forked from pool/strongswan
OBS User unknown 2009-04-02 16:51:38 +00:00 committed by Git OBS Bridge
parent f1c08d14e3
commit ed54a2e985
9 changed files with 106 additions and 45 deletions


@ -1,4 +1,3 @@
addFilter('strongswan.* shlib-policy-missing-suffix') addFilter('strongswan.* shlib-policy-missing-suffix')
addFilter("strongswan.* incoherent-init-script-name ipsec") addFilter("strongswan.* incoherent-init-script-name ipsec")
addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins") addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
size 2740464


@ -0,0 +1,9 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
O5Jh906OVbI=
=P088
-----END PGP SIGNATURE-----


@ -1,11 +0,0 @@
--- scripts/thread_analysis.c
+++ scripts/thread_analysis.c 2008/08/28 07:41:27
@@ -102,7 +102,7 @@
fd = fopen(LOGFILE, "r");
if (!fd)
{
- printf("could not open log file '%s'\n");
+ printf("could not open log file '%s'\n", LOGFILE);
return 1;
}


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3e5a291857d55dfa530d5618e27a9fd17d0fd1e9d24023199a46466f76a6b687
size 2906030


@ -1,9 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQCVAwUASPP38NYbDnNAmVNZAQK+AQP9EZ6yw3ru3RpRiR04qH4asitAF/bxGOLb
O5ZZrbdedw4zC9gXZI3zmCgxO8t5RQA3JjtlsUtSkITAVhhxoyQb3LLg+8dtF3EN
+eawBteUG7xRl6Y+y3ESLwQ0Voma6FijN3GpqKFh7TJeFP+gSsV9Q0iZvDBxlCa/
uVCvhbq+dcc=
=H4YY
-----END PGP SIGNATURE-----


@ -1,3 +1,30 @@
-------------------------------------------------------------------
Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
- Updated to strongSwan 4.2.14 release that fixes a grave DPD
denial of service vulnerability registered as CVE-2009-0790,
that had been slumbering in the code for many years:
* A vulnerability in the Dead Peer Detection (RFC 3706) code
was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
Intra2net AG affecting all Openswan and strongSwan releases.
A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
Dead Peer Detection packet can cause the pluto IKE daemon to
crash and restart. No authentication or encryption is required
to trigger this bug. One spoofed UDP packet can cause the pluto
IKE daemon to restart and be unresponsive for a few seconds
while restarting. This DPD null state vulnerability has been
officially registered as CVE-2009-0790 and is fixed by this
release.
* The new server-side EAP RADIUS plugin (--enable-eap-radius)
relays EAP messages to and from a RADIUS server. Succesfully
tested with with a freeradius server using EAP-MD5 and EAP-SIM.
* ASN.1 to time_t conversion caused a time wrap-around for dates
after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
As a workaround such dates are set to the maximum representable
time, i.e. Jan 19 03:14:07 UTC 2038.
* Distinguished Names containing wildcards (*) are not sent in the
IDr payload anymore.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de


@ -1,7 +1,7 @@
# #
# spec file for package strongswan (Version 4.2.8) # spec file for package strongswan (Version 4.2.14)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -19,9 +19,9 @@
Name: strongswan Name: strongswan
%define upstream_version 4.2.8 %define upstream_version 4.2.14
%define strongswan_docdir %{_docdir}/%{name} %define strongswan_docdir %{_docdir}/%{name}
Version: 4.2.8 Version: 4.2.14
Release: 1 Release: 1
License: GPL v2 or later License: GPL v2 or later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
@ -38,8 +38,7 @@ Source1: http://download.strongswan.org/strongswan-%{upstream_version}.ta
Source2: %{name}.init.in Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc Source3: %{name}-%{version}-rpmlintrc
Patch1: %{name}_modprobe_syslog.dif Patch1: %{name}_modprobe_syslog.dif
Patch2: %{name}-%{upstream_version}.dif Patch2: %{name}_update-dns-server.dif
Patch3: %{name}_update-dns-server.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: bison flex gmp-devel gperf pkg-config
%if 0%{?suse_version} >= 1030 %if 0%{?suse_version} >= 1030
@ -136,7 +135,6 @@ Authors:
%setup -q -n %{name}-%{upstream_version} %setup -q -n %{name}-%{upstream_version}
%patch1 -p0 %patch1 -p0
%patch2 -p0 %patch2 -p0
%patch3 -p0
sed -e 's|@libexecdir@|%_libexecdir|g' \ sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \ < $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init > strongswan.init
@ -269,6 +267,30 @@ fi
%{_mandir}/man8/starter.8* %{_mandir}/man8/starter.8*
%changelog %changelog
* Tue Mar 31 2009 mt@suse.de
- Updated to strongSwan 4.2.14 release that fixes a grave DPD
denial of service vulnerability registered as CVE-2009-0790,
that had been slumbering in the code for many years:
* A vulnerability in the Dead Peer Detection (RFC 3706) code
was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
Intra2net AG affecting all Openswan and strongSwan releases.
A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
Dead Peer Detection packet can cause the pluto IKE daemon to
crash and restart. No authentication or encryption is required
to trigger this bug. One spoofed UDP packet can cause the pluto
IKE daemon to restart and be unresponsive for a few seconds
while restarting. This DPD null state vulnerability has been
officially registered as CVE-2009-0790 and is fixed by this
release.
* The new server-side EAP RADIUS plugin (--enable-eap-radius)
relays EAP messages to and from a RADIUS server. Succesfully
tested with with a freeradius server using EAP-MD5 and EAP-SIM.
* ASN.1 to time_t conversion caused a time wrap-around for dates
after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
As a workaround such dates are set to the maximum representable
time, i.e. Jan 19 03:14:07 UTC 2038.
* Distinguished Names containing wildcards (*) are not sent in the
IDr payload anymore.
* Mon Oct 20 2008 mt@suse.de * Mon Oct 20 2008 mt@suse.de
- Updated to 4.2.8 release: - Updated to 4.2.8 release:
* IKEv2 charon daemon supports authentication based on raw public * IKEv2 charon daemon supports authentication based on raw public
@ -360,7 +382,7 @@ fi
- Added patch adding a missed file name argument in printf call in the - Added patch adding a missed file name argument in printf call in the
scripts/thread_analysis.c file -- resulting binary is not installed. scripts/thread_analysis.c file -- resulting binary is not installed.
- Removed obsolete patches crash_badcfg_reload and old-caps-version. - Removed obsolete patches crash_badcfg_reload and old-caps-version.
* Tue Jul 01 2008 mt@suse.de * Mon Jun 30 2008 mt@suse.de
- Added fix that explicitly enables version 1 linux capabilities - Added fix that explicitly enables version 1 linux capabilities
on version 2 systems to aviod that the charon and pluto daemons on version 2 systems to aviod that the charon and pluto daemons
exit because of failed capset call (bnc#404989). exit because of failed capset call (bnc#404989).
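Review bot: The new %changelog entry (the `* Tue Mar 31 2009 mt@suse.de` block) records only the upstream 4.2.14 release notes and says nothing about the packaging changes in the same hunk set: `Patch2: %{name}-%{upstream_version}.dif` is dropped and `%patch3 -p0` removed from %prep, and the remaining `%{name}_modprobe_syslog.dif` is reworked in this commit to cover src/starter/klips.c as well. A reader of the spec history cannot tell whether strongswan-4.2.8.dif was dropped because the scripts/thread_analysis.c printf fix is now in 4.2.14 (presumably, since the patch file is deleted here) or was simply forgotten. Two lines under the new entry would close that gap: `- Dropped strongswan-4.2.8.dif (thread_analysis.c printf fix, now upstream).` and `- Extended strongswan_modprobe_syslog.dif to src/starter/klips.c.`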


@ -1,11 +1,35 @@
--- src/starter/klips.c
+++ src/starter/klips.c 2009/03/23 10:46:01
@@ -36,7 +36,7 @@ starter_klips_init(void)
/* ipsec module makes the pf_key proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ipsec"));
+ ignore_result(system("modprobe -a ipsec"));
}
/* now test again */
@@ -50,9 +50,9 @@ starter_klips_init(void)
}
/* load crypto algorithm modules */
- ignore_result(system("modprobe -qv ipsec_aes"));
- ignore_result(system("modprobe -qv ipsec_blowfish"));
- ignore_result(system("modprobe -qv ipsec_sha2"));
+ ignore_result(system("modprobe -s ipsec_aes"));
+ ignore_result(system("modprobe -s ipsec_blowfish"));
+ ignore_result(system("modprobe -s ipsec_sha2"));
DBG(DBG_CONTROL,
DBG_log("Found KLIPS IPsec stack")
--- src/starter/netkey.c --- src/starter/netkey.c
+++ src/starter/netkey.c 2007/12/06 09:05:30 +++ src/starter/netkey.c 2009/03/23 10:46:34
@@ -36,7 +36,7 @@ starter_netkey_init(void) @@ -36,7 +36,7 @@ starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */ /* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0) if (stat(PROC_MODULES, &stb) == 0)
{ {
- system("modprobe -qv af_key"); - ignore_result(system("modprobe -qv af_key"));
+ system("modprobe -s af_key"); + ignore_result(system("modprobe -s af_key"));
} }
/* now test again */ /* now test again */
@ -13,16 +37,16 @@
/* make sure that all required IPsec modules are loaded */ /* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0) if (stat(PROC_MODULES, &stb) == 0)
{ {
- system("modprobe -qv ah4"); - ignore_result(system("modprobe -qv ah4"));
- system("modprobe -qv esp4"); - ignore_result(system("modprobe -qv esp4"));
- system("modprobe -qv ipcomp"); - ignore_result(system("modprobe -qv ipcomp"));
- system("modprobe -qv xfrm4_tunnel"); - ignore_result(system("modprobe -qv xfrm4_tunnel"));
- system("modprobe -qv xfrm_user"); - ignore_result(system("modprobe -qv xfrm_user"));
+ system("modprobe -s ah4"); + ignore_result(system("modprobe -s ah4"));
+ system("modprobe -s esp4"); + ignore_result(system("modprobe -s esp4"));
+ system("modprobe -s ipcomp"); + ignore_result(system("modprobe -s ipcomp"));
+ system("modprobe -s xfrm4_tunnel"); + ignore_result(system("modprobe -s xfrm4_tunnel"));
+ system("modprobe -s xfrm_user"); + ignore_result(system("modprobe -s xfrm_user"));
} }
DBG(DBG_CONTROL, DBG(DBG_CONTROL,