From 84759843dfb8ce6e2a079f272628ce7bf6955f65088d693672f5a820fe2f310f Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 15 Apr 2014 06:12:43 +0000
Subject: [PATCH] - Updated to strongSwan 5.1.3 providing the following
 changes:   - Fixed an authentication bypass vulnerability triggered by
 rekeying     an unestablished IKEv2 SA while it gets actively initiated. This
     allowed an attacker to trick a peer's IKE_SA state to established,    
 without the need to provide any valid authentication credentials.    
 (CVE-2014-2338, bnc#870572).   - The acert plugin evaluates X.509 Attribute
 Certificates. Group     membership information encoded as strings can be used
 to fulfill     authorization checks defined with the rightgroups option.    
 Attribute Certificates can be loaded locally or get exchanged in     IKEv2
 certificate payloads.   - The pki command gained support to generate X.509
 Attribute     Certificates using the --acert subcommand, while the --print   
  command supports the ac type. The openac utility has been removed     in
 favor of the new pki functionality.   - The libtls TLS 1.2 implementation as
 used by EAP-(T)TLS and other     protocols has been extended by AEAD mode
 support, currently limited     to AES-GCM.   - Fixed an issue where CRL/OCSP
 trustchain validation broke enforcing     CA constraints   - Limited OCSP
 signing to specific certificates to improve performance   - authKeyIdentifier
 is not added to self-signed certificates anymore   - Fixed the comparison of
 IKE configs if only the cipher suites were     different

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=65
---
 strongswan-5.1.2.tar.bz2                      |  3 --
 strongswan-5.1.2.tar.bz2.sig                  | 14 ----------
 ....2-rpmlintrc => strongswan-5.1.3-rpmlintrc |  0
 strongswan-5.1.3.tar.bz2                      |  3 ++
 strongswan-5.1.3.tar.bz2.sig                  | 14 ++++++++++
 strongswan.changes                            | 28 +++++++++++++++++++
 strongswan.spec                               |  6 ++--
 7 files changed, 47 insertions(+), 21 deletions(-)
 delete mode 100644 strongswan-5.1.2.tar.bz2
 delete mode 100644 strongswan-5.1.2.tar.bz2.sig
 rename strongswan-5.1.2-rpmlintrc => strongswan-5.1.3-rpmlintrc (100%)
 create mode 100644 strongswan-5.1.3.tar.bz2
 create mode 100644 strongswan-5.1.3.tar.bz2.sig

diff --git a/strongswan-5.1.2.tar.bz2 b/strongswan-5.1.2.tar.bz2
deleted file mode 100644
index d02220c..0000000
--- a/strongswan-5.1.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fb4c3066461dade176408840edbc9d830255f4816b0991baebbbedee501fddd6
-size 3767546
diff --git a/strongswan-5.1.2.tar.bz2.sig b/strongswan-5.1.2.tar.bz2.sig
deleted file mode 100644
index c125964..0000000
--- a/strongswan-5.1.2.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJTEEhjAAoJEN9CwXCzTbp3joQL/27auKbdX8nu/2qtGthWRP9M
-l41/eUZ9hC8K4BO4Td/NCHYBarmvvSe4JNcXJtPmW71DS/8MlOIHJlx4Fti3TZA0
-t/C2IZ61ipGhaWEjEPzFN3NjgCqV4cDdIZsn/a7Z5IkL/4BOuH3snkjVAwc5eZy1
-sZX883XvKHrtnfzkufjoIeGhezzriGxyxCS2QpYUjlM28Ub2nIsGm2lijxL1Ni30
-7e57CXILZZxnMIXH0/B2eUJBd3H0xhBZ5Ub4CLz8oRH8d901IG2g7bZ/FLzNqTnK
-pyrOqGc+F9YKphV099WmLx0iGyfv+3e4KVKEkFU+v8bGvT5i8ZBxomchult1vqVG
-6EfMC1N6/aj9MGKlIDVk0jpdZj9gcgSyKY6CQem7RYUn5a7pO7/KWzwpv5hajneU
-q+EXnvjNVmdQtE4aDEat5znRGxD8d71PH1yUjGpqT+yMt2Flr+FW6vlvyfZu0mod
-+innw2wiOc9jC77lkn4KPYVKXasRiyCJJsTkXDGjiw==
-=O9SH
------END PGP SIGNATURE-----
diff --git a/strongswan-5.1.2-rpmlintrc b/strongswan-5.1.3-rpmlintrc
similarity index 100%
rename from strongswan-5.1.2-rpmlintrc
rename to strongswan-5.1.3-rpmlintrc
diff --git a/strongswan-5.1.3.tar.bz2 b/strongswan-5.1.3.tar.bz2
new file mode 100644
index 0000000..b52ba2d
--- /dev/null
+++ b/strongswan-5.1.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8
+size 3807212
diff --git a/strongswan-5.1.3.tar.bz2.sig b/strongswan-5.1.3.tar.bz2.sig
new file mode 100644
index 0000000..7884d97
--- /dev/null
+++ b/strongswan-5.1.3.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJTS9jUAAoJEN9CwXCzTbp3E3cMAJuQv7IsG5XDNQB/Wcb66hLQ
+2DSZN2zXRI2Ku5ONXDqnzCzyGRO84SOsGVzX9AQTHactr29B0n9rZxSCKZrm+ZRX
+lMKu6UNsS+jSKhXkXfmDSilFnM7ap7tAlFUuH/7uz8LcG34643W5BOJH0oMq7Rx3
+WN/7/TbrYf1aE0s3C8tcJXc5OghkvAfsE0jBPWhwT7dwi5eczluPMyYYdGxg8zNP
+LdBdoHTfnFRnMcL18SGwUYl09hj2YkZMoo+2Qt4I6WNy3yIINRIQluPSl2f91HHG
+VXyzGLpC3W63WYxXhPmjdmkpaT9+kulF6WVhgt3i6VMOv6nSNitHs5/X0W6N5xuX
+BhPmJRFmT0Oej3MJVxSKqUy89Ny3DyRmai5bERAFe+FOt9HN1UWqpK+qYFI+YQw/
+dMS9kviW2UhSq4BM9F9F+QrL66Bz0gc5+jXolm971FII62cV4i6n9U6veGPY9qkg
++Jcn6XpKOe2JXLsIeIMQgc0GitIaEHq/zdST/pn2Gw==
+=NZ/K
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 9af74ca..bd931f5 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Apr 14 23:36:07 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+  - Fixed an authentication bypass vulnerability triggered by rekeying
+    an unestablished IKEv2 SA while it gets actively initiated. This
+    allowed an attacker to trick a peer's IKE_SA state to established,
+    without the need to provide any valid authentication credentials.
+    (CVE-2014-2338, bnc#870572).
+  - The acert plugin evaluates X.509 Attribute Certificates. Group
+    membership information encoded as strings can be used to fulfill
+    authorization checks defined with the rightgroups option.
+    Attribute Certificates can be loaded locally or get exchanged in
+    IKEv2 certificate payloads.
+  - The pki command gained support to generate X.509 Attribute
+    Certificates using the --acert subcommand, while the --print
+    command supports the ac type. The openac utility has been removed
+    in favor of the new pki functionality.
+  - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+    protocols has been extended by AEAD mode support, currently limited
+    to AES-GCM.
+  - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+    CA constraints
+  - Limited OCSP signing to specific certificates to improve performance
+  - authKeyIdentifier is not added to self-signed certificates anymore
+  - Fixed the comparison of IKE configs if only the cipher suites were
+    different
+
 -------------------------------------------------------------------
 Mon Apr 14 07:43:37 UTC 2014 - mt@suse.de
 
diff --git a/strongswan.spec b/strongswan.spec
index e526215..50c6f26 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -17,14 +17,14 @@
 
 
 Name:           strongswan
-Version:        5.1.2
+Version:        5.1.3
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
 %define         strongswan_libdir    %{_libdir}/ipsec
-%define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_configs   %{_sysconfdir}/strongswan.d
 %define         strongswan_datadir   %{_datadir}/strongswan
+%define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_templates %{strongswan_datadir}/templates
 %if 0
 %bcond_without  tests
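Review bot: The `%define strongswan_plugins` line is moved below `strongswan_datadir` in the same hunk that bumps `Version:` to 5.1.3 for CVE-2014-2338, and neither the commit message nor the new strongswan.changes entry mentions the move. It looks behaviour-neutral, since the macro body only references `%{strongswan_libdir}`, which is still defined above it. An unexplained edit inside a security update still makes the fix harder to audit and backport, so put it in a separate commit or leave the line where it was. Separately, the `Source` tags and `%prep` are outside this hunk, so it is not visible whether the newly added `strongswan-5.1.3.tar.bz2.sig` is verified against a packaged keyring at build time. That is worth confirming, because the sha256 in the LFS pointer only pins what was committed, not that it matches the upstream release.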
@@ -437,7 +437,6 @@ fi
 %{_libexecdir}/ipsec/_updown_espmark
 %{_libexecdir}/ipsec/conftest
 %{_libexecdir}/ipsec/duplicheck
-%{_libexecdir}/ipsec/openac
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
@@ -462,7 +461,6 @@ fi
 %{strongswan_docdir}/ChangeLog
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
-%{_mandir}/man8/openac.8*
 %{_mandir}/man8/scepclient.8*
 
 %files libs0