Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2021-11-27 00:50:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and /work/SRC/openSUSE:Factory/.strongswan.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan" Sat Nov 27 00:50:27 2021 rev:78 rq:933164 version:5.9.4 Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2021-09-29 20:19:00.962986025 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new.1895/strongswan.changes 2021-11-27 00:50:36.974948763 +0100 
@@ -1,0 +2,36 @@ +Mon Nov 22 16:19:08 UTC 2021 - Bj??rn Lie <[email protected]> + +- Update to version 5.9.4: + * Fixed a denial-of-service vulnerability in the gmp plugin that + was caused by an integer overflow when processing RSASSA-PSS + signatures with very large salt lengths. This vulnerability has + been registered as CVE-2021-41990. Please refer to our blog for + details. + * Fixed a denial-of-service vulnerability in the in-memory + certificate cache if certificates are replaced and a very large + random value caused an integer overflow. This vulnerability has + been registered as CVE-2021-41991. Please refer to our blog for + details. + * Fixed a related flaw that caused the daemon to accept and cache + an infinite number of versions of a valid certificate by + modifying the parameters in the signatureAlgorithm field of the + outer X.509 Certificate structure. + * AUTH_LIFETIME notifies are now only sent by a responder if it + can't reauthenticate the IKE_SA itself due to asymmetric + authentication (i.e. EAP) or the use of virtual IPs. + * Several corner cases with reauthentication have been fixed + (48fbe1d, 36161fe, 0d373e2). + * Serial number generation in several pki sub-commands has been + fixed so they don't start with an unintended zero byte. + * Loading SSH public keys via vici has been improved. + * Shared secrets, PEM files, vici messages, PF_KEY messages, + swanctl configs and other data is properly wiped from memory. + * Use a longer dummy key to initialize HMAC instances in the + openssl plugin in case it's used in FIPS-mode. + * The --enable-tpm option now implies --enable-tss-tss2 as the + plugin doesn't do anything without a TSS 2.0. + * libtpmtss is initialized in all programs and libraries that use + it. + * Migrated testing scripts to Python 3. 
+ +------------------------------------------------------------------- Old: ---- strongswan-5.9.3.tar.bz2 strongswan-5.9.3.tar.bz2.sig New: ---- strongswan-5.9.4.tar.bz2 strongswan-5.9.4.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.Nc1etU/_old 2021-11-27 00:50:37.714946209 +0100 +++ /var/tmp/diff_new_pack.Nc1etU/_new 2021-11-27 00:50:37.718946195 +0100 @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.9.3 +Version: 5.9.4 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -558,6 +558,7 @@ %endif %{_bindir}/pki %{_bindir}/pt-tls-client +%{_bindir}/tpm_extendpcr %{_sbindir}/ipsec %{_sbindir}/swanctl %{_mandir}/man1/pki*.1* ++++++ strongswan-5.9.3.tar.bz2 -> strongswan-5.9.4.tar.bz2 ++++++ ++++ 9079 lines of diff (skipped)
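
Review bot: in the strongswan.changes hunk (@@ -1,0 +2,36 @@), both security entries end with "Please refer to our blog for details", which is upstream's wording carried over verbatim. In a distribution changelog "our blog" has no referent, so drop the sentence or replace it with a pointer to the upstream advisory. The entries for CVE-2021-41990 and CVE-2021-41991 also carry no distribution bug reference next to the CVE ids, which makes the fixes harder to track from the package side; add one per CVE if a tracking bug exists. The author name on the header line reads "Bj??rn", so it is worth checking that the .changes file itself is stored as UTF-8.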
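
Review bot: in the strongswan.spec hunk at @@ -558,6 +558,7 @@, the new %{_bindir}/tpm_extendpcr line sits after the %endif and is therefore listed unconditionally. Please confirm the binary is installed in every build configuration of this spec; if it is only produced when TPM support is enabled, the entry needs a conditional matching that option, since a listed file that is not installed fails the build. The changes entry mentions that --enable-tpm now implies --enable-tss-tss2 but does not say that a new executable is packaged, so a one-line mention there would explain why the file list changed.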
