Accepting request 205541 from network:vpn
- Updated to strongSwan 5.1.1 minor release addressing two security fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
  - Fixed a denial-of-service vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient length check when comparing such identities. The vulnerability has been registered as CVE-2013-6075.
  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 fragmentation payload. The cause is a NULL pointer dereference. The vulnerability has been registered as CVE-2013-6076.
  - The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session with a strongSwan policy enforcement point which uses the tnc-pdp charon plugin.
  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either full SWID Tag or concise SWID Tag ID inventories.
  - The XAuth backend in eap-radius now supports multiple XAuth exchanges for different credential types and display messages. All user input gets concatenated and verified with a single User-Password RADIUS attribute on the AAA. With an AAA supporting it, one for example can implement Password+Token authentication with proper dialogs on iOS and OS X clients.
  - charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf modeconfig=push option enables it for both client and server, the same way as pluto used it.
  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections, charon can negotiate and install Security Associations integrity-protected by the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style ESP+AH bundles.
  [...]
- Adjusted file lists: this version installs the pki utility and manuals in common /usr directories and additional ipsec/pt-tls-client helper.

OBS-URL: https://build.opensuse.org/request/show/205541
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=53
commit d911ed5612
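Added example, not part of this commit or of the strongSwan/openSUSE packaging: before accepting a request that swaps the upstream tarball and its detached signature, a reviewer wants to know which key produced the new signature and whether it is the same key that signed the previous release. The Python below decodes the two armored signatures that appear in this diff (copied verbatim from the page) far enough to report signature type, algorithms, creation time and issuer key ID, and checks the armor CRC-24. It does not verify the signature itself; that still needs the tarball and the public key (gpg --verify strongswan-5.1.1.tar.bz2.sig strongswan-5.1.1.tar.bz2). Assumptions: old-format packet headers and v4 signatures, which is what the GnuPG 1.4.11 named in the armor header writes; the function and field names are mine.

```python
import base64, struct

# The two detached signatures in this commit's diff, copied verbatim from the page:
# the removed one (covering the 5.1.0 tarball) and the added strongswan-5.1.1.tar.bz2.sig.
SIG_REMOVED = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo
w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11
KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa
rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D
ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW
FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN
bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF
uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin
ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA==
=A/p6
-----END PGP SIGNATURE-----"""
SIG_ADDED = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN
9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H
IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt
38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH
7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf
mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY
7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI
XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV
gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg==
=040C
-----END PGP SIGNATURE-----"""
PK_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}                # RFC 4880 section 9.1
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880 section 9.4

def crc24(data):
    """RFC 4880 section 6.1 armor checksum."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Strip the ASCII armor; return (packet bytes, armor checksum matched?)."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored block")
    inner = lines[1:-1]
    if "" in inner:  # armor headers (Version:, Comment:) end at the first blank line
        inner = inner[inner.index("") + 1:]
    want = int.from_bytes(base64.b64decode(inner.pop()[1:]), "big") if inner[-1].startswith("=") else None
    data = base64.b64decode("".join(inner))
    return data, (want is None or crc24(data) == want)

def subpackets(area):
    """Yield (type, body) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # high bit of the type byte = "critical"
        i += length

def parse_signature(armored):
    """Decode a v4 signature packet with an old-format header (what GnuPG 1.4 writes)."""
    data, crc_ok = dearmor(armored)
    ctb = data[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 2 or ctb & 0x03 == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    off = (2, 3, 5)[ctb & 0x03]  # header is the tag byte plus a 1-, 2- or 4-byte length
    body = data[off:off + int.from_bytes(data[1:off], "big")]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, pos = body[6:6 + hashed_len], 6 + hashed_len
    unhashed = body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]
    info = {"sig_type": body[1], "pk_alg": PK_ALGS.get(body[2], body[2]),
            "hash_alg": HASH_ALGS.get(body[3], body[3]), "crc_ok": crc_ok,
            "created": None, "issuer_key_id": None}
    for is_hashed, area in ((True, hashed), (False, unhashed)):
        for sub_type, sub in subpackets(area):
            if sub_type == 2 and is_hashed:  # creation time: only meaningful when it is signed
                info["created"] = struct.unpack(">I", sub)[0]
            elif sub_type == 16:  # issuer key ID (unhashed in GnuPG 1.4 output, so not authenticated)
                info["issuer_key_id"] = sub.hex().upper()
    return info

def same_issuer(a, b):
    """Continuity check: do two detached signatures name the same signing key?"""
    return parse_signature(a)["issuer_key_id"] == parse_signature(b)["issuer_key_id"]
```

parse_signature(SIG_ADDED) reports an RSA/SHA-1 binary-document signature created at Unix time 0x52735B9F (1 Nov 2013) by key ID DF42C170B34DBA77, and parse_signature(SIG_REMOVED) gives the same issuer for the 5.1.0 signature, so same_issuer() is True. The issuer subpacket sits in the unhashed area, so it is a hint about which key to fetch, not proof; only a successful gpg --verify against a key you already trust establishes provenance.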
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a0ce4ce80c2e3db34748a46a139db7af6f6fed578d34f470cdff8b3941188aec
size 3602562
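Review bot: the file this pointer belonged to is not named anywhere on this page, so the removal cannot be tied to a file from the hunk alone; the oid (sha256:a0ce4ce8...) and size (3602562) differ from the pointer added below for strongswan-5.1.1.tar.bz2, and the spec's Version change 5.1.0 -> 5.1.1 is the only clue that this is the previous release's tarball. Before accepting, check the spec for anything that still names the removed archive (Source:, %setup -n, patches that were applied against 5.1.0), since the build will only fail on that at check-in time.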
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo
w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11
KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa
rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D
ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW
FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN
bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF
uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin
ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA==
=A/p6
-----END PGP SIGNATURE-----
strongswan-5.1.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
size 3673200
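Review bot: the pointer records only the LFS identity of what was uploaded (oid sha256:fbf2a668..., 3673200 bytes), not that those bytes are the upstream release; neither the commit message nor the .changes entry says the tarball was checked against the detached signature added alongside it. State the verification in the changes entry (the command used, e.g. gpg --verify strongswan-5.1.1.tar.bz2.sig strongswan-5.1.1.tar.bz2, and the signing key ID) so later reviewers do not have to redo it, and keep the .sig and the tarball in the same request, as done here, so the two cannot drift apart.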
strongswan-5.1.1.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN
9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H
IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt
38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH
7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf
mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY
7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI
XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV
gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg==
=040C
-----END PGP SIGNATURE-----
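Review bot: no keyring for the signing key is added next to this .sig, so nothing in the diff verifies the signature at check-in or build time; add the signer's public key as a keyring file beside the .sig so the check can be automated instead of done by hand. For the record, decoding the first armored line (iQGcBAABAgAGBQJSc1uf...AAoJEN9CwXCzTbp3) gives a v4 signature of type 0x00 (binary document), public-key algorithm 1 (RSA), hash algorithm 2 (SHA-1, the GnuPG 1.4 default named in the armor header), with an unhashed issuer subpacket naming key ID DF42C170B34DBA77; the removed signature above carries the same issuer, so the signer is unchanged between the 5.1.0 and 5.1.1 tarballs. SHA-1 in the signature is upstream's choice and nothing to fix in this request, but note it where the verification is recorded so later policy checks on SHA-1 signatures do not come as a surprise.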
@ -1,3 +1,66 @@
-------------------------------------------------------------------
Fri Nov 1 12:28:39 UTC 2013 - mt@suse.de

- Updated to strongSwan 5.1.1 minor release addressing two security
fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
- Fixed a denial-of-service vulnerability and potential authorization
bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
is an insufficient length check when comparing such identities. The
vulnerability has been registered as CVE-2013-6075.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
fragmentation payload. The cause is a NULL pointer dereference. The
vulnerability has been registered as CVE-2013-6076.
- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
session with a strongSwan policy enforcement point which uses the
tnc-pdp charon plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
for either full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth
exchanges for different credential types and display messages.
All user input gets concatenated and verified with a single
User-Password RADIUS attribute on the AAA. With an AAA supporting
it, one for example can implement Password+Token authentication with
proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode
Config exchange in push mode. The ipsec.conf modeconfig=push option
enables it for both client and server, the same way as pluto used it.
- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
connections, charon can negotiate and install Security Associations
integrity-protected by the Authentication Header protocol. Supported
are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
ESP+AH bundles.
- The generation of initialization vectors for IKE and ESP (when using
libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
allocated sequentially, while other algorithms like AES-CBC still
use random IVs.
- The left and right options in ipsec.conf can take multiple address
ranges and subnets. This allows connection matching against a larger
set of addresses, for example to use a different connection for clients
connecting from a internal network.
- For all those who have a queasy feeling about the NIST elliptic curve
set, the Brainpool curves introduced for use with IKE by RFC 6932 might
be a more trustworthy alternative.
- The kernel-libipsec userland IPsec backend now supports usage
statistics, volume based rekeying and accepts ESPv3 style TFC padded
packets.
- With two new strongswan.conf options fwmarks can be used to implement
host-to-host tunnels with kernel-libipsec.
- load-tester supports transport mode connections and more complex
traffic selectors, including such using unique ports for each tunnel.
- The new dnscert plugin provides support for authentication via CERT
RRs that are protected via DNSSEC. The plugin was created by Ruslan
N. Marchenko.
- The eap-radius plugin supports forwarding of several Cisco Unity
specific RADIUS attributes in corresponding configuration payloads.
- Database transactions are now abstracted and implemented by the two
backends. If you use MySQL make sure all tables use the InnoDB engine.
- libstrongswan now can provide an experimental custom implementation
of the printf family functions based on klibc if neither Vstr nor
glibc style printf hooks are available. This can avoid the Vstr
dependency on some systems at the cost of slower and less complete
printf functions.
- Adjusted file lists: this version installs the pki utility and manuals
in common /usr directories and additional ipsec/pt-tls-client helper.

-------------------------------------------------------------------
Mon Aug 5 13:48:11 UTC 2013 - mt@suse.de

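Review bot: the "charon supports IKEv1 Mode Config exchange in push mode" item is run onto the end of the previous one ("proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode") instead of starting on its own "- " line; split it so the entry stays readable as a list. Two wording slips carried over from upstream's NEWS: "a RFC 6876" should be "an RFC 6876" and "a internal network" should be "an internal network". On substance, both CVEs and their bnc references are present, which is what the security team needs; it would help triage to add that the fixes arrive with the version bump and not as backported patches, since this diff adds no patch files, and to note in the entry that the tarball signature was verified (see the .sig hunk above).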
@ -17,7 +17,7 @@


Name: strongswan
Version: 5.1.0
Version: 5.1.1
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -421,7 +421,9 @@ fi
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
%endif
%{_bindir}/pki
%{_sbindir}/ipsec
%{_mandir}/man1/pki*.1*
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
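Review bot: %{_mandir}/man1/pki*.1* is a glob where the rest of this %files block names its pages explicitly (ipsec.8*, ipsec.conf.5*, ipsec.secrets.5*); it only matches the buildroot, so it is harmless today, but it will silently pull any future man1 page whose name starts with "pki" into the main package. Either list the pages or leave a one-line comment that the glob is meant to cover the per-subcommand pki manpages. Also worth a sentence in the request: %{_bindir}/pki puts the tool on every user's PATH, whereas the %{_libexecdir}/ipsec/pki entry removed in the next hunk was reached through the ipsec wrapper; the .changes entry's "common /usr directories" covers this, but scripts that call the old absolute path will break on upgrade.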
@ -433,8 +435,8 @@ fi
%{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/pt-tls-client
%{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
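Review bot: %{_libexecdir}/ipsec/pt-tls-client is added to %files, but this diff shows no change to the configure invocation or BuildRequires; if pt-tls-client is only built when its configure option is switched on (as the other optional tools are), the build will fail here with a file listed but not installed unless that was adjusted outside this diff. Confirm the option is set, and that the tnc-pdp side the .changes entry says it talks to is enabled too, otherwise the package ships the client without its counterpart. Dropping %{_libexecdir}/ipsec/pki is consistent with the %{_bindir}/pki addition in the previous hunk.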
|
Loading…
Reference in New Issue
Block a user