Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2016-11-29 12:50:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
and /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan"
Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2015-11-17 14:23:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2016-11-29 12:50:29.000000000 +0100
@@ -1,0 +2,145 @@
+Mon Jul 4 12:00:00 UTC 2016 - doug(a)uq.edu.au
+
+- Updated to strongSwan 5.3.5 providing the following changes:
+ Changes in version 5.3.5:
+ * Properly handle potential EINTR errors in sigwaitinfo(2) calls
+ that replaced sigwait(3) calls with 5.3.4.
+ * RADIUS retransmission timeouts are now configurable, courtesy
+ of Thom Troy.
+ Changes in version 5.3.4:
+ * Fixed an authentication bypass vulnerability in the
+ eap-mschapv2 plugin that was caused by insufficient
+ verification of the internal state when handling MSCHAPv2
+ Success messages received by the client. This vulnerability
+ has been registered as CVE-2015-8023.
+ * The sha3 plugin implements the SHA3 Keccak-F1600 hash
+ algorithm family. Within the strongSwan framework SHA3 is
+ currently used for BLISS signatures only because the OIDs for
+ other signature algorithms haven't been defined yet. Also the
+ use of SHA3 for IKEv2 has not been standardized yet.
+ Changes in version 5.3.3:
+ * Added support for the ChaCha20/Poly1305 AEAD cipher specified
+ in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
+ proposal keyword. The new chapoly plugin implements the
+ cipher, if possible SSE-accelerated on x86/x64 architectures.
+ It is usable both in IKEv2 and the strongSwan libipsec ESP
+ backend. On Linux 4.2 or newer the kernel-netlink plugin can
+ configure the cipher for ESP SAs.
+ * The vici interface now supports the configuration of auxiliary
+ certification authority information as CRL and OCSP URIs.
+ * In the bliss plugin the c_indices derivation using a SHA-512
+ based random oracle has been fixed, generalized and
+ standardized by employing the MGF1 mask generation function
+ with SHA-512. As a consequence BLISS signatures unsing the
+ improved oracle are not compatible with the earlier
+ implementation.
+ * Support for auto=route with right=%any for transport mode
+ connections has been added (the ikev2/trap-any scenario
+ provides examples).
+ * The starter daemon does not flush IPsec policies and SAs
+ anymore when it is stopped. Already existing duplicate
+ policies are now overwritten by the IKE daemon when it
+ installs its policies.
+ * Init limits (like charon.init_limit_half_open) can now
+ optionally be enforced when initiating SAs via VICI. For this,
+ IKE_SAs initiated by the daemon are now also counted as half
+ open SAs, which, as a side-effect, fixes the status output
+ while connecting (e.g. in ipsec status).
+ * Symmetric configuration of EAP methods in left|rightauth is
+ now possible when mutual EAP-only authentication is used
+ (previously, the client had to configure rightauth=eap or
+ rightauth=any, which prevented it from using this same config
+ as responder).
+ * The initiator flag in the IKEv2 header is compared again
+ (wasn't the case since 5.0.0) and packets that have the flag
+ set incorrectly are again ignored.
+ * Implemented a demo Hardcopy Device IMC/IMV pair based on the
+ "Hardcopy Device Health Assessment Trusted Network Connect
+ Binding" (HCD-TNC) document drafted by the IEEE Printer
+ Working Group (PWG).
+ * Fixed IF-M segmentation which failed in the presence of
+ multiple small attributes in front of a huge attribute to be
+ segmented.
+ Changes in version 5.3.2:
+ * Fixed a vulnerability that allowed rogue servers with a valid
+ certificate accepted by the client to trick it into disclosing
+ its username and even password (if the client accepts
+ EAP-GTC). This was caused because constraints against the
+ responder's authentication were enforced too late. This
+ vulnerability has been registered as CVE-2015-4171.
+ Changes in version 5.3.1:
+ * Fixed a denial-of-service and potential remote code execution
+ vulnerability triggered by IKEv1/IKEv2 messages that contain
+ payloads for the respective other IKE version. Such payload
+ are treated specially since 5.2.2 but because they were still
+ identified by their original payload type they were used as
+ such in some places causing invalid function pointer
+ dereferences. The vulnerability has been registered as
+ CVE-2015-3991.
+ * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
+ GCM crypto primitives for AES-128/192/256. The plugin requires
+ AES-NI and PCLMULQDQ instructions and works on both x86 and
+ x64 architectures. It provides superior crypto performance in
+ userland without any external libraries.
+ Changes in version 5.3.0:
+ * Added support for IKEv2 make-before-break reauthentication. By
+ using a global CHILD_SA reqid allocation mechanism, charon
+ supports overlapping CHILD_SAs. This allows the use of
+ make-before-break instead of the previously supported
+ break-before-make reauthentication, avoiding connectivity gaps
+ during that procedure. As the new mechanism may fail with peers
+ not supporting it (such as any previous strongSwan release) it
+ must be explicitly enabled using the charon.make_before_break
+ strongswan.conf option.
+ * Support for "Signature Authentication in IKEv2" (RFC 7427) has
+ been added. This allows the use of stronger hash algorithms
+ for public key authentication. By default, signature schemes
+ are chosen based on the strength of the signature key, but
+ specific hash algorithms may be configured in leftauth.
+ * Key types and hash algorithms specified in rightauth are now
+ also checked against IKEv2 signature schemes. If such
+ constraints are used for certificate chain validation in
+ existing configurations, in particular with peers that don't
+ support RFC 7427, it may be necessary to disable this feature
+ with the charon.signature_authentication_constraints setting,
+ because the signature scheme used in classic IKEv2 public key
+ authentication may not be strong enough.
+ * The new connmark plugin allows a host to bind conntrack flows
+ to a specific CHILD_SA by applying and restoring the SA mark
+ to conntrack entries. This allows a peer to handle multiple
+ transport mode connections coming over the same NAT device for
+ client-initiated flows. A common use case is to protect
+ L2TP/IPsec, as supported by some systems.
+ * The forecast plugin can forward broadcast and multicast
+ messages between connected clients and a LAN. For CHILD_SA
+ using unique marks, it sets up the required Netfilter rules
+ and uses a multicast/broadcast listener that forwards such
+ messages to all connected clients. This plugin is designed for
+ Windows 7 IKEv2 clients, which announces its services over the
+ tunnel if the negotiated IPsec policy allows it.
+ * For the vici plugin a Python Egg has been added to allow
+ Python applications to control or monitor the IKE daemon using
+ the VICI interface, similar to the existing ruby gem. The
+ Python library has been contributed by Björn Schuberg.
+ * EAP server methods now can fulfill public key constraints,
+ such as rightcert or rightca. Additionally, public key and
+ signature constraints can be specified for EAP methods in the
+ rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
+ provide verification details to constraints checking.
+ * Upgrade of the BLISS post-quantum signature algorithm to the
+ improved BLISS-B variant. Can be used in conjunction with the
+ SHA256, SHA384 and SHA512 hash algorithms with SHA512 being
+ the default.
+ * The IF-IMV 1.4 interface now makes the IP address of the TNC
+ access requestor as seen by the TNC server available to all
+ IMVs. This information can be forwarded to policy enforcement
+ points (e.g. firewalls or routers).
+ * The new mutual tnccs-20 plugin parameter activates mutual TNC
+ measurements in PB-TNC half-duplex mode between two endpoints
+ over either a PT-EAP or PT-TLS transport medium.
+- Adjusted file lists and removed obsolete patches
+ [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch,
+ - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch,
+ - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
+
+-------------------------------------------------------------------
Old:
----
0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
strongswan-5.2.2-rpmlintrc
strongswan-5.2.2.tar.bz2
strongswan-5.2.2.tar.bz2.sig
New:
----
strongswan-5.3.5-rpmlintrc
strongswan-5.3.5.tar.bz2
strongswan-5.3.5.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.8PSM3A/_old 2016-11-29 12:50:31.000000000 +0100
+++ /var/tmp/diff_new_pack.8PSM3A/_new 2016-11-29 12:50:31.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: strongswan
-Version: 5.2.2
+Version: 5.3.5
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@@ -82,9 +82,6 @@
Patch3: %{name}_fipscheck.patch
Patch4: %{name}_fipsfilter.patch
%endif
-Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
-Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
-Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@@ -295,9 +292,6 @@
%patch3 -p0
%patch4 -p1
%endif
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -605,7 +599,6 @@
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/_updown
-%{_libexecdir}/ipsec/_updown_espmark
%if %{with test}
%{_libexecdir}/ipsec/conftest
%endif
@@ -632,8 +625,6 @@
%{strongswan_docdir}/LICENSE
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
-%{_mandir}/man8/_updown.8*
-%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/scepclient.8*
%files libs0
++++++ strongswan-5.2.2-rpmlintrc -> strongswan-5.3.5-rpmlintrc ++++++
++++++ strongswan-5.2.2.tar.bz2 -> strongswan-5.3.5.tar.bz2 ++++++
++++ 145797 lines of diff (skipped)