Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2018-06-08 23:13:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan"

Fri Jun  8 23:13:27 2018 rev:68 rq:613646 version:5.6.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2018-03-24 16:15:21.275552728 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2018-06-08 23:13:33.336202525 +0200
@@ -1,0 +2,68 @@ +Tue Apr 17 13:24:38 UTC 2018 - bjorn....@gmail.com + +- Update to version 5.6.2: + * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS + signatures that was caused by insufficient input validation. + One of the configurable parameters in algorithm identifier + structures for RSASSA-PSS signatures is the mask generation + function (MGF). Only MGF1 is currently specified for this + purpose. However, this in turn takes itself a parameter that + specifies the underlying hash function. strongSwan's parser did + not correctly handle the case of this parameter being absent, + causing an undefined data read. This vulnerability has been + registered as CVE-2018-6459. + * When rekeying IKEv2 IKE_SAs the previously negotiated DH group + will be reused, instead of using the first configured group, + which avoids an additional exchange if the peer previously + selected a different DH group via INVALID_KE_PAYLOAD notify. + The same is also done when rekeying CHILD_SAs except for the + first rekeying of the CHILD_SA that was created with the + IKE_SA, where no DH group was negotiated yet. Also, the + selected DH group is moved to the front in all sent proposals + that contain it and all proposals that don't are moved to the + back in order to convey the preference for this group to the + peer. + * Handling of MOBIKE task queuing has been improved. In + particular, the response to an address update (with NAT-D + payloads) is not ignored anymore if only an address list update + or DPD is queued as that could prevent updating the UDP + encapsulation in the kernel. + * On Linux, roam events may optionally be triggered by changes to + the routing rules, which can be useful if routing rules + (instead of e.g. route metrics) are used to switch from one to + another interface (i.e. from one to another routing table). 
+ Since routing rules are currently not evaluated when doing + route lookups this is only useful if the kernel-based route + lookup is used (4664992f7d). + * The fallback drop policies installed to avoid traffic leaks + when replacing addresses in installed policies are now replaced + by temporary drop policies, which also prevent acquires because + we currently delete and reinstall IPsec SAs to update their + addresses (35ef1b032d). + * Access X.509 certificates held in non-volatile storage of a TPM + 2.0 referenced via the NV index. + * Adding the --keyid parameter to pki --print allows to print + private keys or certificates stored in a smartcard or a TPM + 2.0. + * Fixed proposal selection if a peer incorrectly sends DH groups + in the ESP proposal during IKE_AUTH and also if a DH group is + configured in the local ESP proposal and + charon.prefer_configured_proposals is disabled (d058fd3c32). + * The lookup for PSK secrets for IKEv1 has been improved for + certain scenarios (see #2497 for details). + * MSKs received via RADIUS are now padded to 64 bytes to avoid + compatibility issues with EAP-MSCHAPv2 and PRFs that have a + block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013). + * The tpm_extendpcr command line tool extends a digest into a TPM + PCR. + * Ported the NetworkManager backend from the deprecated + libnm-glib to libnm. + * The save-keys debugging/development plugin saves IKE and/or ESP + keys to files compatible with Wireshark. +- Following upstreams port, replace NetworkManager-devel with + pkgconfig(libnm) BuildRequires. +- Refresh patches with quilt. +- Disable strongswan_fipsfilter.patch, needs rebase or dropping, + the file it patches no longer exists in tarball. 
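Review bot: the changes entry names CVE-2018-6459 but carries no bugzilla reference (bsc#/boo#), which the openSUSE security team needs to track the fix; add the tracking bug next to the CVE. The update jumps from 5.6.0 to 5.6.2 (see the Old/New tarball list), yet the entry summarizes only the 5.6.2 release notes; the 5.6.1 changes should be listed as well so the changelog covers the whole jump. The %files diff further adds the counters and mgf1 plugins with their .conf files, but the entry says nothing about them; add a line that these two plugins are now packaged, since a newly packaged plugin changes what charon loads on existing installations.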
+ +------------------------------------------------------------------- Old: ---- strongswan-5.6.0-rpmlintrc strongswan-5.6.0.tar.bz2 strongswan-5.6.0.tar.bz2.sig New: ---- strongswan-5.6.2-rpmlintrc strongswan-5.6.2.tar.bz2 strongswan-5.6.2.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.sAVnb2/_old 2018-06-08 23:13:34.292168003 +0200 +++ /var/tmp/diff_new_pack.sAVnb2/_new 2018-06-08 23:13:34.296167859 +0200 @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.6.0 +Version: 5.6.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -62,7 +62,7 @@ %bcond_with systemd %endif Summary: IPsec-based VPN solution -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Productivity/Networking/Security Url: http://www.strongswan.org/ Requires: strongswan-ipsec = %{version} @@ -80,6 +80,7 @@ Patch2: %{name}_ipsec_service.patch %if %{with fipscheck} Patch3: %{name}_fipscheck.patch +# Patch4 needs rebase, file it patches no longer exists in tarball. Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch @@ -107,7 +108,7 @@ BuildRequires: libgcrypt-devel %endif %if %{with nm} -BuildRequires: NetworkManager-devel +BuildRequires: pkgconfig(libnm) %endif %if %{with systemd} %{?systemd_requires} @@ -253,11 +254,12 @@ %prep %setup -q -n %{name}-%{upstream_version} -%patch1 -p0 -%patch2 -p0 +%patch1 -p1 +%patch2 -p1 %if %{with fipscheck} %patch3 -p1 -%patch4 -p1 +# Needs rebase, file it patches no longer exists. +#patch4 -p1 %endif %patch5 -p1 %patch6 -p1 
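Review bot: Patch4 (strongswan_fipsfilter.patch) stays listed as a source while its application in %prep is commented out, so a --with fipscheck build silently loses whatever the FIPS filter patch enforced, and rpmlint will flag the listed-but-unapplied patch (patch-not-applied). Either rebase it before shipping or drop the Patch4: line together with the patch file, and state in the changes entry what the fipscheck build loses in the meantime. Writing the disabled line as `#patch4 -p1` without the % is correct, since rpm expands %patch even inside a comment; `#%%patch4 -p1` is the other safe spelling. The -p0 to -p1 change for Patch1 and Patch2 matches the refreshed Index:/strongswan-5.6.2.orig headers those patches now carry.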
@@ -617,6 +619,7 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} @@ -671,6 +674,7 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf @@ -742,6 +746,7 @@ %{strongswan_plugins}/libstrongswan-ccm.so %{strongswan_plugins}/libstrongswan-certexpire.so %{strongswan_plugins}/libstrongswan-cmac.so +%{strongswan_plugins}/libstrongswan-counters.so %{strongswan_plugins}/libstrongswan-constraints.so %{strongswan_plugins}/libstrongswan-coupling.so %{strongswan_plugins}/libstrongswan-ctr.so @@ -784,6 +789,7 @@ %{strongswan_plugins}/libstrongswan-led.so %{strongswan_plugins}/libstrongswan-md4.so %{strongswan_plugins}/libstrongswan-md5.so +%{strongswan_plugins}/libstrongswan-mgf1.so %{strongswan_plugins}/libstrongswan-nonce.so %{strongswan_plugins}/libstrongswan-openssl.so %{strongswan_plugins}/libstrongswan-pem.so 
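Review bot: in both %files hunks the new counters entries break the alphabetical order the lists otherwise keep: counters.conf and libstrongswan-counters.so are inserted before constraints.conf / libstrongswan-constraints.so although "constraints" sorts before "counters" (the mgf1 entries sit correctly between md5 and nonce). Move the two counters lines one entry down; the same slip recurs in the templates hunks for counters.conf. The new config files get the same %config(noreplace) %attr(600,root,root) as the rest of the charon config files, which is consistent.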
@@ -842,6 +848,7 @@ %{strongswan_templates}/config/plugins/ccm.conf %{strongswan_templates}/config/plugins/certexpire.conf %{strongswan_templates}/config/plugins/cmac.conf +%{strongswan_templates}/config/plugins/counters.conf %{strongswan_templates}/config/plugins/constraints.conf %{strongswan_templates}/config/plugins/coupling.conf %{strongswan_templates}/config/plugins/ctr.conf @@ -884,6 +891,7 @@ %{strongswan_templates}/config/plugins/led.conf %{strongswan_templates}/config/plugins/md4.conf %{strongswan_templates}/config/plugins/md5.conf +%{strongswan_templates}/config/plugins/mgf1.conf %{strongswan_templates}/config/plugins/nonce.conf %{strongswan_templates}/config/plugins/openssl.conf %{strongswan_templates}/config/plugins/pem.conf ++++++ 0006-fix-compilation-error-by-adding-stdint.h.patch ++++++ --- /var/tmp/diff_new_pack.sAVnb2/_old 2018-06-08 23:13:34.320166992 +0200 +++ /var/tmp/diff_new_pack.sAVnb2/_new 2018-06-08 23:13:34.320166992 +0200 @@ -15,10 +15,10 @@ src/libstrongswan/utils/utils/memory.h | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h -index b978e7c..55aaaf5 100644 ---- a/src/libstrongswan/utils/utils/memory.h -+++ b/src/libstrongswan/utils/utils/memory.h +Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h +=================================================================== +--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200 ++++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200 @@ -22,6 +22,8 @@ #ifndef MEMORY_H_ #define MEMORY_H_ 
@@ -28,6 +28,3 @@ /** * Helper function that compares two binary blobs for equality */ --- -2.14.1 - ++++++ strongswan-5.6.0-rpmlintrc -> strongswan-5.6.2-rpmlintrc ++++++ ++++++ strongswan-5.6.0.tar.bz2 -> strongswan-5.6.2.tar.bz2 ++++++ ++++ 76449 lines of diff (skipped) ++++++ strongswan_ipsec_service.patch ++++++ --- /var/tmp/diff_new_pack.sAVnb2/_old 2018-06-08 23:13:41.095922303 +0200 +++ /var/tmp/diff_new_pack.sAVnb2/_new 2018-06-08 23:13:41.099922158 +0200 @@ -1,6 +1,8 @@ ---- init/systemd/strongswan.service.in -+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 -@@ -8,3 +8,4 @@ StandardOutput=syslog +Index: strongswan-5.6.2/init/systemd/strongswan.service.in +=================================================================== +--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in 2017-02-07 08:04:04.000000000 +0100 ++++ strongswan-5.6.2/init/systemd/strongswan.service.in 2018-04-17 16:53:57.546334751 +0200 +@@ -9,3 +9,4 @@ Restart=on-abnormal [Install] WantedBy=multi-user.target ++++++ strongswan_modprobe_syslog.patch ++++++ --- /var/tmp/diff_new_pack.sAVnb2/_old 2018-06-08 23:13:41.107921869 +0200 +++ /var/tmp/diff_new_pack.sAVnb2/_new 2018-06-08 23:13:41.107921869 +0200 @@ -1,5 +1,7 @@ ---- src/starter/klips.c -+++ src/starter/klips.c 2012/10/30 17:07:23 +Index: strongswan-5.6.2/src/starter/klips.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200 @@ -30,7 +30,7 @@ bool starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) 
@@ -22,9 +24,11 @@ DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; ---- src/starter/netkey.c -+++ src/starter/netkey.c 2012/10/30 17:07:02 -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) +Index: strongswan-5.6.2/src/starter/netkey.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200 +@@ -30,7 +30,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { @@ -33,7 +37,7 @@ } /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) +@@ -44,11 +44,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) {
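Review bot: the refresh of 0006-fix-compilation-error-by-adding-stdint.h.patch replaces the git diff/index header with a quilt Index: header and drops the `-- 2.14.1` trailer, but keeps the `1 file changed, 2 insertions(+)` diffstat from the git format; that mix makes the patch look git-generated when it no longer is, and the original index hashes that identified the upstream state are gone. Either keep the git header intact or drop the stale diffstat along with the trailer. For strongswan_ipsec_service.patch the hunk context moves from `StandardOutput=syslog` to `Restart=on-abnormal`, i.e. the upstream unit file changed between the two releases; worth checking that the line the patch appends after `WantedBy=multi-user.target` is still needed with the new unit, since the diff shown here cuts off before it. The strongswan_modprobe_syslog.patch refresh on src/starter/klips.c and src/starter/netkey.c only shifts hunk offsets and changes no content.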