Accepting request 521273 from home:ndas:branches:network:vpn

- Updated to strongSwan 5.6.0 providing the following changes: *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures, which requires decryption with the operation m^e mod n, where m is the signature, and e and n are the exponent and modulus of the public key. The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled properly causing a null-pointer dereference. This vulnerability has been registered as CVE-2017-11185. (bsc#1051222) *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon. *The IMV database template has been adapted to achieve full compliance with the ISO 19770-2:2015 SWID tag standard. *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter. *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default swanctl.conf file. *The curl plugin now follows HTTP redirects (configurable via strongswan.conf). *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3 *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd). * more on https://wiki.strongswan.org/versions/66 OBS-URL: https://build.opensuse.org/request/show/521273 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
2017-09-05 15:38:01 +00:00 · 2017-09-05 15:38:01 +00:00 · 062c69a06d
commit 062c69a06d
parent e17322a559
7 changed files with 53 additions and 20 deletions
--- a/strongswan-5.5.3.tar.bz2
+++ b/strongswan-5.5.3.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4
-size 4768820
--- a/strongswan-5.5.3.tar.bz2.sig
+++ b/strongswan-5.5.3.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJZK+1/AAoJEN9CwXCzTbp3vvAMAJ6SQBu+q41eol6inaXmD1k2
-pwLgBYgMa/TG3dhvX2PxkpypratmYLY96GOy8WFP58/7z2gJL63SjCjN8MaNSZ7V
-UemJD5sEqu3lKGhR+q3Vsz/7xTBWYJSNoE1m/AdwftR6oF0CcIQLgrkjQa1OiU71
-SNqb2KFOafsSFicmhW44tdG9YFx56pzuoOgZhfDNEC9kMBKf7/rMpUeqAxsZah1I
-fETj26gYKPMZAzFdZJvcVLMT70WaHkDU3Oo3/UfIKrucLm+uvYjcrzQnP00laLvx
-LdgjuHXjXixrV92XzWCsa9Bbc39kmz2cBYlm6JPLfyON1x/DtUBdIoRcuO9y8nek
-HAiO8rLG0vyQsbhiaW5TJ6wfR/uyNGhKCIyabU90Nmo0dzVMlb5ro/1q0XcQM5Dl
-D4+FGErM3UdeDu0gj2klr1TyXwdOF6ZdlOtRBwRVH69mFz7o22Q6eGiw9o3Yf+9b
-cJCpzSQXEgZybV8XSYOzGnY9cVeD4Il4FxgYuxViXg==
-=9WTk
-----END PGP SIGNATURE-----
--- a/strongswan-5.6.0-rpmlintrc
+++ b/strongswan-5.6.0-rpmlintrc
--- a/strongswan-5.6.0.tar.bz2
+++ b/strongswan-5.6.0.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
+size 4850722
--- a/strongswan-5.6.0.tar.bz2.sig
+++ b/strongswan-5.6.0.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
+kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
+CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
+kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
+d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
+an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
+dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
+UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
+eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
+=ZRFr
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Tue Sep  5 17:10:11 CEST 2017 - ndas@suse.de
+
+- Updated to strongSwan 5.6.0 providing the following changes:
+    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
+    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
+    where m is the signature, and e and n are the exponent and modulus of the public key.
+    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
+    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
+    This result wasn't handled properly causing a null-pointer dereference.
+    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
+
+    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
+    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
+
+    *The IMV database template has been adapted to achieve full compliance with the
+    ISO 19770-2:2015 SWID tag standard.
+
+    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
+
+    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
+    swanctl.conf file.
+    
+    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
+
+    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
+
+    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
+
+    * more on https://wiki.strongswan.org/versions/66
+
 -------------------------------------------------------------------
 Tue Sep  5 11:33:01 CEST 2017 - ndas@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -17,7 +17,7 @@


 Name:           strongswan
-Version:        5.5.3
+Version:        5.6.0
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@ -497,9 +497,9 @@ install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
-		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pt-tls-client \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
+		 $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
 		 $RPM_BUILD_ROOT%{_sbindir}/ipsec \
 		;
 	do
@ -570,6 +570,7 @@ fi
 %{_libexecdir}/ipsec/_fipscheck
 %{_libexecdir}/ipsec/.*.hmac
 %{_sbindir}/.ipsec.hmac
+%{_bindir}/.pt-tls-client.hmac
 %endif

 %files ipsec
@ -596,9 +597,11 @@ fi
 %{_sbindir}/rcipsec
 %endif
 %{_bindir}/pki
+%{_bindir}/pt-tls-client
 %{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
+%{_mandir}/man1/pt-tls-client.1*
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
@ -611,7 +614,6 @@ fi
 %endif
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke