Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2015-02-27 10:59:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
and /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan"
Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2014-11-26 10:33:58.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2015-02-27 11:00:10.000000000 +0100
@@ -1,0 +2,99 @@
+Mon Jan 5 14:38:46 UTC 2015 - mt@suse.de
+
+- Updated to strongSwan 5.2.2 providing the following changes:
+ Changes in version 5.2.2:
+ * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
+ payload that contains the Diffie-Hellman group 1025. This identifier was
+ used internally for DH groups with custom generator and prime. Because
+ these arguments are missing when creating DH objects based on the KE
+ payload an invalid pointer dereference occurred. This allowed an attacker
+ to crash the IKE daemon with a single IKE_SA_INIT message containing such
+ a KE payload. The vulnerability has been registered as CVE-2014-9221.
+ * The left/rightid options in ipsec.conf, or any other identity in
+ strongSwan, now accept prefixes to enforce an explicit type, such as
+ email: or fqdn:. Note that no conversion is done for the remaining string,
+ refer to ipsec.conf(5) for details.
+ * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
+ an IKEv2 public key authentication method. The pki tool offers full
+ support for the generation of BLISS key pairs and certificates.
+ * Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
+ This could cause interoperability issues when connecting to older versions
+ of charon.
+ Changes in version 5.2.1:
+ * The new charon-systemd IKE daemon implements an IKE daemon tailored for
+ use with systemd. It avoids the dependency on ipsec starter and uses
+ swanctl as configuration backend, building a simple and lightweight
+ solution. It supports native systemd journal logging.
+ * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
+ fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
+ * Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
+ All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
+ and IETF/Installed Packages attributes can be processed incrementally on a
+ per segment basis.
+ * The new ext-auth plugin calls an external script to implement custom IKE_SA
+ authorization logic, courtesy of Vyronas Tsingaras.
+ * For the vici plugin a ruby gem has been added to allow ruby applications to
+ control or monitor the IKE daemon. The vici documentation has been updated
+ to include a description of the available operations and some simple
+ examples using both the libvici C interface and the ruby gem.
+ Changes in version 5.2.0:
+ * strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
+ many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
+ and newer releases. charon-svc implements a Windows IKE service based on
+ libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
+ backend on the Windows platform. socket-win provides a native IKE socket
+ implementation, while winhttp fetches CRL and OCSP information using the
+ WinHTTP API.
+ * The new vici plugin provides a Versatile IKE Configuration Interface for
+ charon. Using the stable IPC interface, external applications can configure,
+ control and monitor the IKE daemon. Instead of scripting the ipsec tool
+ and generating ipsec.conf, third party applications can use the new interface
+ for more control and better reliability.
+ * Built upon the libvici client library, swanctl implements the first user of
+ the VICI interface. Together with a swanctl.conf configuration file,
+ connections can be defined, loaded and managed. swanctl provides a portable,
+ complete IKE configuration and control interface for the command line.
+ The first six swanctl example scenarios have been added.
+ * The SWID IMV implements a JSON-based REST API which allows the exchange
+ of SWID tags and Software IDs with the strongTNC policy manager.
+ * The SWID IMC can extract all installed packages from the dpkg (Debian,
+ Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
+ pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using
+ the swidGenerator (https://github.com/strongswan/swidGenerator) which
+ generates SWID tags according to the new ISO/IEC 19770-2:2014 standard.
+ * All IMVs now share the access requestor ID, device ID and product info
+ of an access requestor via a common imv_session object.
+ * The Attestation IMC/IMV pair supports the IMA-NG measurement format
+ introduced with the Linux 3.13 kernel.
+ * The aikgen tool generates an Attestation Identity Key bound to a TPM.
+ * Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
+ Connect.
+ * The ipsec.conf replay_window option defines connection specific IPsec
+ replay windows. Original patch courtesy of Zheng Zhong and Christophe
+ Gouault from 6Wind.
+- Adjusted file lists and removed obsolete patches
+ [- 0005-restore-registration-algorithm-order.bug897512.patch,
+ - 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
+- Adopted/Merged fipscheck patches
+ [* strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
+
+-------------------------------------------------------------------
+Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de
+
+- Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
+ [* strongswan_fipsfilter.patch]
+
+-------------------------------------------------------------------
+Thu Dec 11 10:21:01 UTC 2014 - mt@suse.de
+
+- Applied an upstream fix for a denial-of-service vulnerability,
+ which can be triggered by an IKEv2 Key Exchange payload, that
+ contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
+ [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
+- Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
+ [* strongswan_fipsfilter.patch]
+- Renamed patch file to match it's patch number:
+ [- 0001-restore-registration-algorithm-order.bug897512.patch,
+ + 0005-restore-registration-algorithm-order.bug897512.patch]
+
+-------------------------------------------------------------------
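Review bot: the Thu Dec 11 entry carries two typos that will ship in the package changelog, "whilelist" for "whitelist" and "it's patch number" for "its patch number"; the same bug is also cited as bnc#856322 in the Dec 17 entry and bsc#856322 in the Dec 11 entry, so one prefix should be used throughout. The Mon Jan 5 entry drops 0005-restore-registration-algorithm-order.bug897512.patch as obsolete without saying why; the CVE-2014-9221 patch removed next to it is justified by the 5.2.2 item above, but a short note that bug897512 is addressed upstream in 5.2.2 would make this removal auditable later.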
Old:
----
0001-restore-registration-algorithm-order.bug897512.patch
strongswan-5.1.3-rpmlintrc
strongswan-5.1.3.tar.bz2
strongswan-5.1.3.tar.bz2.sig
New:
----
strongswan-5.2.2-rpmlintrc
strongswan-5.2.2.tar.bz2
strongswan-5.2.2.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:12.000000000 +0100
+++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:12.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: strongswan
-Version: 5.1.3
+Version: 5.2.2
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@@ -82,7 +82,6 @@
Patch3: %{name}_fipscheck.patch
Patch4: %{name}_fipsfilter.patch
%endif
-Patch5: 0001-restore-registration-algorithm-order.bug897512.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@@ -293,7 +292,6 @@
%patch3 -p0
%patch4 -p1
%endif
-%patch5 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -643,10 +641,11 @@
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
%if %{with afalg}
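Review bot: this hunk replaces tools.conf with pki.conf and scepclient.conf in the %config(noreplace) list, but the changelog only says "Adjusted file lists". A one-line mention that tools.conf is no longer installed and its settings now live in pki.conf/scepclient.conf would help administrators who carry local edits in tools.conf, since the package stops owning that file after this update. The 600 root:root attributes match the surrounding config entries, which is correct for files that may hold credentials.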
@@ -949,10 +948,11 @@
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
%{strongswan_templates}/config/strongswan.d/charon.conf
%{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/pki.conf
%{strongswan_templates}/config/strongswan.d/pool.conf
+%{strongswan_templates}/config/strongswan.d/scepclient.conf
%{strongswan_templates}/config/strongswan.d/starter.conf
%{strongswan_templates}/config/strongswan.d/tnc.conf
-%{strongswan_templates}/config/strongswan.d/tools.conf
%{strongswan_templates}/database/imv/data.sql
%{strongswan_templates}/database/imv/tables.sql
@@ -982,6 +982,7 @@
%dir %{strongswan_templates}/database
%dir %{strongswan_templates}/database/sql
%{strongswan_templates}/config/plugins/mysql.conf
+%{strongswan_templates}/database/imv/tables-mysql.sql
%{strongswan_templates}/database/sql/mysql.sql
%endif
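Review bot: tables-mysql.sql is an imv template but is inserted between the mysql plugin config and database/sql/mysql.sql inside this conditional block, while the other imv templates (data.sql, tables.sql) are listed in the earlier unconditional hunk. Either group it with those files or add a comment that it is the MySQL variant of tables.sql and is therefore only packaged when the mysql backend is enabled; also confirm it is not listed a second time elsewhere, which would trigger a duplicate-file warning at build time.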
++++++ strongswan-5.1.3-rpmlintrc -> strongswan-5.2.2-rpmlintrc ++++++
++++++ strongswan-5.1.3.tar.bz2 -> strongswan-5.2.2.tar.bz2 ++++++
++++ 249224 lines of diff (skipped)
++++++ strongswan_fipscheck.patch ++++++
--- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:18.000000000 +0100
+++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:18.000000000 +0100
@@ -1,6 +1,6 @@
--- src/ipsec/_ipsec.in
-+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25
-@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
++++ src/ipsec/_ipsec.in
+@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
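Review bot: the refreshed patch drops the timestamp from the "+++ src/ipsec/_ipsec.in" header and extends the hunk-context text; both are harmless, but the patch header then no longer records when it was regenerated. Since the patch was rebased from 5.1.3 to 5.2.2 (every later hunk in this file shifts by eleven lines), a short header line naming the strongSwan version it applies to would make future rebases easier to track.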
@@ -26,8 +26,8 @@
+
case "$1" in
'')
- echo "Usage: $IPSEC_SCRIPT command argument ..."
-@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
+ echo "$IPSEC_SCRIPT command [arguments]"
+@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
shift
if [ -e $IPSEC_CHARON_PID ]
then
@@ -35,7 +35,7 @@
$IPSEC_STROKE "$op" "$@"
rc="$?"
fi
-@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
+@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -43,7 +43,7 @@
$IPSEC_STROKE "$1"
rc="$?"
fi
-@@ -208,6 +230,7 @@ route|unroute)
+@@ -197,6 +219,7 @@ route|unroute)
fi
if [ -e $IPSEC_CHARON_PID ]
then
@@ -51,7 +51,7 @@
$IPSEC_STROKE "$op" "$1"
rc="$?"
fi
-@@ -217,6 +240,7 @@ secrets)
+@@ -206,6 +229,7 @@ secrets)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -59,7 +59,7 @@
$IPSEC_STROKE rereadsecrets
rc="$?"
fi
-@@ -224,6 +248,7 @@ secrets)
+@@ -213,6 +237,7 @@ secrets)
;;
start)
shift
@@ -67,7 +67,7 @@
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/ipsec
fi
-@@ -297,6 +322,7 @@ up)
+@@ -286,6 +311,7 @@ up)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
@@ -75,7 +75,7 @@
$IPSEC_STROKE up "$1"
rc="$?"
fi
-@@ -332,6 +358,11 @@ esac
+@@ -325,6 +351,11 @@ esac
cmd="$1"
shift
++++++ strongswan_fipsfilter.patch ++++++
--- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:18.000000000 +0100
+++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:18.000000000 +0100
@@ -1,5 +1,12 @@
+From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
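Review bot: the hunk header announces "@@ -1,5 +1,12 @@" but only the first two added lines of the new git format-patch header are visible here, so the subject line and the actual brainpool-group filtering referenced by the Wed Dec 17 changelog entry ("Disallow brainpool elliptic curve groups in fips mode") cannot be checked from this log; the full patch should be reviewed in the package sources before accepting.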
Participants (1): root@hilbert.suse.de