Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory
checked in at Thu Apr 2 18:51:34 CEST 2009.
--------
--- strongswan/strongswan.changes 2008-10-20 09:27:15.000000000 +0200
+++ strongswan/strongswan.changes 2009-03-31 17:21:40.000000000 +0200
@@ -1,0 +2,27 @@
+Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
+
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+ denial of service vulnerability registered as CVE-2009-0790,
+ that had been slumbering in the code for many years:
+ * A vulnerability in the Dead Peer Detection (RFC 3706) code
+ was found by Gerd v. Egidy of
+ Intra2net AG affecting all Openswan and strongSwan releases.
+ A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+ Dead Peer Detection packet can cause the pluto IKE daemon to
+ crash and restart. No authentication or encryption is required
+ to trigger this bug. One spoofed UDP packet can cause the pluto
+ IKE daemon to restart and be unresponsive for a few seconds
+ while restarting. This DPD null state vulnerability has been
+ officially registered as CVE-2009-0790 and is fixed by this
+ release.
+ * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+ relays EAP messages to and from a RADIUS server. Succesfully
+ tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+ * ASN.1 to time_t conversion caused a time wrap-around for dates
+ after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+ As a workaround such dates are set to the maximum representable
+ time, i.e. Jan 19 03:14:07 UTC 2038.
+ * Distinguished Names containing wildcards (*) are not sent in the
+ IDr payload anymore.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
strongswan-4.2.8.dif
strongswan-4.2.8-rpmlintrc
strongswan-4.2.8.tar.bz2
strongswan-4.2.8.tar.bz2.sig
New:
----
strongswan-4.2.14-rpmlintrc
strongswan-4.2.14.tar.bz2
strongswan-4.2.14.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.Rw5527/_old 2009-04-02 18:50:16.000000000 +0200
+++ /var/tmp/diff_new_pack.Rw5527/_new 2009-04-02 18:50:16.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package strongswan (Version 4.2.8)
+# spec file for package strongswan (Version 4.2.14)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,9 +19,9 @@
Name: strongswan
-%define upstream_version 4.2.8
+%define upstream_version 4.2.14
%define strongswan_docdir %{_docdir}/%{name}
-Version: 4.2.8
+Version: 4.2.14
Release: 1
License: GPL v2 or later
Group: Productivity/Networking/Security
@@ -38,8 +38,7 @@
Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Patch1: %{name}_modprobe_syslog.dif
-Patch2: %{name}-%{upstream_version}.dif
-Patch3: %{name}_update-dns-server.dif
+Patch2: %{name}_update-dns-server.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config
%if 0%{?suse_version} >= 1030
@@ -136,7 +135,6 @@
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
-%patch3 -p0
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -269,6 +267,30 @@
%{_mandir}/man8/starter.8*
%changelog
+* Tue Mar 31 2009 mt@suse.de
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+ denial of service vulnerability registered as CVE-2009-0790,
+ that had been slumbering in the code for many years:
+ * A vulnerability in the Dead Peer Detection (RFC 3706) code
+ was found by Gerd v. Egidy of
+ Intra2net AG affecting all Openswan and strongSwan releases.
+ A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+ Dead Peer Detection packet can cause the pluto IKE daemon to
+ crash and restart. No authentication or encryption is required
+ to trigger this bug. One spoofed UDP packet can cause the pluto
+ IKE daemon to restart and be unresponsive for a few seconds
+ while restarting. This DPD null state vulnerability has been
+ officially registered as CVE-2009-0790 and is fixed by this
+ release.
+ * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+ relays EAP messages to and from a RADIUS server. Succesfully
+ tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+ * ASN.1 to time_t conversion caused a time wrap-around for dates
+ after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+ As a workaround such dates are set to the maximum representable
+ time, i.e. Jan 19 03:14:07 UTC 2038.
+ * Distinguished Names containing wildcards (*) are not sent in the
+ IDr payload anymore.
* Mon Oct 20 2008 mt@suse.de
- Updated to 4.2.8 release:
* IKEv2 charon daemon supports authentication based on raw public
@@ -360,7 +382,7 @@
- Added patch adding a missed file name argument in printf call in the
scripts/thread_analysis.c file -- resulting binary is not installed.
- Removed obsolete patches crash_badcfg_reload and old-caps-version.
-* Tue Jul 01 2008 mt@suse.de
+* Mon Jun 30 2008 mt@suse.de
- Added fix that explicitly enables version 1 linux capabilities
on version 2 systems to aviod that the charon and pluto daemons
exit because of failed capset call (bnc#404989).
++++++ strongswan-4.2.8-rpmlintrc -> strongswan-4.2.14-rpmlintrc ++++++
--- strongswan/strongswan-4.2.8-rpmlintrc 2008-10-14 13:21:50.000000000 +0200
+++ strongswan/strongswan-4.2.14-rpmlintrc 2009-04-02 17:06:12.000000000 +0200
@@ -1,4 +1,3 @@
addFilter('strongswan.* shlib-policy-missing-suffix')
addFilter("strongswan.* incoherent-init-script-name ipsec")
addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
-
++++++ strongswan-4.2.8.tar.bz2 -> strongswan-4.2.14.tar.bz2 ++++++
++++ 183773 lines of diff (skipped)
++++++ strongswan_modprobe_syslog.dif ++++++
--- /var/tmp/diff_new_pack.Rw5527/_old 2009-04-02 18:50:23.000000000 +0200
+++ /var/tmp/diff_new_pack.Rw5527/_new 2009-04-02 18:50:23.000000000 +0200
@@ -1,11 +1,35 @@
+--- src/starter/klips.c
++++ src/starter/klips.c 2009/03/23 10:46:01
+@@ -36,7 +36,7 @@ starter_klips_init(void)
+ /* ipsec module makes the pf_key proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv ipsec"));
++ ignore_result(system("modprobe -a ipsec"));
+ }
+
+ /* now test again */
+@@ -50,9 +50,9 @@ starter_klips_init(void)
+ }
+
+ /* load crypto algorithm modules */
+- ignore_result(system("modprobe -qv ipsec_aes"));
+- ignore_result(system("modprobe -qv ipsec_blowfish"));
+- ignore_result(system("modprobe -qv ipsec_sha2"));
++ ignore_result(system("modprobe -s ipsec_aes"));
++ ignore_result(system("modprobe -s ipsec_blowfish"));
++ ignore_result(system("modprobe -s ipsec_sha2"));
+
+ DBG(DBG_CONTROL,
+ DBG_log("Found KLIPS IPsec stack")
--- src/starter/netkey.c
-+++ src/starter/netkey.c 2007/12/06 09:05:30
++++ src/starter/netkey.c 2009/03/23 10:46:34
@@ -36,7 +36,7 @@ starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
-- system("modprobe -qv af_key");
-+ system("modprobe -s af_key");
+- ignore_result(system("modprobe -qv af_key"));
++ ignore_result(system("modprobe -s af_key"));
}
/* now test again */
@@ -13,16 +37,16 @@
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{
-- system("modprobe -qv ah4");
-- system("modprobe -qv esp4");
-- system("modprobe -qv ipcomp");
-- system("modprobe -qv xfrm4_tunnel");
-- system("modprobe -qv xfrm_user");
-+ system("modprobe -s ah4");
-+ system("modprobe -s esp4");
-+ system("modprobe -s ipcomp");
-+ system("modprobe -s xfrm4_tunnel");
-+ system("modprobe -s xfrm_user");
+- ignore_result(system("modprobe -qv ah4"));
+- ignore_result(system("modprobe -qv esp4"));
+- ignore_result(system("modprobe -qv ipcomp"));
+- ignore_result(system("modprobe -qv xfrm4_tunnel"));
+- ignore_result(system("modprobe -qv xfrm_user"));
++ ignore_result(system("modprobe -s ah4"));
++ ignore_result(system("modprobe -s esp4"));
++ ignore_result(system("modprobe -s ipcomp"));
++ ignore_result(system("modprobe -s xfrm4_tunnel"));
++ ignore_result(system("modprobe -s xfrm_user"));
}
DBG(DBG_CONTROL,
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org