forked from pool/strongswan
Marius Tomaschewski
2f4b26b633
fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
- Fixed a denial-of-service vulnerability and potential authorization
bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
is an insufficient length check when comparing such identities. The
vulnerability has been registered as CVE-2013-6075.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
fragmentation payload. The cause is a NULL pointer dereference. The
vulnerability has been registered as CVE-2013-6076.
- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
session with a strongSwan policy enforcement point which uses the
tnc-pdp charon plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
for either full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth
exchanges for different credential types and display messages.
All user input gets concatenated and verified with a single
User-Password RADIUS attribute on the AAA. With an AAA supporting
it, one for example can implement Password+Token authentication with
proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode
Config exchange in push mode. The ipsec.conf modeconfig=push option
enables it for both client and server, the same way as pluto used it.
- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
connections, charon can negotiate and install Security Associations
integrity-protected by the Authentication Header protocol. Supported
are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
ESP+AH bundles.
[...]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=62
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| README.SUSE | ||
| strongswan_ipsec_service.patch | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-5.1.1-rpmlintrc | ||
| strongswan-5.1.1.tar.bz2 | ||
| strongswan-5.1.1.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.keyring | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The strongswan package does no provide any files any more, but triggers the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the traditional starter scripts inclusive of the /etc/init.d/ipsec init script and /etc/ipsec.conf file. There is a new strongswan-nm package with a NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. Have a lot of fun...