commit strongswan for openSUSE:Factory

2020-09-23 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-09-23 18:36:53

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.4249 (New)


Package is "strongswan"

Wed Sep 23 18:36:53 2020 rev:76 rq:834251 version:5.9.0

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-09-05 
23:57:43.639113374 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new.4249/strongswan.changes  
2020-09-23 18:37:06.829144914 +0200
@@ -1,0 +2,18 @@
+Mon Sep  7 08:38:01 UTC 2020 - Jan Engelhardt 
+
+- Update to release 5.9.0
+  * Prefer AEAD algorithms for ESP; this puts AES-GCM in a default
+AEAD proposal in front of the previous default proposal.
+  * If a connection fails after getting redirected, we now
+restart connecting to the original host, not the one
+redirected to.
+  * For peers that don't send the EAP_ONLY_AUTHENTICATION notify
+but still expect to use EAP-only authentication, the
+charon.force_eap_only_authentication option can be enabled to
+force this type of authentication even on non-compliant
+peers.
+  * IPv6 virtual IPs are now always enumerated, ignoring the
+charon.prefer_temporary_addrs setting, which should fix route
+installation if the latter is enabled.
+
+---
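Review bot: the entry records only upstream's 5.9.0 release notes and omits this submission's own packaging change, the move of the `%pre ipsec`, `%post ipsec` and `%postun ipsec` section markers inside `%if %{with systemd}` in strongswan.spec; add a line for it so the spec change is traceable from the .changes file. The first bullet is also a behaviour change worth stating plainly: the AEAD proposal with AES-GCM is now offered ahead of the previous default, so the algorithm actually negotiated with peers that accept both may change after the update, which administrators comparing IPsec SA parameters before and after will want to know.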

Old:

  strongswan-5.8.4.tar.bz2
  strongswan-5.8.4.tar.bz2.sig

New:

  strongswan-5.9.0.tar.bz2
  strongswan-5.9.0.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.rU9Bg2/_old  2020-09-23 18:37:08.913146729 +0200
+++ /var/tmp/diff_new_pack.rU9Bg2/_new  2020-09-23 18:37:08.913146729 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   strongswan
-Version:5.8.4
+Version:5.9.0
 Release:0
 %define upstream_version %{version}
 %define strongswan_docdir%{_docdir}/%{name}
@@ -478,13 +478,13 @@
 
 %postun libs0 -p /sbin/ldconfig
 
-%pre ipsec
 %if %{with systemd}
+%pre ipsec
 %service_add_pre %{name}.service
 %endif
 
-%post ipsec
 %if %{with systemd}
+%post ipsec
 %service_add_post %{name}.service
 %endif
 
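Review bot: moving the `%pre ipsec` and `%post ipsec` markers inside `%if %{with systemd}` means a build without systemd now defines no `%pre`/`%post` for the ipsec subpackage at all, instead of empty scriptlets; that is harmless here because `%service_add_pre`/`%service_add_post` were the only statements, but it is a packaging change the accompanying .changes entry does not mention, so add a line for it. The `%preun ipsec` scriptlet between this hunk and the `%postun ipsec` one below is not given the same treatment; say in the commit whether that is intentional, so the asymmetry does not read as an oversight.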
@@ -503,8 +503,8 @@
%{_sysconfdir}/ipsec.conf.rpmsave.old
 fi
 
-%postun ipsec
 %if %{with systemd}
+%postun ipsec
 %service_del_postun %{name}.service
 %endif
 

++ strongswan-5.8.4.tar.bz2 -> strongswan-5.9.0.tar.bz2 ++
 13073 lines of diff (skipped)




commit strongswan for openSUSE:Factory

2020-09-05 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-09-05 23:57:31

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.3399 (New)


Package is "strongswan"

Sat Sep  5 23:57:31 2020 rev:75 rq:831324 version:5.8.4

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-05-07 
15:05:51.415752556 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new.3399/strongswan.changes  
2020-09-05 23:57:43.639113374 +0200
@@ -1,0 +2,5 @@
+Tue Sep  1 16:31:02 UTC 2020 - Jan Engelhardt 
+
+- Enable bypass-lan strongswan plugin
+
+---
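Review bot: `Enable bypass-lan strongswan plugin` describes only the configure flag, while the spec in this same submission also rewrites `bypass-lan.conf` so the plugin ships with `load = no`; that is the administratively relevant fact (the plugin is built and packaged but inactive until enabled), and an administrator reading this line would expect the plugin to be active after installation. Say so in the entry, e.g. `- Build the bypass-lan plugin; shipped disabled (load = no) in bypass-lan.conf.`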



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.aUsUGV/_old  2020-09-05 23:57:45.407114259 +0200
+++ /var/tmp/diff_new_pack.aUsUGV/_new  2020-09-05 23:57:45.415114263 +0200
@@ -365,6 +365,7 @@
--enable-ldap \
--enable-soup \
--enable-curl \
+   --enable-bypass-lan \
--disable-static
 make %{?_smp_mflags}
 
@@ -446,6 +447,8 @@
 install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
 install -c -m644 %{_sourcedir}/fips-enforce.conf \
  
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
+# disable bypass-lan plugin by default
+sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' 
%{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
 # create fips hmac hashes _after_ install post run
 %{expand:%%global __os_install_post {%__os_install_post
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
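Review bot: the `sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g'` on `bypass-lan.conf` has no check that the substitution matched, so if upstream renames the key or changes the file layout, sed matches nothing, the build still succeeds and the plugin ships with `load = yes`; since bypass-lan installs passthrough policies for local subnets and so exempts that traffic from tunnel policies, a silently enabled plugin is exactly the outcome the comment says is being avoided. Fail the build when the expected state is not reached, e.g. `grep -q '^[[:space:]]*load[[:space:]]*=[[:space:]]*no' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf || exit 1` right after the sed. The `# disable bypass-lan plugin by default` comment is good; it would be even more useful if it said that the default is deliberate because the plugin changes policy behaviour for every local interface.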
@@ -713,6 +716,7 @@
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/xauth-generic.conf
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/xauth-pam.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
+%config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/bypass-lan.conf
 %dir %{strongswan_libdir}
 %if %{with integrity}
 %{strongswan_libdir}/libchecksum.so
@@ -828,6 +832,7 @@
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %{strongswan_plugins}/libstrongswan-curve25519.so
 %{strongswan_plugins}/libstrongswan-vici.so
+%{strongswan_plugins}/libstrongswan-bypass-lan.so
 %dir %{strongswan_datadir}
 %dir %{strongswan_templates}
 %dir %{strongswan_templates}/config
@@ -933,6 +938,7 @@
 %{strongswan_templates}/config/plugins/xcbc.conf
 %{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
+%{strongswan_templates}/config/plugins/bypass-lan.conf
 %if %{with systemd}
 %{strongswan_templates}/config/strongswan.d/charon-systemd.conf
 %endif





commit strongswan for openSUSE:Factory

2020-05-07 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-05-07 15:05:48

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.2738 (New)


Package is "strongswan"

Thu May  7 15:05:48 2020 rev:74 rq:800175 version:5.8.4

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-04-02 
17:42:32.361358110 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new.2738/strongswan.changes  
2020-05-07 15:05:51.415752556 +0200
@@ -1,0 +2,62 @@
+Fri May  1 09:39:42 UTC 2020 - Bjørn Lie 
+
+- Update to version 5.8.4:
+  * In IKEv1 Quick Mode make sure that a proposal exists before
+determining lifetimes (fixes a crash due to a null-pointer
+dereference in 5.8.3).
+  * OpenSSL currently doesn't support squeezing bytes out of a
+SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
+Unfortunately, EVP_DigestFinalXOF() completely resets the
+context and later calls not simply fail, they cause a
+null-pointer dereference in libcrypto. c5c1898d73 fixes the
+crash at the cost of repeating initializing the whole state and
+allocating too much data for subsequent calls (hopefully, once
+the OpenSSL issue 7894 is resolved we can implement this more
+efficiently).
+  * On 32-bit platforms, reading arbitrary 32-bit integers from
+config files (e.g. for charon.spi_min/max) has been fixed.
+  * charon-nm now allows using fixed source ports.
+- Changes from version 5.8.3:
+  * Updates for the NM plugin (and backend, which has to be updated
+to be compatible):
++ EAP-TLS authentication (#2097)
++ Certificate source (file, agent, smartcard) is selectable
+  independently
++ Add support to configure local and remote identities (#2581)
++ Support configuring a custom server port (#625)
++ Show hint regarding password storage policy
++ Replaced the term "gateway" with "server"
++ Fixes build issues due to use of deprecated GLib
+  macros/functions
++ Updated Glade file to GTK 3.2
+  * The NM backend now supports reauthentication and redirection.
+  * Previously used reqids are now reallocated, which works around
+an issue on FreeBSD where the kernel doesn't allow the daemon
+to use reqids > 16383 (#2315).
+  * On Linux, throw type routes are installed in table 220 for
+passthrough policies. The kernel will then fall back on routes
+in routing tables with lower priorities for matching traffic.
+This way, they require less information (e.g. no interface or
+source IP) and can be installed earlier and are not affected by
+updates.
+  * For IKEv1, the lifetimes of the actually selected transform are
+returned to the initiator, which is an issue if the peer uses
+different lifetimes for different transforms (#3329). We now
+also return the correct transform and proposal IDs (proposal ID
+was always 0, transform ID 1). IKE_SAs are now not
+re-established anymore (e.g. after several retransmits) if a
+deletion has been queued (#3335).
+  * Added support for Ed448 keys and certificates via openssl
+plugin and pki tool.
+  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
+  * The use of algorithm IDs from the private use range can now be
+enabled globally, to use them even if no strongSwan vendor ID
+was exchanged (05e373aeb0).
+  * Fixed a compiler issue that may have caused invalid keyUsage
+extensions in certificates (#3249).
+  * A lot of spelling fixes.
+  * Fixed several reported issues.
+- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
+  upstream.
+
+---
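Review bot: the last item drops `0006-Resolve-multiple-definition-of-swanctl_dir.patch` as "Fixed upstream" but omits the bug it was added for (bsc#1164493, from the entry that introduced the patch), so the tracker loses the link between that bug and the release that closes it; add the reference to the drop line. The 5.8.4 items also fix two daemon crashes (a null-pointer dereference in IKEv1 Quick Mode lifetime handling and one in libcrypto via `EVP_DigestFinalXOF()` for SHAKE128/256); crash fixes in a VPN daemon deserve a mention in the entry's first line rather than only inside the bullet list.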

Old:

  0006-Resolve-multiple-definition-of-swanctl_dir.patch
  strongswan-5.8.2.tar.bz2
  strongswan-5.8.2.tar.bz2.sig

New:

  strongswan-5.8.4.tar.bz2
  strongswan-5.8.4.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.WTkLVc/_old  2020-05-07 15:05:52.587755149 +0200
+++ /var/tmp/diff_new_pack.WTkLVc/_new  2020-05-07 15:05:52.591755157 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   strongswan
-Version:5.8.2
+Version:5.8.4
 Release:0
 %define upstream_version %{version}
 %define strongswan_docdir%{_docdir}/%{name}
@@ -80,7 +80,6 @@
 Patch3: %{name}_fipscheck.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
-Patch6: 0006-Resolve-multiple-definition-of-swanctl_dir.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -257,7 +256,6 @@
 %patch3 -p1
 

commit strongswan for openSUSE:Factory

2020-04-02 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-04-02 17:42:30

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.3248 (New)


Package is "strongswan"

Thu Apr  2 17:42:30 2020 rev:73 rq:790269 version:5.8.2

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-02-22 
18:59:53.625576003 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new.3248/strongswan.changes  
2020-04-02 17:42:32.361358110 +0200
@@ -1,0 +2,6 @@
+Tue Mar 31 16:42:23 UTC 2020 - Madhu Mohan Nelemane 
+
+- Fix to resolve multiple definitions for swanctl_dir (bsc#1164493)
+  [+ 0006-Resolve-multiple-definition-of-swanctl_dir.patch ]
+
+---

New:

  0006-Resolve-multiple-definition-of-swanctl_dir.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.jDj5Ft/_old  2020-04-02 17:42:33.117358695 +0200
+++ /var/tmp/diff_new_pack.jDj5Ft/_new  2020-04-02 17:42:33.121358698 +0200
@@ -80,7 +80,7 @@
 Patch3: %{name}_fipscheck.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
-
+Patch6: 0006-Resolve-multiple-definition-of-swanctl_dir.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -257,6 +257,7 @@
 %patch3 -p1
 %endif
 %patch5 -p1
+%patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
  < %{_sourcedir}/strongswan.init.in \
  > strongswan.init

++ 0006-Resolve-multiple-definition-of-swanctl_dir.patch ++
diff -Naur strongswan-5.8.2.orig/src/swanctl/swanctl.h 
strongswan-5.8.2/src/swanctl/swanctl.h
--- strongswan-5.8.2.orig/src/swanctl/swanctl.h 2018-12-14 16:48:24.0 
+0100
+++ strongswan-5.8.2/src/swanctl/swanctl.h  2020-03-26 07:54:21.876224209 
+0100
@@ -30,7 +30,7 @@
 /**
  * Base directory for credentials and config
  */
-char *swanctl_dir;
+extern char *swanctl_dir;
 
 /**
  * Configuration file for connections, etc.
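Review bot: changing `char *swanctl_dir;` to `extern char *swanctl_dir;` in `swanctl.h` is the right fix for the multiple-definition link error named in the .changes entry, since a header carrying a definition rather than a declaration yields one definition in every translation unit that includes it; but a declaration alone is not sufficient, so exactly one .c file must still define `char *swanctl_dir;`, otherwise the link fails with an undefined reference instead. The hunk shows only the header, so confirm that definition exists in the 5.8.2 tree and say in the patch header which file carries it, together with the upstream commit this was taken from, so the patch can be dropped cleanly on the next update (as the 5.8.4 submission later does).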




commit strongswan for openSUSE:Factory

2020-02-22 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-02-22 18:59:49

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.26092 (New)


Package is "strongswan"

Sat Feb 22 18:59:49 2020 rev:72 rq:775000 version:5.8.2

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-02-06 
13:18:31.164651471 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new.26092/strongswan.changes 
2020-02-22 18:59:53.625576003 +0100
@@ -1,0 +2,14 @@
+Mon Feb 17 20:26:37 UTC 2020 - Johannes Kastl 
+
+- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf 
+  to strongswan-nm subpackage, as it is needed for the 
+  NetworkManager plugin that uses strongswan-nm, not 
+  strongswan-ipsec
+  This fixes the following error:
+  ```
+  Failed to initialize a plugin instance: Connection ":1.153" is not
+  allowed to own the service "org.freedesktop.NetworkManager.strongswan"
+  due to security policies in the configuration file
+  ```
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.9nrSTo/_old  2020-02-22 18:59:54.905578482 +0100
+++ /var/tmp/diff_new_pack.9nrSTo/_new  2020-02-22 18:59:54.909578489 +0100
@@ -548,7 +548,6 @@
 %if %{with systemd}
 %{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
-%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_sbindir}/rcstrongswan
 %{_sbindir}/charon-systemd
 %else
@@ -957,6 +956,7 @@
 %dir %{_libexecdir}/ipsec
 %dir %{strongswan_plugins}
 %{_libexecdir}/ipsec/charon-nm
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %endif
 
 %if %{with mysql}
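Review bot: `%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf` moves out of a `%if %{with systemd}` block of the ipsec subpackage (previous hunk) into a block of the nm subpackage whose opening `%if` is outside this hunk; confirm that guard is the NetworkManager build conditional that also governs `charon-nm`, so the policy file and the binary are always packaged together. Otherwise the nm package either ships without the policy that lets it own `org.freedesktop.NetworkManager.strongswan` (the exact failure quoted in the .changes entry) or ships a system-bus policy without the service it authorises. Keeping a D-Bus system policy in the same subpackage as the binary it grants a bus name to is the right scoping, so the direction of the move is correct.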





commit strongswan for openSUSE:Factory

2020-02-06 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-02-06 13:18:28

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.26092 (New)


Package is "strongswan"

Thu Feb  6 13:18:28 2020 rev:71 rq:769616 version:5.8.2

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2020-01-29 
13:11:12.033949593 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new.26092/strongswan.changes 
2020-02-06 13:18:31.164651471 +0100
@@ -1,0 +2,8 @@
+Thu Jan 30 13:43:50 UTC 2020 - Bjørn Lie 
+
+- Drop upstream fixed patches:
+  * strongswan_modprobe_syslog.patch
+  * strongswan_fipsfilter.patch
+  * 0006-fix-compilation-error-by-adding-stdint.h.patch
+
+---

Old:

  0006-fix-compilation-error-by-adding-stdint.h.patch
  strongswan_fipsfilter.patch
  strongswan_modprobe_syslog.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.Lqu7kz/_old  2020-02-06 13:18:32.236651997 +0100
+++ /var/tmp/diff_new_pack.Lqu7kz/_new  2020-02-06 13:18:32.236651997 +0100
@@ -75,17 +75,12 @@
 Source6:fipscheck.sh.in
 Source7:fips-enforce.conf
 %endif
-# Needs rebase
-Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
 %if %{with fipscheck}
 Patch3: %{name}_fipscheck.patch
-# Patch4 needs rebase, file it patches no longer exists in tarball.
-Patch4: %{name}_fipsfilter.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
-# Needs rebase
-Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
+
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
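Review bot: the `+` line after `Patch5:` introduces a blank line between `Patch5:` and `BuildRoot:` where none existed; drop it. More importantly, `strongswan_fipsfilter.patch` sat inside `%if %{with fipscheck}`, so removing it changes what the FIPS-enabled build applies, and the .changes entry calls all three patches "upstream fixed" while the comments deleted here said only "Needs rebase" and that the file Patch4 touches no longer exists in the tarball, which is not the same claim. Name the upstream commit or release that makes each patch unnecessary, particularly for the FIPS filter, so it is on record that the fipscheck build still covers what that patch handled.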
@@ -257,17 +252,11 @@
 
 %prep
 %setup -q -n %{name}-%{upstream_version}
-# Needs rebase, file it patches no longer exists.
-#patch1 -p1
 %patch2 -p1
 %if %{with fipscheck}
 %patch3 -p1
-# Needs rebase, file it patches no longer exists.
-#patch4 -p1
 %endif
 %patch5 -p1
-# Needs rebase.
-#patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
  < %{_sourcedir}/strongswan.init.in \
  > strongswan.init





commit strongswan for openSUSE:Factory

2020-01-29 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2020-01-29 13:10:50

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new.26092 (New)


Package is "strongswan"

Wed Jan 29 13:10:50 2020 rev:70 rq:767305 version:5.8.2

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2018-07-21 
10:25:08.590958604 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new.26092/strongswan.changes 
2020-01-29 13:11:12.033949593 +0100
@@ -1,0 +2,26 @@
+Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt 
+
+- Replace %__-type macro indirections. Update homepage URL to https.
+
+---
+Mon Jan  6 22:06:58 UTC 2020 - Bjørn Lie 
+
+- Update to version 5.8.2:
+  * The systemd service units have changed their name.
+"strongswan" is now "strongswan-starter", and
+"strongswan-swanctl" is now "strongswan".
+After installation, you need to `systemctl disable` the old
+name and `systemctl enable`+start the new one.
+  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
+  * boo#1109845 and boo#1107874.
+- Please check included NEWS file for info on what other changes
+  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
+  and 5.7.0.
+- Rebase strongswan_ipsec_service.patch.
+- Disable patches that need rebase or dropping:
+  * strongswan_modprobe_syslog.patch
+  * 0006-fix-compilation-error-by-adding-stdint.h.patch
+- Add conditional pkgconfig(libsystemd) BuildRequires: New
+  dependency.
+
+---
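Review bot: `Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152` and `boo#1109845 and boo#1107874` are listed as separate bullets, so the security tracker cannot tell which bug closes which CVE (three CVEs against two bugs needs an explicit mapping); put each CVE beside its boo#. The unit rename (`strongswan` becomes `strongswan-starter`, `strongswan-swanctl` becomes `strongswan`) is documented only as a manual `systemctl disable`/`enable` step, and nothing in this submission's spec hunks migrates enabled units, so a host that had `strongswan` enabled keeps that unit name enabled and after the upgrade runs the swanctl-based service in place of the starter-based one, with its ipsec.conf connections no longer loaded. Either handle the migration in `%post` or state explicitly in the entry that the manual step is required to keep existing tunnels.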

Old:

  strongswan-5.6.3.tar.bz2
  strongswan-5.6.3.tar.bz2.sig

New:

  strongswan-5.8.2.tar.bz2
  strongswan-5.8.2.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.S6pmoQ/_old  2020-01-29 13:11:15.093951157 +0100
+++ /var/tmp/diff_new_pack.S6pmoQ/_new  2020-01-29 13:11:15.093951157 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:   strongswan
-Version:5.6.3
+Version:5.8.2
 Release:0
 %define upstream_version %{version}
 %define strongswan_docdir%{_docdir}/%{name}
@@ -64,8 +64,7 @@
 Summary:IPsec-based VPN solution
 License:GPL-2.0-or-later
 Group:  Productivity/Networking/Security
-Url:http://www.strongswan.org/
-Requires:   strongswan-ipsec = %{version}
+URL:https://www.strongswan.org/
 Source0:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:%{name}.init.in
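Review bot: `URL:` is switched to https, but `Source0:` and `Source1:` two lines below still fetch the tarball and its `.sig` over `http://download.strongswan.org/`; switch both in the same hunk. A plaintext download is acceptable only as long as the signature is actually verified against a pinned upstream key at build time, and https removes the dependency on that step for free. The `Requires: strongswan-ipsec = %{version}` line removed here reappears further down in the spec in a later hunk, so that part is a move, not a drop; a one-line remark in the .changes entry ("Replace %__-type macro indirections" does not cover it) would save the next reader from checking.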
@@ -76,6 +75,7 @@
 Source6:fipscheck.sh.in
 Source7:fips-enforce.conf
 %endif
+# Needs rebase
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
 %if %{with fipscheck}
@@ -84,6 +84,7 @@
 Patch4: %{name}_fipsfilter.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+# Needs rebase
 Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@@ -112,6 +113,7 @@
 %endif
 %if %{with systemd}
 %{?systemd_requires}
+BuildRequires:  pkgconfig(libsystemd)
 %endif
 BuildRequires:  iptables
 %if %{with systemd}
@@ -126,6 +128,7 @@
 BuildRequires:  fipscheck
 %endif
 BuildRequires:  libtool
+Requires:   strongswan-ipsec = %{version}
 
 %description
 StrongSwan is an IPsec-based VPN solution for Linux.
@@ -159,9 +162,9 @@
 This package triggers the installation of both, IKEv1 and IKEv2 daemons.
 
 %package doc
-BuildArch:  noarch
 Summary:Documentation for strongSwan
 Group:  Documentation/Man
+BuildArch:  noarch
 
 %description doc
 StrongSwan is an IPsec-based VPN solution for Linux.
@@ -254,7 +257,8 @@
 
 %prep
 %setup -q -n %{name}-%{upstream_version}
-%patch1 -p1
+# Needs rebase, file it patches no longer exists.
+#patch1 -p1
 %patch2 -p1
 %if %{with fipscheck}
 %patch3 -p1
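Review bot: `%patch1 -p1` is replaced by the plain comment `#patch1 -p1` while `Patch1:` stays declared in the preamble hunk above, so the SRPM keeps carrying a patch that is never applied; rpmlint reports this as `patch-not-applied`, and a reader of the spec cannot tell what `strongswan_modprobe_syslog.patch` changed or what behaviour is lost while it is disabled. Either remove the `Patch1:` line until a rebased version exists, or extend the comment with what the patch did and where its rebase is tracked. Leaving the `%` out of the comment is correct: rpm expands macros even in comment lines, so `#%patch1 -p1` would be expanded and could still apply the patch.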
@@ -262,7 +266,8 @@
 #patch4 -p1
 %endif
 %patch5 -p1

commit strongswan for openSUSE:Factory

2018-07-21 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2018-07-21 10:25:06

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Sat Jul 21 10:25:06 2018 rev:69 rq:624096 version:5.6.3

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2018-06-08 
23:13:33.336202525 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2018-07-21 10:25:08.590958604 +0200
@@ -1,0 +2,93 @@
+Wed Jun  6 22:14:57 UTC 2018 - bjorn@gmail.com
+
+- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
+  CVE-2018-5388, boo#1094462):
+  * Fixed a DoS vulnerability in the IKEv2 key derivation if the
+openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
+as PRF. This vulnerability has been registered as
+CVE-2018-10811, boo#1093536.
+  * Fixed a vulnerability in the stroke plugin, which did not check
+the received length before reading a message from the socket.
+Unless a group is configured, root privileges are required to
+access that socket, so in the default configuration this
+shouldn't be an issue. This vulnerability has been registered
+as CVE-2018-5388, boo#1094462.
+  * CRLs that are not yet valid are now ignored to avoid problems
+in scenarios where expired certificates are removed from new
+CRLs and the clock on the host doing the revocation check is
+trailing behind that of the host issuing CRLs. Not doing this
+could result in accepting a revoked and expired certificate, if
+it's still valid according to the trailing clock but not
+contained anymore in not yet valid CRLs.
+  * The issuer of fetched CRLs is now compared to the issuer of the
+checked certificate (#2608).
+  * CRL validation results other than revocation (e.g. a skipped
+check because the CRL couldn't be fetched) are now stored also
+for intermediate CA certificates and not only for end-entity
+certificates, so a strict CRL policy can be enforced in such
+cases.
+  * In compliance with RFC 4945, section 5.1.3.2, certificates used
+for IKE must now either not contain a keyUsage extension (like
+the ones generated by pki), or have at least one of the
+digitalSignature or nonRepudiation bits set.
+  * New options for vici/swanctl allow forcing the local
+termination of an IKE_SA. This might be useful in situations
+where it's known the other end is not reachable anymore, or
+that it already removed the IKE_SA, so retransmitting a DELETE
+and waiting for a response would be pointless.
+  * Waiting only a certain amount of time for a response (i.e.
+shorter than all retransmits would be) before destroying the
+IKE_SA is also possible by additionally specifying a timeout in
+the forced termination request.
+  * When removing routes, the kernel-netlink plugin now checks if
+it tracks other routes for the same destination and replaces
+the installed route instead of just removing it. Same during
+installation, where existing routes previously weren't
+replaced. This should allow using traps with virtual IPs on
+Linux (#2162).
+  * The dhcp plugin now only sends the client identifier DHCP
+option if the identity_lease setting is enabled (7b660944b6).
+It can also send identities of up to 255 bytes length, instead
+of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
+address is configured, DHCP requests are now sent from port 67
+instead of 68 to avoid ICMP port unreachables (becf027cd9).
+  * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
+containing a DH group that wasn't proposed) during
+CREATE_CHILD_SA exchanges has been improved (#2536).
+  * Roam events are now completely ignored for IKEv1 SAs (there is
+no MOBIKE to handle such changes properly).
+  * ChaCha20/Poly1305 is now correctly proposed without key length
+(#2614). For compatibility with older releases the
+chacha20poly1305compat keyword may be included in proposals to
+also propose the algorithm with a key length (c58434aeff).
+  * Configuration of hardware offload of IPsec SAs is now more
+flexible and allows a new setting (auto), which automatically
+uses it if the kernel and device both support it. If hw_offload
+is set to yes and offloading is not supported, the CHILD_SA
+installation now fails.
+  * The kernel-pfkey plugin optionally installs routes via internal
+interface (one with an IP in the local traffic selector). On
+FreeBSD, enabling this selects the correct source IP when
+sending packets from the gateway itself (e811659323).
+  * SHA-2 based PRFs are supported in PKCS#8 files as generated by
+OpenSSL 1.1 
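Review bot: the RFC 4945 keyUsage bullet is a hardening change with upgrade impact: from this version on, certificates that carry a keyUsage extension without either `digitalSignature` or `nonRepudiation` are rejected for IKE, so existing deployments with such certificates stop authenticating after the update. It is buried among the other upstream items; promote it, together with "CRLs that are not yet valid are now ignored" (which makes revocation checking depend on clock agreement between the CRL issuer and the verifying host), to a clearly marked behaviour-change note at the top of the entry so administrators see them before upgrading. The CVE-2018-5388 bullet rests on the stroke socket being root-only "unless a group is configured"; confirm this package's shipped configuration leaves it that way and say so in the entry.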

commit strongswan for openSUSE:Factory

2018-06-08 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2018-06-08 23:13:27

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Fri Jun  8 23:13:27 2018 rev:68 rq:613646 version:5.6.2

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2018-03-24 
16:15:21.275552728 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2018-06-08 23:13:33.336202525 +0200
@@ -1,0 +2,68 @@
+Tue Apr 17 13:24:38 UTC 2018 - bjorn@gmail.com
+
+- Update to version 5.6.2:
+  * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
+signatures that was caused by insufficient input validation.
+One of the configurable parameters in algorithm identifier
+structures for RSASSA-PSS signatures is the mask generation
+function (MGF). Only MGF1 is currently specified for this
+purpose. However, this in turn takes itself a parameter that
+specifies the underlying hash function. strongSwan's parser did
+not correctly handle the case of this parameter being absent,
+causing an undefined data read. This vulnerability has been
+registered as CVE-2018-6459.
+  * When rekeying IKEv2 IKE_SAs the previously negotiated DH group
+will be reused, instead of using the first configured group,
+which avoids an additional exchange if the peer previously
+selected a different DH group via INVALID_KE_PAYLOAD notify.
+The same is also done when rekeying CHILD_SAs except for the
+first rekeying of the CHILD_SA that was created with the
+IKE_SA, where no DH group was negotiated yet. Also, the
+selected DH group is moved to the front in all sent proposals
+that contain it and all proposals that don't are moved to the
+back in order to convey the preference for this group to the
+peer.
+  * Handling of MOBIKE task queuing has been improved. In
+particular, the response to an address update (with NAT-D
+payloads) is not ignored anymore if only an address list update
+or DPD is queued as that could prevent updating the UDP
+encapsulation in the kernel.
+  * On Linux, roam events may optionally be triggered by changes to
+the routing rules, which can be useful if routing rules
+(instead of e.g. route metrics) are used to switch from one to
+another interface (i.e. from one to another routing table).
+Since routing rules are currently not evaluated when doing
+route lookups this is only useful if the kernel-based route
+lookup is used (4664992f7d).
+  * The fallback drop policies installed to avoid traffic leaks
+when replacing addresses in installed policies are now replaced
+by temporary drop policies, which also prevent acquires because
+we currently delete and reinstall IPsec SAs to update their
+addresses (35ef1b032d).
+  * Access X.509 certificates held in non-volatile storage of a TPM
+2.0 referenced via the NV index.
+  * Adding the --keyid parameter to pki --print allows to print
+private keys or certificates stored in a smartcard or a TPM
+2.0.
+  * Fixed proposal selection if a peer incorrectly sends DH groups
+in the ESP proposal during IKE_AUTH and also if a DH group is
+configured in the local ESP proposal and
+charon.prefer_configured_proposals is disabled (d058fd3c32).
+  * The lookup for PSK secrets for IKEv1 has been improved for
+certain scenarios (see #2497 for details).
+  * MSKs received via RADIUS are now padded to 64 bytes to avoid
+compatibility issues with EAP-MSCHAPv2 and PRFs that have a
+block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
+  * The tpm_extendpcr command line tool extends a digest into a TPM
+PCR.
+  * Ported the NetworkManager backend from the deprecated
+libnm-glib to libnm.
+  * The save-keys debugging/development plugin saves IKE and/or ESP
+keys to files compatible with Wireshark.
+- Following upstreams port, replace NetworkManager-devel with
+  pkgconfig(libnm) BuildRequires.
+- Refresh patches with quilt.
+- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
+  the file it patches no longer exists in tarball.
+
+---
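Review bot: CVE-2018-6459 appears without a boo# reference, unlike the later entries that pair each CVE with its bug; add it on the same line so the security tracker link is kept. The last item disables `strongswan_fipsfilter.patch` because the file it patches no longer exists in the tarball; as that patch is part of the fipscheck build, say whether upstream 5.6.2 already provides the filtering it did or whether the FIPS-enabled build is reduced until the patch is rebased, rather than leaving a bare "needs rebase or dropping". The RSASSA-PSS parser fix is described well (absent MGF1 hash parameter leading to an undefined read), which is the level of detail the other two items should match.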

Old:

  strongswan-5.6.0-rpmlintrc
  strongswan-5.6.0.tar.bz2
  strongswan-5.6.0.tar.bz2.sig

New:

  strongswan-5.6.2-rpmlintrc
  strongswan-5.6.2.tar.bz2
  strongswan-5.6.2.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.sAVnb2/_old  2018-06-08 23:13:34.292168003 +0200
+++ /var/tmp/diff_new_pack.sAVnb2/_new  2018-06-08 23:13:34.296167859 +0200
@@ -17,7 

commit strongswan for openSUSE:Factory

2018-03-24 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2018-03-24 16:15:16

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Sat Mar 24 16:15:16 2018 rev:67 rq:590079 version:5.6.0

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2018-02-07 
18:41:11.660798108 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2018-03-24 16:15:21.275552728 +0100
@@ -1,0 +2,5 @@
+Fri Mar 16 08:55:10 UTC 2018 - mmnelem...@suse.com
+
+- Removed unused requires and macro calls(bsc#1083261) 
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.RDDJF3/_old  2018-03-24 16:15:22.891494476 +0100
+++ /var/tmp/diff_new_pack.RDDJF3/_new  2018-03-24 16:15:22.895494332 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -194,7 +194,6 @@
 %package ipsec
 Summary:IPsec-based VPN solution
 Group:  Productivity/Networking/Security
-PreReq: grep %insserv_prereq %fillup_prereq
 Requires:   strongswan-libs0 = %{version}
 Provides:   VPN
 Provides:   ipsec
@@ -488,8 +487,6 @@
 %post ipsec
 %if %{with systemd}
 %service_add_post %{name}.service
-%else
-%{fillup_and_insserv ipsec}
 %endif
 
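Review bot: removing the `%else` branch with `%{fillup_and_insserv ipsec}` here (and `%{insserv_cleanup}` in the next hunk) means a build without systemd no longer registers or cleans up the sysvinit script in `%post`/`%postun`, yet the `%if %{with systemd}` conditional itself is kept, so that build path remains selectable. Either the non-systemd path is dead and the `%if`/`%endif` pair can go as well, or it is live and the init-script registration has to stay; the .changes entry "Removed unused requires and macro calls" should state which, and dropping `PreReq: grep %insserv_prereq %fillup_prereq` in the earlier hunk is consistent only under the first reading.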
 %preun ipsec
@@ -510,8 +507,6 @@
 %postun ipsec
 %if %{with systemd}
 %service_del_postun %{name}.service
-%else
-%{insserv_cleanup}
 %endif
 
 %files





commit strongswan for openSUSE:Factory

2018-02-07 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2018-02-07 18:41:10

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Wed Feb  7 18:41:10 2018 rev:66 rq:573411 version:5.6.0

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2017-09-07 
22:15:53.940274130 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2018-02-07 18:41:11.660798108 +0100
@@ -1,0 +2,9 @@
+Tue Oct 17 11:27:54 UTC 2017 - jeng...@inai.de
+
+- Update summaries and descriptions. Trim filler words and
+  author list.
+- Drop %if..%endif guards that are idempotent and do not affect
+  the build result.
+- Replace old $RPM_ shell variables.
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.0TXGjS/_old  2018-02-07 18:41:12.552756343 +0100
+++ /var/tmp/diff_new_pack.0TXGjS/_new  2018-02-07 18:41:12.552756343 +0100
@@ -61,7 +61,7 @@
 %else
 %bcond_with systemd
 %endif
-Summary:OpenSource IPsec-based VPN Solution
+Summary:IPsec-based VPN solution
 License:GPL-2.0+
 Group:  Productivity/Networking/Security
 Url:http://www.strongswan.org/
@@ -127,17 +127,16 @@
 BuildRequires:  libtool
 
 %description
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+StrongSwan is an IPsec-based VPN solution for Linux.
 
-* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
-* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
 * Fully tested support of IPv6 IPsec tunnel and transport connections
-* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
+* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
 * Automatic insertion and deletion of IPsec-policy-based firewall rules
 * Strong 128/192/256 bit AES or Camellia encryption, 3DES support
-* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
+* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
 * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-* Static virtual IPs and IKEv1 ModeConfig pull and push modes
+* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
 * XAUTH server and client functionality on top of IKEv1 Main Mode 
authentication
 * Virtual IP address pool managed by IKE daemon or SQL database
 * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
@@ -154,46 +153,32 @@
 * Modular plugins for crypto algorithms and relational database interfaces
 * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 
4869)
 * Optional built-in integrity and crypto tests for plugins and libraries
-* Smooth Linux desktop integration via the strongSwan NetworkManager applet
+* Linux desktop integration via the strongSwan NetworkManager applet
 
 This package triggers the installation of both, IKEv1 and IKEv2 daemons.
 
-Authors:
-
-Andreas Steffen
-and others
-
 %package doc
 BuildArch:  noarch
-Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
+Summary:Documentation for strongSwan
+Group:  Documentation/Man
 
 %description doc
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the StrongSwan documentation.
 
-
-
-Authors:
-
-Andreas Steffen
-and others
-
 %package libs0
-Summary:OpenSource IPsec-based VPN Solution
+Summary:strongSwan core libraries and basic plugins
 Group:  Productivity/Networking/Security
 Conflicts:  strongswan < %{version}
 
 %description libs0
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the strongswan library and plugins.
 
-%if %{with fipscheck}
-
 %package hmac
-Summary:HMAC files for FIPS-140-2 integrity
+Summary:HMAC files for FIPS-140-2 integrity in strongSwan
 Group:  Productivity/Networking/Security
 Requires:   fipscheck
 Requires:   strongswan-ipsec = %{version}
@@ -206,10 +191,8 @@
 "ipsec start" action is executed, when FIPS-140-2 compliant operation
 mode is enabled.
 
-%endif
-
 %package ipsec
-Summary:OpenSource IPsec-based VPN Solution
+Summary:IPsec-based VPN solution
 Group:  Productivity/Networking/Security
 PreReq: grep %insserv_prereq %fillup_prereq
 

commit strongswan for openSUSE:Factory

2017-09-07 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2017-09-07 22:15:13

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Thu Sep  7 22:15:13 2017 rev:65 rq:521289 version:5.6.0

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2017-08-24 
18:46:10.094058758 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2017-09-07 22:15:53.940274130 +0200
@@ -1,0 +2,37 @@
+Tue Sep  5 17:10:11 CEST 2017 - n...@suse.de
+
+- Updated to strongSwan 5.6.0 providing the following changes:
+*Fixed a DoS vulnerability in the gmp plugin that was caused by 
insufficient input validation
+when verifying RSA signatures, which requires decryption with the 
operation m^e mod n,
+where m is the signature, and e and n are the exponent and modulus of the 
public key.
+The value m is an integer between 0 and n-1, however, the gmp plugin did 
not verify this.
+So if m equals n the calculation results in 0, in which case mpz_export() 
returns NULL.
+This result wasn't handled properly causing a null-pointer dereference.
+This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
+
+*New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc 
Internet
+Draft and has been demonstrated at the IETF 99 Prague Hackathon.
+
+*The IMV database template has been adapted to achieve full compliance 
with the
+ISO 19770-2:2015 SWID tag standard.
+
+*The pt-tls-client can attach and use TPM 2.0 protected private keys via 
the --keyid parameter.
+
+*By default the /etc/swanctl/conf.d directory is created and *.conf files 
in it are included in the default
+swanctl.conf file.
+
+*The curl plugin now follows HTTP redirects (configurable via 
strongswan.conf).
+
+*The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined 
a bit more since 5.5.3
+
+*libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager 
interface (tcti-tabrmd).
+
+* more on https://wiki.strongswan.org/versions/66
+
+---
+Tue Sep  5 11:33:01 CEST 2017 - n...@suse.de
+
+- fix "uintptr_t’ undeclared" compilation error.
+  [+0006-fix-compilation-error-by-adding-stdint.h.patch]
+
+---
@@ -4 +41 @@
-- Updated to strongSwan 5.3.5 providing the following changes:
+- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes:

Old:

  strongswan-5.5.3-rpmlintrc
  strongswan-5.5.3.tar.bz2
  strongswan-5.5.3.tar.bz2.sig

New:

  0006-fix-compilation-error-by-adding-stdint.h.patch
  strongswan-5.6.0-rpmlintrc
  strongswan-5.6.0.tar.bz2
  strongswan-5.6.0.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.oqa5nE/_old  2017-09-07 22:15:54.976128160 +0200
+++ /var/tmp/diff_new_pack.oqa5nE/_new  2017-09-07 22:15:54.980127597 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   strongswan
-Version:5.5.3
+Version:5.6.0
 Release:0
 %define upstream_version %{version}
 %define strongswan_docdir%{_docdir}/%{name}
@@ -83,6 +83,7 @@
 Patch4: %{name}_fipsfilter.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -294,6 +295,7 @@
 %patch4 -p1
 %endif
 %patch5 -p1
+%patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
  < $RPM_SOURCE_DIR/strongswan.init.in \
  > strongswan.init
@@ -495,9 +497,9 @@
 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
-$RPM_BUILD_ROOT%{_libexecdir}/ipsec/pt-tls-client \
 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
+$RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
 $RPM_BUILD_ROOT%{_sbindir}/ipsec \
;
do
@@ -568,6 +570,7 @@
 %{_libexecdir}/ipsec/_fipscheck
 %{_libexecdir}/ipsec/.*.hmac
 %{_sbindir}/.ipsec.hmac
+%{_bindir}/.pt-tls-client.hmac
 %endif
 
 %files ipsec
@@ -594,9 +597,11 @@
 %{_sbindir}/rcipsec
 %endif
 %{_bindir}/pki
+%{_bindir}/pt-tls-client
 %{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
+%{_mandir}/man1/pt-tls-client.1*
 

commit strongswan for openSUSE:Factory

2017-08-24 Thread root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2017-08-24 18:45:53

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Thu Aug 24 18:45:53 2017 rev:64 rq:514549 version:5.5.3

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2016-11-29 
12:50:29.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2017-08-24 18:46:10.094058758 +0200
@@ -1,0 +2,80 @@
+Mon Jul 31 18:30:28 CEST 2017 - n...@suse.de
+
+- Updated to strongSwan 5.3.5 providing the following changes:
+*Fixed a DoS vulnerability in the gmp plugin that was caused by 
insufficient input
+validation when verifying RSA signatures. More specifically, 
mpz_powm_sec() has two
+requirements regarding the passed exponent and modulus that the plugin did 
not
+enforce, if these are not met the calculation will result in a floating 
point exception
+that crashes the whole process.
+This vulnerability has been registered as CVE-2017-9022.
+Please refer to our blog for details.
+
+*Fixed a DoS vulnerability in the x509 plugin that was caused because the 
ASN.1 parser
+didn't handle ASN.1 CHOICE types properly, which could result in an 
infinite loop when
+parsing X.509 extensions that use such types.
+This vulnerability has been registered as CVE-2017-9023.
+Please refer to our blog for details.
+
+*The behavior during IKEv2 CHILD_SA rekeying has been changed in order to 
avoid
+traffic loss. When responding to a CREATE_CHILD_SA request to rekey a 
CHILD_SA
+the responder already has everything available to install and use the new 
CHILD_SA.
+However, this could lead to lost traffic as the initiator won't be able to 
process
+inbound packets until it processed the CREATE_CHILD_SA response and 
updated the
+inbound SA. To avoid this the responder now only installs the new inbound 
SA and
+delays installing the outbound SA until it receives the DELETE for the 
replaced CHILD_SA.
+
+*The messages transporting these DELETEs could reach the peer before 
packets sent
+with the deleted outbound SAs reach it. To reduce the chance of traffic 
loss due
+to this the inbound SA of the replaced CHILD_SA is not removed for a 
configurable
+amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been 
processed.
+
+*The code base has been ported to Apple's ARM64 iOS platform, which 
required several
+changes regarding the use of variadic functions. This was necessary 
because the calling
+conventions for variadic and regular functions are different there.
+This means that assigning a non-variadic function to a variadic function 
pointer, as we
+did with our enumerator_t::enumerate() implementations and several 
callbacks, will
+result in crashes as the called function accesses the arguments 
differently than the
+caller provided them. To avoid this issue the enumerator_t interface has 
been changed
+and the signature of the callback functions for enumerator_create_filter() 
and two
+methods on linked_list_t have been changed. Refer to the developer notes 
below
+for details.
+
+*Adds support for fuzzing the certificate parser provided by the default 
plugins
+(x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally 
with
+libFuzzer). Several issues found while fuzzing these plugins were fixed.
+
+*Two new options have been added to charon's retransmission settings:
+retransmit_limit and retransmit_jitter. The former adds an upper limit to 
the
+calculated retransmission timeout, the latter randomly reduces it.
+Refer to Retransmission for details.
+
+*A bug in swanctl's --load-creds command was fixed that caused unencrypted
+private keys to get unloaded if the command was called multiple times.
+The load-key VICI command now returns the key ID of the loaded key on 
success.
+
+*The credential manager now enumerates local credential sets before global 
ones.
+This means certificates supplied by the peer will now be preferred over 
certificates
+with the same identity that may be locally stored (e.g. in the certificate 
cache).
+
+*Adds support for hardware offload of IPsec SAs as introduced by Linux 
4.11 for
+specific hardware that supports this.
+
+*The pki tool loads the curve25519 plugin by default.
+[- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch,
+ - 0007-asn1-parser-Fix-CHOICE-parsing.patch]
+- libhydra is removed as all kernel plugins moved to libcharon
+
+---
+Tue May 23 14:25:32 CEST 2017 - 
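The two gmp-plugin fixes in the changelog entries above (CVE-2017-11185 in the 5.6.0 entry, where a signature value equal to the modulus made mpz_export() return NULL, and CVE-2017-9022 in the 5.5.3 entry, whose patch name spells out the mpz_powm_sec() preconditions: odd modulus, non-zero exponent) both come down to validating attacker-supplied integers before the modular exponentiation. The following Python is an added example written for this digest, not strongSwan or gmp-plugin code: it uses a constructed toy key (two small primes, far too short for real use), a 3-byte truncated SHA-256 as a stand-in for real signature padding, and function names chosen for this example (toy_sign, export_unchecked, rsa_verify).

```python
"""Input validation for RSA signature verification (added example).

Shows the two classes of check the strongSwan gmp plugin gained:
  * CVE-2017-9022: modulus must be odd, exponent non-zero (mpz_powm_sec
    preconditions), otherwise the process crashed.
  * CVE-2017-11185: the signature m must lie in [0, n-1]; with m == n the
    result is 0, mpz_export() returned NULL and that NULL was dereferenced.
"""
import hashlib
import hmac

# Constructed toy RSA key: two small known primes so pow() is instant.
# Real keys are 2048 bits or more; this one only exists to show the checks.
P, Q = 10007, 10009
N = P * Q                              # about 27 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)


def toy_encode(message: bytes) -> int:
    """Toy 'padding': the first 3 bytes of SHA-256, which always fits below N.
    A real verifier compares a full PKCS#1 v1.5 or PSS encoding instead."""
    return int.from_bytes(hashlib.sha256(message).digest()[:3], "big")


def toy_sign(message: bytes) -> int:
    """s = enc(message)^d mod n with the toy private key."""
    return pow(toy_encode(message), D, N)


def export_unchecked(sig: int, e: int, n: int) -> bytes:
    """Pre-fix behaviour: sig, e and n are used exactly as received.  The
    result of sig^e mod n is exported as the shortest big-endian byte string,
    so a result of 0 (sig == n) becomes b'', the Python analogue of
    mpz_export() handing back NULL to code that then dereferenced it."""
    m = pow(sig, e, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_verify(sig: int, e: int, n: int, message: bytes) -> bool:
    """Hardened verifier: every precondition is checked before arithmetic and
    every failure is an ordinary False, never a crash."""
    # CVE-2017-9022 class: mpz_powm_sec() requires an odd modulus and a
    # non-zero exponent; reject anything else up front.
    if n <= 2 or n % 2 == 0:
        return False
    if e <= 0:
        return False
    # CVE-2017-11185 class: the signature is an integer in [0, n-1].  This
    # also rejects sig + k*n, which an unchecked verifier accepts because
    # (sig + k*n)^e mod n == sig^e mod n.
    if not 0 <= sig < n:
        return False
    m = pow(sig, e, n)
    # Fixed-width export: m == 0 yields a run of zero bytes, not an empty
    # buffer, so there is no NULL for later code to dereference.
    width = (n.bit_length() + 7) // 8
    recovered = m.to_bytes(width, "big")
    expected = toy_encode(message).to_bytes(width, "big")
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    msg = b"constructed test message"
    s = toy_sign(msg)
    print("valid signature accepted:", rsa_verify(s, E, N, msg))
    print("unchecked export of sig == n:", export_unchecked(N, E, N))
    print("sig == n rejected by hardened verifier:", not rsa_verify(N, E, N, msg))
```

export_unchecked() reproduces the pre-fix behaviour in Python terms: a zero result exports as an empty byte string, the analogue of the NULL pointer that crashed charon, and sig + n verifies exactly like sig. rsa_verify() rejects both cases before any arithmetic and exports at a fixed width, so a zero result can never turn into a missing buffer.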

commit strongswan for openSUSE:Factory

2016-11-29 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2016-11-29 12:50:28

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2015-11-17 
14:23:12.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2016-11-29 12:50:29.0 +0100
@@ -1,0 +2,145 @@
+Mon Jul 4 12:00:00 UTC 2016 - d...@uq.edu.au
+
+- Updated to strongSwan 5.3.5 providing the following changes:
+  Changes in version 5.3.5:
+  * Properly handle potential EINTR errors in sigwaitinfo(2) calls
+that replaced sigwait(3) calls with 5.3.4.
+  * RADIUS retransmission timeouts are now configurable, courtesy
+of Thom Troy.
+  Changes in version 5.3.4:
+  * Fixed an authentication bypass vulnerability in the
+eap-mschapv2 plugin that was caused by insufficient
+verification of the internal state when handling MSCHAPv2
+Success messages received by the client. This vulnerability
+has been registered as CVE-2015-8023.
+  * The sha3 plugin implements the SHA3 Keccak-F1600 hash
+algorithm family. Within the strongSwan framework SHA3 is
+currently used for BLISS signatures only because the OIDs for
+other signature algorithms haven't been defined yet. Also the
+use of SHA3 for IKEv2 has not been standardized yet.
+  Changes in version 5.3.3:
+  * Added support for the ChaCha20/Poly1305 AEAD cipher specified
+in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
+proposal keyword. The new chapoly plugin implements the
+cipher, if possible SSE-accelerated on x86/x64 architectures.
+It is usable both in IKEv2 and the strongSwan libipsec ESP
+backend. On Linux 4.2 or newer the kernel-netlink plugin can
+configure the cipher for ESP SAs.
+  * The vici interface now supports the configuration of auxiliary
+certification authority information as CRL and OCSP URIs.
+  * In the bliss plugin the c_indices derivation using a SHA-512
+based random oracle has been fixed, generalized and
+standardized by employing the MGF1 mask generation function
+with SHA-512. As a consequence BLISS signatures unsing the
+improved oracle are not compatible with the earlier 
+implementation.
+  * Support for auto=route with right=%any for transport mode
+connections has been added (the ikev2/trap-any scenario
+provides examples).
+  * The starter daemon does not flush IPsec policies and SAs
+anymore when it is stopped. Already existing duplicate
+policies are now overwritten by the IKE daemon when it
+installs its policies.
+  * Init limits (like charon.init_limit_half_open) can now
+optionally be enforced when initiating SAs via VICI. For this,
+IKE_SAs initiated by the daemon are now also counted as half
+open SAs, which, as a side-effect, fixes the status output
+while connecting (e.g. in ipsec status).
+  * Symmetric configuration of EAP methods in left|rightauth is
+now possible when mutual EAP-only authentication is used
+(previously, the client had to configure rightauth=eap or
+rightauth=any, which prevented it from using this same config
+as responder).
+  * The initiator flag in the IKEv2 header is compared again
+(wasn't the case since 5.0.0) and packets that have the flag 
+set incorrectly are again ignored.
+  * Implemented a demo Hardcopy Device IMC/IMV pair based on the
+"Hardcopy Device Health Assessment Trusted Network Connect
+Binding" (HCD-TNC) document drafted by the IEEE Printer
+Working Group (PWG).
+  * Fixed IF-M segmentation which failed in the presence of
+multiple small attributes in front of a huge attribute to be
+segmented.
+  Changes in version 5.3.2:
+  * Fixed a vulnerability that allowed rogue servers with a valid
+certificate accepted by the client to trick it into disclosing
+its username and even password (if the client accepts
+EAP-GTC).  This was caused because constraints against the
+responder's authentication were enforced too late. This
+vulnerability has been registered as CVE-2015-4171.
+  Changes in version 5.3.1:
+  * Fixed a denial-of-service and potential remote code execution
+vulnerability triggered by IKEv1/IKEv2 messages that contain
+payloads for the respective other IKE version. Such payload
+are treated specially since 5.2.2 but because they were still
+identified by their original payload type they were used as
+such in some places causing invalid function pointer
+dereferences. The vulnerability has been registered as
+CVE-2015-3991.
+  * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
+GCM 

commit strongswan for openSUSE:Factory

2015-11-17 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2015-11-17 14:23:11

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is "strongswan"

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2015-06-09 
08:50:35.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2015-11-17 14:23:12.0 +0100
@@ -1,0 +2,7 @@
+Fri Nov 13 10:25:59 UTC 2015 - m...@suse.de
+
+- Applied upstream fix for a authentication bypass vulnerability
+  in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
+  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
+
+---

New:

  0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.daWJKm/_old  2015-11-17 14:23:13.0 +0100
+++ /var/tmp/diff_new_pack.daWJKm/_new  2015-11-17 14:23:13.0 +0100
@@ -84,6 +84,7 @@
 %endif
 Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
 Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
+Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -296,6 +297,7 @@
 %endif
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
  < $RPM_SOURCE_DIR/strongswan.init.in \
  > strongswan.init

++ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch ++
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
From: Tobias Brunner 
Date: Thu, 29 Oct 2015 11:18:27 +0100
References: CVE-2015-8023, bsc#953817
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
 established

An MSK is only established if the client successfully authenticated
itself and only then must we accept an MSCHAPV2_SUCCESS message.

Fixes CVE-2015-8023
---
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 
b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index f7f39f9841d2..931e3c41dde4 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
}
case MSCHAPV2_SUCCESS:
{
-   return SUCCESS;
+   if (this->msk.ptr)
+   {
+   return SUCCESS;
+   }
+   break;
}
case MSCHAPV2_FAILURE:
{
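Review bot: the new `if (this->msk.ptr)` guard makes the success path hinge on a pointer being non-NULL, which is only sound if the MSK is set in exactly one place, after the client's challenge response has verified, as the commit message states; a one-line comment above the check saying so would stop a later refactor from moving the derivation earlier. The `break` that replaces the unconditional `return SUCCESS` hands an unexpected MSCHAPV2_SUCCESS to whatever follows the switch, which is outside the hunk's context, so confirm that path returns FAILED (or NEED_MORE) rather than SUCCESS, otherwise the bypass is only moved, not closed.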
-- 
1.9.1
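The hunk above shows the whole CVE-2015-8023 fix: the server-side handler (`process_server`) must accept an MSCHAPV2_SUCCESS message only when an MSK exists, and an MSK exists only once the client's challenge response has verified. The following Python is an added example written for this digest, not strongSwan code: it models that handler as a small state machine. The message names follow the hunk; the MsChapV2Server class, the Status and Op enums, the `check_msk` switch that reproduces the pre-fix behaviour, and the HMAC-SHA256 stand-ins for the real NT-Response and MSK derivation are assumptions made for this example.

```python
"""Toy model of an EAP-MSCHAPv2 server-side handler (added example).

Demonstrates why accepting a Success message without an established MSK
is an authentication bypass, and how the state check closes it.
"""
import enum
import hashlib
import hmac
import os


class Status(enum.Enum):
    NEED_MORE = enum.auto()   # keep exchanging messages
    SUCCESS = enum.auto()     # authentication accepted, MSK available
    FAILED = enum.auto()      # authentication rejected


class Op(enum.Enum):
    MSCHAPV2_RESPONSE = enum.auto()   # client's answer to the challenge
    MSCHAPV2_SUCCESS = enum.auto()    # client acknowledges success
    MSCHAPV2_FAILURE = enum.auto()


def client_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for the MS-CHAPv2 NT-Response: a keyed hash of the server's
    challenge under the user's password (constructed, not the real algorithm)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class MsChapV2Server:
    """Server side of one EAP-MSCHAPv2 conversation."""

    def __init__(self, password: bytes, check_msk: bool = True):
        self.password = password
        self.check_msk = check_msk   # False reproduces the pre-fix behaviour
        self.challenge = None
        self.msk = None              # set only once the client authenticated

    def initiate(self) -> bytes:
        """Issue the 16-byte server challenge that starts the exchange."""
        self.challenge = os.urandom(16)
        return self.challenge

    def process_server(self, op: Op, data: bytes) -> Status:
        """Handle one message from the client (mirrors the hunk's switch)."""
        if op is Op.MSCHAPV2_RESPONSE:
            if self.challenge is None:
                return Status.FAILED        # response without a challenge
            expected = client_response(self.password, self.challenge)
            if not hmac.compare_digest(expected, data):
                return Status.FAILED
            # The MSK is derived here and nowhere else, i.e. only after the
            # client has proven knowledge of the password.  Stand-in KDF.
            self.msk = hashlib.sha256(b"msk" + self.challenge + data).digest()
            return Status.NEED_MORE         # server now sends its Success
        if op is Op.MSCHAPV2_SUCCESS:
            if not self.check_msk:
                return Status.SUCCESS       # pre-fix: unconditional SUCCESS
            if self.msk is not None:
                return Status.SUCCESS       # fixed: SUCCESS only with an MSK
            return Status.FAILED            # the hunk's `break`, modelled
                                            # here as a failure (assumption)
        return Status.FAILED                # MSCHAPV2_FAILURE or unexpected op


if __name__ == "__main__":
    pw = b"constructed password"
    legacy = MsChapV2Server(pw, check_msk=False)
    print("pre-fix, Success before any challenge:",
          legacy.process_server(Op.MSCHAPV2_SUCCESS, b""))
    fixed = MsChapV2Server(pw)
    print("fixed, Success before any challenge:",
          fixed.process_server(Op.MSCHAPV2_SUCCESS, b""))
    chal = fixed.initiate()
    fixed.process_server(Op.MSCHAPV2_RESPONSE, client_response(pw, chal))
    print("fixed, Success after valid response:",
          fixed.process_server(Op.MSCHAPV2_SUCCESS, b""))
```

With `check_msk=False` a Success message sent straight away is accepted and no MSK is ever derived, which is the bypass; with the check in place the same message fails until a correct response has been processed, and a wrong password never produces an MSK, so the later Success is rejected too. A useful detection angle for the real daemon is the same invariant: a SUCCESS status reported without a preceding verified response in the same conversation is a bug, not a fast client.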

commit strongswan for openSUSE:Factory

2015-06-09 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2015-06-09 08:49:35

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2015-06-02 
10:12:06.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2015-06-09 08:50:35.0 +0200
@@ -1,0 +2,13 @@
+Thu Jun  4 10:54:29 UTC 2015 - m...@suse.de
+
+- Applied upstream fix for a rogue servers vulnerability, that may
+  enable rogue servers able to authenticate itself with certificate
+  issued by any CA the client trusts, to gain user credentials from
+  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
+  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
+- Fix to apply unknown_payload patch if fips is disabled (= 13.1)
+  and renamed it to use number prefix corresponding with patch nr.
+  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
+   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]
+
+---

Old:

  strongswan-5.2.2-5.3.0_unknown_payload.patch

New:

  0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
  0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.8RVH2s/_old  2015-06-09 08:50:36.0 +0200
+++ /var/tmp/diff_new_pack.8RVH2s/_new  2015-06-09 08:50:36.0 +0200
@@ -82,7 +82,8 @@
 Patch3: %{name}_fipscheck.patch
 Patch4: %{name}_fipsfilter.patch
 %endif
-Patch5: %{name}-5.2.2-5.3.0_unknown_payload.patch
+Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
+Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -292,8 +293,9 @@
 %if %{with fipscheck}
 %patch3 -p0
 %patch4 -p1
-%patch5 -p1
 %endif
+%patch5 -p1
+%patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
   $RPM_SOURCE_DIR/strongswan.init.in \
   strongswan.init
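Review bot: moving `%patch5 -p1` out of the `%if %{with fipscheck}` block is the real fix in this hunk: before it, the CVE-2015-3991 patch (Patch5) was only applied on fipscheck builds, exactly as the changelog entry above says. A short comment after the `%endif` noting that security patches belong outside that guard would keep the next one (Patch6 is already placed correctly here) from landing inside it again.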

++ 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch ++
From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001
From: Tobias Brunner tob...@strongswan.org
Date: Fri, 15 May 2015 11:15:57 +0200
References: bsc#931272,CVE-2015-3991
Subject: [PATCH] unknown-payload: Use a new private payload type and make
 original type available

This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).

Fixes CVE-2015-3991.
---
 src/libcharon/encoding/message.c  |  2 +-
 src/libcharon/encoding/payloads/payload.c |  2 ++
 src/libcharon/encoding/payloads/payload.h |  7 ++-
 src/libcharon/encoding/payloads/unknown_payload.c |  8 
 src/libcharon/encoding/payloads/unknown_payload.h |  8 
 src/libcharon/sa/ikev2/task_manager_v2.c  | 18 ++
 6 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 1ee2cf81b035..478f531eae28 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, 
keymat_t *keymat)
was_encrypted = encrypted fragment payload;
}
 
-   if (payload_is_known(type, this-major_version)  
!was_encrypted 
+   if (type != PL_UNKNOWN  !was_encrypted 
!is_connectivity_check(this, payload) 
this-exchange_type != AGGRESSIVE)
{
diff --git a/src/libcharon/encoding/payloads/payload.c 
b/src/libcharon/encoding/payloads/payload.c
index a1cd2f945588..f7c2754e05c3 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, 
PLV1_FRAGMENT, PLV2_FRAGME
 #endif /* ME */
 ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
HEADER,
+   UNKNOWN,
PROPOSAL_SUBSTRUCTURE,
PROPOSAL_SUBSTRUCTURE_V1,
TRANSFORM_SUBSTRUCTURE,
@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, 
PLV1_FRAGMENT, PLV2_
 #endif /* ME */
 ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
  

commit strongswan for openSUSE:Factory

2015-06-02 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2015-06-02 10:12:05

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2015-02-27 
11:00:10.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2015-06-02 10:12:06.0 +0200
@@ -1,0 +2,7 @@
+Mon Jun  1 16:18:35 UTC 2015 - m...@suse.de
+
+- Applied upstream fix for a DoS and potential remote code execution
+  vulnerability through payload type (bsc#931272,CVE-2015-3991)
+  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]
+
+---

New:

  strongswan-5.2.2-5.3.0_unknown_payload.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.Zwzdf0/_old  2015-06-02 10:12:07.0 +0200
+++ /var/tmp/diff_new_pack.Zwzdf0/_new  2015-06-02 10:12:07.0 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -82,6 +82,7 @@
 Patch3: %{name}_fipscheck.patch
 Patch4: %{name}_fipsfilter.patch
 %endif
+Patch5: %{name}-5.2.2-5.3.0_unknown_payload.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -291,6 +292,7 @@
 %if %{with fipscheck}
 %patch3 -p0
 %patch4 -p1
+%patch5 -p1
 %endif
 sed -e 's|@libexecdir@|%_libexecdir|g'\
   $RPM_SOURCE_DIR/strongswan.init.in \
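Review bot: `%patch5 -p1` is added inside the `%if %{with fipscheck}` block, so the CVE-2015-3991 fix declared as `Patch5:` in the previous hunk is only applied when fipscheck is enabled and silently skipped otherwise; it should go after the `%endif`, next to the `sed` line, where it applies unconditionally.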

++ strongswan-5.2.2-5.3.0_unknown_payload.patch ++
From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001
From: Tobias Brunner tob...@strongswan.org
Date: Fri, 15 May 2015 11:15:57 +0200
References: bsc#931272,CVE-2015-3991
Subject: [PATCH] unknown-payload: Use a new private payload type and make
 original type available

This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).

Fixes CVE-2015-3991.
---
 src/libcharon/encoding/message.c  |  2 +-
 src/libcharon/encoding/payloads/payload.c |  2 ++
 src/libcharon/encoding/payloads/payload.h |  7 ++-
 src/libcharon/encoding/payloads/unknown_payload.c |  8 
 src/libcharon/encoding/payloads/unknown_payload.h |  8 
 src/libcharon/sa/ikev2/task_manager_v2.c  | 18 ++
 6 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 1ee2cf81b035..478f531eae28 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, 
keymat_t *keymat)
was_encrypted = encrypted fragment payload;
}
 
-   if (payload_is_known(type, this-major_version)  
!was_encrypted 
+   if (type != PL_UNKNOWN  !was_encrypted 
!is_connectivity_check(this, payload) 
this-exchange_type != AGGRESSIVE)
{
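Review bot: `type != PL_UNKNOWN` replaces a check that took the IKE major version into account, so it is only equivalent if the unknown-payload object now reports PL_UNKNOWN both for genuinely unknown types and for payloads carrying the other IKE version's type numbers; the diffstat for unknown_payload.c and the commit subject ("make original type available") say that is the design, but a comment at this line stating it would save the next reader a trip through unknown_payload.c. It would also be worth confirming the critical-flag handling in the lines after this context still fires for version-mismatched payloads, since that behaviour used to be keyed on payload_is_known().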
diff --git a/src/libcharon/encoding/payloads/payload.c 
b/src/libcharon/encoding/payloads/payload.c
index a1cd2f945588..f7c2754e05c3 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, 
PLV1_FRAGMENT, PLV2_FRAGME
 #endif /* ME */
 ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
HEADER,
+   UNKNOWN,
PROPOSAL_SUBSTRUCTURE,
PROPOSAL_SUBSTRUCTURE_V1,
TRANSFORM_SUBSTRUCTURE,
@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, 
PLV1_FRAGMENT, PLV2_
 #endif /* ME */
 ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
HDR,
+   UNKN,
PROP,
PROP,
TRANS,
diff --git a/src/libcharon/encoding/payloads/payload.h 
b/src/libcharon/encoding/payloads/payload.h
index 920779bd1032..72003894f307 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Tobias Brunner

commit strongswan for openSUSE:Factory

2015-02-27 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2015-02-27 10:59:38

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2014-11-26 
10:33:58.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2015-02-27 11:00:10.0 +0100
@@ -1,0 +2,99 @@
+Mon Jan  5 14:38:46 UTC 2015 - m...@suse.de
+
+- Updated to strongSwan 5.2.2 providing the following changes:
+  Changes in version 5.2.2:
+  * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
+payload that contains the Diffie-Hellman group 1025. This identifier was
+used internally for DH groups with custom generator and prime. Because
+these arguments are missing when creating DH objects based on the KE
+payload an invalid pointer dereference occurred.  This allowed an attacker
+to crash the IKE daemon with a single IKE_SA_INIT message containing such
+a KE payload. The vulnerability has been registered as CVE-2014-9221.
+  * The left/rightid options in ipsec.conf, or any other identity in
+strongSwan, now accept prefixes to enforce an explicit type, such as
+email: or fqdn:. Note that no conversion is done for the remaining string,
+refer to ipsec.conf(5) for details.
+  * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
+an IKEv2 public key authentication method. The pki tool offers full
+support for the generation of BLISS key pairs and certificates.
+  * Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
+This could cause interoperability issues when connecting to older versions
+of charon.
+  Changes in version 5.2.1:
+  * The new charon-systemd IKE daemon implements an IKE daemon tailored for
+use with systemd. It avoids the dependency on ipsec starter and uses
+swanctl as configuration backend, building a simple and lightweight
+solution. It supports native systemd journal logging.
+  * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
+fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
+  * Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
+All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
+and IETF/Installed Packages attributes can be processed incrementally on a
+per segment basis.
+  * The new ext-auth plugin calls an external script to implement custom IKE_SA
+authorization logic, courtesy of Vyronas Tsingaras.
+  * For the vici plugin a ruby gem has been added to allow ruby applications to
+control or monitor the IKE daemon. The vici documentation has been updated
+to include a description of the available operations and some simple
+examples using both the libvici C interface and the ruby gem.
+  Changes in version 5.2.0:
+  * strongSwan has been ported to the Windows platform. Using a MinGW 
toolchain,
+many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
+and newer releases. charon-svc implements a Windows IKE service based on
+libcharon, the kernel-iph and kernel-wfp plugins act as networking and 
IPsec
+backend on the Windows platform. socket-win provides a native IKE socket
+implementation, while winhttp fetches CRL and OCSP information using the
+WinHTTP API.
+  * The new vici plugin provides a Versatile IKE Configuration Interface for
+charon. Using the stable IPC interface, external applications can 
configure,
+control and monitor the IKE daemon. Instead of scripting the ipsec tool
+and generating ipsec.conf, third party applications can use the new 
interface
+for more control and better reliability.
+  * Built upon the libvici client library, swanctl implements the first user of
+the VICI interface. Together with a swanctl.conf configuration file,
+connections can be defined, loaded and managed. swanctl provides a 
portable,
+complete IKE configuration and control interface for the command line.
+The first six swanctl example scenarios have been added.
+  * The SWID IMV implements a JSON-based REST API which allows the exchange
+of SWID tags and Software IDs with the strongTNC policy manager.
+  * The SWID IMC can extract all installed packages from the dpkg (Debian,
+Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
+pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using
+the swidGenerator (https://github.com/strongswan/swidGenerator) which
+generates SWID tags according to the new ISO/IEC 19770-2:2014 standard.
+  * All IMVs now share the access 
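Review bot: this hunk is cut off in the archive at `All IMVs now share the access`, so the rest of the 5.2.0 entry cannot be reviewed here. In the visible part, the 5.2.1 bullet `Support of the TCG TNC IF-M Attribute Segmentation specification proposal.` is a sentence fragment with no verb, and the `Using a MinGW` / `toolchain,` and `networking and` / `IPsec` breaks look like archive wrapping rather than the changes file's own layout; check that the file wraps at the usual width so the entry renders as one paragraph per bullet.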

commit strongswan for openSUSE:Factory

2014-11-26 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2014-11-26 10:33:53

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2014-07-21 
22:35:06.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2014-11-26 10:33:58.0 +0100
@@ -1,0 +2,44 @@
+Tue Nov 25 11:22:06 UTC 2014 - m...@suse.de
+
+- Updated strongswan-hmac package description (bsc#856322).
+
+---
+Fri Nov 21 12:03:59 UTC 2014 - m...@suse.de
+
+- Disabled explicit gpg validation; osc source_validator does it.
+- Guarded fipscheck and hmac package in the spec file for 13.1.
+
+---
+Thu Nov 20 07:43:43 UTC 2014 - m...@suse.de
+
+- Added generation of fips hmac hash files using fipshmac utility
+  and a _fipscheck script to verify binaries/libraries/plugings
+  shipped in the strongswan-hmac package.
+  With enabled fips in the kernel, the ipsec script will call it
+  before any action or in a enforced/manual ipsec _fipscheck call.
+  Added config file to load openssl and kernel af-alg plugins, but
+  not all the other modules which provide further/alternative algs.
+  Applied a filter disallowing non-approved algorithms in fips mode.
+  (fate#316931,bnc#856322).
+  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
+- Fixed file list in the optional (disabled) strongswan-test package.
+- Fixed build of the strongswan built-in integrity checksum library
+  and enabled building it only on architectures tested to work.
+- Fix to use bug number 897048 instead 856322 in last changes entry.
+- Applied an upstream patch reverting to store algorithms in the
+  registration order again as ordering them by identifier caused
+  weaker algorithms to be proposed first by default (bsc#897512).
+  [+0001-restore-registration-algorithm-order.bug897512.patch]
+
+---
+Fri Sep 26 16:02:09 UTC 2014 - m...@suse.de
+
+- Re-enabled gcrypt plugin and reverted to not enforce fips again
+  as this breaks gcrypt and openssl plugins when the fips pattern
+  option is not installed (fate#316931,bnc#856322).
+  [- strongswan-fips-disablegcrypt.patch]
+- Added empty strongswan-hmac package supposed to provide fips hmac
+  files and enforce fips compliant operation later (bnc#856322).
+- Cleaned up conditional build flags in the rpm spec file.
+
+---
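Review bot: the bug references in this hunk contradict each other: the Nov 25 entry cites `bsc#856322` and the Nov 20 entry cites `(fate#316931,bnc#856322)`, yet the same Nov 20 entry also says `Fix to use bug number 897048 instead 856322 in last changes entry`; either the 856322 references above should become 897048 or that line should go. Minor: `plugings` in the hmac package line should read `plugins`, and `in a enforced/manual ipsec _fipscheck call` should read `in an enforced/manual ... call`.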

Old:

  strongswan-fips-disablegcrypt.patch

New:

  0001-restore-registration-algorithm-order.bug897512.patch
  fips-enforce.conf
  fipscheck.sh.in
  strongswan_fipscheck.patch
  strongswan_fipsfilter.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.kd5GaV/_old  2014-11-26 10:34:00.0 +0100
+++ /var/tmp/diff_new_pack.kd5GaV/_new  2014-11-26 10:34:00.0 +0100
@@ -31,16 +31,27 @@
 %else
 %bcond_with tests
 %endif
-%if 0%{suse_version}  1110
-%bcond_without  mysql
+%if 0%{suse_version}  1310
+%bcond_without  fipscheck
 %else
-%bcond_with mysql
+%bcond_with fipscheck
+%endif
+%ifarch %{ix86} ppc64le
+%bcond_without  integrity
+%else
+%bcond_with integrity
 %endif
 %if 0%{suse_version}  1110
+%bcond_without  farp
+%bcond_without  afalg
+%bcond_without  mysql
 %bcond_without  sqlite
 %bcond_without  gcrypt
 %bcond_without  nm
 %else
+%bcond_with farp
+%bcond_with afalg
+%bcond_with mysql
 %bcond_with sqlite
 %bcond_with gcrypt
 %bcond_with nm
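Review bot: the conditions `%if 0%{suse_version}  1310` and `%if 0%{suse_version}  1110` show no comparison operator between the two operands (most likely a `>` dropped by the archive); confirm the spec actually reads `> 1310` / `> 1110`, since rpm cannot parse the conditional without it. The `%bcond_without integrity` limited to `%ifarch %{ix86} ppc64le` matches the changes entry about building the checksum library only on tested architectures; a one-line comment naming why those two were chosen would help whoever adds the next architecture.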
@@ -61,16 +72,23 @@
 Source3:%{name}-%{version}-rpmlintrc
 Source4:README.SUSE
 Source5:%{name}.keyring
+%if %{with fipscheck}
+Source6:fipscheck.sh.in
+Source7:fips-enforce.conf
+%endif
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
-Patch3: %{name}-fips-disablegcrypt.patch
+%if %{with fipscheck}
+Patch3: %{name}_fipscheck.patch
+Patch4: %{name}_fipsfilter.patch
+%endif
+Patch5: 0001-restore-registration-algorithm-order.bug897512.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
-BuildRequires:  gpg-offline
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libsoup-devel
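Review bot: `Source6`/`Source7` and `Patch3`/`Patch4` are declared inside `%if %{with fipscheck}`, so the matching `%patch3`/`%patch4` lines in `%prep` (not in this hunk) must sit under the same condition or the build fails on targets where fipscheck is off; please confirm that is the case. Removing `BuildRequires: gpg-offline` while keeping `Source5: %{name}.keyring` is consistent with the changes entry that osc's source validator now performs the signature check, so the keyring stays the trust anchor for the tarball.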
@@ -91,11 +109,21 @@
 BuildRequires:  NetworkManager-devel
 %endif
 %if %{with systemd}
-BuildRequires:  

commit strongswan for openSUSE:Factory

2014-07-21 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2014-07-21 21:40:28

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2014-06-30 
21:50:27.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2014-07-21 22:35:06.0 +0200
@@ -1,0 +2,7 @@
+Thu Jul  3 13:39:45 UTC 2014 - meiss...@suse.com
+
+- disable gcrypt plugin by default, so it will only use openssl
+  fate#316931 [+strongswan-fips-disablegcrypt.patch]
+- enable fips mode 2
+
+---
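Review bot: the entry states that gcrypt is disabled and `fips mode 2` enabled, but it does not say what mode 2 enforces or what happens on systems without a FIPS-capable OpenSSL; the November 2014 entry higher up on this page reverts exactly this change because it broke the gcrypt and openssl plugins when the fips pattern was not installed, so the rationale and the precondition belong in this entry.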

New:

  strongswan-fips-disablegcrypt.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.OYj06Q/_old  2014-07-21 22:35:07.0 +0200
+++ /var/tmp/diff_new_pack.OYj06Q/_new  2014-07-21 22:35:07.0 +0200
@@ -63,6 +63,7 @@
 Source5:%{name}.keyring
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
+Patch3: %{name}-fips-disablegcrypt.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -243,6 +244,7 @@
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
   $RPM_SOURCE_DIR/strongswan.init.in \
   strongswan.init
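Review bot: `%patch3 -p1` is correct for this patch because its `Index:` and `---`/`+++` headers carry the `strongswan-5.1.3/` prefix, unlike Patch1 and Patch2 which are applied with `-p0`; a short comment next to the line would spare the next reader the check. Since the patch headers pin it to 5.1.3, it needs a rebase check at the next version bump.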
@@ -257,6 +259,7 @@
--enable-integrity-test \
--with-capabilities=libcap \
--with-plugindir=%{strongswan_plugins} \
+   --with-fips=2 \
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
--with-piddir=%{_rundir}/%{name} \
--enable-pkcs11 \
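Review bot: `--with-fips=2` is passed unconditionally, regardless of whether the target provides a FIPS-capable OpenSSL, and neither the flag nor the meaning of `2` is explained in the changes entry. Given that the November 2014 entry on this page reverts enforcement because it broke the openssl and gcrypt plugins without the fips pattern installed, this flag should at least hang off a `%bcond` so it can be switched per target.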


++ strongswan-fips-disablegcrypt.patch ++
References: fate#316931

Index: strongswan-5.1.3/conf/plugins/gcrypt.conf
===
--- strongswan-5.1.3.orig/conf/plugins/gcrypt.conf
+++ strongswan-5.1.3/conf/plugins/gcrypt.conf
@@ -2,7 +2,7 @@ gcrypt {
 
 # Whether to load the plugin. Can also be an integer to increase the
 # priority of this plugin.
-load = yes
+load = no
 
 # Use faster random numbers in gcrypt; for testing only, produces weak 
keys!
 # quick_random = no
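Review bot: flipping `load = yes` to `load = no` in the shipped gcrypt.conf snippet only changes the default configuration; the plugin is still built and installed (the spec hunks elsewhere on this page keep `%bcond_without gcrypt`), and an administrator or a preserved local copy of the snippet can re-enable it. If the goal is to guarantee that only the OpenSSL backend provides crypto in FIPS mode, build without the plugin rather than patching the config default.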
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org



commit strongswan for openSUSE:Factory

2014-06-30 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2014-06-30 21:45:22

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2014-04-17 
14:09:48.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2014-06-30 21:45:50.0 +0200
@@ -1,0 +2,9 @@
+Fri Jun 20 17:38:07 UTC 2014 - crrodrig...@opensuse.org
+
+- Fix build in factory 
+* Do not include var/run directories in package
+* Move runtime data to /run and provide tmpfiles.d snippet
+* Add proper systemd macros to rpm scriptlets.
+* Do not buildRequire library package libnl1, it is not used.
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.SvxZmt/_old  2014-06-30 21:45:52.0 +0200
+++ /var/tmp/diff_new_pack.SvxZmt/_new  2014-06-30 21:45:52.0 +0200
@@ -90,10 +90,11 @@
 BuildRequires:  NetworkManager-devel
 %endif
 %if %{with systemd}
-BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig(systemd)
 %endif
 BuildRequires:  iptables
-BuildRequires:  libnl = 1.1
+%{!?_rundir: %global _rundir /run}
+%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
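Review bot: the `%{!?_rundir: %global _rundir /run}` and `%{!?_tmpfilesdir: ...}` fallbacks apply unconditionally, so on non-systemd targets the `/run/%{name}` paths are still configured while nothing creates the directory at boot there: this diff drops the `mkdir` from `%post libs0`, and the `%{?tmpfiles_create: ...}` call added later in the diff only covers the systemd case. Either guard the runtime-dir handling consistently or keep a directory creation step for the init.d path. Dropping `BuildRequires: libnl = 1.1` matches the changes entry.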
@@ -256,7 +257,8 @@
--enable-integrity-test \
--with-capabilities=libcap \
--with-plugindir=%{strongswan_plugins} \
-   --with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
+   --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
+   --with-piddir=%{_rundir}/%{name} \
--enable-pkcs11 \
--enable-openssl \
--enable-agent \
@@ -331,7 +333,8 @@
 %endif
--enable-ldap \
--enable-soup \
-   --enable-curl
+   --enable-curl \
+   --disable-static
 make %{?_smp_mflags:%_smp_mflags}
 
 %install
@@ -358,8 +361,7 @@
 #
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
-find  $RPM_BUILD_ROOT%{strongswan_libdir} \
-  -name *.a -o -name *.la | xargs -r rm -f
+find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name *.la -delete
 #
 install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
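Review bot: `-name *.la` is an unquoted glob; if a file ending in `.la` happens to exist in the build's current directory the shell expands it before `find` runs and the expression changes meaning. Quote it as `-name '*.la'`. Dropping the `-o -name *.a` branch is consistent with the `--disable-static` added in the previous hunk.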
@@ -367,20 +369,23 @@
 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
 
-%post libs0
-%{run_ldconfig}
-test -d %{_localstatedir}/run/strongswan || \
-%{__mkdir_p} %{_localstatedir}/run/strongswan
+%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
+echo 'd %{_rundir}/%{name} 0770 root root'  
%{buildroot}%{_tmpfilesdir}/%{name}.conf
 
-%postun libs0
-%{run_ldconfig}
+%post libs0 -p /sbin/ldconfig
+
+%postun libs0 -p /sbin/ldconfig
+
+%pre ipsec
+%service_add_pre %{name}.service
 
 %post ipsec
 %if ! %{with systemd}
 %{fillup_and_insserv ipsec}
 %endif
+%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf }
+%service_add_post %{name}.service
 
 %preun ipsec
 %if ! %{with systemd}
@@ -394,12 +399,15 @@
cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
%{_sysconfdir}/ipsec.conf.rpmsave.old
 fi
+%service_del_preun %{name}.service
 
 %postun ipsec
 %if ! %{with systemd}
 %{insserv_cleanup}
 %endif
 
+%service_del_postun %{name}.service
+
 %files
 %defattr(-,root,root)
 %dir %{strongswan_docdir}
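Review bot: `%service_del_postun %{name}.service` restarts the service on package update, which for an IKE daemon means every established tunnel is torn down and re-established during the upgrade; decide consciously whether that is wanted for this package. Like the `%pre` hunk above, `%service_del_preun` and `%service_del_postun` run unguarded next to `%if ! %{with systemd}` blocks, so the same systemd-only caveat applies.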
@@ -448,6 +456,7 @@
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
+%{_tmpfilesdir}/%{name}.conf
 
 %files doc
 %defattr(-,root,root)
@@ -662,7 +671,6 @@
 %{strongswan_plugins}/libstrongswan-xauth-generic.so
 %{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
-%dir %ghost %{_localstatedir}/run/strongswan
 %dir %{strongswan_datadir}
 %dir %{strongswan_templates}
 %dir %{strongswan_templates}/config





commit strongswan for openSUSE:Factory

2014-04-17 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2014-04-17 14:09:47

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2013-11-01 
17:44:21.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2014-04-17 14:09:48.0 +0200
@@ -1,0 +2,72 @@
+Mon Apr 14 23:36:07 UTC 2014 - m...@suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+  - Fixed an authentication bypass vulnerability triggered by rekeying
+an unestablished IKEv2 SA while it gets actively initiated. This
+allowed an attacker to trick a peer's IKE_SA state to established,
+without the need to provide any valid authentication credentials.
+(CVE-2014-2338, bnc#870572).
+  - The acert plugin evaluates X.509 Attribute Certificates. Group
+membership information encoded as strings can be used to fulfill
+authorization checks defined with the rightgroups option.
+Attribute Certificates can be loaded locally or get exchanged in
+IKEv2 certificate payloads.
+  - The pki command gained support to generate X.509 Attribute
+Certificates using the --acert subcommand, while the --print
+command supports the ac type. The openac utility has been removed
+in favor of the new pki functionality.
+  - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+protocols has been extended by AEAD mode support, currently limited
+to AES-GCM.
+  - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+CA constraints
+  - Limited OCSP signing to specific certificates to improve performance
+  - authKeyIdentifier is not added to self-signed certificates anymore
+  - Fixed the comparison of IKE configs if only the cipher suites were
+different
+
+---
+Wed Apr  2 05:53:21 UTC 2014 - m...@suse.de
+
+- Updated to strongSwan 5.1.2 providing the following changes:
+  - A new default configuration file layout is introduced. The new
+default strongswan.conf file mainly includes config snippets from
+the strongswan.d and strongswan.d/charon directories (the latter
+containing snippets for all plugins). The snippets, with commented
+defaults, are automatically generated and installed, if they don't
+exist yet. Also installed in $prefix/share/strongswan/templates so
+existing files can be compared to the current defaults.
+  - As an alternative to the non-extensible charon.load setting, the
+plugins to load in charon (and optionally other applications) can
+now be determined via the charon.plugins.name.load setting for
+each plugin (enabled in the new default strongswan.conf file via the
+charon.load_modular option). The load setting optionally takes a
+numeric priority value that allows reordering the plugins (otherwise
+the default plugin order is preserved).
+  - All strongswan.conf settings that were formerly defined in library
+specific global sections are now application specific (e.g.
+settings for plugins in libstrongswan.plugins can now be set only
+for charon in charon.plugins). The old options are still supported,
+which now allows to define defaults for all applications in the
+libstrongswan section.
+  - The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+computer IKE key exchange mechanism. The implementation is based on
+the ntru-crypto library from the NTRUOpenSourceProject.
+The supported security strengths are ntru112, ntru128, ntru192, and
+ntru256. Since the private DH group IDs 1030..1033 have been
+assigned, the strongSwan Vendor ID must be sent in order to use NTRU
+(charon.send_vendor_id = yes).
+  - Defined a TPMRA remote attestation workitem and added support for it
+to the Attestation IMV.
+  - Compatibility issues between IPComp (compress=yes) and
+leftfirewall=yes as well as multiple subnets in left|rightsubnet
+have been fixed.
+  - When enabling its session strongswan.conf option, the xauth-pam
+plugin opens and closes a PAM session for each established IKE_SA.
+Patch courtesy of Andrea Bonomi.
+  - The strongSwan unit testing framework has been rewritten without the
+check dependency for improved flexibility and portability. It now
+properly supports multi-threaded and memory leak testing and brings
+a bunch of new test cases.
+
+---
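Review bot: the last four bullets of the 5.1.3 entry (`Fixed an issue where CRL/OCSP...`, `Limited OCSP signing...`, `authKeyIdentifier...`, `Fixed the comparison...`) end without a period while the others do. The CVE-2014-2338 fix is what readers of this file will search for, so the `(CVE-2014-2338, bnc#870572)` reference would be better placed on the entry's first line next to the version rather than at the end of the bullet.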

Old:

  strongswan-5.1.1-rpmlintrc
  strongswan-5.1.1.tar.bz2
  strongswan-5.1.1.tar.bz2.sig

New:

  strongswan-5.1.3-rpmlintrc
  

commit strongswan for openSUSE:Factory

2013-11-01 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2013-11-01 17:44:20

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2013-08-05 
20:55:12.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2013-11-01 17:44:21.0 +0100
@@ -1,0 +2,63 @@
+Fri Nov  1 12:28:39 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.1.1 minor release addressing two security
+  fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
+  - Fixed a denial-of-service vulnerability and potential authorization
+bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
+is an insufficient length check when comparing such identities. The
+vulnerability has been registered as CVE-2013-6075.
+  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+fragmentation payload. The cause is a NULL pointer dereference. The
+vulnerability has been registered as CVE-2013-6076.
+  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
+session with a strongSwan policy enforcement point which uses the
+tnc-pdp charon plugin.
+  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
+for either full SWID Tag or concise SWID Tag ID inventories.
+  - The XAuth backend in eap-radius now supports multiple XAuth
+exchanges for different credential types and display messages.
+All user input gets concatenated and verified with a single
+User-Password RADIUS attribute on the AAA. With an AAA supporting
+it, one for example can implement Password+Token authentication with
+proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
+Config exchange in push mode. The ipsec.conf modeconfig=push option
+enables it for both client and server, the same way as pluto used it.
+  - Using the ah ipsec.conf keyword on both IKEv1 and IKEv2
+connections, charon can negotiate and install Security Associations
+integrity-protected by the Authentication Header protocol. Supported
+are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
+ESP+AH bundles.
+  - The generation of initialization vectors for IKE and ESP (when using
+libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
+allocated sequentially, while other algorithms like AES-CBC still
+use random IVs.
+  - The left and right options in ipsec.conf can take multiple address
+ranges and subnets. This allows connection matching against a larger
+set of addresses, for example to use a different connection for clients
+connecting from a internal network.
+  - For all those who have a queasy feeling about the NIST elliptic curve
+set, the Brainpool curves introduced for use with IKE by RFC 6932 might
+be a more trustworthy alternative.
+  - The kernel-libipsec userland IPsec backend now supports usage
+statistics, volume based rekeying and accepts ESPv3 style TFC padded
+packets.
+  - With two new strongswan.conf options fwmarks can be used to implement
+host-to-host tunnels with kernel-libipsec.
+  - load-tester supports transport mode connections and more complex
+traffic selectors, including such using unique ports for each tunnel.
+  - The new dnscert plugin provides support for authentication via CERT
+RRs that are protected via DNSSEC.  The plugin was created by Ruslan
+N. Marchenko.
+  - The eap-radius plugin supports forwarding of several Cisco Unity
+specific RADIUS attributes in corresponding configuration payloads.
+  - Database transactions are now abstracted and implemented by the two
+backends. If you use MySQL make sure all tables use the InnoDB engine.
+  - libstrongswan now can provide an experimental custom implementation
+of the printf family functions based on klibc if neither Vstr nor
+glibc style printf hooks are available. This can avoid the Vstr
+dependency on some systems at the cost of slower and less complete
+printf functions.
+- Adjusted file lists: this version installs the pki utility and manuals
+  in common /usr directories and additional ipsec/pt-tls-client helper.
+
+---
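Review bot: the bullet `- charon supports IKEv1 Mode Config exchange in push mode` is run into the previous bullet's last line (`proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode`); split it onto its own `  - ` line so the entry reads as a list. Minor: `from a internal network` should read `from an internal network`, and the heading line lists the references as `bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076` with inconsistent spacing.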

Old:

  strongswan-5.1.0-rpmlintrc
  strongswan-5.1.0.tar.bz2
  strongswan-5.1.0.tar.bz2.sig

New:

  strongswan-5.1.1-rpmlintrc
  strongswan-5.1.1.tar.bz2
  strongswan-5.1.1.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.TFhq8g/_old  2013-11-01 

commit strongswan for openSUSE:Factory

2013-08-05 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2013-08-05 20:55:10

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2013-05-02 
12:01:36.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2013-08-05 20:55:12.0 +0200
@@ -1,0 +2,73 @@
+Mon Aug  5 13:48:11 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018):
+  - Fixed a denial-of-service vulnerability triggered by specific XAuth
+usernames and EAP identities (since 5.0.3), and PEM files (since
+4.1.11). The crash was caused by insufficient error handling in the
+is_asn1() function. The vulnerability has been registered as
+CVE-2013-5018.
+  - The new charon-cmd command line IKE client can establish road
+warrior connections using IKEv1 or IKEv2 with different
+authentication profiles. It does not depend on any configuration
+files and can be configured using a few simple command line options.
+  - The kernel-pfroute networking backend has been greatly improved.
+It now can install virtual IPs on TUN devices on OS X and FreeBSD,
+allowing these systems to act as a client in common road warrior
+scenarios.
+  - The new kernel-libipsec plugin uses TUN devices and libipsec to
+provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.
+  - The eap-radius plugin can now serve as an XAuth backend called
+xauth-radius, directly verifying XAuth credentials using RADIUS
+User-Name/User-Password attributes. This is more efficient than the
+existing xauth-eap+eap-radius combination, and allows RADIUS servers
+without EAP support to act as AAA backend for IKEv1.
+  - The new osx-attr plugin installs configuration attributes (currently
+DNS servers) via SystemConfiguration on Mac OS X. The keychain
+plugin provides certificates from the OS X keychain service.
+  - The sshkey plugin parses SSH public keys, which, together with the
+--agent option for charon-cmd, allows the use of ssh-agent for
+authentication. To configure SSH keys in ipsec.conf the
+left|rightrsasigkey options are replaced with left|rightsigkey,
+which now take public keys in one of three formats: SSH (RFC 4253,
+ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the
+default, no prefix).
+  - Extraction of certificates and private keys from PKCS#12 files is
+now provided by the new pkcs12 plugin or the openssl plugin.
+charon-cmd (--p12) as well as charon (via P12 token in
+ipsec.secrets) can make use of this.
+  - IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+  - IKEv2 exchange initiators now properly close an established IKE or
+CHILD_SA on error conditions using an additional exchange, keeping
+state in sync between peers.
+  - Using a SQL database interface a Trusted Network Connect (TNC)
+Policy Manager can  generate specific measurement workitems for an
+arbitrary number of Integrity Measurement Verifiers (IMVs) based on
+the history of the VPN user and/or device.
+  - Several core classes in libstrongswan are now tested with unit
+tests. These can be enabled with --enable-unit-tests and run with
+'make check'.
+Coverage reports can be generated with --enable-coverage and 'make
+coverage' (this disables any optimization, so it should not be
+enabled when building production releases).
+  - The leak-detective developer tool has been greatly improved. It
+works much faster/stabler with multiple threads, does not use
+deprecated malloc hooks anymore and has been ported to OS X.
+  - chunk_hash() is now based on SipHash-2-4 with a random key. This
+provides better distribution and prevents hash flooding attacks
+when used with hashtables.
+  - All default plugins implement the get_features() method to define
+features and their dependencies. The plugin loader has been
+improved, so that plugins in a custom load statement can be ordered
+freely or to express preferences without being affected by
+dependencies between plugin features.
+  - A centralized thread can take care for watching multiple file
+descriptors concurrently. This removes the need for a dedicated
+listener threads in various plugins. The number of reserved
+threads for such tasks has been reduced to about five, depending on
+the plugin configuration.
+  - Plugins that can be controlled by a UNIX socket IPC mechanism gained
+network transparency. Third party applications querying these
+plugins now can use TCP connections from a different host.
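Review bot: this hunk is cut off in the archive after the UNIX socket IPC bullet, so the remaining bullets and the entry's closing separator cannot be reviewed here. In the visible part, `take care for watching` should read `take care of watching`, `a dedicated listener threads` mixes singular and plural, and `can  generate` has a double space. The bullet stating that socket-controlled plugins `now can use TCP connections from a different host` describes a change in network exposure; the entry should say whether the distribution build enables that and how access is restricted.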

commit strongswan for openSUSE:Factory

2013-05-02 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2013-05-02 12:01:35

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-12-14 
11:18:09.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2013-05-02 12:01:36.0 +0200
@@ -1,0 +2,25 @@
+Tue Apr 30 12:48:44 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944):
+  - Fixed a security vulnerability in the openssl plugin which was
+reported by Kevin Wojtysiak.  The vulnerability has been registered
+as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA
+signature verification was used, due to a misinterpretation of the
+error code returned by the OpenSSL ECDSA_verify() function, an empty
+or zeroed signature was accepted as a legitimate one. Refer to our
+blog for details.
+  - The handling of a couple of other non-security relevant OpenSSL
+return codes was fixed as well.
+  - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses
+via its TCG TNC IF-MAP 2.1 interface.
+  - The charon.initiator_only strongswan.conf option causes charon to
+ignore IKE initiation requests.
+  - The openssl plugin can now use the openssl-fips library.
+  The version 5.0.3 provides new ipseckey plugin, enabling authentication
+  based on trustworthy public keys stored as IPSECKEY resource records in
+  the DNS and protected by DNSSEC and new openssl plugin using the AES-NI
+  accelerated version of AES-GCM if the hardware supports it.
+  See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+  for a list of all changes since the 5.0.1 release.
+
+---
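Review bot: the paragraph beginning `The version 5.0.3 provides new ipseckey plugin` is indented as continuation text under the last 5.0.4 bullet but describes a different release; give it its own bullet (or its own line about 5.0.3) so the list structure matches the content. Wording: `provides new ipseckey plugin` reads better as `provides a new ipseckey plugin`, and `and new openssl plugin using` as `and an openssl plugin that uses`.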

Old:

  strongswan-5.0.1-rpmlintrc
  strongswan-5.0.1.tar.bz2
  strongswan-5.0.1.tar.bz2.sig

New:

  strongswan-5.0.4-rpmlintrc
  strongswan-5.0.4.tar.bz2
  strongswan-5.0.4.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.cVMGaj/_old  2013-05-02 12:01:38.0 +0200
+++ /var/tmp/diff_new_pack.cVMGaj/_new  2013-05-02 12:01:38.0 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:   strongswan
-Version:5.0.1
+Version:5.0.4
 Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
@@ -28,12 +28,12 @@
 %else
 %bcond_with tests
 %endif
-%if 1
+%if 0%{suse_version}  1110
 %bcond_without  mysql
 %else
 %bcond_with mysql
 %endif
-%if 0%{suse_version} = 1110
+%if 0%{suse_version}  1110
 %bcond_without  sqlite
 %bcond_without  gcrypt
 %bcond_without  nm
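Review bot: both new `%if 0%{suse_version}  1110` lines show no comparison operator between the operands, while the removed line still shows `= 1110` (presumably `>= 1110` before the archive dropped the `>`); verify that the spec actually reads `> 1110`, otherwise rpm fails to parse the conditional. If it is indeed `>`, then suse_version 1110 itself is now excluded for sqlite, gcrypt and nm where it was included before, and mysql moves from unconditional (`%if 1`) to the same guard; that behaviour change should be mentioned in the changes entry.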
@@ -319,6 +319,8 @@
 %endif
 %if %{with nm}
--enable-nm \
+%else
+   --disable-nm \
 %endif
 %if %{with tests}
--enable-load-tester \
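Review bot: adding an explicit `--disable-nm` in the `%else` branch is the right fix: without it configure auto-detects NetworkManager and the build result depends on what happens to be installed in the build root. The same treatment applies to the other `%bcond`-driven options if they are only passed in the positive branch.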
@@ -351,7 +353,7 @@
 #
 EOT
 #
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find  $RPM_BUILD_ROOT%{strongswan_libdir} \
   -name *.a -o -name *.la | xargs -r rm -f
@@ -464,6 +466,7 @@
 %{strongswan_libdir}/libchecksum.so
 %{strongswan_libdir}/libcharon.so.*
 %{strongswan_libdir}/libhydra.so.*
+%{strongswan_libdir}/libpttls.so.*
 %{strongswan_libdir}/libradius.so.*
 %{strongswan_libdir}/libsimaka.so.*
 %{strongswan_libdir}/libstrongswan.so.*
@@ -532,6 +535,7 @@
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so

++ strongswan-5.0.1-rpmlintrc - strongswan-5.0.4-rpmlintrc ++

++ strongswan-5.0.1.tar.bz2 - strongswan-5.0.4.tar.bz2 ++
 247583 lines of diff (skipped)




commit strongswan for openSUSE:Factory

2012-12-14 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-12-14 11:18:07

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-11-18 
20:27:11.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-12-14 11:18:09.0 +0100
@@ -1,0 +2,5 @@
+Thu Nov 29 19:13:40 CET 2012 - sbra...@suse.cz
+
+- Verify GPG signature.
+
+---

New:

  strongswan.keyring



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.inCgsA/_old  2012-12-14 11:18:11.0 +0100
+++ /var/tmp/diff_new_pack.inCgsA/_new  2012-12-14 11:18:11.0 +0100
@@ -57,6 +57,7 @@
 Source2:%{name}.init.in
 Source3:%{name}-%{version}-rpmlintrc
 Source4:README.SUSE
+Source5:%{name}.keyring
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
@@ -65,6 +66,7 @@
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
+BuildRequires:  gpg-offline
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libsoup-devel
@@ -233,6 +235,7 @@
 %endif
 
 %prep
+%gpg_verify %{S:1}
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
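Review bot: `%gpg_verify %{S:1}` verifies whichever file is `Source1`, but `Source1` is not in this hunk; confirm it is the tarball and that the detached `.sig` is declared as a Source so it ships with the package sources. Running the check before `%setup` is correct. Since `Source5: %{name}.keyring` is now the trust anchor for the tarball, any future change to that file needs the same scrutiny as a code change, including comparing the key fingerprint against the upstream-published one.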


++ strongswan.keyring ++
pub   3072R/B34DBA77 2009-06-12
uid  Andreas Steffen andreas.stef...@strongswan.org
sub   3072g/0E10E91A 2009-08-20


commit strongswan for openSUSE:Factory

2012-11-18 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-11-18 20:27:10

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-11-08 
21:54:07.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-11-18 20:27:11.0 +0100
@@ -1,0 +2,5 @@
+Fri Nov 16 04:02:32 UTC 2012 - crrodrig...@opensuse.org
+
+- Fix systemd unit dir 
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.mF6RXb/_old  2012-11-18 20:27:12.0 +0100
+++ /var/tmp/diff_new_pack.mF6RXb/_new  2012-11-18 20:27:12.0 +0100
@@ -411,7 +411,7 @@
 %dir %{_sysconfdir}/ipsec.d/ocspcerts
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
 %if %{with systemd}
-/lib/systemd/system/strongswan.service
+%{_unitdir}/strongswan.service
 %else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
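Review bot: replacing the hard-coded `/lib/systemd/system` with `%{_unitdir}` is the right fix, but the macro is only defined when the systemd RPM macros are present at build time; since this `%files` entry sits inside `%if %{with systemd}`, make sure that branch also pulls in the BuildRequires that defines `%{_unitdir}`, or the path is written literally and the build fails on a missing file.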





commit strongswan for openSUSE:Factory

2012-11-08 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-11-08 21:54:04

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-09-11 
09:20:15.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-11-08 21:54:07.0 +0100
@@ -1,0 +2,37 @@
+Wed Oct 31 15:25:16 UTC 2012 - m...@suse.de
+
+- Updated to strongSwan 5.0.1 release. Changes digest:
+  - Introduced the sending of the standard IETF Assessment Result
+PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+  - Extended PTS Attestation IMC/IMV pair to provide full evidence of
+the Linux IMA measurement process. All pertinent file information
+of a Linux OS can be collected and stored in an SQL database.
+  - The PA-TNC and PB-TNC protocols can now process huge data payloads.
+  - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid
+authenticated clients against any PAM service.
+  - The new unity plugin brings support for some parts of the IKEv1
+Cisco Unity Extensions.
+  - The kernel-netlink plugin supports the new strongswan.conf option
+charon.install_virtual_ip_on.
+  - Job handling in controller_t was fixed, which occasionally caused
+crashes on ipsec up/down.
+  - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain
+part.
+  Changes digest from strongSwan 5.0.0 version:
+  * The charon IKE daemon gained experimental support for the IKEv1
+protocol. Pluto has been removed from the 5.x series.
+  * The NetworkManager charon plugin of previous releases is now
+provided by a separate executable (charon-nm) and it should work
+again with NM 0.9.
+  * scepclient was updated and it now works fine with Windows Server
+2008 R2.
+  For full list of the changes, please read the NEWS file shipped
+  in the strongswan-doc package or online:
+  http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+- Adopted spec file, enabled several plugins, e.g.: ccm, certexpire,
+  coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc,
+  eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam.
+- Changed to install strongswan.service with alias to ipsec.service
+  instead of the /etc/init.d/ipsec init script on openSUSE  12.2.
+
+---

Old:

  0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
  strongswan-4.6.4-fmt-warnings.patch
  strongswan-4.6.4-rpmlintrc
  strongswan-4.6.4.tar.bz2
  strongswan-4.6.4.tar.bz2.sig

New:

  strongswan-5.0.1-rpmlintrc
  strongswan-5.0.1.tar.bz2
  strongswan-5.0.1.tar.bz2.sig
  strongswan_ipsec_service.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.LCpsll/_old  2012-11-08 21:54:08.0 +0100
+++ /var/tmp/diff_new_pack.LCpsll/_new  2012-11-08 21:54:08.0 +0100
@@ -17,23 +17,40 @@
 
 
 Name:   strongswan
-Version:4.6.4
+Version:5.0.1
 Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
 %define strongswan_libdir  %{_libdir}/ipsec
 %define strongswan_plugins %{strongswan_libdir}/plugins
-%definewith_mysql  1
-%definewith_sqlite 0%{suse_version} = 1110
-%definewith_gcrypt 0%{suse_version} = 1110
-%definewith_nm 0%{suse_version} = 1110
-%definewith_tests  0
+%if 0
+%bcond_without  tests
+%else
+%bcond_with tests
+%endif
+%if 1
+%bcond_without  mysql
+%else
+%bcond_with mysql
+%endif
+%if 0%{suse_version} = 1110
+%bcond_without  sqlite
+%bcond_without  gcrypt
+%bcond_without  nm
+%else
+%bcond_with sqlite
+%bcond_with gcrypt
+%bcond_with nm
+%endif
+%if 0%{suse_version}  1220
+%bcond_without  systemd
+%else
+%bcond_with systemd
+%endif
 Summary:OpenSource IPsec-based VPN Solution
 License:GPL-2.0+
 Group:  Productivity/Networking/Security
 Url:http://www.strongswan.org/
-Requires:   strongswan-ikev1 = %{version}
-Requires:   strongswan-ikev2 = %{version}
 Requires:   strongswan-ipsec = %{version}
 Source0:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
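Review bot: the conditions `%if 0%{suse_version} = 1110` and `%if 0%{suse_version}  1220` show no comparison operator (or only `=`) between their operands as rendered here, and in that form they do not express the "openSUSE 12.2 and later" logic the changelog describes; check that the intended operators (presumably `>=` and `>`) survived in the committed spec, since the same loss of characters shows up in `Conflicts: strongswan  %{version}` elsewhere in this series. Separately, `%if 0 / %bcond_without tests / %else / %bcond_with tests / %endif` and the matching `%if 1` block for mysql are constant conditions with a dead branch each; `%bcond_with tests` and `%bcond_without mysql` say the same thing in one line. Dropping `Requires: strongswan-ikev1` and `strongswan-ikev2` is consistent with the removal of pluto in the 5.x series noted in the changelog.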
@@ -41,8 +58,7 @@
 Source3:%{name}-%{version}-rpmlintrc
 Source4:README.SUSE
 Patch1: 

commit strongswan for openSUSE:Factory

2012-09-11 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-09-11 09:20:14

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-06-01 
07:24:23.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-09-11 09:20:15.0 +0200
@@ -1,0 +2,11 @@
+Fri Sep  7 08:36:57 UTC 2012 - m...@suse.de
+
+- Applied upstream patch adjusting an internal thread id causing
+  charon keying daemon start failure (bnc#779038,strongswan#198):
+openssl: Ensure the thread ID is never zero
+This might otherwise cause problems because OpenSSL tries to
+lock mutexes recursively if it assumes the lock is held by a
+different thread e.g. during FIPS initialization.
+  See http://wiki.strongswan.org/issues/198 for more informations.
+
+---

New:

  0001-openssl-Ensure-the-thread-ID-is-never-zero.patch



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.AVMzFR/_old  2012-09-11 09:20:17.0 +0200
+++ /var/tmp/diff_new_pack.AVMzFR/_new  2012-09-11 09:20:17.0 +0200
@@ -42,6 +42,7 @@
 Source4:README.SUSE
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}-%{version}-fmt-warnings.patch
+Patch3: 0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -249,6 +250,7 @@
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'\
   $RPM_SOURCE_DIR/strongswan.init.in \
   strongswan.init

++ 0001-openssl-Ensure-the-thread-ID-is-never-zero.patch ++
From 901dbc1077f6c9bd29369cad848bc79a29c1a65b Mon Sep 17 00:00:00 2001
From: Tobias Brunner tob...@strongswan.org
Date: Sat, 30 Jun 2012 10:05:41 +0200
Subject: [PATCH] openssl: Ensure the thread ID is never zero

This might otherwise cause problems because OpenSSL tries to lock
mutexes recursively if it assumes the lock is held by a different
thread e.g. during FIPS initialization.
---
 src/libstrongswan/plugins/openssl/openssl_plugin.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c 
b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 5a11412..7daa92b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -129,7 +129,9 @@ static void destroy_function(struct CRYPTO_dynlock_value 
*lock,
  */
 static unsigned long id_function(void)
 {
-   return (unsigned long)thread_current_id();
+   /* ensure the thread ID is never zero, otherwise OpenSSL might try to
+* acquire locks recursively */
+   return 1 + (unsigned long)thread_current_id();
 }
 
 /**
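Review bot: `1 + (unsigned long)thread_current_id()` yields a non-zero ID for every realistic thread ID, but it wraps back to zero if `thread_current_id()` ever returned `ULONG_MAX`; a one-line comment stating that IDs are small (or an assertion) would document the assumption. The reason for the change is stated both in the commit message and in the inline comment, which is good practice for a fix whose symptom (recursive locking during FIPS initialization) is far from the changed line.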
-- 
1.7.7





commit strongswan for openSUSE:Factory

2012-05-31 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-06-01 07:24:16

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-05-10 
14:34:47.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-06-01 07:24:23.0 +0200
@@ -1,0 +2,10 @@
+Thu May 31 16:08:43 UTC 2012 - m...@suse.com
+
+- Updated to strongSwan 4.6.4 release:
+  - Fixed a security vulnerability in the gmp plugin. If this
+plugin was used for RSA signature verification an empty or
+zeroed signature was handled as a legitimate one
+(bnc#761325, CVE-2012-2388).
+  - Fixed several issues with reauthentication and address updates.
+
+---

Old:

  strongswan-4.6.3-fmt-warnings.patch
  strongswan-4.6.3-rpmlintrc
  strongswan-4.6.3.tar.bz2
  strongswan-4.6.3.tar.bz2.sig

New:

  strongswan-4.6.4-fmt-warnings.patch
  strongswan-4.6.4-rpmlintrc
  strongswan-4.6.4.tar.bz2
  strongswan-4.6.4.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.Qmioi2/_old  2012-06-01 07:24:24.0 +0200
+++ /var/tmp/diff_new_pack.Qmioi2/_new  2012-06-01 07:24:24.0 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   strongswan
-Version:4.6.3
+Version:4.6.4
 Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
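Review bot: the only spec change is the Version bump, so the CVE-2012-2388 fix for the gmp plugin described in the changelog (an empty or zeroed RSA signature accepted as valid) arrives entirely through the new tarball; `strongswan-4.6.4.tar.bz2.sig` is listed among the new sources, but nothing in the visible spec checks it, so the integrity of this security update rests on the download alone. Verifying the detached signature at build time would close that gap.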

++ strongswan-4.6.3-fmt-warnings.patch - 
strongswan-4.6.4-fmt-warnings.patch ++

++ strongswan-4.6.3-rpmlintrc - strongswan-4.6.4-rpmlintrc ++

++ strongswan-4.6.3.tar.bz2 - strongswan-4.6.4.tar.bz2 ++
 32210 lines of diff (skipped)




commit strongswan for openSUSE:Factory

2012-05-10 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-05-10 14:34:18

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-03-16 
13:26:16.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-05-10 14:34:47.0 +0200
@@ -1,0 +2,40 @@
+Thu May 10 09:15:38 UTC 2012 - m...@suse.com
+
+- Updated to strongSwan 4.6.3 release:
+  - The tnc-pdp plugin implements a RADIUS server interface allowing
+a strongSwan TNC server to act as a Policy Decision Point.
+  - The eap-radius authentication backend enforces Session-Timeout
+attributes using RFC4478 repeated authentication and acts upon
+RADIUS Dynamic Authorization extensions, RFC 5176. Currently
+supported are disconnect requests and CoA messages containing
+a Session-Timeout.
+  - The eap-radius plugin can forward arbitrary RADIUS attributes
+from and to clients using custom IKEv2 notify payloads. The new
+radattr plugin reads attributes to include from files and prints
+received attributes to the console.
+  - Added support for untruncated MD5 and SHA1 HMACs in ESP as used
+in RFC 4595.
+  - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128
+algorithms as defined in RFC 4494 and RFC 4615, respectively.
+  - The resolve plugin automatically installs nameservers via
+resolvconf(8), if it is installed, instead of modifying
+/etc/resolv.conf directly.
+  - The IKEv2 charon daemon supports now raw RSA public keys in RFC
+3110 DNSKEY and PKCS#1 file format.
+  - The farp plugin sends ARP responses for any tunneled address,
+not only virtual IPs.
+  - Charon resolves hosts again during additional keying tries.
+  - Fixed switching back to original address pair during MOBIKE.
+  - When resending IKE_SA_INIT with a COOKIE charon reuses the previous
+DH value, as specified in RFC 5996.
+This has an effect on the lifecycle of diffie_hellman_t, see
+source:src/libcharon/sa/keymat.h#39 for details.
+  - COOKIEs are now kept enabled a bit longer to avoid certain race
+conditions the commit message to 1b7debcc has some details.
+  - The new stroke user-creds command allows to set username/password
+for a connection.
+  - strongswan.conf option added to set identifier for syslog(3) logging.
+  - Added a workaround for null-terminated XAuth secrets (as sent by
+Android 4).
+
+---

Old:

  strongswan-4.6.2-fmt-warnings.patch
  strongswan-4.6.2-glib.patch
  strongswan-4.6.2-rpmlintrc
  strongswan-4.6.2.tar.bz2
  strongswan-4.6.2.tar.bz2.sig

New:

  strongswan-4.6.3-fmt-warnings.patch
  strongswan-4.6.3-rpmlintrc
  strongswan-4.6.3.tar.bz2
  strongswan-4.6.3.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.qC4Jx2/_old  2012-05-10 14:34:48.0 +0200
+++ /var/tmp/diff_new_pack.qC4Jx2/_new  2012-05-10 14:34:48.0 +0200
@@ -16,9 +16,8 @@
 #
 
 
-
 Name:   strongswan
-Version:4.6.2
+Version:4.6.3
 Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
@@ -43,7 +42,6 @@
 Source4:README.SUSE
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}-%{version}-fmt-warnings.patch
-Patch3: %{name}-%{version}-glib.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -110,6 +108,7 @@
 %package doc
 BuildArch:  noarch
 Summary:OpenSource IPsec-based VPN Solution
+Group:  Productivity/Networking/Security
 
 %description doc
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -125,6 +124,7 @@
 
 %package libs0
 Summary:OpenSource IPsec-based VPN Solution
+Group:  Productivity/Networking/Security
 Conflicts:  strongswan  %{version}
 
 %description libs0
@@ -134,11 +134,13 @@
 
 %package ikev1
 Summary:OpenSource IPsec-based VPN Solution
+Group:  Productivity/Networking/Security
 Requires:   iproute2
-Requires:   strongswan-libs0 = %{version}
 Requires:   strongswan-ipsec = %{version}
-Provides:   strongswan-daemon = %{version} ikev1
+Requires:   strongswan-libs0 = %{version}
+Provides:   ikev1
 Provides:   pluto
+Provides:   strongswan-daemon = %{version}
 Conflicts:  freeswan openswan strongswan  %{version}
 
 %description ikev1
@@ -148,10 +150,12 @@
 
 %package 

commit strongswan for openSUSE:Factory

2012-03-16 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-03-16 13:26:15

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2012-02-16 
15:02:26.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-03-16 13:26:16.0 +0100
@@ -1,0 +2,21 @@
+Sat Mar  3 00:10:34 UTC 2012 - tabra...@novell.com
+
+- Updated to strongSwan 4.6.2 release:
+  Changes in 4.6.2:
+  - Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
+which supports IF-TNCCS 2.0 long message types, the exclusive flags
+and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
+the Test, Scanner, and Attestation IMC/IMV pairs were updated.
+  - Fully implemented the TCG Attestation PTS Protocol: Binding to IF-M
+standard (TLV-based messages only). TPM-based remote attestation of
+Linux IMA (Integrity Measurement Architecture) possible. Measurement
+reference values are automatically stored in an SQLite database.
+  - The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
+start/stop messages containing Username, Framed-IP and Input/Output-Octets
+attributes and has been tested against FreeRADIUS and Microsoft NPS.
+  - Added support for PKCS#8 encoded private keys via the libstrongswan
+pkcs8 plugin.  This is the default format used by some OpenSSL tools since
+version 1.0.0 (e.g. openssl req with -keyout).
+  - Added session resumption support to the strongSwan TLS stack.
+
+---

Old:

  strongswan-4.6.1-fmt-warnings.patch
  strongswan-4.6.1-glib.patch
  strongswan-4.6.1-rpmlintrc
  strongswan-4.6.1.tar.bz2
  strongswan-4.6.1.tar.bz2.sig

New:

  strongswan-4.6.2-fmt-warnings.patch
  strongswan-4.6.2-glib.patch
  strongswan-4.6.2-rpmlintrc
  strongswan-4.6.2.tar.bz2
  strongswan-4.6.2.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.PX1oaP/_old  2012-03-16 13:26:18.0 +0100
+++ /var/tmp/diff_new_pack.PX1oaP/_new  2012-03-16 13:26:18.0 +0100
@@ -18,7 +18,7 @@
 
 
 Name:   strongswan
-Version:4.6.1
+Version:4.6.2
 Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
@@ -486,6 +486,7 @@
 %{strongswan_plugins}/libstrongswan-pem.so
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
+%{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-random.so
 %{strongswan_plugins}/libstrongswan-resolve.so

++ strongswan-4.6.1-fmt-warnings.patch - 
strongswan-4.6.2-fmt-warnings.patch ++

++ strongswan-4.6.1-glib.patch - strongswan-4.6.2-glib.patch ++

++ strongswan-4.6.1-rpmlintrc - strongswan-4.6.2-rpmlintrc ++

++ strongswan-4.6.1.tar.bz2 - strongswan-4.6.2.tar.bz2 ++
 64395 lines of diff (skipped)




commit strongswan for openSUSE:Factory

2012-02-16 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2012-02-16 15:01:43

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2011-12-25 
17:42:14.0 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2012-02-16 15:02:26.0 +0100
@@ -1,0 +2,53 @@
+Wed Feb 15 13:31:40 UTC 2012 - m...@suse.com
+
+- Updated to strongSwan 4.6.1 release:
+  Changes in 4.6.1:
+  - Because of changing checksums before and after installation which caused
+the integrity tests to fail we avoided directly linking libsimaka,
+libtls and libtnccs to those libcharon plugins which make use of these
+dynamiclibraries.
+Instead we linked the libraries to the charon daemon. Unfortunately
+Ubuntu 11.10 activated the --as-needed ld option which discards explicit
+links to dynamic libraries that are not actually used by the charon
+daemon itself, thus causing failures during the loading of the plugins
+which depend on these libraries for resolving external symbols.
+  - Therefore our approach of computing  integrity checksums for plugins had
+to be changed radically by moving the hash generation from the
+compilation to the post-installation phase.
+  Changes in 4.6.0:
+  - The new libstrongswan certexpire plugin collects expiration information
+of all used certificates and exports them to CSV files. It either
+directly exports them or uses cron style scheduling for batch exports.
+  - Starter passes unresolved hostnames to charon, allowing it to do name
+resolution not before the connection attempt. This is especially useful
+with connections between hosts using dynamic IP addresses.
+Thanks to Mirko Parthey for the initial patch.
+  - The android plugin can now be used without the Android frontend patch
+and provides DNS server registration and logging to logcat.
+  - Pluto and starter (plus stroke and whack) have been ported to Android.
+  - Support for ECDSA private and public key operations has been added to
+the pkcs11 plugin.  The plugin now also provides DH and ECDH via PKCS#11
+and can use tokens as random number generators (RNG).  By default only
+private key operations are enabled, more advanced features have to be
+enabled by their option in strongswan.conf.  This also applies to public
+key operations (even for keys not stored on the token) which were
+enabled by default before.
+  - The libstrongswan plugin system now supports detailed plugin
+dependencies. Many plugins have been extended to export its capabilities
+and requirements. This allows the plugin loader to resolve plugin
+loading order automatically, and in future releases, to dynamically load
+the required features on demand.
+Existing third party plugins are source (but not binary) compatible if
+they properly initialize the new get_features() plugin function to NULL.
+  - The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can
+deliver metadata about IKE_SAs via a SOAP interface to a MAP server.
+The tnc-ifmap plugin requires the Apache Axis2/C library.
+- Merged patches, changed strongswan-doc to be a noarch package.
+- Fixed rpmlint runlevel  fsf warnings, updated rpmlintrc
+
+---
+Mon Feb  6 10:27:00 UTC 2012 - a...@suse.de
+
+- Only glib.h can be included, fix compilation.
+
+---

Old:

  strongswan-4.5.3-fmt-warnings.patch
  strongswan-4.5.3-rpmlintrc
  strongswan-4.5.3.tar.bz2
  strongswan-4.5.3.tar.bz2.sig

New:

  strongswan-4.6.1-fmt-warnings.patch
  strongswan-4.6.1-glib.patch
  strongswan-4.6.1-rpmlintrc
  strongswan-4.6.1.tar.bz2
  strongswan-4.6.1.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.XrqVjV/_old  2012-02-16 15:02:27.0 +0100
+++ /var/tmp/diff_new_pack.XrqVjV/_new  2012-02-16 15:02:27.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,8 +15,10 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
+
 Name:   strongswan
-Version:4.5.3
+Version:4.6.1
 

commit strongswan for openSUSE:Factory

2011-12-25 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2011-12-25 17:41:51

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:

--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes2011-09-23 
12:47:00.0 +0200
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes   
2011-12-25 17:42:14.0 +0100
@@ -1,0 +2,5 @@
+Wed Dec 21 10:31:49 UTC 2011 - co...@suse.com
+
+- remove call to suse_update_config (very old work around)
+
+---



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.aYPkkN/_old  2011-12-25 17:42:15.0 +0100
+++ /var/tmp/diff_new_pack.aYPkkN/_new  2011-12-25 17:42:15.0 +0100
@@ -15,12 +15,9 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-# norootforbuild
-
-
 Name:   strongswan
 Version:4.5.3
-Release:3
+Release:0
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
 %define strongswan_libdir  %{_libdir}/ipsec
@@ -30,14 +27,13 @@
 %definewith_gcrypt 0%{suse_version} = 1110
 %definewith_nm 0%{suse_version} = 1110
 %definewith_tests  0
+Summary:OpenSource IPsec-based VPN Solution
 License:GPL-2.0+
 Group:  Productivity/Networking/Security
-Summary:OpenSource IPsec-based VPN Solution
 Url:http://www.strongswan.org/
 Requires:   strongswan-ikev1 = %{version}
 Requires:   strongswan-ikev2 = %{version}
 Requires:   strongswan-ipsec = %{version}
-AutoReqProv:on
 Source0:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:%{name}.init.in
@@ -46,11 +42,16 @@
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}-%{version}-fmt-warnings.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  bison flex gmp-devel gperf pkg-config
+BuildRequires:  bison
+BuildRequires:  curl-devel
+BuildRequires:  flex
+BuildRequires:  gmp-devel
+BuildRequires:  gperf
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  openldap2-devel
-BuildRequires:  curl-devel pam-devel
+BuildRequires:  pam-devel
+BuildRequires:  pkg-config
 %if %with_mysql
 BuildRequires:  libmysqlclient-devel
 %endif
@@ -63,7 +64,8 @@
 %if %with_nm
 BuildRequires:  NetworkManager-devel
 %endif
-BuildRequires:  iptables libnl = 1.1
+BuildRequires:  iptables
+BuildRequires:  libnl = 1.1
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -103,9 +105,7 @@
 and others
 
 %package doc
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 
 %description doc
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -120,9 +120,7 @@
 and others
 
 %package libs0
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 Conflicts:  strongswan  %{version}
 
 %description libs0
@@ -131,9 +129,7 @@
 This package provides the strongswan library and plugins.
 
 %package ikev1
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 Requires:   iproute2
 Requires:   strongswan-libs0 = %{version}
 Requires:   strongswan-ipsec = %{version}
@@ -147,9 +143,7 @@
 This package provides the pluto IKEv1 daemon.
 
 %package ikev2
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 Requires:   iproute2
 Requires:   strongswan-libs0 = %{version}
 Requires:   strongswan-daemon-starter = %{version}
@@ -162,9 +156,7 @@
 This package provides the charon IKEv2 daemon.
 
 %package ipsec
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 PreReq: grep %insserv_prereq %fillup_prereq
 Requires:   strongswan-libs0 = %{version}
 Requires:   strongswan-daemon = %{version}
@@ -183,9 +175,7 @@
 %if %with_mysql
 
 %package mysql
-License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
-Group:  Productivity/Networking/Security
 Requires:   strongswan-libs0 = %{version}
 
 %description mysql
@@ -198,9 +188,7 

commit strongswan for openSUSE:Factory

2011-12-06 Thread h_root
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory 
checked in at 2011-12-06 19:06:11

Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and  /work/SRC/openSUSE:Factory/.strongswan.new (New)


Package is strongswan, Maintainer is m...@suse.com

Changes:




Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.OZdeHX/_old  2011-12-06 19:39:22.0 +0100
+++ /var/tmp/diff_new_pack.OZdeHX/_new  2011-12-06 19:39:22.0 +0100
@@ -30,7 +30,7 @@
 %definewith_gcrypt 0%{suse_version} = 1110
 %definewith_nm 0%{suse_version} = 1110
 %definewith_tests  0
-License:GPLv2+
+License:GPL-2.0+
 Group:  Productivity/Networking/Security
 Summary:OpenSource IPsec-based VPN Solution
 Url:http://www.strongswan.org/
@@ -103,7 +103,7 @@
 and others
 
 %package doc
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 
@@ -120,7 +120,7 @@
 and others
 
 %package libs0
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Conflicts:  strongswan  %{version}
@@ -131,7 +131,7 @@
 This package provides the strongswan library and plugins.
 
 %package ikev1
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   iproute2
@@ -147,7 +147,7 @@
 This package provides the pluto IKEv1 daemon.
 
 %package ikev2
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   iproute2
@@ -162,7 +162,7 @@
 This package provides the charon IKEv2 daemon.
 
 %package ipsec
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 PreReq: grep %insserv_prereq %fillup_prereq
@@ -183,7 +183,7 @@
 %if %with_mysql
 
 %package mysql
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   strongswan-libs0 = %{version}
@@ -198,7 +198,7 @@
 %if %with_sqlite
 
 %package sqlite
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   strongswan-libs0 = %{version}
@@ -213,7 +213,7 @@
 %if %with_nm
 
 %package nm
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   strongswan-libs0 = %{version}
@@ -234,7 +234,7 @@
 %package tests
 
 
-License:GPLv2+
+License:GPL-2.0+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
 Requires:   strongswan-libs0 = %{version}





commit strongswan for openSUSE:Factory

2011-09-13 Thread h_root

Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory
checked in at Tue Sep 13 12:32:32 CEST 2011.




--- strongswan/strongswan.changes   2011-09-08 18:07:15.0 +0200
+++ /mounts/work_src_done/STABLE/strongswan/strongswan.changes  2011-09-12 
11:27:04.0 +0200
@@ -1,0 +2,10 @@
+Mon Sep 12 09:26:51 UTC 2011 - co...@suse.com
+
+- remove _service file, too fragile
+
+---
+Mon Sep 12 08:24:36 UTC 2011 - m...@suse.com
+
+- Fixed version in last changelog entry
+
+---
@@ -4 +14 @@
-- Updated to strongSwan 4.5.2 release, changes overview since 4.5.2:
+- Updated to strongSwan 4.5.3 release, changes overview since 4.5.2:

calling whatdependson for head-i586


Old:

  _service
  _service:download_url:strongswan-4.5.3.tar.bz2
  _service:download_url:strongswan-4.5.3.tar.bz2.sig

New:

  strongswan-4.5.3.tar.bz2
  strongswan-4.5.3.tar.bz2.sig



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.oT2zlf/_old  2011-09-13 12:32:25.0 +0200
+++ /var/tmp/diff_new_pack.oT2zlf/_new  2011-09-13 12:32:25.0 +0200
@@ -20,7 +20,7 @@
 
 Name:   strongswan
 Version:4.5.3
-Release:1
+Release:3
 %define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
 %define strongswan_libdir  %{_libdir}/ipsec
@@ -233,6 +233,7 @@
 
 %package tests
 
+
 License:GPLv2+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
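Review bot: this hunk only adds a second blank line between `%package tests` and its `License:` tag; the other subpackages put their tags directly under the `%package` line, so the blank lines should be removed rather than added, and the change is unrelated to the Release bump that motivates the commit.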






Remember to have fun...




commit strongswan for openSUSE:Factory

2011-09-09 Thread h_root

Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory
checked in at Fri Sep 9 12:27:05 CEST 2011.




--- strongswan/strongswan.changes   2011-05-29 16:37:57.0 +0200
+++ /mounts/work_src_done/STABLE/strongswan/strongswan.changes  2011-09-08 
18:07:15.0 +0200
@@ -1,0 +2,30 @@
+Thu Sep  8 16:06:46 UTC 2011 - m...@suse.com
+
+- Updated to strongSwan 4.5.2 release, changes overview since 4.5.2:
+  * Our private libraries (e.g. libstrongswan) are not installed directly in
+prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
+default). The plugins directory is also moved from libexec/ipsec/ to that
+directory.
+  * The dynamic IMC/IMV libraries were moved from the plugins directory to
+a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
+  * Job priorities were introduced to prevent thread starvation caused by too
+many threads handling blocking operations (such as CRL fetching).
+  * Two new strongswan.conf options allow to fine-tune performance on IKEv2
+gateways by dropping IKE_SA_INIT requests on high load.
+  * IKEv2 charon daemon supports PASS and DROP shunt policies
+preventing traffic to go through IPsec connections. Installation of the
+shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
+interfaces.
+  * The history of policies installed in the kernel is now tracked so that e.g.
+trap policies are correctly updated when reauthenticated SAs are 
terminated.
+  * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+Using netstat -l the IMC scans open listening ports on the TNC client
+and sends a port list to the IMV which based on a port policy decides if
+the client is admitted to the network.
+  * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+  * The IKEv2 close action does not use the same value as the ipsec.conf 
dpdaction
+setting, but the value defined by its own closeaction keyword. The action
+is triggered if the remote peer closes a CHILD_SA unexpectedly.
+- Fixed some fmt warnings in libchecksum, adopted paths in the spec file
+
+---
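
Review bot: the first line reads "Updated to strongSwan 4.5.2 release, changes overview since 4.5.2", but the Old/New lists and the spec's "Version: 4.5.3" show this is the 4.5.3 update, so the release number in the entry should be 4.5.3 (the later commit on this page makes exactly that correction). Since the entry announces two new behaviours that affect packaging, the move of the private libraries to prefix/lib/ipsec/ and of the plugins out of libexec/ipsec/, a pointer from here to the spec changes that implement them would help the next updater.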

calling whatdependson for head-i586


Old:

  _service:download_url:strongswan-4.5.2.tar.bz2
  _service:download_url:strongswan-4.5.2.tar.bz2.sig
  strongswan-4.5.2-rpmlintrc

New:

  _service:download_url:strongswan-4.5.3.tar.bz2
  _service:download_url:strongswan-4.5.3.tar.bz2.sig
  strongswan-4.5.3-fmt-warnings.patch
  strongswan-4.5.3-rpmlintrc



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.KVQOKf/_old  2011-09-09 12:26:51.0 +0200
+++ /var/tmp/diff_new_pack.KVQOKf/_new  2011-09-09 12:26:51.0 +0200
@@ -19,16 +19,17 @@
 
 
 Name:   strongswan
-%define upstream_version 4.5.2
+Version:4.5.3
+Release:1
+%define upstream_version   %{version}
 %define strongswan_docdir  %{_docdir}/%{name}
-%define strongswan_plugins %{_libexecdir}/ipsec/plugins
+%define strongswan_libdir  %{_libdir}/ipsec
+%define strongswan_plugins %{strongswan_libdir}/plugins
 %definewith_mysql  1
 %definewith_sqlite 0%{suse_version} = 1110
 %definewith_gcrypt 0%{suse_version} = 1110
 %definewith_nm 0%{suse_version} = 1110
 %definewith_tests  0
-Version:4.5.2
-Release:1
 License:GPLv2+
 Group:  Productivity/Networking/Security
 Summary:OpenSource IPsec-based VPN Solution
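
Review bot: with strongswan_plugins now resolving under %{strongswan_libdir} (%{_libdir}/ipsec) instead of %{_libexecdir}/ipsec/plugins, every %files entry, the "@libexecdir@" substitution applied to strongswan.init.in further down, and any rpmlintrc exception still naming the libexec path must follow; the %files section is not part of this diff, so verify it separately. Note also that the unchanged conditionals appear here as "0%{suse_version} = 1110", an exact match that would only select a single release; if ">=" was intended, check the file, because a lost operator silently disables the sqlite, gcrypt and nm plugins on newer releases.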
@@ -43,6 +44,7 @@
 Source3:%{name}-%{version}-rpmlintrc
 Source4:README.SUSE
 Patch1: %{name}_modprobe_syslog.patch
+Patch2: %{name}-%{version}-fmt-warnings.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
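
Review bot: "Patch2: %{name}-%{version}-fmt-warnings.patch" embeds the package version in the patch file name, so every version bump forces a rename (and a New:/Old: churn in the commit) even when the patch still applies unchanged; a version-independent name such as %{name}-fmt-warnings.patch avoids that.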
@@ -61,6 +63,7 @@
 %if %with_nm
 BuildRequires:  NetworkManager-devel
 %endif
+BuildRequires:  iptables libnl = 1.1
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
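
Review bot: "BuildRequires:  iptables libnl = 1.1" pins libnl to exactly 1.1, so the build breaks the moment libnl is updated; if a minimum version is meant, spell it ">= 1.1". It is also worth stating why iptables is a build-time dependency at all; if it is only needed at runtime (for example by the init script), it belongs in Requires instead.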
@@ -229,6 +232,7 @@
 %if %with_tests
 
 %package tests
+
 License:GPLv2+
 Summary:OpenSource IPsec-based VPN Solution
 Group:  Productivity/Networking/Security
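
Review bot: whitespace-only hunk, a blank line added after "%package tests" inside %if %with_tests; either drop it or keep it to one, because the follow-up commit on this page adds yet another blank line at the same spot.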
@@ -245,6 +249,7 @@
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
+%patch2 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'\
   $RPM_SOURCE_DIR/strongswan.init.in \
   strongswan.init
@@ -325,8 +330,8 @@
 #
 EOT
 #
-rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.{so,a,la}
-find  $RPM_BUILD_ROOT%{_libexecdir}/ipsec \
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
+find  $RPM_BUILD_ROOT%{strongswan_libdir} \
   -name *.a -o -name *.la | xargs -r rm -f
 #
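
Review bot: in the find invocation that survives this hunk, "-name *.a -o -name *.la" leaves the globs unquoted, so the shell expands them against the current directory before find sees them; quote them as '*.a' and '*.la'. The replacement rm line is narrower than the old one on purpose, since the old "lib*.{so,a,la}" glob in %{strongswan_libdir} would now also hit the plugin .so files living in that tree, but that reasoning is not obvious from the line itself; a one-line comment naming why only lib{charon,hydra,strongswan}.so are removed will stop a future updater from "simplifying" it back to a glob.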
 

commit strongswan for openSUSE:Factory

2011-06-28 Thread h_root

Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory
checked in at Tue Jun 28 11:25:18 CEST 2011.




--- strongswan/strongswan.changes   2010-11-22 10:12:07.0 +0100
+++ /mounts/work_src_done/STABLE/strongswan/strongswan.changes  2011-05-29 
16:37:57.0 +0200
@@ -1,0 +2,58 @@
+Sun May 29 16:37:00 UTC 2011 - jcnen...@googlemail.com
+
+- Updated to strongSwan 4.5.2 release, changes overview since 4.5.1:
+  * The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
+whitelist. Any connection attempt of peers not whitelisted will get 
rejected.
+The 'ipsec whitelist' utility provides a simple command line frontend for
+whitelist administration.
+  * The duplicheck plugin provides a specialized form of duplicate checking,
+doing a liveness check on the old SA and optionally notify a third party
+application about detected duplicates.
+  * The coupling plugin permanently couples two or more devices by limiting
+authentication to previously used certificates.
+  * In the case that the peer config and child config don't have the same name
+(usually in SQL database defined connections), ipsec up|route peer config
+starts|routes all associated child configs and ipsec up|route child 
config
+only starts|routes the specific child config.
+  * fixed the encoding and parsing of X.509 certificate policy statements 
(CPS).
+  * Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
+pcsc-lite based SIM card backend.
+  * The eap-peap plugin implements the EAP PEAP protocol. Interoperates
+successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
+  * The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
+all plugins to reload. Currently only the eap-radius and the attr plugins
+support configuration reloading.
+  * Added userland support to the IKEv2 daemon for Extended Sequence Numbers
+support coming with Linux 2.6.39. To enable ESN on a connection, add
+the 'esn' keyword to the proposal. The default proposal uses 32-bit 
sequence
+numbers only ('noesn'), and the same value is used if no ESN mode is
+specified. To negotiate ESN support with the peer, include both, e.g.
+esp=aes128-sha1-esn-noesn.
+  * In addition to ESN, Linux 2.6.39 gained support for replay windows larger
+than 32 packets. The new global strongswan.conf option 
'charon.replay_window'
+configures the size of the replay window, in packets.
+
+---
+Mon Mar 14 10:59:32 UTC 2011 - m...@suse.de
+
+- Updated to strongSwan 4.5.1 release, changes overview since 4.5.0:
+  * Implements RFC 5793 Posture Broker Protocol (BP)
+  * Re-implemented TNCCS 1.1 protocol
+  * Allows to store IKE and ESP proposals in an SQL database
+  * Allows to store CRL and OCSP cert points in an SQL database
+  * New 'include' statement in strongswan.conf allows recursions
+  * Modifications of strongswan.conf parser, cause syntax attr plugin
+syntax changes.
+  * ipsec listalgs now appends the plugin registering an algo
+  * Adds support for Traffic Flow Confidentiality with Linux 2.6.38
+  * New af-alg plugin allows to use new primitives in 2.6.38 crypto api
+and removes the need for additional userland implementations.
+  * IKEv2 daemon supports the INITIAL_CONTACT notify
+  * conftest conformance testing framework
+  * new constraints plugin provides advanced X.509 constraint checking
+  * left/rightauth ipsec.conf keywords accept minimum strengths
+  * basic support for delta CRLs
+  See the NEWS file or http://download.strongswan.org/CHANGES4.txt
+  for a detailed description of the changes.
+
+---
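
Review bot: the 4.5.2 and 4.5.1 entries tie several features to specific kernel versions (ESN and the charon.replay_window option need Linux 2.6.39; Traffic Flow Confidentiality and the af-alg plugin need 2.6.38), but an RPM cannot express a runtime kernel requirement, so the package will install on older kernels where those options fail silently at SA setup. A short note in README.SUSE listing which strongswan.conf and proposal keywords need which kernel would save users from that failure mode.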

calling whatdependson for head-i586


Old:

  strongswan-4.4.0-rpmlintrc
  strongswan-4.5.0-rpmlintrc
  strongswan-4.5.0.tar.bz2
  strongswan-4.5.0.tar.bz2.sig

New:

  _service
  _service:download_url:strongswan-4.5.2.tar.bz2
  _service:download_url:strongswan-4.5.2.tar.bz2.sig
  strongswan-4.5.2-rpmlintrc



Other differences:
--
++ strongswan.spec ++
--- /var/tmp/diff_new_pack.YtzpYH/_old  2011-06-28 11:13:12.0 +0200
+++ /var/tmp/diff_new_pack.YtzpYH/_new  2011-06-28 11:13:12.0 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package strongswan (Version 4.5.0)
+# spec file for package strongswan
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 
 
 Name:   strongswan
-%define upstream_version 4.5.0
+%define upstream_version 4.5.2
 %define