OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=10

2009-04-02 16:51:38 +00:00 · 2009-04-02 16:51:38 +00:00 · ed54a2e985
commit ed54a2e985
parent f1c08d14e3
9 changed files with 106 additions and 45 deletions
--- a/strongswan-4.2.14-rpmlintrc
+++ b/strongswan-4.2.14-rpmlintrc
@ -1,4 +1,3 @@
 addFilter('strongswan.* shlib-policy-missing-suffix')
 addFilter("strongswan.* incoherent-init-script-name ipsec")
 addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
-
--- a/strongswan-4.2.14.tar.bz2
+++ b/strongswan-4.2.14.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
+size 2740464
--- a/strongswan-4.2.14.tar.bz2.sig
+++ b/strongswan-4.2.14.tar.bz2.sig
@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
+txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
+LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
+O5Jh906OVbI=
+=P088
+-----END PGP SIGNATURE-----
--- a/strongswan-4.2.8.dif
+++ b/strongswan-4.2.8.dif
@ -1,11 +0,0 @@
--- scripts/thread_analysis.c
-+++ scripts/thread_analysis.c	2008/08/28 07:41:27
-@@ -102,7 +102,7 @@
- 	fd = fopen(LOGFILE, "r");
- 	if (!fd)
- 	{
-		printf("could not open log file '%s'\n");
-+		printf("could not open log file '%s'\n", LOGFILE);
- 		return 1;
- 	}
- 
--- a/strongswan-4.2.8.tar.bz2
+++ b/strongswan-4.2.8.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3e5a291857d55dfa530d5618e27a9fd17d0fd1e9d24023199a46466f76a6b687
-size 2906030
--- a/strongswan-4.2.8.tar.bz2.sig
+++ b/strongswan-4.2.8.tar.bz2.sig
@ -1,9 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-iQCVAwUASPP38NYbDnNAmVNZAQK+AQP9EZ6yw3ru3RpRiR04qH4asitAF/bxGOLb
-O5ZZrbdedw4zC9gXZI3zmCgxO8t5RQA3JjtlsUtSkITAVhhxoyQb3LLg+8dtF3EN
-+eawBteUG7xRl6Y+y3ESLwQ0Voma6FijN3GpqKFh7TJeFP+gSsV9Q0iZvDBxlCa/
-uVCvhbq+dcc=
-=H4YY
-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
+
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+  denial of service vulnerability registered as CVE-2009-0790,
+  that had been slumbering in the code for many years:
+  * A vulnerability in the Dead Peer Detection (RFC 3706) code
+    was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
+    Intra2net AG affecting all Openswan and strongSwan releases.
+    A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+    Dead Peer Detection packet can cause the pluto IKE daemon to
+    crash and restart. No authentication or encryption is required
+    to trigger this bug. One spoofed UDP packet can cause the pluto
+    IKE daemon to restart and be unresponsive for a few seconds
+    while restarting. This DPD null state vulnerability has been
+    officially registered as CVE-2009-0790 and is fixed by this
+    release.
+  * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+    relays EAP messages to and from a RADIUS server. Succesfully
+    tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+  * ASN.1 to time_t conversion caused a time wrap-around for dates
+    after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+    As a workaround such dates are set to the maximum representable
+    time, i.e. Jan 19 03:14:07 UTC 2038.
+  * Distinguished Names containing wildcards (*) are not sent in the
+    IDr payload anymore. 
+
 -------------------------------------------------------------------
 Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
-# spec file for package strongswan (Version 4.2.8)
+# spec file for package strongswan (Version 4.2.14)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,9 +19,9 @@


 Name:           strongswan
-%define         upstream_version 4.2.8
+%define         upstream_version 4.2.14
 %define         strongswan_docdir %{_docdir}/%{name}
-Version:        4.2.8
+Version:        4.2.14
 Release:        1
 License:        GPL v2 or later
 Group:          Productivity/Networking/Security
@ -38,8 +38,7 @@ Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.ta
 Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Patch1:         %{name}_modprobe_syslog.dif
-Patch2:         %{name}-%{upstream_version}.dif
-Patch3:         %{name}_update-dns-server.dif
+Patch2:         %{name}_update-dns-server.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 %if 0%{?suse_version} >= 1030
@ -136,7 +135,6 @@ Authors:
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
-%patch3 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init
@ -269,6 +267,30 @@ fi
 %{_mandir}/man8/starter.8*

 %changelog
+* Tue Mar 31 2009 mt@suse.de
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+  denial of service vulnerability registered as CVE-2009-0790,
+  that had been slumbering in the code for many years:
+  * A vulnerability in the Dead Peer Detection (RFC 3706) code
+  was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
+  Intra2net AG affecting all Openswan and strongSwan releases.
+  A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+  Dead Peer Detection packet can cause the pluto IKE daemon to
+  crash and restart. No authentication or encryption is required
+  to trigger this bug. One spoofed UDP packet can cause the pluto
+  IKE daemon to restart and be unresponsive for a few seconds
+  while restarting. This DPD null state vulnerability has been
+  officially registered as CVE-2009-0790 and is fixed by this
+  release.
+  * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+  relays EAP messages to and from a RADIUS server. Succesfully
+  tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+  * ASN.1 to time_t conversion caused a time wrap-around for dates
+  after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+  As a workaround such dates are set to the maximum representable
+  time, i.e. Jan 19 03:14:07 UTC 2038.
+  * Distinguished Names containing wildcards (*) are not sent in the
+  IDr payload anymore.
 * Mon Oct 20 2008 mt@suse.de
 - Updated to 4.2.8 release:
  * IKEv2 charon daemon supports authentication based on raw public
@ -360,7 +382,7 @@ fi
 - Added patch adding a missed file name argument in printf call in the
  scripts/thread_analysis.c file -- resulting binary is not installed.
 - Removed obsolete patches crash_badcfg_reload and old-caps-version.
-* Tue Jul 01 2008 mt@suse.de
+* Mon Jun 30 2008 mt@suse.de
 - Added fix that explicitly enables version 1 linux capabilities
  on version 2 systems to aviod that the charon and pluto daemons
  exit because of failed capset call (bnc#404989).
--- a/strongswan_modprobe_syslog.dif
+++ b/strongswan_modprobe_syslog.dif
@ -1,11 +1,35 @@
+--- src/starter/klips.c
+++ src/starter/klips.c	2009/03/23 10:46:01
+@@ -36,7 +36,7 @@ starter_klips_init(void)
+ 	/* ipsec module makes the pf_key proc interface visible */
+ 	if (stat(PROC_MODULES, &stb) == 0)
+ 	{
+-	    ignore_result(system("modprobe -qv ipsec"));
+	    ignore_result(system("modprobe -a ipsec"));
+ 	}
+ 
+ 	/* now test again */
+@@ -50,9 +50,9 @@ starter_klips_init(void)
+     }
+     
+     /* load crypto algorithm modules */
+-    ignore_result(system("modprobe -qv ipsec_aes"));
+-    ignore_result(system("modprobe -qv ipsec_blowfish"));
+-    ignore_result(system("modprobe -qv ipsec_sha2"));
+    ignore_result(system("modprobe -s ipsec_aes"));
+    ignore_result(system("modprobe -s ipsec_blowfish"));
+    ignore_result(system("modprobe -s ipsec_sha2"));
+ 
+     DBG(DBG_CONTROL,
+ 	DBG_log("Found KLIPS IPsec stack")
 --- src/starter/netkey.c
-+++ src/starter/netkey.c	2007/12/06 09:05:30
+++ src/starter/netkey.c	2009/03/23 10:46:34
@@ -36,7 +36,7 @@ starter_netkey_init(void)
 	/* af_key module makes the netkey proc interface visible */
 	if (stat(PROC_MODULES, &stb) == 0)
 	{
-	    system("modprobe -qv af_key");
-+	    system("modprobe -s af_key");
+-	    ignore_result(system("modprobe -qv af_key"));
+	    ignore_result(system("modprobe -s af_key"));
 	}
 
 	/* now test again */
@ -13,16 +37,16 @@
     /* make sure that all required IPsec modules are loaded */
     if (stat(PROC_MODULES, &stb) == 0)
     {
-	system("modprobe -qv ah4");
-	system("modprobe -qv esp4");
-	system("modprobe -qv ipcomp");
-	system("modprobe -qv xfrm4_tunnel");
-	system("modprobe -qv xfrm_user");
-+	system("modprobe -s ah4");
-+	system("modprobe -s esp4");
-+	system("modprobe -s ipcomp");
-+	system("modprobe -s xfrm4_tunnel");
-+	system("modprobe -s xfrm_user");
+-	ignore_result(system("modprobe -qv ah4"));
+-	ignore_result(system("modprobe -qv esp4"));
+-	ignore_result(system("modprobe -qv ipcomp"));
+-	ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-	ignore_result(system("modprobe -qv xfrm_user"));
+	ignore_result(system("modprobe -s ah4"));
+	ignore_result(system("modprobe -s esp4"));
+	ignore_result(system("modprobe -s ipcomp"));
+	ignore_result(system("modprobe -s xfrm4_tunnel"));
+	ignore_result(system("modprobe -s xfrm_user"));
     }
 
     DBG(DBG_CONTROL,