Hello community, here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2018-07-21 10:25:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/strongswan (Old) and /work/SRC/openSUSE:Factory/.strongswan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Sat Jul 21 10:25:06 2018 rev:69 rq:624096 version:5.6.3 Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2018-06-08 23:13:33.336202525 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2018-07-21 10:25:08.590958604 +0200 @@ -1,0 +2,93 @@ +Wed Jun 6 22:14:57 UTC 2018 - bjorn....@gmail.com + +- Update to version 5.6.3 (CVE-2018-10811, boo#1093536, + CVE-2018-5388, boo#1094462): + * Fixed a DoS vulnerability in the IKEv2 key derivation if the + openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated + as PRF. This vulnerability has been registered as + CVE-2018-10811, boo#1093536. + * Fixed a vulnerability in the stroke plugin, which did not check + the received length before reading a message from the socket. + Unless a group is configured, root privileges are required to + access that socket, so in the default configuration this + shouldn't be an issue. This vulnerability has been registered + as CVE-2018-5388, boo#1094462. + * CRLs that are not yet valid are now ignored to avoid problems + in scenarios where expired certificates are removed from new + CRLs and the clock on the host doing the revocation check is + trailing behind that of the host issuing CRLs. Not doing this + could result in accepting a revoked and expired certificate, if + it's still valid according to the trailing clock but not + contained anymore in not yet valid CRLs. + * The issuer of fetched CRLs is now compared to the issuer of the + checked certificate (#2608). + * CRL validation results other than revocation (e.g. a skipped + check because the CRL couldn't be fetched) are now stored also + for intermediate CA certificates and not only for end-entity + certificates, so a strict CRL policy can be enforced in such + cases. + * In compliance with RFC 4945, section 5.1.3.2, certificates used + for IKE must now either not contain a keyUsage extension (like + the ones generated by pki), or have at least one of the + digitalSignature or nonRepudiation bits set. + * New options for vici/swanctl allow forcing the local + termination of an IKE_SA. This might be useful in situations + where it's known the other end is not reachable anymore, or + that it already removed the IKE_SA, so retransmitting a DELETE + and waiting for a response would be pointless. + * Waiting only a certain amount of time for a response (i.e. + shorter than all retransmits would be) before destroying the + IKE_SA is also possible by additionally specifying a timeout in + the forced termination request. + * When removing routes, the kernel-netlink plugin now checks if + it tracks other routes for the same destination and replaces + the installed route instead of just removing it. Same during + installation, where existing routes previously weren't + replaced. This should allow using traps with virtual IPs on + Linux (#2162). + * The dhcp plugin now only sends the client identifier DHCP + option if the identity_lease setting is enabled (7b660944b6). + It can also send identities of up to 255 bytes length, instead + of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server + address is configured, DHCP requests are now sent from port 67 + instead of 68 to avoid ICMP port unreachables (becf027cd9). + * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one + containing a DH group that wasn't proposed) during + CREATE_CHILD_SA exchanges has been improved (#2536). + * Roam events are now completely ignored for IKEv1 SAs (there is + no MOBIKE to handle such changes properly). + * ChaCha20/Poly1305 is now correctly proposed without key length + (#2614). For compatibility with older releases the + chacha20poly1305compat keyword may be included in proposals to + also propose the algorithm with a key length (c58434aeff). + * Configuration of hardware offload of IPsec SAs is now more + flexible and allows a new setting (auto), which automatically + uses it if the kernel and device both support it. If hw_offload + is set to yes and offloading is not supported, the CHILD_SA + installation now fails. + * The kernel-pfkey plugin optionally installs routes via internal + interface (one with an IP in the local traffic selector). On + FreeBSD, enabling this selects the correct source IP when + sending packets from the gateway itself (e811659323). + * SHA-2 based PRFs are supported in PKCS#8 files as generated by + OpenSSL 1.1 (#2574). + * The pki --verify tool may load CA certificates and CRLs from + directories. + * The IKE daemon now also switches to port 4500 if the remote + port is not 500 (e.g. because the remote maps the response to a + different port, as might happen on Azure), as long as the local + port is 500 (85bfab621d). + * Fixed an issue with DNS servers passed to NetworkManager in + charon-nm (ee8c25516a). + * Logged traffic selectors now always contain the protocol if + either protocol or port are set (a36d8097ed). + * Only the inbound SA/policy will be updated as reaction to IP + address changes for rekeyed CHILD_SAs that are kept around. + * The parser for strongswan.conf/swanctl.conf now accepts = + characters in values without having to put the value in quotes + (e.g. for Base64 encoded shared secrets). +- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc, + changing the version string on every version update makes no + sense. + +------------------------------------------------------------------- Old: ---- strongswan-5.6.2-rpmlintrc strongswan-5.6.2.tar.bz2 strongswan-5.6.2.tar.bz2.sig New: ---- strongswan-5.6.3.tar.bz2 strongswan-5.6.3.tar.bz2.sig strongswan-rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.WUuokY/_old 2018-07-21 10:25:09.386958411 +0200 +++ /var/tmp/diff_new_pack.WUuokY/_new 2018-07-21 10:25:09.386958411 +0200 @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.6.2 +Version: 5.6.3 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -69,7 +69,7 @@ Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in -Source3: %{name}-%{version}-rpmlintrc +Source3: %{name}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck} ++++++ strongswan-5.6.2.tar.bz2 -> strongswan-5.6.3.tar.bz2 ++++++ ++++ 23044 lines of diff (skipped) ++++++ strongswan-rpmlintrc ++++++ ### Known warnings: # - traditional name addFilter("strongswan.* incoherent-init-script-name ipsec") # - readme only, triggers full ipsec + ikev1&ikev2 install addFilter("strongswan.* no-binary") # - link to init script, covered by service(8) addFilter("strongswan.* no-manual-page-for-binary rcipsec") # - no, restating tunnels on update may break the update addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")