From 876d8e4544cfa9573b58d9992ed500d37c916443e008b509f0497e1a91982467 Mon Sep 17 00:00:00 2001 From: Madhu Mohan Nelemane Date: Thu, 19 Jul 2018 15:17:25 +0000 Subject: [PATCH] Accepting request 614748 from home:iznogood:branches:network:vpn New stable rel, fix CVS's OBS-URL: https://build.opensuse.org/request/show/614748 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112 --- strongswan-5.6.2.tar.bz2 | 3 - strongswan-5.6.2.tar.bz2.sig | 14 --- strongswan-5.6.3.tar.bz2 | 3 + strongswan-5.6.3.tar.bz2.sig | 14 +++ ...an-5.6.2-rpmlintrc => strongswan-rpmlintrc | 0 strongswan.changes | 93 +++++++++++++++++++ strongswan.spec | 4 +- 7 files changed, 112 insertions(+), 19 deletions(-) delete mode 100644 strongswan-5.6.2.tar.bz2 delete mode 100644 strongswan-5.6.2.tar.bz2.sig create mode 100644 strongswan-5.6.3.tar.bz2 create mode 100644 strongswan-5.6.3.tar.bz2.sig rename strongswan-5.6.2-rpmlintrc => strongswan-rpmlintrc (100%) diff --git a/strongswan-5.6.2.tar.bz2 b/strongswan-5.6.2.tar.bz2 deleted file mode 100644 index acb1b03..0000000 --- a/strongswan-5.6.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92 -size 4977859 diff --git a/strongswan-5.6.2.tar.bz2.sig b/strongswan-5.6.2.tar.bz2.sig deleted file mode 100644 index 6aa1721..0000000 --- a/strongswan-5.6.2.tar.bz2.sig +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B -0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG -p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb -vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg -PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI -bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ -rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7 -tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G -0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg== -=L2B6 ------END PGP SIGNATURE----- diff --git a/strongswan-5.6.3.tar.bz2 b/strongswan-5.6.3.tar.bz2 new file mode 100644 index 0000000..be84396 --- /dev/null +++ b/strongswan-5.6.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24 +size 4961579 diff --git a/strongswan-5.6.3.tar.bz2.sig b/strongswan-5.6.3.tar.bz2.sig new file mode 100644 index 0000000..813e2e9 --- /dev/null +++ b/strongswan-5.6.3.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJbC/V/AAoJEN9CwXCzTbp3xwsL/RivLwRDRkIDC93Le2B/d7dT +/BHN/4PDmy+dEzysNVPXDG8TLm1VWgaIXvh0pVzPq4ohJSOP0tPFoeyJpHtPT9Xt +x/VLnVlw2lNm70MZxXh1w9U6oEt8Sce9jtRJuEu54RhHBPcypNhNY1OsE1v8yeKf +1MYENntcs/ATn7OkgtCALIB9WAZEFnXMQmpG+9hUzsr6zBfTY33t2QbsVeoiZAnV +yTIRZQgilEAx9ZahjF1Vri1plUti8ZL/W9y0OnWt+/oOnXAx91NH2KgZ4qkAqtbg +1H3nacKNHk6XP0Ca+wB4WIBmwDfquUEDTNbBPDaQy2yl33hzj9w2jovbSPF3YPnl +TzY07K77OMK9r7YtxIa+diXs3GTh6vEe9E8mgRrQ96TXDCXCVvlQcTfEDmJ3z1ZC +gk5blg7os5gAVKkdtEPChJP1VPJk2qhY8eZOCfdgIucv06YQKkj2aAcac+Umthne +yS/qWZm8/LI6UII9Nf541o2KrlDd4ypoYOt0oibaoA== +=NiPQ +-----END PGP SIGNATURE----- diff --git a/strongswan-5.6.2-rpmlintrc b/strongswan-rpmlintrc similarity index 100% rename from strongswan-5.6.2-rpmlintrc rename to strongswan-rpmlintrc 
diff --git a/strongswan.changes b/strongswan.changes index 069e0f1..ac29935 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,96 @@ +------------------------------------------------------------------- +Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com + +- Update to version 5.6.3 (CVE-2018-10811, boo#1093536, + CVE-2018-5388, boo#1094462): + * Fixed a DoS vulnerability in the IKEv2 key derivation if the + openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated + as PRF. This vulnerability has been registered as + CVE-2018-10811, boo#1093536. + * Fixed a vulnerability in the stroke plugin, which did not check + the received length before reading a message from the socket. + Unless a group is configured, root privileges are required to + access that socket, so in the default configuration this + shouldn't be an issue. This vulnerability has been registered + as CVE-2018-5388, boo#1094462. + * CRLs that are not yet valid are now ignored to avoid problems + in scenarios where expired certificates are removed from new + CRLs and the clock on the host doing the revocation check is + trailing behind that of the host issuing CRLs. Not doing this + could result in accepting a revoked and expired certificate, if + it's still valid according to the trailing clock but not + contained anymore in not yet valid CRLs. + * The issuer of fetched CRLs is now compared to the issuer of the + checked certificate (#2608). + * CRL validation results other than revocation (e.g. a skipped + check because the CRL couldn't be fetched) are now stored also + for intermediate CA certificates and not only for end-entity + certificates, so a strict CRL policy can be enforced in such + cases. + * In compliance with RFC 4945, section 5.1.3.2, certificates used + for IKE must now either not contain a keyUsage extension (like + the ones generated by pki), or have at least one of the + digitalSignature or nonRepudiation bits set. + * New options for vici/swanctl allow forcing the local + termination of an IKE_SA. 
This might be useful in situations + where it's known the other end is not reachable anymore, or + that it already removed the IKE_SA, so retransmitting a DELETE + and waiting for a response would be pointless. + * Waiting only a certain amount of time for a response (i.e. + shorter than all retransmits would be) before destroying the + IKE_SA is also possible by additionally specifying a timeout in + the forced termination request. + * When removing routes, the kernel-netlink plugin now checks if + it tracks other routes for the same destination and replaces + the installed route instead of just removing it. Same during + installation, where existing routes previously weren't + replaced. This should allow using traps with virtual IPs on + Linux (#2162). + * The dhcp plugin now only sends the client identifier DHCP + option if the identity_lease setting is enabled (7b660944b6). + It can also send identities of up to 255 bytes length, instead + of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server + address is configured, DHCP requests are now sent from port 67 + instead of 68 to avoid ICMP port unreachables (becf027cd9). + * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one + containing a DH group that wasn't proposed) during + CREATE_CHILD_SA exchanges has been improved (#2536). + * Roam events are now completely ignored for IKEv1 SAs (there is + no MOBIKE to handle such changes properly). + * ChaCha20/Poly1305 is now correctly proposed without key length + (#2614). For compatibility with older releases the + chacha20poly1305compat keyword may be included in proposals to + also propose the algorithm with a key length (c58434aeff). + * Configuration of hardware offload of IPsec SAs is now more + flexible and allows a new setting (auto), which automatically + uses it if the kernel and device both support it. If hw_offload + is set to yes and offloading is not supported, the CHILD_SA + installation now fails. 
+ * The kernel-pfkey plugin optionally installs routes via internal + interface (one with an IP in the local traffic selector). On + FreeBSD, enabling this selects the correct source IP when + sending packets from the gateway itself (e811659323). + * SHA-2 based PRFs are supported in PKCS#8 files as generated by + OpenSSL 1.1 (#2574). + * The pki --verify tool may load CA certificates and CRLs from + directories. + * The IKE daemon now also switches to port 4500 if the remote + port is not 500 (e.g. because the remote maps the response to a + different port, as might happen on Azure), as long as the local + port is 500 (85bfab621d). + * Fixed an issue with DNS servers passed to NetworkManager in + charon-nm (ee8c25516a). + * Logged traffic selectors now always contain the protocol if + either protocol or port are set (a36d8097ed). + * Only the inbound SA/policy will be updated as reaction to IP + address changes for rekeyed CHILD_SAs that are kept around. + * The parser for strongswan.conf/swanctl.conf now accepts = + characters in values without having to put the value in quotes + (e.g. for Base64 encoded shared secrets). +- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc, + changing the version string on every version update makes no + sense. + ------------------------------------------------------------------- Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com diff --git a/strongswan.spec b/strongswan.spec index 3153cb2..c378e3b 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.6.2 +Version: 5.6.3 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} 
@@ -69,7 +69,7 @@ Requires: strongswan-ipsec = %{version} Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in -Source3: %{name}-%{version}-rpmlintrc +Source3: %{name}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck}
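Review bot: for the new `strongswan-5.6.3.tar.bz2` hunk, the only integrity record of the source archive in this repository is the LFS pointer (`oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24`, `size 4961579`); the archive itself cannot be reviewed here, so the request description should say how that digest was checked against the upstream 5.6.3 release, for example by verifying Source1 against the Source5 keyring locally before the upload.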
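Review bot: for the new `strongswan-5.6.3.tar.bz2.sig` hunk, the replacement signature carries the same issuer subpacket bytes as the 5.6.2 one it replaces (both base64 blobs contain `AAoJEN9CwXCzTbp3` right after the timestamp field), so the unchanged `%{name}.keyring` (Source5) should still verify it; that is consistent with the keyring not being part of this request. Please confirm the build fails hard on a verification failure rather than only shipping the `.sig` next to the tarball.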
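Review bot: in the `strongswan.changes` hunk, the CVE-2018-5388 entry says the stroke socket is root-only unless a group is configured; since none of the spec hunks in this request touch socket ownership or a charon group setting, it would help to state in the changelog whether the openSUSE default configuration leaves that socket root-only, so packagers can judge the exposure of 5.6.2 installs. Minor: the request summary `fix CVS's` presumably means CVEs; the changelog entry itself names both CVEs with their boo# references correctly.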
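Review bot: in the `@@ -69,7` spec hunk, `Source3: %{name}-rpmlintrc` matches the 100% rename of `strongswan-5.6.2-rpmlintrc` in the file list, so that part is consistent; however, the `%if %{with fipscheck}` context line immediately after `Source5: %{name}.keyring` suggests the keyring handling is conditional. Please confirm that Source1 (the updated `.sig`) is verified against Source5 in every build configuration, not only when fipscheck is enabled, since this request changes the signature but not the keyring.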