Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2016-11-29 12:50:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan"

Changes:
--------
--- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes	2015-11-17 14:23:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes	2016-11-29 12:50:29.000000000 +0100
@@ -1,0 +2,145 @@ +Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au + +- Updated to strongSwan 5.3.5 providing the following changes: + Changes in version 5.3.5: + * Properly handle potential EINTR errors in sigwaitinfo(2) calls + that replaced sigwait(3) calls with 5.3.4. + * RADIUS retransmission timeouts are now configurable, courtesy + of Thom Troy. + Changes in version 5.3.4: + * Fixed an authentication bypass vulnerability in the + eap-mschapv2 plugin that was caused by insufficient + verification of the internal state when handling MSCHAPv2 + Success messages received by the client. This vulnerability + has been registered as CVE-2015-8023. + * The sha3 plugin implements the SHA3 Keccak-F1600 hash + algorithm family. Within the strongSwan framework SHA3 is + currently used for BLISS signatures only because the OIDs for + other signature algorithms haven't been defined yet. Also the + use of SHA3 for IKEv2 has not been standardized yet. + Changes in version 5.3.3: + * Added support for the ChaCha20/Poly1305 AEAD cipher specified + in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp + proposal keyword. The new chapoly plugin implements the + cipher, if possible SSE-accelerated on x86/x64 architectures. + It is usable both in IKEv2 and the strongSwan libipsec ESP + backend. On Linux 4.2 or newer the kernel-netlink plugin can + configure the cipher for ESP SAs. + * The vici interface now supports the configuration of auxiliary + certification authority information as CRL and OCSP URIs. + * In the bliss plugin the c_indices derivation using a SHA-512 + based random oracle has been fixed, generalized and + standardized by employing the MGF1 mask generation function + with SHA-512. As a consequence BLISS signatures unsing the + improved oracle are not compatible with the earlier + implementation. + * Support for auto=route with right=%any for transport mode + connections has been added (the ikev2/trap-any scenario + provides examples). 
+ * The starter daemon does not flush IPsec policies and SAs + anymore when it is stopped. Already existing duplicate + policies are now overwritten by the IKE daemon when it + installs its policies. + * Init limits (like charon.init_limit_half_open) can now + optionally be enforced when initiating SAs via VICI. For this, + IKE_SAs initiated by the daemon are now also counted as half + open SAs, which, as a side-effect, fixes the status output + while connecting (e.g. in ipsec status). + * Symmetric configuration of EAP methods in left|rightauth is + now possible when mutual EAP-only authentication is used + (previously, the client had to configure rightauth=eap or + rightauth=any, which prevented it from using this same config + as responder). + * The initiator flag in the IKEv2 header is compared again + (wasn't the case since 5.0.0) and packets that have the flag + set incorrectly are again ignored. + * Implemented a demo Hardcopy Device IMC/IMV pair based on the + "Hardcopy Device Health Assessment Trusted Network Connect + Binding" (HCD-TNC) document drafted by the IEEE Printer + Working Group (PWG). + * Fixed IF-M segmentation which failed in the presence of + multiple small attributes in front of a huge attribute to be + segmented. + Changes in version 5.3.2: + * Fixed a vulnerability that allowed rogue servers with a valid + certificate accepted by the client to trick it into disclosing + its username and even password (if the client accepts + EAP-GTC). This was caused because constraints against the + responder's authentication were enforced too late. This + vulnerability has been registered as CVE-2015-4171. + Changes in version 5.3.1: + * Fixed a denial-of-service and potential remote code execution + vulnerability triggered by IKEv1/IKEv2 messages that contain + payloads for the respective other IKE version. 
Such payload + are treated specially since 5.2.2 but because they were still + identified by their original payload type they were used as + such in some places causing invalid function pointer + dereferences. The vulnerability has been registered as + CVE-2015-3991. + * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and + GCM crypto primitives for AES-128/192/256. The plugin requires + AES-NI and PCLMULQDQ instructions and works on both x86 and + x64 architectures. It provides superior crypto performance in + userland without any external libraries. + Changes in version 5.3.0: + * Added support for IKEv2 make-before-break reauthentication. By + using a global CHILD_SA reqid allocation mechanism, charon + supports overlapping CHILD_SAs. This allows the use of + make-before-break instead of the previously supported + break-before-make reauthentication, avoiding connectivity gaps + during that procedure. As the new mechanism may fail with peers + not supporting it (such as any previous strongSwan release) it + must be explicitly enabled using the charon.make_before_break + strongswan.conf option. + * Support for "Signature Authentication in IKEv2" (RFC 7427) has + been added. This allows the use of stronger hash algorithms + for public key authentication. By default, signature schemes + are chosen based on the strength of the signature key, but + specific hash algorithms may be configured in leftauth. + * Key types and hash algorithms specified in rightauth are now + also checked against IKEv2 signature schemes. If such + constraints are used for certificate chain validation in + existing configurations, in particular with peers that don't + support RFC 7427, it may be necessary to disable this feature + with the charon.signature_authentication_constraints setting, + because the signature scheme used in classic IKEv2 public key + authentication may not be strong enough. 
+ * The new connmark plugin allows a host to bind conntrack flows + to a specific CHILD_SA by applying and restoring the SA mark + to conntrack entries. This allows a peer to handle multiple + transport mode connections coming over the same NAT device for + client-initiated flows. A common use case is to protect + L2TP/IPsec, as supported by some systems. + * The forecast plugin can forward broadcast and multicast + messages between connected clients and a LAN. For CHILD_SA + using unique marks, it sets up the required Netfilter rules + and uses a multicast/broadcast listener that forwards such + messages to all connected clients. This plugin is designed for + Windows 7 IKEv2 clients, which announces its services over the + tunnel if the negotiated IPsec policy allows it. + * For the vici plugin a Python Egg has been added to allow + Python applications to control or monitor the IKE daemon using + the VICI interface, similar to the existing ruby gem. The + Python library has been contributed by Björn Schuberg. + * EAP server methods now can fulfill public key constraints, + such as rightcert or rightca. Additionally, public key and + signature constraints can be specified for EAP methods in the + rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods + provide verification details to constraints checking. + * Upgrade of the BLISS post-quantum signature algorithm to the + improved BLISS-B variant. Can be used in conjunction with the + SHA256, SHA384 and SHA512 hash algorithms with SHA512 being + the default. + * The IF-IMV 1.4 interface now makes the IP address of the TNC + access requestor as seen by the TNC server available to all + IMVs. This information can be forwarded to policy enforcement + points (e.g. firewalls or routers). + * The new mutual tnccs-20 plugin parameter activates mutual TNC + measurements in PB-TNC half-duplex mode between two endpoints + over either a PT-EAP or PT-TLS transport medium. 
+- Adjusted file lists and removed obsolete patches + [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch, + - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch, + - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] + +------------------------------------------------------------------- Old: ---- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch strongswan-5.2.2-rpmlintrc strongswan-5.2.2.tar.bz2 strongswan-5.2.2.tar.bz2.sig New: ---- strongswan-5.3.5-rpmlintrc strongswan-5.3.5.tar.bz2 strongswan-5.3.5.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.8PSM3A/_old 2016-11-29 12:50:31.000000000 +0100 +++ /var/tmp/diff_new_pack.8PSM3A/_new 2016-11-29 12:50:31.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.2.2 +Version: 5.3.5 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -82,9 +82,6 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif -Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch -Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch -Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -295,9 +292,6 @@ %patch3 -p0 %patch4 -p1 %endif -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init 
@@ -605,7 +599,6 @@ %dir %{_libexecdir}/ipsec %{_libexecdir}/ipsec/_copyright %{_libexecdir}/ipsec/_updown -%{_libexecdir}/ipsec/_updown_espmark %if %{with test} %{_libexecdir}/ipsec/conftest %endif @@ -632,8 +625,6 @@ %{strongswan_docdir}/LICENSE %{strongswan_docdir}/AUTHORS %{strongswan_docdir}/ChangeLog -%{_mandir}/man8/_updown.8* -%{_mandir}/man8/_updown_espmark.8* %{_mandir}/man8/scepclient.8* %files libs0 ++++++ strongswan-5.2.2-rpmlintrc -> strongswan-5.3.5-rpmlintrc ++++++ ++++++ strongswan-5.2.2.tar.bz2 -> strongswan-5.3.5.tar.bz2 ++++++ ++++ 145797 lines of diff (skipped)
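Review bot: the changes entry carries two typos copied from the quoted NEWS text, "unsing the improved oracle" should read "using the improved oracle" and "Such payload are treated specially" should read "Such payloads are treated specially"; fix them before the entry is frozen in the package history. The entry's stamp "Mon Jul 4 12:00:00 UTC 2016" is a round hand-written time almost five months before the 2016-11-29 check-in, so regenerate it with `osc vc` to get a truthful date.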
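Review bot: dropping Patch5, Patch6 and Patch7 together with their `%patch5`, `%patch6` and `%patch7` lines is consistent with the version ranges in the file names (5.2.2-5.3.0, 5.1.0-5.3.1, 4.4.0-5.3.3, all at or below the new `Version: 5.3.5`) and with the NEWS text that places CVE-2015-3991 in 5.3.1, CVE-2015-4171 in 5.3.2 and CVE-2015-8023 in 5.3.4; the changes entry lists the three file names but not this mapping, so state which CVE each dropped backport covered so the corresponding security bugs can be closed against this submission. The FIPS patches `%{name}_fipscheck.patch` and `%{name}_fipsfilter.patch` are carried over untouched across a 145797-line tarball diff; confirm in the build log that they still apply without fuzz against 5.3.5.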
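Review bot: `%{_libexecdir}/ipsec/_updown` stays in `%files` while `%{_mandir}/man8/_updown.8*` is removed, so the script now ships without its man page, and `%{_libexecdir}/ipsec/_updown_espmark` plus `_updown_espmark.8*` disappear entirely; the changes entry only says "Adjusted file lists". Confirm that upstream 5.3.5 no longer installs these files (rather than the entries being dropped to silence an unpackaged-file error) and name the removed `_updown_espmark` script in the changes entry, since anyone calling it from a custom `leftupdown` setup will notice.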
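A small check a reviewer can run over a submission like this one, as an added example that is not part of this commit log, the openSUSE build tooling or strongSwan itself: it reads the CVE identifiers out of the quoted NEWS sections of the changes entry, records the upstream version each was fixed in, reads the new `Version:` from the spec diff, and flags any CVE or dropped backport patch whose fix version is newer than what is being packaged. The inputs are constructed excerpts modeled on the entry above, and the patch-name convention `NNNN-strongswan-<first>-<fixed>_name.patch` (second version is the upstream release carrying the fix) is an assumption read off the three file names shown, not a documented rule.

```python
import re

# Constructed sample: an excerpt shaped like the .changes entry above
# (upstream NEWS text quoted under "Changes in version X.Y.Z:" headers).
CHANGES_EXCERPT = """\
- Updated to strongSwan 5.3.5 providing the following changes:
  Changes in version 5.3.5:
  * Properly handle potential EINTR errors in sigwaitinfo(2) calls.
  Changes in version 5.3.4:
  * Fixed an authentication bypass vulnerability in the
    eap-mschapv2 plugin ... registered as CVE-2015-8023.
  Changes in version 5.3.2:
  * Fixed a vulnerability ... registered as CVE-2015-4171.
  Changes in version 5.3.1:
  * Fixed a denial-of-service ... registered as
    CVE-2015-3991.
- Adjusted file lists and removed obsolete patches
  [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch,
   - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch,
   - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
"""

# Constructed sample: the relevant lines of the spec diff.
SPEC_DIFF_EXCERPT = """\
-Version: 5.2.2
+Version: 5.3.5
-Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
-Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
-Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
"""

VERSION_HEADER_RE = re.compile(r"Changes in version (\d+(?:\.\d+)*):")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed naming convention: NNNN-strongswan-<first>-<fixed>_name.patch
DROPPED_PATCH_RE = re.compile(
    r"^-Patch\d+:\s+\d+-strongswan-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)_\S+\.patch$", re.M)
NEW_VERSION_RE = re.compile(r"^\+Version:\s+(\S+)", re.M)


def parse_version(text):
    """Turn '5.3.5' into a comparable tuple (5, 3, 5)."""
    return tuple(int(part) for part in text.split("."))


def cve_fix_versions(changes_text):
    """Map each CVE to the upstream version whose NEWS section mentions it."""
    fixes = {}
    current = None
    for line in changes_text.splitlines():
        header = VERSION_HEADER_RE.search(line)
        if header:
            current = header.group(1)
            continue
        for cve in CVE_RE.findall(line):
            if current is None:
                raise ValueError(f"{cve} mentioned before any version header")
            fixes.setdefault(cve, current)  # first (newest) section wins
    return fixes


def audit(changes_text, spec_diff):
    """Return a list of problems; empty means the update covers every listed fix."""
    new_version_text = NEW_VERSION_RE.search(spec_diff).group(1)
    new_version = parse_version(new_version_text)
    problems = []
    # A CVE fixed upstream after the packaged version would still be open.
    for cve, fixed_in in cve_fix_versions(changes_text).items():
        if parse_version(fixed_in) > new_version:
            problems.append(f"{cve} fixed in {fixed_in} but packaging {new_version_text}")
    # A dropped backport whose fix landed after the packaged version reopens the hole.
    for _first, fixed_in in DROPPED_PATCH_RE.findall(spec_diff):
        if parse_version(fixed_in) > new_version:
            problems.append(f"dropped backport of {fixed_in} fix but packaging {new_version_text}")
    return problems


if __name__ == "__main__":
    print(cve_fix_versions(CHANGES_EXCERPT))
    print(audit(CHANGES_EXCERPT, SPEC_DIFF_EXCERPT) or "no problems found")
```

The check deliberately compares against the version headers in the quoted NEWS text rather than trusting the "removed obsolete patches" sentence, so a submission that bumps to a version older than a dropped backport's fix is caught even when the changelog reads fine.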
participants (1)
- root@hilbert.suse.de