forked from pool/strongswan
Accepting request 614748 from home:iznogood:branches:network:vpn
New stable rel, fix CVS's
OBS-URL: https://build.opensuse.org/request/show/614748
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112
parent 6fe1f53373
commit 876d8e4544
@ -1,3 +0,0 @
version https://git-lfs.github.com/spec/v1
oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
size 4977859
@ -1,14 +0,0 @
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B
0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG
p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb
vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg
PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI
bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ
rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7
tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G
0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg==
=L2B6
-----END PGP SIGNATURE-----
3
strongswan-5.6.3.tar.bz2
Normal file
@ -0,0 +1,3 @
version https://git-lfs.github.com/spec/v1
oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24
size 4961579
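Review bot: the new pointer pins the build input only by sha256 c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24 and size 4961579, and nothing in this hunk ties that digest to an upstream release, so the review should compare it with the checksum published next to strongswan-5.6.3.tar.bz2 at the Source0 location (download.strongswan.org) before accepting. The archive shrinking from 4977859 to 4961579 bytes between two minor releases is plausible, but since the tarball content itself is not visible in the diff, the digest comparison plus the signature check on the .sig added below is what actually establishes that the pinned bytes are the upstream release.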
14
strongswan-5.6.3.tar.bz2.sig
Normal file
@ -0,0 +1,14 @
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAABAgAGBQJbC/V/AAoJEN9CwXCzTbp3xwsL/RivLwRDRkIDC93Le2B/d7dT
/BHN/4PDmy+dEzysNVPXDG8TLm1VWgaIXvh0pVzPq4ohJSOP0tPFoeyJpHtPT9Xt
x/VLnVlw2lNm70MZxXh1w9U6oEt8Sce9jtRJuEu54RhHBPcypNhNY1OsE1v8yeKf
1MYENntcs/ATn7OkgtCALIB9WAZEFnXMQmpG+9hUzsr6zBfTY33t2QbsVeoiZAnV
yTIRZQgilEAx9ZahjF1Vri1plUti8ZL/W9y0OnWt+/oOnXAx91NH2KgZ4qkAqtbg
1H3nacKNHk6XP0Ca+wB4WIBmwDfquUEDTNbBPDaQy2yl33hzj9w2jovbSPF3YPnl
TzY07K77OMK9r7YtxIa+diXs3GTh6vEe9E8mgRrQ96TXDCXCVvlQcTfEDmJ3z1ZC
gk5blg7os5gAVKkdtEPChJP1VPJk2qhY8eZOCfdgIucv06YQKkj2aAcac+Umthne
yS/qWZm8/LI6UII9Nf541o2KrlDd4ypoYOt0oibaoA==
=NiPQ
-----END PGP SIGNATURE-----
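Review bot: the base64 run AAoJEN9CwXCzTbp3 at the start of the packet encodes the unhashed issuer subpacket (key ID DF42C170B34DBA77 when decoded) and is identical in the removed 5.6.2 signature, so the unchanged %{name}.keyring shipped as Source5 should still verify this archive; that verification (gpg --verify of strongswan-5.6.3.tar.bz2.sig against strongswan-5.6.3.tar.bz2 with that keyring) is the step that authenticates the source and should be run in review rather than inferred from the matching key ID alone. Decoding the same leading bytes also shows hash algorithm 2 (SHA-1) for the signature, which gpg still accepts here but which is worth knowing when weighing this signature against the sha256 digest in the LFS pointer; the "Version: GnuPG v1" armor header is informational and not covered by the signature.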
@ -1,3 +1,96 @
-------------------------------------------------------------------
Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com

- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
CVE-2018-5388, boo#1094462):
* Fixed a DoS vulnerability in the IKEv2 key derivation if the
openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
as PRF. This vulnerability has been registered as
CVE-2018-10811, boo#1093536.
* Fixed a vulnerability in the stroke plugin, which did not check
the received length before reading a message from the socket.
Unless a group is configured, root privileges are required to
access that socket, so in the default configuration this
shouldn't be an issue. This vulnerability has been registered
as CVE-2018-5388, boo#1094462.
* CRLs that are not yet valid are now ignored to avoid problems
in scenarios where expired certificates are removed from new
CRLs and the clock on the host doing the revocation check is
trailing behind that of the host issuing CRLs. Not doing this
could result in accepting a revoked and expired certificate, if
it's still valid according to the trailing clock but not
contained anymore in not yet valid CRLs.
* The issuer of fetched CRLs is now compared to the issuer of the
checked certificate (#2608).
* CRL validation results other than revocation (e.g. a skipped
check because the CRL couldn't be fetched) are now stored also
for intermediate CA certificates and not only for end-entity
certificates, so a strict CRL policy can be enforced in such
cases.
* In compliance with RFC 4945, section 5.1.3.2, certificates used
for IKE must now either not contain a keyUsage extension (like
the ones generated by pki), or have at least one of the
digitalSignature or nonRepudiation bits set.
* New options for vici/swanctl allow forcing the local
termination of an IKE_SA. This might be useful in situations
where it's known the other end is not reachable anymore, or
that it already removed the IKE_SA, so retransmitting a DELETE
and waiting for a response would be pointless.
* Waiting only a certain amount of time for a response (i.e.
shorter than all retransmits would be) before destroying the
IKE_SA is also possible by additionally specifying a timeout in
the forced termination request.
* When removing routes, the kernel-netlink plugin now checks if
it tracks other routes for the same destination and replaces
the installed route instead of just removing it. Same during
installation, where existing routes previously weren't
replaced. This should allow using traps with virtual IPs on
Linux (#2162).
* The dhcp plugin now only sends the client identifier DHCP
option if the identity_lease setting is enabled (7b660944b6).
It can also send identities of up to 255 bytes length, instead
of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
address is configured, DHCP requests are now sent from port 67
instead of 68 to avoid ICMP port unreachables (becf027cd9).
* The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
containing a DH group that wasn't proposed) during
CREATE_CHILD_SA exchanges has been improved (#2536).
* Roam events are now completely ignored for IKEv1 SAs (there is
no MOBIKE to handle such changes properly).
* ChaCha20/Poly1305 is now correctly proposed without key length
(#2614). For compatibility with older releases the
chacha20poly1305compat keyword may be included in proposals to
also propose the algorithm with a key length (c58434aeff).
* Configuration of hardware offload of IPsec SAs is now more
flexible and allows a new setting (auto), which automatically
uses it if the kernel and device both support it. If hw_offload
is set to yes and offloading is not supported, the CHILD_SA
installation now fails.
* The kernel-pfkey plugin optionally installs routes via internal
interface (one with an IP in the local traffic selector). On
FreeBSD, enabling this selects the correct source IP when
sending packets from the gateway itself (e811659323).
* SHA-2 based PRFs are supported in PKCS#8 files as generated by
OpenSSL 1.1 (#2574).
* The pki --verify tool may load CA certificates and CRLs from
directories.
* The IKE daemon now also switches to port 4500 if the remote
port is not 500 (e.g. because the remote maps the response to a
different port, as might happen on Azure), as long as the local
port is 500 (85bfab621d).
* Fixed an issue with DNS servers passed to NetworkManager in
charon-nm (ee8c25516a).
* Logged traffic selectors now always contain the protocol if
either protocol or port are set (a36d8097ed).
* Only the inbound SA/policy will be updated as reaction to IP
address changes for rekeyed CHILD_SAs that are kept around.
* The parser for strongswan.conf/swanctl.conf now accepts =
characters in values without having to put the value in quotes
(e.g. for Base64 encoded shared secrets).
- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
changing the version string on every version update makes no
sense.

-------------------------------------------------------------------
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com

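Review bot: the entry reproduces the upstream NEWS text but does not call out the behaviour changes that can break existing deployments on upgrade, which a package changelog should flag ahead of the feature list: the RFC 4945 keyUsage rule (a certificate that carries a keyUsage extension without digitalSignature or nonRepudiation is no longer usable for IKE), hw_offload = yes now failing CHILD_SA installation where offload is unsupported, and ChaCha20/Poly1305 being proposed without a key length unless chacha20poly1305compat is set. The two CVE lines and their boo# references are consistent with the header line; for the stroke plugin item, a short sentence on whether this package configures a group on the stroke socket would tell openSUSE users whether the "root privileges are required" mitigation applies in their default installation.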
@ -17,7 +17,7 @


Name: strongswan
Version: 5.6.2
Version: 5.6.3
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
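Review bot: the Version bump is consistent with the rest of the commit, since %define upstream_version %{version} makes Source0 and Source1 resolve to the 5.6.3 tarball and .sig added here; Release stays at 0, which is the openSUSE convention because the build service assigns the release number. Nothing else in the spec is touched by this hunk, so any patch files listed further down must still apply to 5.6.3, which the diff cannot show and the build log will.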
@ -69,7 +69,7 @ Requires: strongswan-ipsec = %{version}
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Source3: %{name}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
%if %{with fipscheck}
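Review bot: the Source3 rename is only half visible in this commit: the spec and the changelog now refer to %{name}-rpmlintrc, but no rename of strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc appears among the changed files, so confirm the file exists under the new name in the package directory, otherwise source setup fails on a missing Source3. Dropping the version from the file name is the right choice, as the changelog says, because the rpmlint filter does not depend on the upstream version; Source0, Source1 and Source5 (the keyring used to check the .sig added in this commit) are unchanged, which is what the signature review above relies on.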