rjain/strongswan
SHA256
1
0
Fork 0
forked from jengelh/strongswan
Code Pull Requests Activity

Accepting request 933151 from home:iznogood:branches:network:vpn

Browse Source 
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that
    was caused by an integer overflow when processing RSASSA-PSS
    signatures with very large salt lengths. This vulnerability has
    been registered as CVE-2021-41990. Please refer to our blog for
    details.
  * Fixed a denial-of-service vulnerability in the in-memory
    certificate cache if certificates are replaced and a very large
    random value caused an integer overflow. This vulnerability has
    been registered as CVE-2021-41991. Please refer to our blog for
    details.
  * Fixed a related flaw that caused the daemon to accept and cache
    an infinite number of versions of a valid certificate by
    modifying the parameters in the signatureAlgorithm field of the
    outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it
    can't reauthenticate the IKE_SA itself due to asymmetric
    authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed
    (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been
    fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages,
    swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the
    openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the
    plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use
    it.
  * Migrated testing scripts to Python 3.

OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
This commit is contained in:
Jan Engelhardt
2021-11-22 20:53:44 +00:00
committed by Git OBS Bridge
parent 22be53cdf9
commit 9d37f89cf7
6 changed files with 55 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
strongswan.changes
View File

@@ -1,3 +1,39 @@
-------------------------------------------------------------------
Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 5.9.4:
* Fixed a denial-of-service vulnerability in the gmp plugin that
was caused by an integer overflow when processing RSASSA-PSS
signatures with very large salt lengths. This vulnerability has
been registered as CVE-2021-41990. Please refer to our blog for
details.
* Fixed a denial-of-service vulnerability in the in-memory
certificate cache if certificates are replaced and a very large
random value caused an integer overflow. This vulnerability has
been registered as CVE-2021-41991. Please refer to our blog for
details.
* Fixed a related flaw that caused the daemon to accept and cache
an infinite number of versions of a valid certificate by
modifying the parameters in the signatureAlgorithm field of the
outer X.509 Certificate structure.
* AUTH_LIFETIME notifies are now only sent by a responder if it
can't reauthenticate the IKE_SA itself due to asymmetric
authentication (i.e. EAP) or the use of virtual IPs.
* Several corner cases with reauthentication have been fixed
(48fbe1d, 36161fe, 0d373e2).
* Serial number generation in several pki sub-commands has been
fixed so they don't start with an unintended zero byte.
* Loading SSH public keys via vici has been improved.
* Shared secrets, PEM files, vici messages, PF_KEY messages,
swanctl configs and other data is properly wiped from memory.
* Use a longer dummy key to initialize HMAC instances in the
openssl plugin in case it's used in FIPS-mode.
* The --enable-tpm option now implies --enable-tss-tss2 as the
plugin doesn't do anything without a TSS 2.0.
* libtpmtss is initialized in all programs and libraries that use
it.
* Migrated testing scripts to Python 3.
-------------------------------------------------------------------
Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>