Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2013-08-05 20:55:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan"

Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes    2013-05-02 
12:01:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes       
2013-08-05 20:55:12.000000000 +0200
@@ -1,0 +2,73 @@
+Mon Aug  5 13:48:11 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018):
+  - Fixed a denial-of-service vulnerability triggered by specific XAuth
+    usernames and EAP identities (since 5.0.3), and PEM files (since
+    4.1.11). The crash was caused by insufficient error handling in the
+    is_asn1() function. The vulnerability has been registered as
+    CVE-2013-5018.
+  - The new charon-cmd command line IKE client can establish road
+    warrior connections using IKEv1 or IKEv2 with different
+    authentication profiles. It does not depend on any configuration
+    files and can be configured using a few simple command line options.
+  - The kernel-pfroute networking backend has been greatly improved.
+    It now can install virtual IPs on TUN devices on OS X and FreeBSD,
+    allowing these systems to act as a client in common road warrior
+    scenarios.
+  - The new kernel-libipsec plugin uses TUN devices and libipsec to
+    provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.
+  - The eap-radius plugin can now serve as an XAuth backend called
+    xauth-radius, directly verifying XAuth credentials using RADIUS
+    User-Name/User-Password attributes. This is more efficient than the
+    existing xauth-eap+eap-radius combination, and allows RADIUS servers
+    without EAP support to act as AAA backend for IKEv1.
+  - The new osx-attr plugin installs configuration attributes (currently
+    DNS servers) via SystemConfiguration on Mac OS X. The keychain
+    plugin provides certificates from the OS X keychain service.
+  - The sshkey plugin parses SSH public keys, which, together with the
+    --agent option for charon-cmd, allows the use of ssh-agent for
+    authentication. To configure SSH keys in ipsec.conf the
+    left|rightrsasigkey options are replaced with left|rightsigkey,
+    which now take public keys in one of three formats: SSH (RFC 4253,
+    ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the
+    default, no prefix).
+  - Extraction of certificates and private keys from PKCS#12 files is
+    now provided by the new pkcs12 plugin or the openssl plugin.
+    charon-cmd (--p12) as well as charon (via P12 token in
+    ipsec.secrets) can make use of this.
+  - IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+  - IKEv2 exchange initiators now properly close an established IKE or
+    CHILD_SA on error conditions using an additional exchange, keeping
+    state in sync between peers.
+  - Using a SQL database interface a Trusted Network Connect (TNC)
+    Policy Manager can  generate specific measurement workitems for an
+    arbitrary number of Integrity Measurement Verifiers (IMVs) based on
+    the history of the VPN user and/or device.
+  - Several core classes in libstrongswan are now tested with unit
+    tests. These can be enabled with --enable-unit-tests and run with
+    'make check'.
+    Coverage reports can be generated with --enable-coverage and 'make
+    coverage' (this disables any optimization, so it should not be
+    enabled when building production releases).
+  - The leak-detective developer tool has been greatly improved. It
+    works much faster/stabler with multiple threads, does not use
+    deprecated malloc hooks anymore and has been ported to OS X.
+  - chunk_hash() is now based on SipHash-2-4 with a random key. This
+    provides better distribution and prevents hash flooding attacks
+    when used with hashtables.
+  - All default plugins implement the get_features() method to define
+    features and their dependencies. The plugin loader has been
+    improved, so that plugins in a custom load statement can be ordered
+    freely or to express preferences without being affected by
+    dependencies between plugin features.
+  - A centralized thread can take care for watching multiple file
+    descriptors concurrently. This removes the need for a dedicated
+    listener threads in various plugins. The number of "reserved"
+    threads for such tasks has been reduced to about five, depending on
+    the plugin configuration.
+  - Plugins that can be controlled by a UNIX socket IPC mechanism gained
+    network transparency. Third party applications querying these
+    plugins now can use TCP connections from a different host.
+  - libipsec now supports AES-GCM.
+
+-------------------------------------------------------------------
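Review bot: The item near the end of the entry, "Plugins that can be controlled by a UNIX socket IPC mechanism gained network transparency", describes a new remote control surface (TCP connections from a different host) without saying how this package ships it. Add a line stating whether the packaged configuration keeps these plugin interfaces on the local UNIX socket by default, so administrators updating from 5.0.4 know whether they need to restrict access. Minor: "can  generate" has a double space, and "a dedicated listener threads" mixes singular and plural.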

Old:
----
  strongswan-5.0.4-rpmlintrc
  strongswan-5.0.4.tar.bz2
  strongswan-5.0.4.tar.bz2.sig

New:
----
  strongswan-5.1.0-rpmlintrc
  strongswan-5.1.0.tar.bz2
  strongswan-5.1.0.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.cmMF51/_old  2013-08-05 20:55:13.000000000 +0200
+++ /var/tmp/diff_new_pack.cmMF51/_new  2013-08-05 20:55:13.000000000 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.0.4
+Version:        5.1.0
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
@@ -439,6 +439,8 @@
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke
 %{_libexecdir}/ipsec/charon
+%{_libexecdir}/ipsec/_imv_policy
+%{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
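Review bot: The two added entries, %{_libexecdir}/ipsec/_imv_policy and %{_libexecdir}/ipsec/imv_policy_manager, are listed directly beside starter, stroke and charon, although the changes entry ties the Policy Manager to TNC and a SQL database interface. Check that this file list belongs to the subpackage that also carries libstrongswan-tnc-imv.so and libstrongswan-sql.so; if it does not, move the two helpers there so that a base daemon install does not gain executables it cannot use.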
@@ -535,11 +537,13 @@
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs12.so
 %{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
+%{strongswan_plugins}/libstrongswan-rc2.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
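Review bot: The added +%{strongswan_plugins}/libstrongswan-rc2.so line packages a plugin that the changes entry never mentions; only the pkcs12 plugin, added earlier in the same hunk, is explained there. RC2 is a legacy cipher, so add a changelog line saying why it is shipped (for example, if it is only needed to decrypt PKCS#12 containers) and consider whether it should be part of the default plugin set.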
@@ -548,6 +552,7 @@
 %{strongswan_plugins}/libstrongswan-socket-default.so
 %{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-sshkey.so
 %{strongswan_plugins}/libstrongswan-tnc-imc.so
 %{strongswan_plugins}/libstrongswan-tnc-imv.so
 %{strongswan_plugins}/libstrongswan-tnc-pdp.so
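Review bot: Nothing visible in this spec update handles existing ipsec.conf files that use left|rightrsasigkey, which the changes entry says are replaced with left|rightsigkey alongside the sshkey plugin added here as libstrongswan-sshkey.so. State in the changelog whether the old option names are still accepted after the update, or add an upgrade note telling administrators to rename them.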

++++++ strongswan-5.0.4-rpmlintrc -> strongswan-5.1.0-rpmlintrc ++++++

++++++ strongswan-5.0.4.tar.bz2 -> strongswan-5.1.0.tar.bz2 ++++++
++++ 133024 lines of diff (skipped)
