Hello community,

here is the log from the commit of package strongswan for openSUSE:13.1 checked in at 2013-11-04 09:31:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1/strongswan (Old)
 and /work/SRC/openSUSE:13.1/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Changes: -------- --- /work/SRC/openSUSE:13.1/strongswan/strongswan.changes 2013-09-23 11:09:41.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.strongswan.new/strongswan.changes 2013-11-04 09:31:59.000000000 +0100 
@@ -1,0 +2,63 @@ +Fri Nov 1 12:28:39 UTC 2013 - m...@suse.de + +- Updated to strongSwan 5.1.1 minor release addressing two security + fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076): + - Fixed a denial-of-service vulnerability and potential authorization + bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause + is an insufficient length check when comparing such identities. The + vulnerability has been registered as CVE-2013-6075. + - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 + fragmentation payload. The cause is a NULL pointer dereference. The + vulnerability has been registered as CVE-2013-6076. + - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS + session with a strongSwan policy enforcement point which uses the + tnc-pdp charon plugin. + - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests + for either full SWID Tag or concise SWID Tag ID inventories. + - The XAuth backend in eap-radius now supports multiple XAuth + exchanges for different credential types and display messages. + All user input gets concatenated and verified with a single + User-Password RADIUS attribute on the AAA. With an AAA supporting + it, one for example can implement Password+Token authentication with + proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode + Config exchange in push mode. The ipsec.conf modeconfig=push option + enables it for both client and server, the same way as pluto used it. + - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 + connections, charon can negotiate and install Security Associations + integrity-protected by the Authentication Header protocol. Supported + are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style + ESP+AH bundles. + - The generation of initialization vectors for IKE and ESP (when using + libipsec) is now modularized and IVs for e.g. 
AES-GCM are now correctly + allocated sequentially, while other algorithms like AES-CBC still + use random IVs. + - The left and right options in ipsec.conf can take multiple address + ranges and subnets. This allows connection matching against a larger + set of addresses, for example to use a different connection for clients + connecting from a internal network. + - For all those who have a queasy feeling about the NIST elliptic curve + set, the Brainpool curves introduced for use with IKE by RFC 6932 might + be a more trustworthy alternative. + - The kernel-libipsec userland IPsec backend now supports usage + statistics, volume based rekeying and accepts ESPv3 style TFC padded + packets. + - With two new strongswan.conf options fwmarks can be used to implement + host-to-host tunnels with kernel-libipsec. + - load-tester supports transport mode connections and more complex + traffic selectors, including such using unique ports for each tunnel. + - The new dnscert plugin provides support for authentication via CERT + RRs that are protected via DNSSEC. The plugin was created by Ruslan + N. Marchenko. + - The eap-radius plugin supports forwarding of several Cisco Unity + specific RADIUS attributes in corresponding configuration payloads. + - Database transactions are now abstracted and implemented by the two + backends. If you use MySQL make sure all tables use the InnoDB engine. + - libstrongswan now can provide an experimental custom implementation + of the printf family functions based on klibc if neither Vstr nor + glibc style printf hooks are available. This can avoid the Vstr + dependency on some systems at the cost of slower and less complete + printf functions. +- Adjusted file lists: this version installs the pki utility and manuals + in common /usr directories and additional ipsec/pt-tls-client helper. 
+ +------------------------------------------------------------------- Old: ---- strongswan-5.1.0-rpmlintrc strongswan-5.1.0.tar.bz2 strongswan-5.1.0.tar.bz2.sig New: ---- strongswan-5.1.1-rpmlintrc strongswan-5.1.1.tar.bz2 strongswan-5.1.1.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.V28nS3/_old 2013-11-04 09:31:59.000000000 +0100 +++ /var/tmp/diff_new_pack.V28nS3/_new 2013-11-04 09:31:59.000000000 +0100 @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.1.0 +Version: 5.1.1 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -421,7 +421,9 @@ %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec %endif +%{_bindir}/pki %{_sbindir}/ipsec +%{_mandir}/man1/pki*.1* %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* @@ -433,8 +435,8 @@ %{_libexecdir}/ipsec/conftest %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/openac -%{_libexecdir}/ipsec/pki %{_libexecdir}/ipsec/pool +%{_libexecdir}/ipsec/pt-tls-client %{_libexecdir}/ipsec/scepclient %{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/stroke ++++++ strongswan-5.1.0-rpmlintrc -> strongswan-5.1.1-rpmlintrc ++++++ ++++++ strongswan-5.1.0.tar.bz2 -> strongswan-5.1.1.tar.bz2 ++++++ ++++ 172689 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
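Review bot: In the strongswan.changes hunk (@@ -1,0 +2,63 @@), the item "- charon supports IKEv1 Mode Config exchange in push mode" begins in the middle of the last line of the eap-radius XAuth item ("... on iOS and OS X clients. - charon supports IKEv1 Mode") instead of on its own "- " line, so it reads as part of the XAuth entry; move it to a separate bullet. In the same hunk, "connecting from a internal network" should read "an internal network". The MySQL/InnoDB requirement is an action administrators must take on upgrade but sits among the feature notes; consider placing it directly after the two CVE items so it is not missed.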
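Review bot: In the strongswan.spec hunk at @@ -421,7 +421,9 @@, the added %{_bindir}/pki installs a very generic command name into the shared binary directory, where it can collide at install time with any other package that ships a file of the same name. Check the distribution for an existing owner of that path before this lands, and add an explicit Conflicts or a rename if one exists. The paired %{_mandir}/man1/pki*.1* glob also matches any man1 page whose name merely begins with "pki", so the same check applies to the manual pages.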
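Review bot: In the strongswan.spec hunk at @@ -433,8 +435,8 @@, %{_libexecdir}/ipsec/pki is removed with no compatibility symlink, so scripts or certificate tooling that call the helper by its old path will fail after the update. The strongswan.changes entry says only that pki is now installed in common /usr directories and does not state that the old location goes away. Either keep a symlink at the old path for a transition period or spell out the removal in the changes entry. The new %{_libexecdir}/ipsec/pt-tls-client is added to the same file list as the core helpers; since the changelog describes it as a stand-alone client, consider whether it belongs in a separate subpackage so hosts that only run the IKE daemon do not install it.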