Hello community,
here is the log from the commit of package strongswan for openSUSE:13.1 checked
in at 2013-11-04 09:31:53
Comparing /work/SRC/openSUSE:13.1/strongswan (Old)
and /work/SRC/openSUSE:13.1/.strongswan.new (New)
Package is strongswan
Changes:
--- /work/SRC/openSUSE:13.1/strongswan/strongswan.changes 2013-09-23
11:09:41.0 +0200
+++ /work/SRC/openSUSE:13.1/.strongswan.new/strongswan.changes 2013-11-04
09:31:59.0 +0100
@@ -1,0 +2,63 @@
+Fri Nov 1 12:28:39 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.1.1 minor release addressing two security
+ fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
+ - Fixed a denial-of-service vulnerability and potential authorization
+bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
+is an insufficient length check when comparing such identities. The
+vulnerability has been registered as CVE-2013-6075.
+ - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+fragmentation payload. The cause is a NULL pointer dereference. The
+vulnerability has been registered as CVE-2013-6076.
+ - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
+session with a strongSwan policy enforcement point which uses the
+tnc-pdp charon plugin.
+ - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
+for either full SWID Tag or concise SWID Tag ID inventories.
+ - The XAuth backend in eap-radius now supports multiple XAuth
+exchanges for different credential types and display messages.
+All user input gets concatenated and verified with a single
+User-Password RADIUS attribute on the AAA. With an AAA supporting
+it, one for example can implement Password+Token authentication with
+proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode
+Config exchange in push mode. The ipsec.conf modeconfig=push option
+enables it for both client and server, the same way as pluto used it.
+ - Using the ah ipsec.conf keyword on both IKEv1 and IKEv2
+connections, charon can negotiate and install Security Associations
+integrity-protected by the Authentication Header protocol. Supported
+are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
+ESP+AH bundles.
+ - The generation of initialization vectors for IKE and ESP (when using
+libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
+allocated sequentially, while other algorithms like AES-CBC still
+use random IVs.
+ - The left and right options in ipsec.conf can take multiple address
+ranges and subnets. This allows connection matching against a larger
+set of addresses, for example to use a different connection for clients
+connecting from a internal network.
+ - For all those who have a queasy feeling about the NIST elliptic curve
+set, the Brainpool curves introduced for use with IKE by RFC 6932 might
+be a more trustworthy alternative.
+ - The kernel-libipsec userland IPsec backend now supports usage
+statistics, volume based rekeying and accepts ESPv3 style TFC padded
+packets.
+ - With two new strongswan.conf options fwmarks can be used to implement
+host-to-host tunnels with kernel-libipsec.
+ - load-tester supports transport mode connections and more complex
+traffic selectors, including such using unique ports for each tunnel.
+ - The new dnscert plugin provides support for authentication via CERT
+RRs that are protected via DNSSEC. The plugin was created by Ruslan
+N. Marchenko.
+ - The eap-radius plugin supports forwarding of several Cisco Unity
+specific RADIUS attributes in corresponding configuration payloads.
+ - Database transactions are now abstracted and implemented by the two
+backends. If you use MySQL make sure all tables use the InnoDB engine.
+ - libstrongswan now can provide an experimental custom implementation
+of the printf family functions based on klibc if neither Vstr nor
+glibc style printf hooks are available. This can avoid the Vstr
+dependency on some systems at the cost of slower and less complete
+printf functions.
+- Adjusted file lists: this version installs the pki utility and manuals
+ in common /usr directories and additional ipsec/pt-tls-client helper.
+
+---
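Review bot: In the eap-radius XAuth entry, the following item is fused onto the end of the bullet ("...proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode"), so the modeconfig=push change does not show up as its own item. Start "- charon supports IKEv1 Mode Config exchange in push mode." on a new line, indented like the other sub-items. In the entry on the left and right options, "connecting from a internal network" should read "from an internal network". In the summary line, "(bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076)" mixes comma spacing; a space after every comma would delimit each bug number and CVE identifier pair consistently.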
Old:
strongswan-5.1.0-rpmlintrc
strongswan-5.1.0.tar.bz2
strongswan-5.1.0.tar.bz2.sig
New:
strongswan-5.1.1-rpmlintrc
strongswan-5.1.1.tar.bz2
strongswan-5.1.1.tar.bz2.sig
Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.V28nS3/_old 2013-11-04 09:31:59.0 +0100
+++