osc copypac from project:openSUSE:Factory package:strongswan revision:70

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=118
2020-01-30 15:50:32 +00:00
parent b84f3a369a
commit 152d7b558c
14 changed files with 336 additions and 609 deletions
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,34 +1,203 @@
 -------------------------------------------------------------------
-Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
+Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845)
-  [+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch]
+- Replace %__-type macro indirections. Update homepage URL to https.

 -------------------------------------------------------------------
-Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
+Mon Jan  6 22:06:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>

- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536)
-  - denial-of-service vulnerability
-  [+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch]
+- Update to version 5.8.2:
+  * The systemd service units have changed their name.
+    "strongswan" is now "strongswan-starter", and
+    "strongswan-swanctl" is now "strongswan".
+    After installation, you need to `systemctl disable` the old
+    name and `systemctl enable`+start the new one.
+  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
+  * boo#1109845 and boo#1107874.
+- Please check included NEWS file for info on what other changes
+  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
+  and 5.7.0.
+- Rebase strongswan_ipsec_service.patch.
+- Disable patches that need rebase or dropping:
+  * strongswan_modprobe_syslog.patch
+  * 0006-fix-compilation-error-by-adding-stdint.h.patch
+- Add conditional pkgconfig(libsystemd) BuildRequires: New
+  dependency.

 -------------------------------------------------------------------
-Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
+Wed Jun  6 22:14:57 UTC 2018 - bjorn.lie@gmail.com

- - Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462)
-   - Buffer Underflow in stroke_socket.c
-   [+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch]
+- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
+  CVE-2018-5388, boo#1094462):
+  * Fixed a DoS vulnerability in the IKEv2 key derivation if the
+    openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
+    as PRF. This vulnerability has been registered as
+    CVE-2018-10811, boo#1093536.
+  * Fixed a vulnerability in the stroke plugin, which did not check
+    the received length before reading a message from the socket.
+    Unless a group is configured, root privileges are required to
+    access that socket, so in the default configuration this
+    shouldn't be an issue. This vulnerability has been registered
+    as CVE-2018-5388, boo#1094462.
+  * CRLs that are not yet valid are now ignored to avoid problems
+    in scenarios where expired certificates are removed from new
+    CRLs and the clock on the host doing the revocation check is
+    trailing behind that of the host issuing CRLs. Not doing this
+    could result in accepting a revoked and expired certificate, if
+    it's still valid according to the trailing clock but not
+    contained anymore in not yet valid CRLs.
+  * The issuer of fetched CRLs is now compared to the issuer of the
+    checked certificate (#2608).
+  * CRL validation results other than revocation (e.g. a skipped
+    check because the CRL couldn't be fetched) are now stored also
+    for intermediate CA certificates and not only for end-entity
+    certificates, so a strict CRL policy can be enforced in such
+    cases.
+  * In compliance with RFC 4945, section 5.1.3.2, certificates used
+    for IKE must now either not contain a keyUsage extension (like
+    the ones generated by pki), or have at least one of the
+    digitalSignature or nonRepudiation bits set.
+  * New options for vici/swanctl allow forcing the local
+    termination of an IKE_SA. This might be useful in situations
+    where it's known the other end is not reachable anymore, or
+    that it already removed the IKE_SA, so retransmitting a DELETE
+    and waiting for a response would be pointless.
+  * Waiting only a certain amount of time for a response (i.e.
+    shorter than all retransmits would be) before destroying the
+    IKE_SA is also possible by additionally specifying a timeout in
+    the forced termination request.
+  * When removing routes, the kernel-netlink plugin now checks if
+    it tracks other routes for the same destination and replaces
+    the installed route instead of just removing it. Same during
+    installation, where existing routes previously weren't
+    replaced. This should allow using traps with virtual IPs on
+    Linux (#2162).
+  * The dhcp plugin now only sends the client identifier DHCP
+    option if the identity_lease setting is enabled (7b660944b6).
+    It can also send identities of up to 255 bytes length, instead
+    of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
+    address is configured, DHCP requests are now sent from port 67
+    instead of 68 to avoid ICMP port unreachables (becf027cd9).
+  * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
+    containing a DH group that wasn't proposed) during
+    CREATE_CHILD_SA exchanges has been improved (#2536).
+  * Roam events are now completely ignored for IKEv1 SAs (there is
+    no MOBIKE to handle such changes properly).
+  * ChaCha20/Poly1305 is now correctly proposed without key length
+    (#2614). For compatibility with older releases the
+    chacha20poly1305compat keyword may be included in proposals to
+    also propose the algorithm with a key length (c58434aeff).
+  * Configuration of hardware offload of IPsec SAs is now more
+    flexible and allows a new setting (auto), which automatically
+    uses it if the kernel and device both support it. If hw_offload
+    is set to yes and offloading is not supported, the CHILD_SA
+    installation now fails.
+  * The kernel-pfkey plugin optionally installs routes via internal
+    interface (one with an IP in the local traffic selector). On
+    FreeBSD, enabling this selects the correct source IP when
+    sending packets from the gateway itself (e811659323).
+  * SHA-2 based PRFs are supported in PKCS#8 files as generated by
+    OpenSSL 1.1 (#2574).
+  * The pki --verify tool may load CA certificates and CRLs from
+    directories.
+  * The IKE daemon now also switches to port 4500 if the remote
+    port is not 500 (e.g. because the remote maps the response to a
+    different port, as might happen on Azure), as long as the local
+    port is 500 (85bfab621d).
+  * Fixed an issue with DNS servers passed to NetworkManager in
+    charon-nm (ee8c25516a).
+  * Logged traffic selectors now always contain the protocol if
+    either protocol or port are set (a36d8097ed).
+  * Only the inbound SA/policy will be updated as reaction to IP
+    address changes for rekeyed CHILD_SAs that are kept around.
+  * The parser for strongswan.conf/swanctl.conf now accepts =
+    characters in values without having to put the value in quotes
+    (e.g. for Base64 encoded shared secrets).
+- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
+  changing the version string on every version update makes no
+  sense.

 -------------------------------------------------------------------
-Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
+Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com

- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874)
-  - Insufficient input validation in gmp plugin
-  [+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch]
+- Update to version 5.6.2:
+  * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
+    signatures that was caused by insufficient input validation.
+    One of the configurable parameters in algorithm identifier
+    structures for RSASSA-PSS signatures is the mask generation
+    function (MGF). Only MGF1 is currently specified for this
+    purpose. However, this in turn takes itself a parameter that
+    specifies the underlying hash function. strongSwan's parser did
+    not correctly handle the case of this parameter being absent,
+    causing an undefined data read. This vulnerability has been
+    registered as CVE-2018-6459.
+  * When rekeying IKEv2 IKE_SAs the previously negotiated DH group
+    will be reused, instead of using the first configured group,
+    which avoids an additional exchange if the peer previously
+    selected a different DH group via INVALID_KE_PAYLOAD notify.
+    The same is also done when rekeying CHILD_SAs except for the
+    first rekeying of the CHILD_SA that was created with the
+    IKE_SA, where no DH group was negotiated yet. Also, the
+    selected DH group is moved to the front in all sent proposals
+    that contain it and all proposals that don't are moved to the
+    back in order to convey the preference for this group to the
+    peer.
+  * Handling of MOBIKE task queuing has been improved. In
+    particular, the response to an address update (with NAT-D
+    payloads) is not ignored anymore if only an address list update
+    or DPD is queued as that could prevent updating the UDP
+    encapsulation in the kernel.
+  * On Linux, roam events may optionally be triggered by changes to
+    the routing rules, which can be useful if routing rules
+    (instead of e.g. route metrics) are used to switch from one to
+    another interface (i.e. from one to another routing table).
+    Since routing rules are currently not evaluated when doing
+    route lookups this is only useful if the kernel-based route
+    lookup is used (4664992f7d).
+  * The fallback drop policies installed to avoid traffic leaks
+    when replacing addresses in installed policies are now replaced
+    by temporary drop policies, which also prevent acquires because
+    we currently delete and reinstall IPsec SAs to update their
+    addresses (35ef1b032d).
+  * Access X.509 certificates held in non-volatile storage of a TPM
+    2.0 referenced via the NV index.
+  * Adding the --keyid parameter to pki --print allows to print
+    private keys or certificates stored in a smartcard or a TPM
+    2.0.
+  * Fixed proposal selection if a peer incorrectly sends DH groups
+    in the ESP proposal during IKE_AUTH and also if a DH group is
+    configured in the local ESP proposal and
+    charon.prefer_configured_proposals is disabled (d058fd3c32).
+  * The lookup for PSK secrets for IKEv1 has been improved for
+    certain scenarios (see #2497 for details).
+  * MSKs received via RADIUS are now padded to 64 bytes to avoid
+    compatibility issues with EAP-MSCHAPv2 and PRFs that have a
+    block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
+  * The tpm_extendpcr command line tool extends a digest into a TPM
+    PCR.
+  * Ported the NetworkManager backend from the deprecated
+    libnm-glib to libnm.
+  * The save-keys debugging/development plugin saves IKE and/or ESP
+    keys to files compatible with Wireshark.
+- Following upstreams port, replace NetworkManager-devel with
+  pkgconfig(libnm) BuildRequires.
+- Refresh patches with quilt.
+- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
+  the file it patches no longer exists in tarball.

 -------------------------------------------------------------------
-Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com
+Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com

- Removed unused requires and macro calls(bsc#1083261)
+- Removed unused requires and macro calls(bsc#1083261) 
+
+-------------------------------------------------------------------
+Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
+
+- Update summaries and descriptions. Trim filler words and
+  author list.
+- Drop %if..%endif guards that are idempotent and do not affect
+  the build result.
+- Replace old $RPM_ shell variables.

 -------------------------------------------------------------------
 Tue Sep  5 17:10:11 CEST 2017 - ndas@suse.de