forked from pool/strongswan
Marius Tomaschewski
2fa10a3109
- Fixed a security vulnerability in the openssl plugin which was reported by Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA signature verification was used, due to a misinterpretation of the error code returned by the OpenSSL ECDSA_verify() function, an empty or zeroed signature was accepted as a legitimate one. Refer to our blog for details.
- The handling of a couple of other non-security relevant OpenSSL return codes was fixed as well.
- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its TCG TNC IF-MAP 2.1 interface.
- The charon.initiator_only strongswan.conf option causes charon to ignore IKE initiation requests.
- The openssl plugin can now use the openssl-fips library.

The version 5.0.3 provides new ipseckey plugin, enabling authentication based on trustworthy public keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC and new openssl plugin using the AES-NI accelerated version of AES-GCM if the hardware supports it.

See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 for a list of all changes since the 5.0.1 release.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=58
10 lines
428 B
Plaintext
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restarting tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
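
The return-code confusion behind CVE-2013-2944 described in the commit message above, shown as an added example that is not strongSwan's or OpenSSL's code. `stub_ecdsa_verify`, `verify_buggy`, `verify_fixed` and the sample bytes are hypothetical stand-ins that keep only the documented ECDSA_verify() return contract (1 valid, 0 invalid, -1 error) and perform no real cryptography.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the only signature the stand-in treats as valid. */
static const unsigned char GOOD_SIG[] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};

/* Hypothetical stand-in for ECDSA_verify(): 1 = valid, 0 = invalid, -1 = error.
 * An input that is not a DER SEQUENCE of matching length is a parse error. */
static int stub_ecdsa_verify(const unsigned char *sig, size_t len)
{
    if (len < 2 || sig[0] != 0x30 || (size_t)sig[1] + 2 != len)
        return -1;                      /* empty or zeroed input ends up here */
    if (len == sizeof(GOOD_SIG) && memcmp(sig, GOOD_SIG, len) == 0)
        return 1;
    return 0;                           /* well-formed but wrong signature */
}

/* Vulnerable pattern: the tri-state result is used as a boolean,
 * so the error value -1 is accepted as "signature valid". */
bool verify_buggy(const unsigned char *sig, size_t len)
{
    return stub_ecdsa_verify(sig, len) != 0;
}

/* Hardened pattern: only the exact value 1 means "signature valid". */
bool verify_fixed(const unsigned char *sig, size_t len)
{
    return stub_ecdsa_verify(sig, len) == 1;
}

int main(void)
{
    /* Constructed inputs: zeroed buffer, and a well-formed but wrong signature. */
    const unsigned char zeroed[8] = {0};
    const unsigned char wrong[] = {0x30, 0x06, 0x02, 0x01, 0x02, 0x02, 0x01, 0x02};

    printf("empty : buggy=%d fixed=%d\n", verify_buggy(zeroed, 0), verify_fixed(zeroed, 0));
    printf("zeroed: buggy=%d fixed=%d\n", verify_buggy(zeroed, 8), verify_fixed(zeroed, 8));
    printf("wrong : buggy=%d fixed=%d\n", verify_buggy(wrong, 8), verify_fixed(wrong, 8));
    printf("good  : buggy=%d fixed=%d\n", verify_buggy(GOOD_SIG, 8), verify_fixed(GOOD_SIG, 8));
    return 0;
}
```

When reviewing other callers of tri-state verification functions, look for the result being assigned to a boolean or tested with a bare `if (ret)`.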