Hello community,

here is the log from the commit of package strongswan for openSUSE:13.1 checked 
in at 2013-11-04 09:31:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1/strongswan (Old)
 and      /work/SRC/openSUSE:13.1/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan"

Changes:
--------
--- /work/SRC/openSUSE:13.1/strongswan/strongswan.changes       2013-09-23 
11:09:41.000000000 +0200
+++ /work/SRC/openSUSE:13.1/.strongswan.new/strongswan.changes  2013-11-04 
09:31:59.000000000 +0100
@@ -1,0 +2,63 @@
+Fri Nov  1 12:28:39 UTC 2013 - m...@suse.de
+
+- Updated to strongSwan 5.1.1 minor release addressing two security
+  fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
+  - Fixed a denial-of-service vulnerability and potential authorization
+    bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
+    is an insufficient length check when comparing such identities. The
+    vulnerability has been registered as CVE-2013-6075.
+  - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+    fragmentation payload. The cause is a NULL pointer dereference. The
+    vulnerability has been registered as CVE-2013-6076.
+  - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
+    session with a strongSwan policy enforcement point which uses the
+    tnc-pdp charon plugin.
+  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
+    for either full SWID Tag or concise SWID Tag ID inventories.
+  - The XAuth backend in eap-radius now supports multiple XAuth
+    exchanges for different credential types and display messages.
+    All user input gets concatenated and verified with a single
+    User-Password RADIUS attribute on the AAA. With an AAA supporting
+    it, one for example can implement Password+Token authentication with
+    proper dialogs on iOS and OS X clients.  - charon supports IKEv1 Mode
+    Config exchange in push mode. The ipsec.conf modeconfig=push option
+    enables it for both client and server, the same way as pluto used it.
+  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
+    connections, charon can negotiate and install Security Associations
+    integrity-protected by the Authentication Header protocol. Supported
+    are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
+    ESP+AH bundles.
+  - The generation of initialization vectors for IKE and ESP (when using
+    libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
+    allocated sequentially, while other algorithms like AES-CBC still
+    use random IVs.
+  - The left and right options in ipsec.conf can take multiple address
+    ranges and subnets. This allows connection matching against a larger
+    set of addresses, for example to use a different connection for clients
+    connecting from a internal network.
+  - For all those who have a queasy feeling about the NIST elliptic curve
+    set, the Brainpool curves introduced for use with IKE by RFC 6932 might
+    be a more trustworthy alternative.
+  - The kernel-libipsec userland IPsec backend now supports usage
+    statistics, volume based rekeying and accepts ESPv3 style TFC padded
+    packets.
+  - With two new strongswan.conf options fwmarks can be used to implement
+    host-to-host tunnels with kernel-libipsec.
+  - load-tester supports transport mode connections and more complex
+    traffic selectors, including such using unique ports for each tunnel.
+  - The new dnscert plugin provides support for authentication via CERT
+    RRs that are protected via DNSSEC.  The plugin was created by Ruslan
+    N. Marchenko.
+  - The eap-radius plugin supports forwarding of several Cisco Unity
+    specific RADIUS attributes in corresponding configuration payloads.
+  - Database transactions are now abstracted and implemented by the two
+    backends. If you use MySQL make sure all tables use the InnoDB engine.
+  - libstrongswan now can provide an experimental custom implementation
+    of the printf family functions based on klibc if neither Vstr nor
+    glibc style printf hooks are available. This can avoid the Vstr
+    dependency on some systems at the cost of slower and less complete
+    printf functions.
+- Adjusted file lists: this version installs the pki utility and manuals
+  in common /usr directories and additional ipsec/pt-tls-client helper.
+
+-------------------------------------------------------------------
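
Review bot: The "charon supports IKEv1 Mode Config exchange in push mode" entry is run onto the end of the eap-radius XAuth bullet ("... on iOS and OS X clients.  - charon supports IKEv1 Mode"), so the modeconfig=push item reads as part of the XAuth entry. It should start on its own line as a separate "  - " bullet like the others. In the left/right entry, "from a internal network" should read "from an internal network".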

Old:
----
  strongswan-5.1.0-rpmlintrc
  strongswan-5.1.0.tar.bz2
  strongswan-5.1.0.tar.bz2.sig

New:
----
  strongswan-5.1.1-rpmlintrc
  strongswan-5.1.1.tar.bz2
  strongswan-5.1.1.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.V28nS3/_old  2013-11-04 09:31:59.000000000 +0100
+++ /var/tmp/diff_new_pack.V28nS3/_new  2013-11-04 09:31:59.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.1.0
+Version:        5.1.1
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
@@ -421,7 +421,9 @@
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
 %endif
+%{_bindir}/pki
 %{_sbindir}/ipsec
+%{_mandir}/man1/pki*.1*
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
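
Review bot: The added "%{_bindir}/pki" puts a very generic command name into the shared /usr/bin namespace, and "%{_mandir}/man1/pki*.1*" claims every man1 page that starts with "pki". Check that no other package in the distribution ships a /usr/bin/pki or matching man pages, and add a Conflicts tag or rename the binary if one does. Listing the expected man pages explicitly instead of using the glob would also make an unexpected new page fail the build rather than be packaged silently.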
@@ -433,8 +435,8 @@
 %{_libexecdir}/ipsec/conftest
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/openac
-%{_libexecdir}/ipsec/pki
 %{_libexecdir}/ipsec/pool
+%{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke
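
Review bot: Dropping "%{_libexecdir}/ipsec/pki" here removes the old helper path with no compatibility symlink, and the changes entry only says that pki is now installed in common /usr directories, not that the old location is gone. Confirm that the "ipsec pki" wrapper and any local scripts calling the old path still resolve the tool after the update, or state the path change explicitly in the changes entry.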

++++++ strongswan-5.1.0-rpmlintrc -> strongswan-5.1.1-rpmlintrc ++++++

++++++ strongswan-5.1.0.tar.bz2 -> strongswan-5.1.1.tar.bz2 ++++++
++++ 172689 lines of diff (skipped)
