- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944):

- Fixed a security vulnerability in the openssl plugin which was reported by Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA signature verification was used, due to a misinterpretation of the error code returned by the OpenSSL ECDSA_verify() function, an empty or zeroed signature was accepted as a legitimate one. Refer to our blog for details. - The handling of a couple of other non-security relevant OpenSSL return codes was fixed as well. - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its TCG TNC IF-MAP 2.1 interface. - The charon.initiator_only strongswan.conf option causes charon to ignore IKE initiation requests. - The openssl plugin can now use the openssl-fips library. The version 5.0.3 provides new ipseckey plugin, enabling authentication based on trustworthy public keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC and new openssl plugin using the AES-NI accelerated version of AES-GCM if the hardware supports it. See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 for a list of all changes since the 5.0.1 release. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=58
2013-04-30 13:10:58 +00:00 · 2013-04-30 13:10:58 +00:00 · 2fa10a3109
commit 2fa10a3109
parent f2cf7cb837
7 changed files with 51 additions and 22 deletions
--- a/strongswan-5.0.1.tar.bz2
+++ b/strongswan-5.0.1.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1a4dff19ef69d15e0b90b1ea80bd183235ac73b4ecd114aab58ed54de0f5c3b4
-size 3146776
--- a/strongswan-5.0.1.tar.bz2.sig
+++ b/strongswan-5.0.1.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJQa9S/AAoJEN9CwXCzTbp30d0L/3Uj1RYm8+25k+RLIWvU1q/L
-z5+mLjNAZpxoV7t1lUuMAA2STvZFisMtoNkw2EhsdanRsEV+WYpL101EPPMja077
-BT86DVKk/IDtoGLKpQK41mV5h0bWzrUBXodw2ggoG1bOLhdfuV6z7hAn3GI+AgxM
-Eus0TUWNT6VRZzYgTAcofmUyKM4Hruh5+82OSJtj8eeCqe333fdV/k6mumxYhoLB
-b1Yp8NVuMmjbfp0T/kyMAlRMnOb1DGjun9sBNaPK+t6+wcToLDeijl+D83l67ZIl
-Et0fehugK5dbkGtUbZHOJFWiSGyVP3eDVOjxMBp6ejBAwi0GwqNWXsE0GnHJr9TL
-Q3TrM8Kt0vJ6mhlWU9KFGoRwpiyR+3pBc8smZkJvIs3kKIL5ItTVPsJcWJKu2iEd
-L6+X15ZScalcrMJOGRYjgKh7cchIgVaudJOnPLtXjfyMuq+07Zz1ZhybUIu+i5Zo
-q8AVLAoM6MkUXWKkJR51CH08+w32DaDp5p7yRyxCRA==
-=100T
-----END PGP SIGNATURE-----
--- a/strongswan-5.0.4-rpmlintrc
+++ b/strongswan-5.0.4-rpmlintrc
--- a/strongswan-5.0.4.tar.bz2
+++ b/strongswan-5.0.4.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
+size 3412930
--- a/strongswan-5.0.4.tar.bz2.sig
+++ b/strongswan-5.0.4.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJRflW/AAoJEN9CwXCzTbp3q+oL/jtA73UxuENW3JuA2vgXsHeU
+jpWXDfM1GLEIKgy41D2+ajqx7l1amxM4ZOqtQZhFTMXs4EwWDIxpUl8RiARkwJy6
+ueciwMnsmAbC3tmPa85JwnbgrXrMZX5IfUYRx8+3DdeIuh8gxDOu2nvYGqSdIbh2
+8jN4x21wUQ+9mLz04VmuMKAmImoAitv8z89NVg6ZNiBEiYUfFdrkCepS7IGAY1ie
+pmmYM4svK7LLuXIlQKMyq7mXccjFD0sjM3SS6cIZlxIcOlXuKMa7xmVlkfktz816
+qz8XVOtD2zRiJuxjB92W9BW5Xr/+p5kXx995GjGitxv8g3CTTlPeg4GUciH6TGSW
+46lQ36XHKQX/NccgymWYMkXmZbMbacyglz3ShR0OO/aM1/cVlQ9qiHccZDh7gt9+
+fnfTAZn0RAfbe1zYKNn1h2BoY+LxscjnaX27oWxqI7KbrfrusZiyZic5twSeADcM
+khfIOGVyOCjwTThAuGpu6p09NqoYNm6Y/9Aj+R5NiA==
+=gI6I
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Tue Apr 30 12:48:44 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944):
+  - Fixed a security vulnerability in the openssl plugin which was
+    reported by Kevin Wojtysiak.  The vulnerability has been registered
+    as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA
+    signature verification was used, due to a misinterpretation of the
+    error code returned by the OpenSSL ECDSA_verify() function, an empty
+    or zeroed signature was accepted as a legitimate one. Refer to our
+    blog for details.
+  - The handling of a couple of other non-security relevant OpenSSL
+    return codes was fixed as well.
+  - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses
+    via its TCG TNC IF-MAP 2.1 interface.
+  - The charon.initiator_only strongswan.conf option causes charon to
+    ignore IKE initiation requests.
+  - The openssl plugin can now use the openssl-fips library.
+  The version 5.0.3 provides new ipseckey plugin, enabling authentication
+  based on trustworthy public keys stored as IPSECKEY resource records in
+  the DNS and protected by DNSSEC and new openssl plugin using the AES-NI
+  accelerated version of AES-GCM if the hardware supports it.
+  See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+  for a list of all changes since the 5.0.1 release.
+
 -------------------------------------------------------------------
 Thu Nov 29 19:13:40 CET 2012 - sbrabec@suse.cz

--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@


 Name:           strongswan
-Version:        5.0.1
+Version:        5.0.4
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
@ -28,12 +28,12 @@ Release:        0
 %else
 %bcond_with     tests
 %endif
-%if 1
+%if 0%{suse_version} > 1110
 %bcond_without  mysql
 %else
 %bcond_with     mysql
 %endif
-%if 0%{suse_version} >= 1110
+%if 0%{suse_version} > 1110
 %bcond_without  sqlite
 %bcond_without  gcrypt
 %bcond_without  nm
@ -319,6 +319,8 @@ export RPM_OPT_FLAGS CFLAGS
 %endif
 %if %{with nm}
 	--enable-nm \
+%else
+	--disable-nm \
 %endif
 %if %{with tests}
 	--enable-load-tester \
@ -351,7 +353,7 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find  $RPM_BUILD_ROOT%{strongswan_libdir} \
      -name "*.a" -o -name "*.la" | xargs -r rm -f
@ -464,6 +466,7 @@ fi
 %{strongswan_libdir}/libchecksum.so
 %{strongswan_libdir}/libcharon.so.*
 %{strongswan_libdir}/libhydra.so.*
+%{strongswan_libdir}/libpttls.so.*
 %{strongswan_libdir}/libradius.so.*
 %{strongswan_libdir}/libsimaka.so.*
 %{strongswan_libdir}/libstrongswan.so.*
@ -532,6 +535,7 @@ fi
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so