Hello community,

here is the log from the commit of package strongswan.1919 for 
openSUSE:12.2:Update checked in at 2013-08-13 22:32:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/strongswan.1919 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.strongswan.1919.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan.1919"

Changes:
--------
New Changes file:

--- /dev/null   2013-07-23 23:44:04.804033756 +0200
+++ /work/SRC/openSUSE:12.2:Update/.strongswan.1919.new/strongswan.changes      
2013-08-13 22:32:15.000000000 +0200
@@ -0,0 +1,906 @@
+-------------------------------------------------------------------
+Mon Aug  5 11:58:03 UTC 2013 - [email protected]
+
+- Applied upstream fix for a denial-of-service vulnerability, that
+  could be triggered by special XAuth usernames and EAP identities
+  (affected by this are 5.0.3 and 5.0.4), and local PEM files (all
+  versions since 4.1.11) (CVE-2013-5018,bnc#833278).
+  [0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch]
+
+-------------------------------------------------------------------
+Tue Apr 30 12:23:23 UTC 2013 - [email protected]
+
+- Applied upstream patch for security vulnerability discovered by
+  Kevin Wojtysiak in ECDSA signature verification of the strongswan
+  openssl plugin (bnc#815236, CVE-2013-2944)
+  [0003-Check-return-value-of-ECDSA_Verify-correctly.patch]
+
+-------------------------------------------------------------------
+Fri Sep  7 08:36:57 UTC 2012 - [email protected]
+
+- Applied upstream patch adjusting an internal thread id causing
+  charon keying daemon start failure (bnc#779038,strongswan#198):
+    openssl: Ensure the thread ID is never zero
+    This might otherwise cause problems because OpenSSL tries to
+    lock mutexes recursively if it assumes the lock is held by a
+    different thread e.g. during FIPS initialization.
+  See http://wiki.strongswan.org/issues/198 for more informations.
+
+-------------------------------------------------------------------
+Thu May 31 16:08:43 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.4 release:
+  - Fixed a security vulnerability in the gmp plugin. If this
+    plugin was used for RSA signature verification an empty or
+    zeroed signature was handled as a legitimate one
+    (bnc#761325, CVE-2012-2388).
+  - Fixed several issues with reauthentication and address updates.
+
+-------------------------------------------------------------------
+Thu May 10 09:15:38 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.3 release:
+  - The tnc-pdp plugin implements a RADIUS server interface allowing
+    a strongSwan TNC server to act as a Policy Decision Point.
+  - The eap-radius authentication backend enforces Session-Timeout
+    attributes using RFC4478 repeated authentication and acts upon
+    RADIUS Dynamic Authorization extensions, RFC 5176. Currently
+    supported are disconnect requests and CoA messages containing
+    a Session-Timeout.
+  - The eap-radius plugin can forward arbitrary RADIUS attributes
+    from and to clients using custom IKEv2 notify payloads. The new
+    radattr plugin reads attributes to include from files and prints
+    received attributes to the console.
+  - Added support for untruncated MD5 and SHA1 HMACs in ESP as used
+    in RFC 4595.
+  - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128
+    algorithms as defined in RFC 4494 and RFC 4615, respectively.
+  - The resolve plugin automatically installs nameservers via
+    resolvconf(8), if it is installed, instead of modifying
+    /etc/resolv.conf directly.
+  - The IKEv2 charon daemon supports now raw RSA public keys in RFC
+    3110 DNSKEY and PKCS#1 file format.
+  - The farp plugin sends ARP responses for any tunneled address,
+    not only virtual IPs.
+  - Charon resolves hosts again during additional keying tries.
+  - Fixed switching back to original address pair during MOBIKE.
+  - When resending IKE_SA_INIT with a COOKIE charon reuses the previous
+    DH value, as specified in RFC 5996.
+    This has an effect on the lifecycle of diffie_hellman_t, see
+    source:src/libcharon/sa/keymat.h#39 for details.
+  - COOKIEs are now kept enabled a bit longer to avoid certain race
+    conditions the commit message to 1b7debcc has some details.
+  - The new stroke user-creds command allows to set username/password
+    for a connection.
+  - strongswan.conf option added to set identifier for syslog(3) logging.
+  - Added a workaround for null-terminated XAuth secrets (as sent by
+    Android 4).
+
+-------------------------------------------------------------------
+Sat Mar  3 00:10:34 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.2 release:
+  Changes in 4.6.2:
+  - Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
+    which supports IF-TNCCS 2.0 long message types, the exclusive flags
+    and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
+    the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
+  - Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
+    standard (TLV-based messages only). TPM-based remote attestation of
+    Linux IMA (Integrity Measurement Architecture) possible. Measurement
+    reference values are automatically stored in an SQLite database.
+  - The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
+    start/stop messages containing Username, Framed-IP and Input/Output-Octets
+    attributes and has been tested against FreeRADIUS and Microsoft NPS.
+  - Added support for PKCS#8 encoded private keys via the libstrongswan
+    pkcs8 plugin.  This is the default format used by some OpenSSL tools since
+    version 1.0.0 (e.g. openssl req with -keyout).
+  - Added session resumption support to the strongSwan TLS stack.
+
+-------------------------------------------------------------------
+Wed Feb 15 13:31:40 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.1 release:
+  Changes in 4.6.1:
+  - Because of changing checksums before and after installation which caused
+    the integrity tests to fail we avoided directly linking libsimaka,
+    libtls and libtnccs to those libcharon plugins which make use of these
+    dynamiclibraries.
+    Instead we linked the libraries to the charon daemon. Unfortunately
+    Ubuntu 11.10 activated the --as-needed ld option which discards explicit
+    links to dynamic libraries that are not actually used by the charon
+    daemon itself, thus causing failures during the loading of the plugins
+    which depend on these libraries for resolving external symbols.
+  - Therefore our approach of computing  integrity checksums for plugins had
+    to be changed radically by moving the hash generation from the
+    compilation to the post-installation phase.
+  Changes in 4.6.0:
+  - The new libstrongswan certexpire plugin collects expiration information
+    of all used certificates and exports them to CSV files. It either
+    directly exports them or uses cron style scheduling for batch exports.
+  - Starter passes unresolved hostnames to charon, allowing it to do name
+    resolution not before the connection attempt. This is especially useful
+    with connections between hosts using dynamic IP addresses.
+    Thanks to Mirko Parthey for the initial patch.
+  - The android plugin can now be used without the Android frontend patch
+    and provides DNS server registration and logging to logcat.
+  - Pluto and starter (plus stroke and whack) have been ported to Android.
+  - Support for ECDSA private and public key operations has been added to
+    the pkcs11 plugin.  The plugin now also provides DH and ECDH via PKCS#11
+    and can use tokens as random number generators (RNG).  By default only
+    private key operations are enabled, more advanced features have to be
+    enabled by their option in strongswan.conf.  This also applies to public
+    key operations (even for keys not stored on the token) which were
+    enabled by default before.
+  - The libstrongswan plugin system now supports detailed plugin
+    dependencies. Many plugins have been extended to export its capabilities
+    and requirements. This allows the plugin loader to resolve plugin
+    loading order automatically, and in future releases, to dynamically load
+    the required features on demand.
+    Existing third party plugins are source (but not binary) compatible if
+    they properly initialize the new get_features() plugin function to NULL.
+  - The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can
+    deliver metadata about IKE_SAs via a SOAP interface to a MAP server.
+    The tnc-ifmap plugin requires the Apache Axis2/C library.
+- Merged patches, changed strongswan-doc to be a noarch package.
+- Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc
+
+-------------------------------------------------------------------
+Mon Feb  6 10:27:00 UTC 2012 - [email protected]
+
+- Only glib.h can be included, fix compilation.
+
+-------------------------------------------------------------------
+Wed Dec 21 10:31:49 UTC 2011 - [email protected]
+
+- remove call to suse_update_config (very old work around)
+
+-------------------------------------------------------------------
+Mon Sep 12 09:26:51 UTC 2011 - [email protected]
+
+- remove _service file, too fragile
+
+-------------------------------------------------------------------
+Mon Sep 12 08:24:36 UTC 2011 - [email protected]
+
+- Fixed version in last changelog entry
+
+-------------------------------------------------------------------
+Thu Sep  8 16:06:46 UTC 2011 - [email protected]
+
+- Updated to strongSwan 4.5.3 release, changes overview since 4.5.2:
+  * Our private libraries (e.g. libstrongswan) are not installed directly in
+    prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
+    default). The plugins directory is also moved from libexec/ipsec/ to that
+    directory.
+  * The dynamic IMC/IMV libraries were moved from the plugins directory to
+    a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
+  * Job priorities were introduced to prevent thread starvation caused by too
+    many threads handling blocking operations (such as CRL fetching).
+  * Two new strongswan.conf options allow to fine-tune performance on IKEv2
+    gateways by dropping IKE_SA_INIT requests on high load.
+  * IKEv2 charon daemon supports PASS and DROP shunt policies
+    preventing traffic to go through IPsec connections. Installation of the
+    shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
+    interfaces.
+  * The history of policies installed in the kernel is now tracked so that e.g.
+    trap policies are correctly updated when reauthenticated SAs are 
terminated.
+  * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+    Using "netstat -l" the IMC scans open listening ports on the TNC client
+    and sends a port list to the IMV which based on a port policy decides if
+    the client is admitted to the network.
+  * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+  * The IKEv2 close action does not use the same value as the ipsec.conf 
dpdaction
+    setting, but the value defined by its own closeaction keyword. The action
+    is triggered if the remote peer closes a CHILD_SA unexpectedly.
+- Fixed some fmt warnings in libchecksum, adopted paths in the spec file
+
++++ 709 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.strongswan.1919.new/strongswan.changes

New:
----
  0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
  0003-Check-return-value-of-ECDSA_Verify-correctly.patch
  0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch
  README.SUSE
  strongswan-4.6.4-fmt-warnings.patch
  strongswan-4.6.4-rpmlintrc
  strongswan-4.6.4.tar.bz2
  strongswan-4.6.4.tar.bz2.sig
  strongswan.changes
  strongswan.init.in
  strongswan.spec
  strongswan_modprobe_syslog.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
#
# spec file for package strongswan
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           strongswan
Version:        4.6.4
Release:        0
%define         upstream_version   %{version}
%define         strongswan_docdir  %{_docdir}/%{name}
%define         strongswan_libdir  %{_libdir}/ipsec
%define         strongswan_plugins %{strongswan_libdir}/plugins
%define         with_mysql      1
%define         with_sqlite     0%{suse_version} >= 1110
%define         with_gcrypt     0%{suse_version} >= 1110
%define         with_nm         0%{suse_version} >= 1110
%define         with_tests      0
Summary:        OpenSource IPsec-based VPN Solution
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Url:            http://www.strongswan.org/
Requires:       strongswan-ikev1 = %{version}
Requires:       strongswan-ikev2 = %{version}
Requires:       strongswan-ipsec = %{version}
Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2:        %{name}.init.in
Source3:        %{name}-%{version}-rpmlintrc
Source4:        README.SUSE
Patch1:         %{name}_modprobe_syslog.patch
Patch2:         %{name}-%{version}-fmt-warnings.patch
Patch3:         0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
Patch4:         0003-Check-return-value-of-ECDSA_Verify-correctly.patch
Patch5:         0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  bison
BuildRequires:  curl-devel
BuildRequires:  flex
BuildRequires:  gmp-devel
BuildRequires:  gperf
BuildRequires:  libcap-devel
BuildRequires:  libopenssl-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
BuildRequires:  pkg-config
%if %with_mysql
BuildRequires:  libmysqlclient-devel
%endif
%if %with_sqlite
BuildRequires:  sqlite3-devel
%endif
%if %with_gcrypt
BuildRequires:  libgcrypt-devel
%endif
%if %with_nm
BuildRequires:  NetworkManager-devel
%endif
BuildRequires:  iptables
BuildRequires:  libnl >= 1.1

%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both, IKEv1 and IKEv2 daemons.

Authors:
--------
    Andreas Steffen
    and others

%package doc
BuildArch:      noarch
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security

%description doc
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the StrongSwan documentation.



Authors:
--------
    Andreas Steffen
    and others

%package libs0
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Conflicts:      strongswan < %{version}

%description libs0
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan library and plugins.

%package ikev1
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       iproute2
Requires:       strongswan-ipsec = %{version}
Requires:       strongswan-libs0 = %{version}
Provides:       ikev1
Provides:       pluto
Provides:       strongswan-daemon = %{version}
Conflicts:      freeswan openswan strongswan < %{version}

%description ikev1
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the pluto IKEv1 daemon.

%package ikev2
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       iproute2
Requires:       strongswan-daemon-starter = %{version}
Requires:       strongswan-libs0 = %{version}
Provides:       ikev2
Provides:       strongswan-daemon = %{version}
Conflicts:      openswan strongswan < %{version}

%description ikev2
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the charon IKEv2 daemon.

%package ipsec
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
PreReq:         grep %insserv_prereq %fillup_prereq
Requires:       strongswan-daemon = %{version}
Requires:       strongswan-libs0 = %{version}
Provides:       VPN
Provides:       ipsec
Provides:       strongswan = %{version}
Provides:       strongswan-daemon-starter = %{version}
Obsoletes:      strongswan < %{version}
Conflicts:      freeswan openswan

%description ipsec
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the /etc/init.d/ipsec service script and allows
to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and
/etc/ipsec.secrets files.

%if %with_mysql

%package mysql
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description mysql
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan mysql plugin.

%endif

%if %with_sqlite

%package sqlite
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description sqlite
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan sqlite plugin.

%endif

%if %with_nm

%package nm
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-ikev2 = %{version}
Requires:       strongswan-libs0 = %{version}
Provides:       strongswan-daemon-starter = %{version}

%description nm
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.

%endif

%if %with_tests

%package tests

Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description tests
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.

%endif

%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
%patch3 -p1
%patch4 -p1
%patch5 -p1
sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init

%build
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
export RPM_OPT_FLAGS CFLAGS
#libtoolize --force
#autoreconf
%configure \
        --enable-integrity-test \
        --with-capabilities=libcap \
        --with-plugindir=%{strongswan_plugins} \
        --with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
        --enable-smartcard \
        --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
        --enable-cisco-quirks \
        --enable-openssl \
        --enable-agent \
        --enable-md4 \
        --enable-blowfish \
        --enable-eap-sim \
        --enable-eap-sim-file \
        --enable-eap-simaka-sql \
        --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth \
        --enable-eap-md5 \
        --enable-eap-gtc \
        --enable-eap-aka \
        --enable-eap-radius \
        --enable-eap-identity \
        --enable-eap-mschapv2 \
        --enable-eap-aka-3gpp2 \
        --enable-ha \
        --enable-dhcp \
        --enable-farp \
        --enable-sql \
        --enable-attr-sql \
        --enable-addrblock \
%if %with_mysql
        --enable-mysql \
%endif
%if %with_sqlite
        --enable-sqlite \
%endif
%if %with_gcrypt
        --enable-gcrypt \
%endif
%if %with_nm
        --enable-nm \
%endif
%if %with_tests
        --enable-load-tester \
        --enable-test-vectors \
%endif
        --enable-ldap \
        --enable-curl
make %{?_smp_mflags:%_smp_mflags}

%install
export RPM_BUILD_ROOT
install -m755 -d              ${RPM_BUILD_ROOT}%{_sbindir}/
install -m755 -d              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
install -m755 -d              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
#
make install DESTDIR="$RPM_BUILD_ROOT"
#
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
EOT
#
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,radius,strongswan,simaka}.so
find  $RPM_BUILD_ROOT%{strongswan_libdir} \
      -name "*.a" -o -name "*.la" | xargs -r rm -f
#
install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -m644 TODO NEWS README COPYING CREDITS \
              ${RPM_SOURCE_DIR}/README.SUSE \
                 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan

%post libs0
%{run_ldconfig}
test -d %{_localstatedir}/run/strongswan || \
%{__mkdir_p} %{_localstatedir}/run/strongswan

%postun libs0
%{run_ldconfig}

%post ipsec
%{fillup_and_insserv ipsec}

%preun ipsec
%{stop_on_removal ipsec}
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave; then
  cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave %{_sysconfdir}/ipsec.secrets.rpmsave.old
fi
if test -s %{_sysconfdir}/ipsec.conf.rpmsave; then
  cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave %{_sysconfdir}/ipsec.conf.rpmsave.old
fi

%postun ipsec
%{insserv_cleanup}

%files
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE

%files ipsec
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
%dir %{_sysconfdir}/ipsec.d/certs
%dir %{_sysconfdir}/ipsec.d/acerts
%dir %{_sysconfdir}/ipsec.d/aacerts
%dir %{_sysconfdir}/ipsec.d/cacerts
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
%{_sbindir}/ipsec
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so

%files ikev1
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/whack
%{_libexecdir}/ipsec/pluto
%{_libexecdir}/ipsec/_pluto_adns

%files ikev2
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/charon

%files doc
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/TODO
%{strongswan_docdir}/NEWS
%{strongswan_docdir}/README
%{strongswan_docdir}/COPYING
%{strongswan_docdir}/CREDITS
%{_mandir}/man3/anyaddr.3*
%{_mandir}/man3/atoaddr.3*
%{_mandir}/man3/atoasr.3*
%{_mandir}/man3/atoul.3*
%{_mandir}/man3/goodmask.3*
%{_mandir}/man3/initaddr.3*
%{_mandir}/man3/initsubnet.3*
%{_mandir}/man3/portof.3*
%{_mandir}/man3/rangetosubnet.3*
%{_mandir}/man3/sameaddr.3*
%{_mandir}/man3/subnetof.3*
%{_mandir}/man3/ttoaddr.3*
%{_mandir}/man3/ttodata.3*
%{_mandir}/man3/ttosa.3*
%{_mandir}/man3/ttoul.3*
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/openac.8*
%{_mandir}/man8/pluto.8*
%{_mandir}/man8/scepclient.8*

%files libs0
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{_libexecdir}/ipsec
%dir %{_libexecdir}/ipsec/pool
%dir %{strongswan_libdir}
%{strongswan_libdir}/libchecksum.so
%{strongswan_libdir}/libhydra.so.0
%{strongswan_libdir}/libhydra.so.0.0.0
%{strongswan_libdir}/libcharon.so.0
%{strongswan_libdir}/libcharon.so.0.0.0
%{strongswan_libdir}/libradius.so.0
%{strongswan_libdir}/libradius.so.0.0.0
%{strongswan_libdir}/libsimaka.so.0
%{strongswan_libdir}/libsimaka.so.0.0.0
%{strongswan_libdir}/libstrongswan.so.0
%{strongswan_libdir}/libstrongswan.so.0.0.0
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%if %with_gcrypt
%{strongswan_plugins}/libstrongswan-gcrypt.so
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-socket*.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan

%if %with_nm

%files nm
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-nm.so
%endif

%if %with_mysql

%files mysql
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
%endif

%if %with_sqlite

%files sqlite
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
%endif

%if %with_tests

%files tests
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
%endif

%changelog
++++++ 0001-openssl-Ensure-the-thread-ID-is-never-zero.patch ++++++
From 901dbc1077f6c9bd29369cad848bc79a29c1a65b Mon Sep 17 00:00:00 2001
From: Tobias Brunner <[email protected]>
Date: Sat, 30 Jun 2012 10:05:41 +0200
Subject: [PATCH] openssl: Ensure the thread ID is never zero

This might otherwise cause problems because OpenSSL tries to lock
mutexes recursively if it assumes the lock is held by a different
thread e.g. during FIPS initialization.
---
 src/libstrongswan/plugins/openssl/openssl_plugin.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c 
b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 5a11412..7daa92b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -129,7 +129,9 @@ static void destroy_function(struct CRYPTO_dynlock_value 
*lock,
  */
 static unsigned long id_function(void)
 {
-       return (unsigned long)thread_current_id();
+       /* ensure the thread ID is never zero, otherwise OpenSSL might try to
+        * acquire locks recursively */
+       return 1 + (unsigned long)thread_current_id();
 }
 
 /**
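Review bot: in id_function(), the new return value 1 + (unsigned long)thread_current_id() is non-zero only if thread_current_id() never returns a value that casts to ULONG_MAX, where the addition wraps back to 0. The return type and range of thread_current_id() are not visible in this hunk, so the comment should state that assumption (or the function should handle the wrap explicitly) rather than say unconditionally that the ID is never zero.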
-- 
1.7.7

++++++ 0003-Check-return-value-of-ECDSA_Verify-correctly.patch ++++++
From 0faaab20cd9c4a519fb6269ab6c8be15d0b61864 Mon Sep 17 00:00:00 2001
From: Martin Willi <[email protected]>
Date: Tue, 9 Apr 2013 10:56:09 +0200
Subject: Check return value of ECDSA_Verify() correctly

---
 src/libstrongswan/plugins/openssl/openssl_ec_public_key.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c 
b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index c8a45f7..38cc8be 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -124,7 +124,7 @@ static bool 
verify_der_signature(private_openssl_ec_public_key_t *this,
        if (openssl_hash_chunk(nid_hash, data, &hash))
        {
                valid = ECDSA_verify(0, hash.ptr, hash.len,
-                                                        signature.ptr, 
signature.len, this->ec);
+                                                        signature.ptr, 
signature.len, this->ec) == 1;
                free(hash.ptr);
        }
        return valid;
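
Review bot: the `== 1` comparison on the ECDSA_verify() call is the right test, but neither the empty commit message nor the code says why it matters. ECDSA_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error, so storing the raw result in `valid`, which this bool function returns, lets the error case read as success. A one-line comment above the call naming the three return values would keep a later cleanup from dropping the comparison, and a test with a malformed signature would pin the behaviour.
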
-- 
1.7.10.4

++++++ 0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch ++++++
References: CVE-2013-5018,bnc#833278
Upstream: yes
From 057265e0183ddf52d56f21adaf0db0f3dc6585a4 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <[email protected]>
Date: Mon, 29 Jul 2013 23:45:38 +0200
Subject: [PATCH] asn1: Fix handling of invalid ASN.1 length in is_asn1()

Fixes CVE-2013-5018.
---
 src/libstrongswan/asn1/asn1.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 68f37f4..d860ad9 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -642,6 +642,11 @@ bool is_asn1(chunk_t blob)
 
        len = asn1_length(&blob);
 
+       if (len == ASN1_INVALID_LENGTH)
+       {
+               return FALSE;
+       }
+
        /* exact match */
        if (len == blob.len)
        {
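
Review bot: the new `len == ASN1_INVALID_LENGTH` guard in is_asn1() has no comment, and the commit message only names the CVE. Please say in a comment what asn1_length() returns for a malformed length and why that value must not reach the `len == blob.len` comparison and the checks after it, which are outside this hunk. A regression test that feeds is_asn1() a blob with an invalid length field belongs with this fix.
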
-- 
1.7.10.4

++++++ README.SUSE ++++++
Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adapting either the "conn %default" section or all other IKEv1
"conn" sections in /etc/ipsec.conf to use an explicit:

        keyexchange=ikev1


The strongswan package does not provide any files any more, but triggers
the installation of both the IKEv1 (pluto) and IKEv2 (charon) daemons and the
traditional starter scripts, including the /etc/init.d/ipsec init script
and the /etc/ipsec.conf file.

There is a new strongswan-nm package with a NetworkManager plugin to
control the charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 

Have a lot of fun...
++++++ strongswan-4.6.4-fmt-warnings.patch ++++++
--- src/checksum/checksum_builder.c
+++ src/checksum/checksum_builder.c     2012/02/15 13:08:35
@@ -64,9 +64,9 @@ static void build_checksum(char *path, c
                        fprintf(stderr, "dlopen failed: %s\n", dlerror());
                }
        }
-       printf("\t{\"%-25s%7u, 0x%08x, %6u, 0x%08x},\n",
+       printf("\t{\"%-25s%7zu, 0x%08x, %6zu, 0x%08x},\n",
                   name, fsize, fsum, ssize, ssum);
-       fprintf(stderr, "\"%-25s%7u / 0x%08x       %6u / 0x%08x\n",
+       fprintf(stderr, "\"%-25s%7zu / 0x%08x       %6zu / 0x%08x\n",
                        name, fsize, fsum, ssize, ssum);
 }
 
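
Review bot: the switch from `%7u`/`%6u` to `%7zu`/`%6zu` in both calls is only correct if `fsize` and `ssize` are size_t; their declarations are outside this hunk, so please confirm that, and that `fsum` and `ssum` still match the unchanged `0x%08x`. The patch also has no description; one line naming the compiler warning it silences would help.
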
@@ -106,14 +106,14 @@ static void build_binary_checksum(char *
                pos = strrchr(binary, '.');
                if (pos && streq(pos, ".so"))
                {
-                       snprintf(name, sizeof(name), "%.*s\",", pos - binary, 
binary);
+                       snprintf(name, sizeof(name), "%.*s\",", (int)(pos - 
binary), binary);
                        if (streq(name, "libstrongswan\","))
                        {
                                snprintf(sname, sizeof(sname), "%s", 
"library_init");
                        }
                        else
                        {
-                               snprintf(sname, sizeof(sname), "%.*s_init", pos 
- binary, binary);
+                               snprintf(sname, sizeof(sname), "%.*s_init", 
(int)(pos - binary), binary);
                        }
                        build_checksum(path, name, sname);
                }
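
Review bot: both snprintf() calls touched here still ignore their return value, so a `binary` name longer than `name` or `sname` is silently truncated before streq() and build_checksum() see it; consider checking for truncation while these lines are being changed. The `(int)(pos - binary)` cast itself is correct, because the `.*` precision argument must be an int.
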
++++++ strongswan-4.6.4-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restarting tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
++++++ strongswan.init.in ++++++
#!/bin/bash
#
#     SUSE/LSB system startup script for strongswan ipsec
#
#     Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
#     based on /etc/init.d/skeleton.compat by Kurt Garloff.
#
#     This library is free software; you can redistribute it and/or modify it
#     under the terms of the GNU Lesser General Public License as published by
#     the Free Software Foundation; either version 2.1 of the License, or (at
#     your option) any later version.
#
#     This library is distributed in the hope that it will be useful, but
#     WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#     Lesser General Public License for more details.
#
#     You should have received a copy of the GNU Lesser General Public
#     License along with this library; if not, write to the Free Software
#     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
#     USA.
#
# /etc/init.d/ipsec
#     and its symbolic link
# /usr/sbin/rcipsec
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# Please send feedback to http://www.suse.de/feedback/
#
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. However, it should
# work on other distributions as well, by using the LSB (Linux Standard
# Base) or RH functions or by open coding the needed functions.
#
# chkconfig: 345 99 00
# description: StrongSwan IPsec
#
### BEGIN INIT INFO
# Provides:          ipsec
# Required-Start:    $syslog $remote_fs $named
# Should-Start:      $time
# Required-Stop:     $syslog $remote_fs $named
# Should-Stop:       $time
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: StrongSwan IPsec
# Description:       StrongSwan IPsec provides encrypted and authenticated
#       communication via an unsafe network, such as the internet.
#       This script loads the kernel modules and starts the user-space setup.
### END INIT INFO


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
IPSEC_CMD="/usr/sbin/ipsec"
test -x $IPSEC_CMD || {
        echo "$IPSEC_CMD not installed";
        if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
IPSEC_STARTER="@libexecdir@/ipsec/starter"
test -x $IPSEC_STARTER || { 
        echo "$IPSEC_STARTER not installed";   
        if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}

# The pid file of the ipsec starter
IPSEC_PIDFILE="/var/run/starter.pid"

# Check for existence of needed config files
IPSEC_CONFIG="/etc/ipsec.conf"
test -r $IPSEC_CONFIG || {
        echo "$IPSEC_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
IPSEC_SECRET="/etc/ipsec.secrets"
test -r $IPSEC_SECRET || {
        echo "$IPSEC_SECRET not existing";
        if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}

# Source LSB init functions
# providing start_daemon, killproc, pidofproc, 
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks

# Use the SUSE rc_ init script functions;
# emulate them on LSB, RH and other systems

# Default: Assume sysvinit binaries exist
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
killproc()     { /sbin/killproc     ${1+"$@"}; }
pidofproc()    { /sbin/pidofproc    ${1+"$@"}; }
checkproc()    { /sbin/checkproc    ${1+"$@"}; }
if test -e /etc/rc.status; then
    # SUSE rc script library
    . /etc/rc.status
else
    export LC_ALL=POSIX
    _cmd=$1
    declare -a _SMSG
    if test "${_cmd}" = "status"; then
        _SMSG=(running dead dead unused unknown reserved)
        _RC_UNUSED=3
    else
        _SMSG=(done failed failed missed failed skipped unused failed failed reserved)
        _RC_UNUSED=6
    fi
    if test -e /lib/lsb/init-functions; then
        # LSB    
        . /lib/lsb/init-functions
        echo_rc()
        {
            if test ${_RC_RV} = 0; then
                log_success_msg "  [${_SMSG[${_RC_RV}]}] "
            else
                log_failure_msg "  [${_SMSG[${_RC_RV}]}] "
            fi
        }
        # TODO: Add checking for lockfiles
        checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
    elif test -e /etc/init.d/functions; then
        # RHAT
        . /etc/init.d/functions
        echo_rc()
        {
            #echo -n "  [${_SMSG[${_RC_RV}]}] "
            if test ${_RC_RV} = 0; then
                success "  [${_SMSG[${_RC_RV}]}] "
            else
                failure "  [${_SMSG[${_RC_RV}]}] "
            fi
        }
        checkproc() { status ${1+"$@"}; }
        start_daemon() { daemon ${1+"$@"}; }
    else
        # emulate it
        echo_rc() { echo "  [${_SMSG[${_RC_RV}]}] "; }
    fi
    rc_reset() { _RC_RV=0; }
    rc_failed()
    {
        if test -z "$1"; then 
            _RC_RV=1;
        elif test "$1" != "0"; then 
            _RC_RV=$1; 
        fi
        return ${_RC_RV}
    }
    rc_check()
    {
        rc_failed $?
    }   
    rc_status()
    {
        rc_failed $?
        if test "$1" = "-r"; then _RC_RV=0; shift; fi
        if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
        if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
        if test "$1" = "-v"; then echo_rc; shift; fi
        if test "$1" = "-r"; then _RC_RV=0; shift; fi
        return ${_RC_RV}
    }
    rc_exit() { exit ${_RC_RV}; }
    rc_active() 
    {
        local x
        for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
                test -e $x && return 0 || break
        done
        return 1
    }
fi

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        $IPSEC_CMD start 2>&1
        rc_status -v1
        ;;
    stop)
        $IPSEC_CMD stop 2>&1
        rc_status -v1
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        sleep 2
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    reload|force-reload)
        $IPSEC_CMD reload
        rc_status -v1
        ;;
    status)
        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        
        echo -n "Checking for service strongSwan IPsec "
        #checkproc $IPSEC_STARTER
        $IPSEC_CMD status 2>&1 >/dev/null

        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
        test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
++++++ strongswan_modprobe_syslog.patch ++++++
--- src/starter/klips.c
+++ src/starter/klips.c 2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_klips_init(void)
                /* ipsec module makes the pf_key proc interface visible */
                if (stat(PROC_MODULES, &stb) == 0)
                {
-                       ignore_result(system("modprobe -qv ipsec"));
+                       ignore_result(system("modprobe -s ipsec"));
                }
 
                /* now test again */
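
Review bot: replacing `-qv` with `-s` in `modprobe -s ipsec` does more than send output to syslog. It also drops `-q`, so a missing `ipsec` module is now reported as an error on every start instead of being ignored quietly. If only the redirection is wanted, `modprobe -qs ipsec` keeps the old quiet behaviour; otherwise the patch description should say that the extra syslog errors are intended.
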
@@ -48,9 +48,9 @@ starter_klips_init(void)
        }
 
        /* load crypto algorithm modules */
-       ignore_result(system("modprobe -qv ipsec_aes"));
-       ignore_result(system("modprobe -qv ipsec_blowfish"));
-       ignore_result(system("modprobe -qv ipsec_sha2"));
+       ignore_result(system("modprobe -s ipsec_aes"));
+       ignore_result(system("modprobe -s ipsec_blowfish"));
+       ignore_result(system("modprobe -s ipsec_sha2"));
 
        DBG(DBG_CONTROL,
                DBG_log("Found KLIPS IPsec stack")
--- src/starter/netkey.c
+++ src/starter/netkey.c        2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_netkey_init(void)
                /* af_key module makes the netkey proc interface visible */
                if (stat(PROC_MODULES, &stb) == 0)
                {
-                       ignore_result(system("modprobe -qv af_key"));
+                       ignore_result(system("modprobe -s af_key"));
                }
 
                /* now test again */
@@ -50,11 +50,11 @@ starter_netkey_init(void)
        /* make sure that all required IPsec modules are loaded */
        if (stat(PROC_MODULES, &stb) == 0)
        {
-               ignore_result(system("modprobe -qv ah4"));
-               ignore_result(system("modprobe -qv esp4"));
-               ignore_result(system("modprobe -qv ipcomp"));
-               ignore_result(system("modprobe -qv xfrm4_tunnel"));
-               ignore_result(system("modprobe -qv xfrm_user"));
+               ignore_result(system("modprobe -s ah4"));
+               ignore_result(system("modprobe -s esp4"));
+               ignore_result(system("modprobe -s ipcomp"));
+               ignore_result(system("modprobe -s xfrm4_tunnel"));
+               ignore_result(system("modprobe -s xfrm_user"));
        }
 
        DBG(DBG_CONTROL,
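
Review bot: with `ignore_result(system("modprobe -s ..."))` for `ah4`, `esp4`, `ipcomp`, `xfrm4_tunnel` and `xfrm_user`, syslog becomes the only place a failed module load shows up, because the exit status is still discarded. If the aim of the patch is better diagnostics, consider checking the return value of system() here and naming the failing module through the existing DBG_log, and add a description to the patch stating the intent.
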