Revisions of strongswan
Mohd Saquib (msaquib) accepted request 1077377 from Mohd Saquib (msaquib) (revision 147)
- Allow use of the stroke (aka ipsec) interface by default instead of the vici (aka swanctl) interface, which is the current upstream default. strongswan.service, which enables the swanctl interface, is masked to stop it interfering with the ipsec interface (bsc#1184144)
- Removes deprecated SysV support
buildservice-autocommit accepted request 1068724 from Jan Engelhardt (jengelh) (revision 146)
baserev update by copy to link target
Jan Engelhardt (jengelh) committed (revision 145)
upgrade note
Jan Engelhardt (jengelh) committed (revision 144)
- Update to release 5.9.10
Mohd Saquib (msaquib) accepted request 1068696 from Mohd Saquib (msaquib) (revision 143)
- Added a patch to fix a vulnerability where an untrusted public key was incorrectly accepted due to an incorrect refcount (CVE-2023-26463 boo#1208608) [+ CVE-2023-26463_tls_auth_bypass_exp_pointer.patch]
Mohd Saquib (msaquib) accepted request 1068689 from Mohd Saquib (msaquib) (revision 142)
- Fixed a vulnerability where an untrusted public key was incorrectly accepted due to an incorrect refcount (CVE-2023-26463 boo#1208608).
buildservice-autocommit accepted request 1046554 from Jan Engelhardt (jengelh) (revision 141)
baserev update by copy to link target
Jan Engelhardt (jengelh) committed (revision 140)
- Update to release 5.9.9
Dominique Leuenberger (dimstar_suse) committed (revision 139)
Jan Engelhardt (jengelh) committed (revision 138)
- Update to release 5.9.8
Jan Engelhardt (jengelh) committed (revision 137)
heed changelog syntax requirements
Jan Engelhardt (jengelh) accepted request 991798 from Peter Conrad (p_conrad) (revision 136)
This resolves one issue in particular that caused failures in Tumbleweed, see https://forums.opensuse.org/showthread.php/569960-Latest-strongswan-ipsec-crashes-on-startup.
- Update to release 5.9.7
  * The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message.
  * Inbound IKEv2 messages, in particular requests, are now processed differently.
  * The retransmission logic in the dhcp plugin has been fixed (#1154).
  * The connmark plugin now considers configured masks in installed firewall rules (#1087).
  * Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
  * The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
  * The openssl plugin supports AES and Camellia in CTR mode (112bb46).
  * The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted.
  * The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
  * The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).
Jan Engelhardt (jengelh) committed (revision 135)
- Update to release 5.9.6
Jan Engelhardt (jengelh) accepted request 962674 from Marcus Meissner (msmeissn) (revision 134)
resubmit without hacky namespace change
- prf-plus-modularization.patch: updated from upstream branch after certifier feedback, SKEYSEED generated via HKDF-Extract.
Jan Engelhardt (jengelh) accepted request 960489 from Marcus Meissner (msmeissn) (revision 133)
- Added prf-plus-modularization.patch that outsources the IKE key derivation to openssl. (will be merged to 5.9.6)
- package the kdf config, template and plugin
Jan Engelhardt (jengelh) accepted request 950382 from Marcus Meissner (msmeissn) (revision 132)
add more references for later sle import
Jan Engelhardt (jengelh) committed (revision 131)
- Update to release 5.9.5
Jan Engelhardt (jengelh) accepted request 949255 from Marcus Meissner (msmeissn) (revision 130)
This adds bug references to changes file that are in SLES 15 SP2, to allow potential reintegration to SLES. old: network:vpn/strongswan new: home:msmeissn:branches:network:vpn/strongswan rev None Index: strongswan.changes =================================================================== --- strongswan.changes (revision 129) +++ strongswan.changes (revision 2) @@ -12,12 +12,12 @@ was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for - details. + details. (bsc#1191367) * Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for - details. + details. (bsc#1191435) * Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the @@ -46,7 +46,7 @@ - Update to version 5.9.3: * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl plugin. - * Added AES-CCM support to the openssl plugin (#353). + * Added AES-CCM support to the openssl plugin (#353 bsc#1185363). * The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures, which avoids unnecessary signature verifications @@ -70,6 +70,9 @@ - Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires, as this is what really checks for. Needed as libsoup-3.0 is released. +- 5.9.1 + - README: added a missing " to pki example command (bsc#1167880) + - fixed a libgcrypt call in FIPS mode (bsc#1180801) ------------------------------------------------------------------- Mon Sep 7 08:38:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
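Review bot: In the second hunk, the new bug reference is appended inside the existing parentheses without a separator, `(#353 bsc#1185363)`, which reads as a single token; the first hunk keeps the bsc references in their own parentheses, so for consistency (and for tooling that extracts bsc#/boo# references from changes entries) write `(#353, bsc#1185363)` or `(#353) (bsc#1185363)`.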
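Review bot: In the third hunk, the added `- 5.9.1` block lands at the tail of the pre-existing libsoup BuildRequires entry (just above the `Mon Sep 7 08:38:01 UTC 2020` separator) rather than in the changes entry that actually introduced 5.9.1, and its nested `  - README: ...` / `  - fixed a libgcrypt call ...` items use a dash bullet where every other sub-item in this file uses `  * `; move the two bsc#1167880 / bsc#1180801 references to the entry that covers the 5.9.1 update and use the `  * ` sub-item style so the changelog syntax check accepted in revision 137 ("heed changelog syntax requirements") keeps passing.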
Jan Engelhardt (jengelh) accepted request 933481 from Johannes Segitz (jsegitz) (revision 129)
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Jan Engelhardt (jengelh) accepted request 933151 from Bjørn Lie (iznogood) (revision 128)
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details.
  * Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details.
  * Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use it.
  * Migrated testing scripts to Python 3.
Displaying revisions 21 - 40 of 167