forked from pool/strongswan
Accepting request 933151 from home:iznogood:branches:network:vpn
- Update to version 5.9.4: * Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details. * Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details. * Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure. * AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs. * Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2). * Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte. * Loading SSH public keys via vici has been improved. * Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory. * Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode. * The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0. * libtpmtss is initialized in all programs and libraries that use it. * Migrated testing scripts to Python 3. OBS-URL: https://build.opensuse.org/request/show/933151 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
This commit is contained in:
parent
22be53cdf9
commit
9d37f89cf7
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9325ab56a0a4e97e379401e1d942ce3e0d8b6372291350ab2caae0755862c6f7
|
||||
size 4652311
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmDkSF0ACgkQ30LBcLNN
|
||||
uncrygwAjMYQOjm18Xzu/nnqhGZhgtAjk5yFRsSAwjcbevcC9a8q0aRWyMXA6Yhl
|
||||
LQOclYEBbyH4r/59GEHrZNvAHJ0iwAxtp20DcqUwzjRzrwL2g6/FZI1LTRkr0W0r
|
||||
3neaM8xVVZhpCUoVFVI1RZlpocwElgHGliivCnLwhEvEHJE89bzStBgdqbIZx3E1
|
||||
Piz0Ta6qkN1mglGtnsmFeImY3MosUdoQ0aj8q6dthmzNPxpn6f80RHkdoJm7S783
|
||||
FMFhwds4wLCp33v7JpAoGMvDJJnMtErj5PMSwrmN//eArWKHGWQPlGJq0OKZcJWO
|
||||
JI3sUaUsQlQ+3YsV63QIq6Oyav7h7yCmS9jEk9tiTB8QXj7GJrRpBetIYmvdzRMd
|
||||
wHmvZOC3vGdoEj8AKKNF447X3WMEVs0/DEYr/PHh6h6X9Ed8NyKVhiLm+OE6nk9F
|
||||
0Fthllsf+z8LLd+q1OPwH69FsI9J8oiW/pVyXB/MmBdu+0r6A1+EJw0cxqmqbLuN
|
||||
uN1rNh4k
|
||||
=O9SJ
|
||||
-----END PGP SIGNATURE-----
|
3
strongswan-5.9.4.tar.bz2
Normal file
3
strongswan-5.9.4.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518
|
||||
size 4651000
|
14
strongswan-5.9.4.tar.bz2.sig
Normal file
14
strongswan-5.9.4.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmFtRUEACgkQ30LBcLNN
|
||||
undRkwwAo22C+tsCWS+QFmAZZ7l2pMrYYwCSFJns+wVnzw5+7hhGR3JysoDnf+9A
|
||||
706SKcEPWnlXI7BwAk/9hdTDxdzfYQ7FEOJRZVk6+wOsodwR/EJpETj7OLGYbu/u
|
||||
tsTIPkJCtVPtO/v+3H4pnrdG+KRNTynN4vNzyWSjwNEw3yGusk0jiidsdhr7I+cy
|
||||
X6VG+cOkAVjjyWUHToxUufVEeJybAFhaeR39/mpBLk2xBF4e6/L+BQYjnsqleeAh
|
||||
Yj8txL7FgVymsm09LrrzSEcY1ntXRobzKZqDJA8u3fxDvn19hAhb07uo3pnk3G05
|
||||
NPvXFNqhYjyY5qaiQxiCXpOEliJUOZuPU4VM2WL2t2obAW1gWEjNXeWc9YjocIEf
|
||||
BLGZttfj5iM8Htt486YzdPW4uqR/MnuoRHbr4vFG7NWs4Mw2dAtSQWXu8k/PmoxH
|
||||
5gmxJwjyp8WBhEe3ZCczd1bnCz5+Ms8ycq3Icnvd837ZJalXVrxZAma/He83u7fF
|
||||
hVkK6RLz
|
||||
=05ZP
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,39 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||
|
||||
- Update to version 5.9.4:
|
||||
* Fixed a denial-of-service vulnerability in the gmp plugin that
|
||||
was caused by an integer overflow when processing RSASSA-PSS
|
||||
signatures with very large salt lengths. This vulnerability has
|
||||
been registered as CVE-2021-41990. Please refer to our blog for
|
||||
details.
|
||||
* Fixed a denial-of-service vulnerability in the in-memory
|
||||
certificate cache if certificates are replaced and a very large
|
||||
random value caused an integer overflow. This vulnerability has
|
||||
been registered as CVE-2021-41991. Please refer to our blog for
|
||||
details.
|
||||
* Fixed a related flaw that caused the daemon to accept and cache
|
||||
an infinite number of versions of a valid certificate by
|
||||
modifying the parameters in the signatureAlgorithm field of the
|
||||
outer X.509 Certificate structure.
|
||||
* AUTH_LIFETIME notifies are now only sent by a responder if it
|
||||
can't reauthenticate the IKE_SA itself due to asymmetric
|
||||
authentication (i.e. EAP) or the use of virtual IPs.
|
||||
* Several corner cases with reauthentication have been fixed
|
||||
(48fbe1d, 36161fe, 0d373e2).
|
||||
* Serial number generation in several pki sub-commands has been
|
||||
fixed so they don't start with an unintended zero byte.
|
||||
* Loading SSH public keys via vici has been improved.
|
||||
* Shared secrets, PEM files, vici messages, PF_KEY messages,
|
||||
swanctl configs and other data is properly wiped from memory.
|
||||
* Use a longer dummy key to initialize HMAC instances in the
|
||||
openssl plugin in case it's used in FIPS-mode.
|
||||
* The --enable-tpm option now implies --enable-tss-tss2 as the
|
||||
plugin doesn't do anything without a TSS 2.0.
|
||||
* libtpmtss is initialized in all programs and libraries that use
|
||||
it.
|
||||
* Migrated testing scripts to Python 3.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.9.3
|
||||
Version: 5.9.4
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -558,6 +558,7 @@ fi
|
||||
%endif
|
||||
%{_bindir}/pki
|
||||
%{_bindir}/pt-tls-client
|
||||
%{_bindir}/tpm_extendpcr
|
||||
%{_sbindir}/ipsec
|
||||
%{_sbindir}/swanctl
|
||||
%{_mandir}/man1/pki*.1*
|
||||
|
Loading…
Reference in New Issue
Block a user