- Updated to strongSwan 5.6.0 providing the following changes:
*Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n,
where m is the signature, and e and n are the exponent and modulus of the public key.
The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
This result wasn't handled properly causing a null-pointer dereference.
This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
*New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
Draft and has been demonstrated at the IETF 99 Prague Hackathon.
*The IMV database template has been adapted to achieve full compliance with the
ISO 19770-2:2015 SWID tag standard.
*The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
*By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
swanctl.conf file.
*The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
*The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
*libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
* more on https://wiki.strongswan.org/versions/66
OBS-URL: https://build.opensuse.org/request/show/521273
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
