+# Needs rebase, file it patches no longer exists.
+#patch1 -p1
 %patch2 -p1
 %if %{with fipscheck}
 %patch3 -p1
@ -262,7 +266,8 @@ and the load testing plugin for IKEv2 daemon.
 #patch4 -p1
 %endif
 %patch5 -p1
-%patch6 -p1
+# Needs rebase.
+#patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < %{_sourcedir}/strongswan.init.in \
     > strongswan.init
@ -288,6 +293,7 @@ autoreconf --force --install
 	--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
 	--with-piddir=%{_rundir}/%{name} \
 %if %{with systemd}
+	--enable-systemd \
 	--with-systemdsystemunitdir=%{_unitdir} \
 %endif
 	--enable-pkcs11 \
@ -442,7 +448,7 @@ install -c -m644 TODO NEWS README COPYING LICENSE \
 install -c -m644 %{_sourcedir}/README.SUSE \
 		 %{buildroot}/%{strongswan_docdir}/
 %if %{with systemd}
-%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
 echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
 %endif
 %if %{with fipscheck}
@ -477,7 +483,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
 %post libs0
 /sbin/ldconfig
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
-%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}}
+%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}

 %postun libs0 -p /sbin/ldconfig

@ -551,9 +557,11 @@ fi
 %dir %{_sysconfdir}/ipsec.d/ocspcerts
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
 %if %{with systemd}
+%{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
-%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_sbindir}/rcstrongswan
+%{_sbindir}/charon-systemd
 %else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
@ -574,6 +582,7 @@ fi
 %if %{with test}
 %{_libexecdir}/ipsec/conftest
 %endif
+%{_libexecdir}/ipsec/xfrmi
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/scepclient
@ -583,6 +592,7 @@ fi
 %{_libexecdir}/ipsec/_imv_policy
 %{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-drbg.so
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so

@ -609,6 +619,9 @@ fi
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%if %{with systemd}
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
+%endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
@ -621,6 +634,7 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
@ -856,6 +870,7 @@ fi
 %{strongswan_templates}/config/plugins/des.conf
 %{strongswan_templates}/config/plugins/dhcp.conf
 %{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/drbg.conf
 %{strongswan_templates}/config/plugins/duplicheck.conf
 %{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
 %{strongswan_templates}/config/plugins/eap-aka.conf
@ -931,6 +946,9 @@ fi
 %{strongswan_templates}/config/plugins/xcbc.conf
 %{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
+%if %{with systemd}
+%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
+%endif
 %{strongswan_templates}/config/strongswan.d/charon-logging.conf
 %{strongswan_templates}/config/strongswan.d/charon.conf
 %{strongswan_templates}/config/strongswan.d/imcv.conf
--- a/strongswan_ipsec_service.patch
+++ b/strongswan_ipsec_service.patch
@ -1,7 +1,7 @@
 Index: strongswan-5.6.2/init/systemd/strongswan.service.in
 ===================================================================
--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in	2017-02-07 08:04:04.000000000 +0100
-+++ strongswan-5.6.2/init/systemd/strongswan.service.in	2018-04-17 16:53:57.546334751 +0200
+--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in	2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in	2018-04-17 16:53:57.546334751 +0200
@@ -9,3 +9,4 @@ Restart=on-abnormal
 
 [Install]