Accepting request 185964 from network:vpn

- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018)

OBS-URL: https://build.opensuse.org/request/show/185964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=51

strongswan-5.0.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
-size 3412930

strongswan-5.0.4.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJRflW/AAoJEN9CwXCzTbp3q+oL/jtA73UxuENW3JuA2vgXsHeU
-jpWXDfM1GLEIKgy41D2+ajqx7l1amxM4ZOqtQZhFTMXs4EwWDIxpUl8RiARkwJy6
-ueciwMnsmAbC3tmPa85JwnbgrXrMZX5IfUYRx8+3DdeIuh8gxDOu2nvYGqSdIbh2
-8jN4x21wUQ+9mLz04VmuMKAmImoAitv8z89NVg6ZNiBEiYUfFdrkCepS7IGAY1ie
-pmmYM4svK7LLuXIlQKMyq7mXccjFD0sjM3SS6cIZlxIcOlXuKMa7xmVlkfktz816
-qz8XVOtD2zRiJuxjB92W9BW5Xr/+p5kXx995GjGitxv8g3CTTlPeg4GUciH6TGSW
-46lQ36XHKQX/NccgymWYMkXmZbMbacyglz3ShR0OO/aM1/cVlQ9qiHccZDh7gt9+
-fnfTAZn0RAfbe1zYKNn1h2BoY+LxscjnaX27oWxqI7KbrfrusZiyZic5twSeADcM
-khfIOGVyOCjwTThAuGpu6p09NqoYNm6Y/9Aj+R5NiA==
-=gI6I
------END PGP SIGNATURE-----

strongswan-5.1.0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0ce4ce80c2e3db34748a46a139db7af6f6fed578d34f470cdff8b3941188aec
+size 3602562

strongswan-5.1.0.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJR+ZgTAAoJEN9CwXCzTbp3eJcL+wR+uDYrforO377ji47oZSdo
+w4eYZa+tJAiBK0ZMaTaODJLWGyHYbGH7dlsTLxXbAshMU0R2hEWjIgHTmR8nak11
+KgnsuUa2LS9wYyhZabP0D2CMu4zcdCsC5ngJrgxsGMuH+xyG0MXU4S+DtIT7OgZa
+rK+gLNByDOGHoi37dtXZT+b87qDoNbxNECMs4j6E2aL+WsBMd4jVg1sJGYMqL20D
+ExMnxu67eDZ+K3fE7HOFInoc7kSKf8fYEEml/HbrSkOVSJHCmKCXEpcIo8SEq1gW
+FM5CGu6+Wc9QsUHpNqMdyKowWWUSaJBVN7YyvFS0bowaeUQEnKWvjiMlsV0wvNfN
+bQMoJXrSM2fd9SrsAyh08BM5po9lRKw50voUdw52cHrSAoOjxEQwxpjwFvfb3zxF
+uO1r4XTWJQQF6o+XXdpUXSlIgXQMMCO87AL3eGxqqAdyLKRQBOaG5D5Bl4mbcBin
+ltDriL52YHVu0oSXQLtECX0DlIU6zdlV+u+vo8zrdA==
+=A/p6
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Mon Aug  5 13:48:11 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018):
+  - Fixed a denial-of-service vulnerability triggered by specific XAuth
+    usernames and EAP identities (since 5.0.3), and PEM files (since
+    4.1.11). The crash was caused by insufficient error handling in the
+    is_asn1() function. The vulnerability has been registered as
+    CVE-2013-5018.
+  - The new charon-cmd command line IKE client can establish road
+    warrior connections using IKEv1 or IKEv2 with different
+    authentication profiles. It does not depend on any configuration
+    files and can be configured using a few simple command line options.
+  - The kernel-pfroute networking backend has been greatly improved.
+    It now can install virtual IPs on TUN devices on OS X and FreeBSD,
+    allowing these systems to act as a client in common road warrior
+    scenarios.
+  - The new kernel-libipsec plugin uses TUN devices and libipsec to
+    provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.
+  - The eap-radius plugin can now serve as an XAuth backend called
+    xauth-radius, directly verifying XAuth credentials using RADIUS
+    User-Name/User-Password attributes. This is more efficient than the
+    existing xauth-eap+eap-radius combination, and allows RADIUS servers
+    without EAP support to act as AAA backend for IKEv1.
+  - The new osx-attr plugin installs configuration attributes (currently
+    DNS servers) via SystemConfiguration on Mac OS X. The keychain
+    plugin provides certificates from the OS X keychain service.
+  - The sshkey plugin parses SSH public keys, which, together with the
+    --agent option for charon-cmd, allows the use of ssh-agent for
+    authentication. To configure SSH keys in ipsec.conf the
+    left|rightrsasigkey options are replaced with left|rightsigkey,
+    which now take public keys in one of three formats: SSH (RFC 4253,
+    ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the
+    default, no prefix).
+  - Extraction of certificates and private keys from PKCS#12 files is
+    now provided by the new pkcs12 plugin or the openssl plugin.
+    charon-cmd (--p12) as well as charon (via P12 token in
+    ipsec.secrets) can make use of this.
+  - IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+  - IKEv2 exchange initiators now properly close an established IKE or
+    CHILD_SA on error conditions using an additional exchange, keeping
+    state in sync between peers.
+  - Using a SQL database interface a Trusted Network Connect (TNC)
+    Policy Manager can  generate specific measurement workitems for an
+    arbitrary number of Integrity Measurement Verifiers (IMVs) based on
+    the history of the VPN user and/or device.
+  - Several core classes in libstrongswan are now tested with unit
+    tests. These can be enabled with --enable-unit-tests and run with
+    'make check'.
+    Coverage reports can be generated with --enable-coverage and 'make
+    coverage' (this disables any optimization, so it should not be
+    enabled when building production releases).
+  - The leak-detective developer tool has been greatly improved. It
+    works much faster/stabler with multiple threads, does not use
+    deprecated malloc hooks anymore and has been ported to OS X.
+  - chunk_hash() is now based on SipHash-2-4 with a random key. This
+    provides better distribution and prevents hash flooding attacks
+    when used with hashtables.
+  - All default plugins implement the get_features() method to define
+    features and their dependencies. The plugin loader has been
+    improved, so that plugins in a custom load statement can be ordered
+    freely or to express preferences without being affected by
+    dependencies between plugin features.
+  - A centralized thread can take care for watching multiple file
+    descriptors concurrently. This removes the need for a dedicated
+    listener threads in various plugins. The number of "reserved"
+    threads for such tasks has been reduced to about five, depending on
+    the plugin configuration.
+  - Plugins that can be controlled by a UNIX socket IPC mechanism gained
+    network transparency. Third party applications querying these
+    plugins now can use TCP connections from a different host.
+  - libipsec now supports AES-GCM.
+
 -------------------------------------------------------------------
 Tue Apr 30 12:48:44 UTC 2013 - mt@suse.de
 

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.0.4
+Version:        5.1.0
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
@@ -439,6 +439,8 @@ fi
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke
 %{_libexecdir}/ipsec/charon
+%{_libexecdir}/ipsec/_imv_policy
+%{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
@@ -535,11 +537,13 @@ fi
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs12.so
 %{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
+%{strongswan_plugins}/libstrongswan-rc2.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
@@ -548,6 +552,7 @@ fi
 %{strongswan_plugins}/libstrongswan-socket-default.so
 %{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-sshkey.so
 %{strongswan_plugins}/libstrongswan-tnc-imc.so
 %{strongswan_plugins}/libstrongswan-tnc-imv.so
 %{strongswan_plugins}/libstrongswan-tnc-pdp.so