forked from pool/strongswan
Accepting request 933151 from home:iznogood:branches:network:vpn
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details.
  * Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details.
  * Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use it.
  * Migrated testing scripts to Python 3.

OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
parent 22be53cdf9
commit 9d37f89cf7
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:9325ab56a0a4e97e379401e1d942ce3e0d8b6372291350ab2caae0755862c6f7
|
|
||||||
size 4652311
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmDkSF0ACgkQ30LBcLNN
|
|
||||||
uncrygwAjMYQOjm18Xzu/nnqhGZhgtAjk5yFRsSAwjcbevcC9a8q0aRWyMXA6Yhl
|
|
||||||
LQOclYEBbyH4r/59GEHrZNvAHJ0iwAxtp20DcqUwzjRzrwL2g6/FZI1LTRkr0W0r
|
|
||||||
3neaM8xVVZhpCUoVFVI1RZlpocwElgHGliivCnLwhEvEHJE89bzStBgdqbIZx3E1
|
|
||||||
Piz0Ta6qkN1mglGtnsmFeImY3MosUdoQ0aj8q6dthmzNPxpn6f80RHkdoJm7S783
|
|
||||||
FMFhwds4wLCp33v7JpAoGMvDJJnMtErj5PMSwrmN//eArWKHGWQPlGJq0OKZcJWO
|
|
||||||
JI3sUaUsQlQ+3YsV63QIq6Oyav7h7yCmS9jEk9tiTB8QXj7GJrRpBetIYmvdzRMd
|
|
||||||
wHmvZOC3vGdoEj8AKKNF447X3WMEVs0/DEYr/PHh6h6X9Ed8NyKVhiLm+OE6nk9F
|
|
||||||
0Fthllsf+z8LLd+q1OPwH69FsI9J8oiW/pVyXB/MmBdu+0r6A1+EJw0cxqmqbLuN
|
|
||||||
uN1rNh4k
|
|
||||||
=O9SJ
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
strongswan-5.9.4.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518
|
||||||
|
size 4651000
|
14
strongswan-5.9.4.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmFtRUEACgkQ30LBcLNN
|
||||||
|
undRkwwAo22C+tsCWS+QFmAZZ7l2pMrYYwCSFJns+wVnzw5+7hhGR3JysoDnf+9A
|
||||||
|
706SKcEPWnlXI7BwAk/9hdTDxdzfYQ7FEOJRZVk6+wOsodwR/EJpETj7OLGYbu/u
|
||||||
|
tsTIPkJCtVPtO/v+3H4pnrdG+KRNTynN4vNzyWSjwNEw3yGusk0jiidsdhr7I+cy
|
||||||
|
X6VG+cOkAVjjyWUHToxUufVEeJybAFhaeR39/mpBLk2xBF4e6/L+BQYjnsqleeAh
|
||||||
|
Yj8txL7FgVymsm09LrrzSEcY1ntXRobzKZqDJA8u3fxDvn19hAhb07uo3pnk3G05
|
||||||
|
NPvXFNqhYjyY5qaiQxiCXpOEliJUOZuPU4VM2WL2t2obAW1gWEjNXeWc9YjocIEf
|
||||||
|
BLGZttfj5iM8Htt486YzdPW4uqR/MnuoRHbr4vFG7NWs4Mw2dAtSQWXu8k/PmoxH
|
||||||
|
5gmxJwjyp8WBhEe3ZCczd1bnCz5+Ms8ycq3Icnvd837ZJalXVrxZAma/He83u7fF
|
||||||
|
hVkK6RLz
|
||||||
|
=05ZP
|
||||||
|
-----END PGP SIGNATURE-----
|
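Review bot: The new detached signature strongswan-5.9.4.tar.bz2.sig is only swapped in as a file, and none of the spec hunks in this commit show it being checked against anything. Please confirm that the spec lists both the .sig and the upstream keyring as sources so that source validation actually verifies strongswan-5.9.4.tar.bz2 at build time, and that the signing key is the same one that signed the removed 5.9.3 signature. If the keyring is not part of the package yet, add it in this request rather than in a follow-up.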
@ -1,3 +1,39 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||||
|
|
||||||
|
- Update to version 5.9.4:
|
||||||
|
* Fixed a denial-of-service vulnerability in the gmp plugin that
|
||||||
|
was caused by an integer overflow when processing RSASSA-PSS
|
||||||
|
signatures with very large salt lengths. This vulnerability has
|
||||||
|
been registered as CVE-2021-41990. Please refer to our blog for
|
||||||
|
details.
|
||||||
|
* Fixed a denial-of-service vulnerability in the in-memory
|
||||||
|
certificate cache if certificates are replaced and a very large
|
||||||
|
random value caused an integer overflow. This vulnerability has
|
||||||
|
been registered as CVE-2021-41991. Please refer to our blog for
|
||||||
|
details.
|
||||||
|
* Fixed a related flaw that caused the daemon to accept and cache
|
||||||
|
an infinite number of versions of a valid certificate by
|
||||||
|
modifying the parameters in the signatureAlgorithm field of the
|
||||||
|
outer X.509 Certificate structure.
|
||||||
|
* AUTH_LIFETIME notifies are now only sent by a responder if it
|
||||||
|
can't reauthenticate the IKE_SA itself due to asymmetric
|
||||||
|
authentication (i.e. EAP) or the use of virtual IPs.
|
||||||
|
* Several corner cases with reauthentication have been fixed
|
||||||
|
(48fbe1d, 36161fe, 0d373e2).
|
||||||
|
* Serial number generation in several pki sub-commands has been
|
||||||
|
fixed so they don't start with an unintended zero byte.
|
||||||
|
* Loading SSH public keys via vici has been improved.
|
||||||
|
* Shared secrets, PEM files, vici messages, PF_KEY messages,
|
||||||
|
swanctl configs and other data is properly wiped from memory.
|
||||||
|
* Use a longer dummy key to initialize HMAC instances in the
|
||||||
|
openssl plugin in case it's used in FIPS-mode.
|
||||||
|
* The --enable-tpm option now implies --enable-tss-tss2 as the
|
||||||
|
plugin doesn't do anything without a TSS 2.0.
|
||||||
|
* libtpmtss is initialized in all programs and libraries that use
|
||||||
|
it.
|
||||||
|
* Migrated testing scripts to Python 3.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
|
Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||||
|
|
||||||
|
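Review bot: The two security entries at the top of the new 5.9.4 changelog block name CVE-2021-41990 and CVE-2021-41991 but carry no distribution bug reference, so the fixes cannot be linked to a tracking bug from the changelog alone. Suggest adding the tracking bug id next to each CVE id. The sentence "Please refer to our blog for details" is copied from the upstream release notes, where "our" means the strongSwan project; in a package changelog it should read "the strongSwan blog" or be dropped. The third entry (unbounded caching of certificate variants via the signatureAlgorithm parameters) is described as a related flaw with no identifier, so it is worth stating explicitly that it is covered by the same update.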
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: strongswan
|
Name: strongswan
|
||||||
Version: 5.9.3
|
Version: 5.9.4
|
||||||
Release: 0
|
Release: 0
|
||||||
%define upstream_version %{version}
|
%define upstream_version %{version}
|
||||||
%define strongswan_docdir %{_docdir}/%{name}
|
%define strongswan_docdir %{_docdir}/%{name}
|
||||||
@ -558,6 +558,7 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
%{_bindir}/pki
|
%{_bindir}/pki
|
||||||
%{_bindir}/pt-tls-client
|
%{_bindir}/pt-tls-client
|
||||||
|
%{_bindir}/tpm_extendpcr
|
||||||
%{_sbindir}/ipsec
|
%{_sbindir}/ipsec
|
||||||
%{_sbindir}/swanctl
|
%{_sbindir}/swanctl
|
||||||
%{_mandir}/man1/pki*.1*
|
%{_mandir}/man1/pki*.1*
|
||||||
|
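Review bot: The added line `%{_bindir}/tpm_extendpcr` has no matching changelog entry. The 5.9.4 entry mentions that --enable-tpm now implies --enable-tss-tss2 and that libtpmtss is initialized everywhere, but not that a new binary is now packaged, so please add a line for it. As far as this hunk shows, the entry sits after the `%endif` and is listed alongside pki and pt-tls-client without a condition of its own; check that the binary is installed in every build configuration this file list applies to, otherwise the build will fail on the missing file, and confirm this is the subpackage it belongs in.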