Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2013-08-05 20:55:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2013-05-02 12:01:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2013-08-05 20:55:12.000000000 +0200 
@@ -1,0 +2,73 @@ +Mon Aug 5 13:48:11 UTC 2013 - m...@suse.de + +- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018): + - Fixed a denial-of-service vulnerability triggered by specific XAuth + usernames and EAP identities (since 5.0.3), and PEM files (since + 4.1.11). The crash was caused by insufficient error handling in the + is_asn1() function. The vulnerability has been registered as + CVE-2013-5018. + - The new charon-cmd command line IKE client can establish road + warrior connections using IKEv1 or IKEv2 with different + authentication profiles. It does not depend on any configuration + files and can be configured using a few simple command line options. + - The kernel-pfroute networking backend has been greatly improved. + It now can install virtual IPs on TUN devices on OS X and FreeBSD, + allowing these systems to act as a client in common road warrior + scenarios. + - The new kernel-libipsec plugin uses TUN devices and libipsec to + provide IPsec processing in userland on Linux, FreeBSD and Mac OS X. + - The eap-radius plugin can now serve as an XAuth backend called + xauth-radius, directly verifying XAuth credentials using RADIUS + User-Name/User-Password attributes. This is more efficient than the + existing xauth-eap+eap-radius combination, and allows RADIUS servers + without EAP support to act as AAA backend for IKEv1. + - The new osx-attr plugin installs configuration attributes (currently + DNS servers) via SystemConfiguration on Mac OS X. The keychain + plugin provides certificates from the OS X keychain service. + - The sshkey plugin parses SSH public keys, which, together with the + --agent option for charon-cmd, allows the use of ssh-agent for + authentication. To configure SSH keys in ipsec.conf the + left|rightrsasigkey options are replaced with left|rightsigkey, + which now take public keys in one of three formats: SSH (RFC 4253, + ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the + default, no prefix). 
+ - Extraction of certificates and private keys from PKCS#12 files is + now provided by the new pkcs12 plugin or the openssl plugin. + charon-cmd (--p12) as well as charon (via P12 token in + ipsec.secrets) can make use of this. + - IKEv2 can now negotiate transport mode and IPComp in NAT situations. + - IKEv2 exchange initiators now properly close an established IKE or + CHILD_SA on error conditions using an additional exchange, keeping + state in sync between peers. + - Using a SQL database interface a Trusted Network Connect (TNC) + Policy Manager can generate specific measurement workitems for an + arbitrary number of Integrity Measurement Verifiers (IMVs) based on + the history of the VPN user and/or device. + - Several core classes in libstrongswan are now tested with unit + tests. These can be enabled with --enable-unit-tests and run with + 'make check'. + Coverage reports can be generated with --enable-coverage and 'make + coverage' (this disables any optimization, so it should not be + enabled when building production releases). + - The leak-detective developer tool has been greatly improved. It + works much faster/stabler with multiple threads, does not use + deprecated malloc hooks anymore and has been ported to OS X. + - chunk_hash() is now based on SipHash-2-4 with a random key. This + provides better distribution and prevents hash flooding attacks + when used with hashtables. + - All default plugins implement the get_features() method to define + features and their dependencies. The plugin loader has been + improved, so that plugins in a custom load statement can be ordered + freely or to express preferences without being affected by + dependencies between plugin features. + - A centralized thread can take care for watching multiple file + descriptors concurrently. This removes the need for a dedicated + listener threads in various plugins. 
The number of "reserved" + threads for such tasks has been reduced to about five, depending on + the plugin configuration. + - Plugins that can be controlled by a UNIX socket IPC mechanism gained + network transparency. Third party applications querying these + plugins now can use TCP connections from a different host. + - libipsec now supports AES-GCM. + +------------------------------------------------------------------- Old: ---- strongswan-5.0.4-rpmlintrc strongswan-5.0.4.tar.bz2 strongswan-5.0.4.tar.bz2.sig New: ---- strongswan-5.1.0-rpmlintrc strongswan-5.1.0.tar.bz2 strongswan-5.1.0.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.cmMF51/_old 2013-08-05 20:55:13.000000000 +0200 +++ /var/tmp/diff_new_pack.cmMF51/_new 2013-08-05 20:55:13.000000000 +0200 @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.0.4 +Version: 5.1.0 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -439,6 +439,8 @@ %{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/stroke %{_libexecdir}/ipsec/charon +%{_libexecdir}/ipsec/_imv_policy +%{_libexecdir}/ipsec/imv_policy_manager %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so @@ -535,11 +537,13 @@ %{strongswan_plugins}/libstrongswan-pgp.so %{strongswan_plugins}/libstrongswan-pkcs1.so %{strongswan_plugins}/libstrongswan-pkcs11.so +%{strongswan_plugins}/libstrongswan-pkcs12.so %{strongswan_plugins}/libstrongswan-pkcs7.so %{strongswan_plugins}/libstrongswan-pkcs8.so %{strongswan_plugins}/libstrongswan-pubkey.so %{strongswan_plugins}/libstrongswan-radattr.so %{strongswan_plugins}/libstrongswan-random.so +%{strongswan_plugins}/libstrongswan-rc2.so %{strongswan_plugins}/libstrongswan-resolve.so %{strongswan_plugins}/libstrongswan-revocation.so %{strongswan_plugins}/libstrongswan-sha1.so 
@@ -548,6 +552,7 @@ %{strongswan_plugins}/libstrongswan-socket-default.so %{strongswan_plugins}/libstrongswan-soup.so %{strongswan_plugins}/libstrongswan-sql.so +%{strongswan_plugins}/libstrongswan-sshkey.so %{strongswan_plugins}/libstrongswan-tnc-imc.so %{strongswan_plugins}/libstrongswan-tnc-imv.so %{strongswan_plugins}/libstrongswan-tnc-pdp.so ++++++ strongswan-5.0.4-rpmlintrc -> strongswan-5.1.0-rpmlintrc ++++++ ++++++ strongswan-5.0.4.tar.bz2 -> strongswan-5.1.0.tar.bz2 ++++++ ++++ 133024 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
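Review bot: In the strongswan.changes hunk, two items copied from the upstream notes change behaviour that an upgrading administrator has to act on, and the entry gives no packaging guidance for either: the replacement of left|rightrsasigkey by left|rightsigkey in ipsec.conf, and plugins with a UNIX socket interface now being reachable over TCP from a different host. Suggest adding a package-specific line that says whether existing ipsec.conf files using the old option keep working after the update, and whether the TCP access is off in the configuration this package ships. The CVE-2013-5018 item would also be easier to find for anyone triaging updates if it were separated from the feature list that follows it.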
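Review bot: In the strongswan.spec hunk at @@ -439,6 +439,8 @@, %{_libexecdir}/ipsec/_imv_policy and %{_libexecdir}/ipsec/imv_policy_manager are added right beside starter, stroke and charon, so please confirm which subpackage this %files section belongs to. The changes entry describes the TNC Policy Manager as working through a SQL database interface, so these two files should land in the same subpackage as libstrongswan-tnc-imv.so and libstrongswan-sql.so rather than in one that can be installed without them.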
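Review bot: In the strongswan.spec hunk at @@ -535,11 +537,13 @@, libstrongswan-rc2.so is added to the plugin list, but the changes entry never mentions an rc2 plugin; only the pkcs12 plugin added in the same hunk is documented. Suggest adding a line to strongswan.changes that says why the rc2 plugin ships (its arrival together with libstrongswan-pkcs12.so suggests it is there for PKCS#12 files), so that someone auditing the enabled algorithms can see it is intentional.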
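Review bot: In the strongswan.spec hunk at @@ -548,6 +552,7 @@, libstrongswan-sshkey.so is packaged, and the changes entry presents that plugin together with the --agent option of charon-cmd, yet none of the spec hunks shown adds a charon-cmd binary to any %files list. The same applies to the kernel-libipsec plugin that the entry announces for Linux. Either package these components or state in strongswan.changes that this build does not enable them, so the entry matches what the package installs.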