forked from pool/strongswan
Commit Graph

203 Commits

Author SHA256 Message Date
da8f2965e2 rename -hmac subpackage to -fips
2024-11-26 13:56:30 +02:00
Ana Guerrero
3e9069345b Accepting request 1181997 from network:vpn
- Update description of ipsec package: no longer mention
  /etc/init.d, which is not there for a long time anymore.
- Drop legacy rc* -> sbin/service symlink. This was compatibility
  boilerplate to transparently move between SysV and systemd
  [jsc#PED-264]. (forwarded request 1181914 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1181997
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=96
2024-06-21 14:02:56 +00:00
233d1d3c87 - Update description of ipsec package: no longer mention
/etc/init.d, which is not there for a long time anymore.
- Drop legacy rc* -> sbin/service symlink. This was compatibility
  boilerplate to transparently move between SysV and systemd
  [jsc#PED-264].

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=163
2024-06-20 17:00:41 +00:00
Ana Guerrero
6f280319a6 Accepting request 1160698 from network:vpn
- Update to release 5.9.14

OBS-URL: https://build.opensuse.org/request/show/1160698
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=95
2024-03-26 18:24:36 +00:00
f66e3493f1 - Update to release 5.9.14
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=161
2024-03-19 15:09:14 +00:00
Ana Guerrero
254c06c48b Accepting request 1151765 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1151765
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=94
2024-02-27 21:45:09 +00:00
Mohd Saquib
a9e9a1d03f Accepting request 1151555 from home:dimstar:rpm4.20:s
Prepare for RPM 4.20

OBS-URL: https://build.opensuse.org/request/show/1151555
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=159
2024-02-26 14:21:48 +00:00
Dominique Leuenberger
5f45b7ef11 Accepting request 1132112 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1132112
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=93
2023-12-09 21:49:13 +00:00
83fb9474bf - Update to release 5.9.13
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=157
2023-12-01 10:34:18 +00:00
Ana Guerrero
caa40408d4 Accepting request 1129146 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1129146
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=92
2023-11-27 21:42:05 +00:00
f19225222f - Update to release 5.9.12
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=155
2023-11-20 13:44:45 +00:00
Dominique Leuenberger
e08e5b1209 Accepting request 1094810 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1094810
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=91
2023-06-24 18:13:38 +00:00
Mohd Saquib
26fbd0f033 Accepting request 1094809 from home:msaquib:branches:network:vpn
- Removed .hmac files + hmac integrity check logic from strongswan-hmac
  package as it is not mandated anymore by FIPS (boo#1185116)
- Removed following files:
  [- strongswan_fipscheck.patch]
  [- fipscheck.sh.in]
  Note: strongswan-hmac package is not removed as it still provides a
  config file that doesn't allow non-fips approved algorithms

OBS-URL: https://build.opensuse.org/request/show/1094809
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=153
2023-06-23 09:01:07 +00:00
Dominique Leuenberger
9c6e69afad Accepting request 1092643 from network:vpn
- Remove pre-SLE15 build logic
- Update to release 5.9.11

OBS-URL: https://build.opensuse.org/request/show/1092643
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=90
2023-06-14 14:28:35 +00:00
8c5539213c compact/trim changelog - https://en.opensuse.org/openSUSE:Creating_a_changes_file_(RPM)
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=151
2023-06-12 15:57:20 +00:00
a937e6040b OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=150
2023-06-12 15:55:07 +00:00
Mohd Saquib
73a1c9e320 Accepting request 1092621 from home:msaquib:branches:network:vpn
- Update to release 5.9.11
  * A long-standing deadlock in the vici plugin has been fixed that
    could get triggered when multiple connections were
    initiated/terminated concurrently and control-log events were
    raised by the watcher_t component (#566). 
  * In compliance with RFC 5280, CRLs now have to be signed by a
    certificate that either encodes the cRLSign keyUsage bit
    (even if it is a CA certificate), or is a CA certificate without
    a keyUsage extension. strongSwan encodes a keyUsage extension
    with cRLSign bit set in all CA certificates since 13 years. And
    before that it didn't encode the extension, so these certificates
    would also be accepted as CRL issuer in case they are still valid
    (7dc82de).
  * Support for optional CA labels in EST server URIs
    (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
    was added to the pki --est and pki --estca commands (#1614).
  * The pkcs7 and openssl plugins now support CMS-style signatures in
    PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
    signatures (#1615).
  * Fixed a regression in the server implementation of EAP-TLS when
    using TLS 1.2 or earlier that was introduced with 5.9.10
    (#1613, 3d0d3f5).
  * The EAP-TLS client does now enforce that the TLS handshake is
    complete when using TLS 1.2 or earlier. It was possible to
    shortcut it by sending an early EAP-Success message. Note that
    this isn't a security issue as the server is authenticated at
    that point (db87087).
  * On Linux, the kernel-libipsec plugin can now optionally handle
    ESP packets without UDP encapsulation (uses RAW sockets, disabled
    by default, e3cb756). The plugin and libipsec also gained support

OBS-URL: https://build.opensuse.org/request/show/1092621
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149
2023-06-12 15:41:55 +00:00
Dominique Leuenberger
657b2da015 Accepting request 1077378 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1077378
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=89
2023-04-07 16:16:14 +00:00
Mohd Saquib
8148349f08 Accepting request 1077377 from home:msaquib:branches:network:vpn
- Allow to use stroke aka ipsec interface by default instead of
  vici aka swanctl interface which is current upstream's default.
  strongswan.service which enables swanctl interface is masked to
  stop interfering with the ipsec interface (bsc#1184144)
- Removes deprecated SysV support

OBS-URL: https://build.opensuse.org/request/show/1077377
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=147
2023-04-05 00:16:41 +00:00
Dominique Leuenberger
89db574bcf Accepting request 1068724 from network:vpn
- Update to release 5.9.10

OBS-URL: https://build.opensuse.org/request/show/1068724
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=88
2023-03-03 21:24:35 +00:00
9178e03a23 upgrade note
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=145
2023-03-02 14:21:28 +00:00
016cf7b1e8 - Update to release 5.9.10
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=144
2023-03-02 13:42:24 +00:00
Mohd Saquib
e8a63e6496 Accepting request 1068696 from home:msaquib:branches:network:vpn
- Added patch to fix a vulnerability in incorrectly accepted
  untrusted public key with incorrect refcount
  (CVE-2023-26463 boo#1208608)
  [+ CVE-2023-26463_tls_auth_bypass_exp_pointer.patch]

OBS-URL: https://build.opensuse.org/request/show/1068696
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=143
2023-03-02 13:26:11 +00:00
Mohd Saquib
fe861579d5 Accepting request 1068689 from home:msaquib:branches:network:vpn
- Fixed a vulnerability in incorrectly accepted untrusted public key
  with incorrect refcount (CVE-2023-26463 boo#1208608).

OBS-URL: https://build.opensuse.org/request/show/1068689
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=142
2023-03-02 12:45:07 +00:00
Dominique Leuenberger
0da0fea063 Accepting request 1046554 from network:vpn
- Update to release 5.9.9

OBS-URL: https://build.opensuse.org/request/show/1046554
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=87
2023-01-04 17:10:26 +00:00
3ce027ac91 - Update to release 5.9.9
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=140
2023-01-03 13:25:43 +00:00
Dominique Leuenberger
02464c0051 Accepting request 1009635 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1009635
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=86
2022-10-12 16:22:45 +00:00
b632de741c - Update to release 5.9.8
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=138
2022-10-03 23:19:08 +00:00
Dominique Leuenberger
4e2b66f537 Accepting request 991802 from network:vpn
- Update to release 5.9.7

OBS-URL: https://build.opensuse.org/request/show/991802
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=85
2022-08-02 20:08:35 +00:00
ae2f35131d heed changelog syntax requirements
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=137
2022-07-30 09:44:05 +00:00
abbd490880 Accepting request 991798 from home:p_conrad:branches
This resolves one issue in particular that caused failures in Tumbleweed, see https://forums.opensuse.org/showthread.php/569960-Latest-strongswan-ipsec-crashes-on-startup .

- Update to release 5.9.7
  * The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message.
  * Inbound IKEv2 messages, in particular requests, are now processed differently.
  * The retransmission logic in the dhcp plugin has been fixed (#1154).
  * The connmark plugin now considers configured masks in installed firewall rules (#1087).
  * Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
  * The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
  * The openssl plugin supports AES and Camellia in CTR mode (112bb46).
  * The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted
  * The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
  * The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

OBS-URL: https://build.opensuse.org/request/show/991798
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=136
2022-07-30 09:43:14 +00:00
Dominique Leuenberger
f3e86a936a Accepting request 975521 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/975521
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=84
2022-05-08 19:52:07 +00:00
0bed40c9cb - Update to release 5.9.6
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=135
2022-04-30 08:43:01 +00:00
Dominique Leuenberger
2455babbdb Accepting request 963708 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/963708
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=83
2022-03-23 19:15:41 +00:00
e1b454dc30 Accepting request 962674 from home:msmeissn:branches:network:vpn
resubmit without hacky namespace change


- prf-plus-modularization.patch: updated from upstream branch
  after certifier feedback, SKEYSEED generated via HKDF-Extract.

OBS-URL: https://build.opensuse.org/request/show/962674
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=134
2022-03-21 14:06:21 +00:00
Dominique Leuenberger
7ab7c7ff71 Accepting request 960587 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/960587
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=82
2022-03-11 20:41:06 +00:00
00a00a6acf Accepting request 960489 from home:msmeissn:branches:network:vpn
- Added prf-plus-modularization.patch that outsources the IKE 
  key derivation to openssl. (will be merged to 5.9.6)
- package the kdf config, template and plugin

OBS-URL: https://build.opensuse.org/request/show/960489
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=133
2022-03-09 18:30:05 +00:00
Dominique Leuenberger
de536ef929 Accepting request 950403 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/950403
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=81
2022-02-03 23:45:45 +00:00
08b9de7ac5 Accepting request 950382 from home:msmeissn:branches:network:vpn
add more references for later sle import

OBS-URL: https://build.opensuse.org/request/show/950382
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=132
2022-02-01 11:40:00 +00:00
Dominique Leuenberger
3e374b588f Accepting request 949260 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/949260
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=80
2022-01-26 20:26:51 +00:00
61572aaddb - Update to release 5.9.5
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=131
2022-01-26 12:33:44 +00:00
d2eb7d5564 Accepting request 949255 from home:msmeissn:branches:network:vpn
This adds bug references to changes file that are in SLES 15 SP2,
to allow potential reintegration to SLES.

old: network:vpn/strongswan
new: home:msmeissn:branches:network:vpn/strongswan rev None
Index: strongswan.changes
===================================================================
--- strongswan.changes (revision 129)
+++ strongswan.changes (revision 2)
@@ -12,12 +12,12 @@
     was caused by an integer overflow when processing RSASSA-PSS
     signatures with very large salt lengths. This vulnerability has
     been registered as CVE-2021-41990. Please refer to our blog for
-    details.
+    details. (bsc#1191367)
   * Fixed a denial-of-service vulnerability in the in-memory
     certificate cache if certificates are replaced and a very large
     random value caused an integer overflow. This vulnerability has
     been registered as CVE-2021-41991. Please refer to our blog for
-    details.
+    details. (bsc#1191435)
   * Fixed a related flaw that caused the daemon to accept and cache
     an infinite number of versions of a valid certificate by
     modifying the parameters in the signatureAlgorithm field of the
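Review bot: The two added references sit after the sentence's full stop ("details. (bsc#1191367)" and "details. (bsc#1191435)"), which detaches each bug number from the CVE it tracks and leaves the entry ending without punctuation. Consider placing the reference next to the identifier it belongs to, for example "registered as CVE-2021-41990 (bsc#1191367)", so that a search for either the CVE or the bsc number lands on the same sentence. The "related flaw" item that begins in the trailing context gets no reference in the visible lines; if it is tracked under one of these two bugs, say so there as well.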
@@ -46,7 +46,7 @@
 - Update to version 5.9.3:
   * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
     plugin.
-  * Added AES-CCM support to the openssl plugin (#353).
+  * Added AES-CCM support to the openssl plugin (#353 bsc#1185363).
   * The x509 and the openssl plugins now consider the
     authorityKeyIdentifier, if available, before verifying
     signatures, which avoids unnecessary signature verifications
@@ -70,6 +70,9 @@
 - Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
   as this is what really checks for. Needed as libsoup-3.0 is
   released.
+- 5.9.1
+  - README: added a missing " to pki example command (bsc#1167880)
+  - fixed a libgcrypt call in FIPS mode (bsc#1180801)
 
 -------------------------------------------------------------------
 Mon Sep  7 08:38:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
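Review bot: The added "- 5.9.1" block is appended below the libsoup BuildRequires item without a verb or a date of its own, and it nests its items with "  - " where the entries shown elsewhere in this diff use "- Update to version X:" followed by "  * " items. Reformat it to match, and expand "fixed a libgcrypt call in FIPS mode (bsc#1180801)" to say which call or what failed, since a FIPS-mode behaviour change is something a later SLE import will need to be able to audit from the changelog alone.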

OBS-URL: https://build.opensuse.org/request/show/949255
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=130
2022-01-26 12:24:59 +00:00
Dominique Leuenberger
ff45f5ef5d Accepting request 934253 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/934253
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=79
2021-12-01 19:46:40 +00:00
0e5610efdc Accepting request 933481 from home:jsegitz:branches:systemdhardening:network:vpn
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=129
2021-11-27 14:21:41 +00:00
Dominique Leuenberger
86d1597046 Accepting request 933164 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/933164
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=78
2021-11-26 23:50:27 +00:00
9d37f89cf7 Accepting request 933151 from home:iznogood:branches:network:vpn
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that
    was caused by an integer overflow when processing RSASSA-PSS
    signatures with very large salt lengths. This vulnerability has
    been registered as CVE-2021-41990. Please refer to our blog for
    details.
  * Fixed a denial-of-service vulnerability in the in-memory
    certificate cache if certificates are replaced and a very large
    random value caused an integer overflow. This vulnerability has
    been registered as CVE-2021-41991. Please refer to our blog for
    details.
  * Fixed a related flaw that caused the daemon to accept and cache
    an infinite number of versions of a valid certificate by
    modifying the parameters in the signatureAlgorithm field of the
    outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it
    can't reauthenticate the IKE_SA itself due to asymmetric
    authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed
    (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been
    fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages,
    swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the
    openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the
    plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use
    it.
  * Migrated testing scripts to Python 3.

OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
2021-11-22 20:53:44 +00:00
Dominique Leuenberger
722030227c Accepting request 921963 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/921963
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=77
2021-09-29 18:18:12 +00:00
22be53cdf9 Accepting request 921885 from home:iznogood:branches:network:vpn
- Update to version 5.9.3:
  * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
    plugin.
  * Added AES-CCM support to the openssl plugin (#353).
  * The x509 and the openssl plugins now consider the
    authorityKeyIdentifier, if available, before verifying
    signatures, which avoids unnecessary signature verifications
    after a CA key rollover if both CA certificates are loaded.
    The openssl plugin now does the same also for CRLs (the x509
    plugin already did).
  * The pkcs11 plugin better handles optional attributes like
    CKA_TRUSTED, which previously depended on a version check.
  * The NetworkManager backend (charon-nm) now supports using SANs
    as client identities, not only full DNs (#437).
  * charon-tkm now handles IKE encryption.
  * Send a MOBIKE update again if a change in the NAT mappings is
    detected but the endpoints stay the same (e143a7d).
  * A deadlock in the HA plugin introduced with 5.9.2 has been
    fixed (#456).
  * DSCP values are now also set for NAT keepalives.
  * The ike_derived_keys() hook now receives more keys but in a
    different order (4e29d6f).
  * Converted most of the test case scenarios to the vici
    interface.
- Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
  as this is what really checks for. Needed as libsoup-3.0 is
  released.

OBS-URL: https://build.opensuse.org/request/show/921885
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=127
2021-09-28 09:20:42 +00:00
Dominique Leuenberger
0a0c8efb6c Accepting request 834251 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/834251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=76
2020-09-23 16:36:53 +00:00
2a35cd6ca5 - Update to release 5.9.0
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=126
2020-09-07 08:40:36 +00:00