Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2018-07-21 10:25:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan"

Sat Jul 21 10:25:06 2018 rev:69 rq:624096 version:5.6.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes    2018-06-08 
23:13:33.336202525 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes       
2018-07-21 10:25:08.590958604 +0200
@@ -1,0 +2,93 @@
+Wed Jun  6 22:14:57 UTC 2018 - bjorn....@gmail.com
+
+- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
+  CVE-2018-5388, boo#1094462):
+  * Fixed a DoS vulnerability in the IKEv2 key derivation if the
+    openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
+    as PRF. This vulnerability has been registered as
+    CVE-2018-10811, boo#1093536.
+  * Fixed a vulnerability in the stroke plugin, which did not check
+    the received length before reading a message from the socket.
+    Unless a group is configured, root privileges are required to
+    access that socket, so in the default configuration this
+    shouldn't be an issue. This vulnerability has been registered
+    as CVE-2018-5388, boo#1094462.
+  * CRLs that are not yet valid are now ignored to avoid problems
+    in scenarios where expired certificates are removed from new
+    CRLs and the clock on the host doing the revocation check is
+    trailing behind that of the host issuing CRLs. Not doing this
+    could result in accepting a revoked and expired certificate, if
+    it's still valid according to the trailing clock but not
+    contained anymore in not yet valid CRLs.
+  * The issuer of fetched CRLs is now compared to the issuer of the
+    checked certificate (#2608).
+  * CRL validation results other than revocation (e.g. a skipped
+    check because the CRL couldn't be fetched) are now stored also
+    for intermediate CA certificates and not only for end-entity
+    certificates, so a strict CRL policy can be enforced in such
+    cases.
+  * In compliance with RFC 4945, section 5.1.3.2, certificates used
+    for IKE must now either not contain a keyUsage extension (like
+    the ones generated by pki), or have at least one of the
+    digitalSignature or nonRepudiation bits set.
+  * New options for vici/swanctl allow forcing the local
+    termination of an IKE_SA. This might be useful in situations
+    where it's known the other end is not reachable anymore, or
+    that it already removed the IKE_SA, so retransmitting a DELETE
+    and waiting for a response would be pointless.
+  * Waiting only a certain amount of time for a response (i.e.
+    shorter than all retransmits would be) before destroying the
+    IKE_SA is also possible by additionally specifying a timeout in
+    the forced termination request.
+  * When removing routes, the kernel-netlink plugin now checks if
+    it tracks other routes for the same destination and replaces
+    the installed route instead of just removing it. Same during
+    installation, where existing routes previously weren't
+    replaced. This should allow using traps with virtual IPs on
+    Linux (#2162).
+  * The dhcp plugin now only sends the client identifier DHCP
+    option if the identity_lease setting is enabled (7b660944b6).
+    It can also send identities of up to 255 bytes length, instead
+    of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
+    address is configured, DHCP requests are now sent from port 67
+    instead of 68 to avoid ICMP port unreachables (becf027cd9).
+  * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
+    containing a DH group that wasn't proposed) during
+    CREATE_CHILD_SA exchanges has been improved (#2536).
+  * Roam events are now completely ignored for IKEv1 SAs (there is
+    no MOBIKE to handle such changes properly).
+  * ChaCha20/Poly1305 is now correctly proposed without key length
+    (#2614). For compatibility with older releases the
+    chacha20poly1305compat keyword may be included in proposals to
+    also propose the algorithm with a key length (c58434aeff).
+  * Configuration of hardware offload of IPsec SAs is now more
+    flexible and allows a new setting (auto), which automatically
+    uses it if the kernel and device both support it. If hw_offload
+    is set to yes and offloading is not supported, the CHILD_SA
+    installation now fails.
+  * The kernel-pfkey plugin optionally installs routes via internal
+    interface (one with an IP in the local traffic selector). On
+    FreeBSD, enabling this selects the correct source IP when
+    sending packets from the gateway itself (e811659323).
+  * SHA-2 based PRFs are supported in PKCS#8 files as generated by
+    OpenSSL 1.1 (#2574).
+  * The pki --verify tool may load CA certificates and CRLs from
+    directories.
+  * The IKE daemon now also switches to port 4500 if the remote
+    port is not 500 (e.g. because the remote maps the response to a
+    different port, as might happen on Azure), as long as the local
+    port is 500 (85bfab621d).
+  * Fixed an issue with DNS servers passed to NetworkManager in
+    charon-nm (ee8c25516a).
+  * Logged traffic selectors now always contain the protocol if
+    either protocol or port are set (a36d8097ed).
+  * Only the inbound SA/policy will be updated as reaction to IP
+    address changes for rekeyed CHILD_SAs that are kept around.
+  * The parser for strongswan.conf/swanctl.conf now accepts =
+    characters in values without having to put the value in quotes
+    (e.g. for Base64 encoded shared secrets).
+- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
+  changing the version string on every version update makes no
+  sense.
+
+-------------------------------------------------------------------
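Review bot: the RFC 4945 keyUsage bullet ("certificates used for IKE must now either not contain a keyUsage extension ... or have at least one of the digitalSignature or nonRepudiation bits set") and the hw_offload bullet ("If hw_offload is set to yes and offloading is not supported, the CHILD_SA installation now fails") both describe behaviour changes that can make previously working peers or CHILD_SAs fail after the update; consider calling them out as upgrade notes at the top of the entry or in README.SUSE rather than leaving them buried mid-list, since an admin scanning this entry for the two CVE fixes will otherwise miss them.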

Old:
----
  strongswan-5.6.2-rpmlintrc
  strongswan-5.6.2.tar.bz2
  strongswan-5.6.2.tar.bz2.sig

New:
----
  strongswan-5.6.3.tar.bz2
  strongswan-5.6.3.tar.bz2.sig
  strongswan-rpmlintrc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.WUuokY/_old  2018-07-21 10:25:09.386958411 +0200
+++ /var/tmp/diff_new_pack.WUuokY/_new  2018-07-21 10:25:09.386958411 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.6.2
+Version:        5.6.3
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -69,7 +69,7 @@
 Source0:        
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:        
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:        %{name}.init.in
-Source3:        %{name}-%{version}-rpmlintrc
+Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
 %if %{with fipscheck}
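Review bot: with Source3 now `%{name}-rpmlintrc` (matching the rename in the Old/New file lists above), check that nothing else in the package (e.g. a `_service` file or `%prep` step) still refers to the versioned name `strongswan-5.6.2-rpmlintrc`, otherwise the build fails on a missing source; the Source1 `.sig` and Source5 `%{name}.keyring` pair is unchanged, so the 5.6.3 tarball signature continues to be checked against the packaged keyring.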

++++++ strongswan-5.6.2.tar.bz2 -> strongswan-5.6.3.tar.bz2 ++++++
++++ 23044 lines of diff (skipped)

++++++ strongswan-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restarting tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
