- Updated to strongSwan 5.1.3 providing the following changes:

- Fixed an authentication bypass vulnerability triggered by rekeying
    an unestablished IKEv2 SA while it gets actively initiated. This
    allowed an attacker to trick a peer's IKE_SA state to established,
    without the need to provide any valid authentication credentials.
    (CVE-2014-2338, bnc#870572).
  - The acert plugin evaluates X.509 Attribute Certificates. Group
    membership information encoded as strings can be used to fulfill
    authorization checks defined with the rightgroups option.
    Attribute Certificates can be loaded locally or get exchanged in
    IKEv2 certificate payloads.
  - The pki command gained support to generate X.509 Attribute
    Certificates using the --acert subcommand, while the --print
    command supports the ac type. The openac utility has been removed
    in favor of the new pki functionality.
  - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
    protocols has been extended by AEAD mode support, currently limited
    to AES-GCM.
  - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
    CA constraints
  - Limited OCSP signing to specific certificates to improve performance
  - authKeyIdentifier is not added to self-signed certificates anymore
  - Fixed the comparison of IKE configs if only the cipher suites were
    different

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=65

strongswan-5.1.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fb4c3066461dade176408840edbc9d830255f4816b0991baebbbedee501fddd6
-size 3767546

strongswan-5.1.2.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJTEEhjAAoJEN9CwXCzTbp3joQL/27auKbdX8nu/2qtGthWRP9M
-l41/eUZ9hC8K4BO4Td/NCHYBarmvvSe4JNcXJtPmW71DS/8MlOIHJlx4Fti3TZA0
-t/C2IZ61ipGhaWEjEPzFN3NjgCqV4cDdIZsn/a7Z5IkL/4BOuH3snkjVAwc5eZy1
-sZX883XvKHrtnfzkufjoIeGhezzriGxyxCS2QpYUjlM28Ub2nIsGm2lijxL1Ni30
-7e57CXILZZxnMIXH0/B2eUJBd3H0xhBZ5Ub4CLz8oRH8d901IG2g7bZ/FLzNqTnK
-pyrOqGc+F9YKphV099WmLx0iGyfv+3e4KVKEkFU+v8bGvT5i8ZBxomchult1vqVG
-6EfMC1N6/aj9MGKlIDVk0jpdZj9gcgSyKY6CQem7RYUn5a7pO7/KWzwpv5hajneU
-q+EXnvjNVmdQtE4aDEat5znRGxD8d71PH1yUjGpqT+yMt2Flr+FW6vlvyfZu0mod
-+innw2wiOc9jC77lkn4KPYVKXasRiyCJJsTkXDGjiw==
-=O9SH
------END PGP SIGNATURE-----

strongswan-5.1.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8
+size 3807212

strongswan-5.1.3.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJTS9jUAAoJEN9CwXCzTbp3E3cMAJuQv7IsG5XDNQB/Wcb66hLQ
+2DSZN2zXRI2Ku5ONXDqnzCzyGRO84SOsGVzX9AQTHactr29B0n9rZxSCKZrm+ZRX
+lMKu6UNsS+jSKhXkXfmDSilFnM7ap7tAlFUuH/7uz8LcG34643W5BOJH0oMq7Rx3
+WN/7/TbrYf1aE0s3C8tcJXc5OghkvAfsE0jBPWhwT7dwi5eczluPMyYYdGxg8zNP
+LdBdoHTfnFRnMcL18SGwUYl09hj2YkZMoo+2Qt4I6WNy3yIINRIQluPSl2f91HHG
+VXyzGLpC3W63WYxXhPmjdmkpaT9+kulF6WVhgt3i6VMOv6nSNitHs5/X0W6N5xuX
+BhPmJRFmT0Oej3MJVxSKqUy89Ny3DyRmai5bERAFe+FOt9HN1UWqpK+qYFI+YQw/
+dMS9kviW2UhSq4BM9F9F+QrL66Bz0gc5+jXolm971FII62cV4i6n9U6veGPY9qkg
++Jcn6XpKOe2JXLsIeIMQgc0GitIaEHq/zdST/pn2Gw==
+=NZ/K
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Apr 14 23:36:07 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+  - Fixed an authentication bypass vulnerability triggered by rekeying
+    an unestablished IKEv2 SA while it gets actively initiated. This
+    allowed an attacker to trick a peer's IKE_SA state to established,
+    without the need to provide any valid authentication credentials.
+    (CVE-2014-2338, bnc#870572).
+  - The acert plugin evaluates X.509 Attribute Certificates. Group
+    membership information encoded as strings can be used to fulfill
+    authorization checks defined with the rightgroups option.
+    Attribute Certificates can be loaded locally or get exchanged in
+    IKEv2 certificate payloads.
+  - The pki command gained support to generate X.509 Attribute
+    Certificates using the --acert subcommand, while the --print
+    command supports the ac type. The openac utility has been removed
+    in favor of the new pki functionality.
+  - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+    protocols has been extended by AEAD mode support, currently limited
+    to AES-GCM.
+  - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+    CA constraints
+  - Limited OCSP signing to specific certificates to improve performance
+  - authKeyIdentifier is not added to self-signed certificates anymore
+  - Fixed the comparison of IKE configs if only the cipher suites were
+    different
+
 -------------------------------------------------------------------
 Mon Apr 14 07:43:37 UTC 2014 - mt@suse.de
 

strongswan.spec

@@ -17,14 +17,14 @@
 
 
 Name:           strongswan
-Version:        5.1.2
+Version:        5.1.3
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
 %define         strongswan_libdir    %{_libdir}/ipsec
-%define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_configs   %{_sysconfdir}/strongswan.d
 %define         strongswan_datadir   %{_datadir}/strongswan
+%define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_templates %{strongswan_datadir}/templates
 %if 0
 %bcond_without  tests
@@ -437,7 +437,6 @@ fi
 %{_libexecdir}/ipsec/_updown_espmark
 %{_libexecdir}/ipsec/conftest
 %{_libexecdir}/ipsec/duplicheck
-%{_libexecdir}/ipsec/openac
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
@@ -462,7 +461,6 @@ fi
 %{strongswan_docdir}/ChangeLog
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
-%{_mandir}/man8/openac.8*
 %{_mandir}/man8/scepclient.8*
 
 %files libs0