Revisions of strongswan

buildservice-autocommit accepted request 573411 from Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) (revision 107)
auto commit by copy to link target
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 534431 from Jan Engelhardt's avatar Jan Engelhardt (jengelh) (revision 106)
- Update summaries and descriptions. Trim filler words and
  author list.
- Drop %if..%endif guards that are idempotent and do not affect
  the build result.
- Replace old $RPM_ shell variables.
buildservice-autocommit accepted request 521289 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 105)
auto commit by copy to link target
Nirmoy Das's avatar Nirmoy Das (ndas) accepted request 521273 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 104)
- Updated to strongSwan 5.6.0 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
    *The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
    
    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
    * more on https://wiki.strongswan.org/versions/66
Nirmoy Das's avatar Nirmoy Das (ndas) accepted request 521079 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 103)
- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes:
Nirmoy Das's avatar Nirmoy Das (ndas) accepted request 521071 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 102)
- fix "uintptr_t’ undeclared" compilation error.
  [+0006-fix-compilation-error-by-adding-stdint.h.patch]
buildservice-autocommit accepted request 514549 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 101)
auto commit by copy to link target
Nirmoy Das's avatar Nirmoy Das (ndas) accepted request 513652 from Nirmoy Das's avatar Nirmoy Das (ndas) (revision 99)
- Updated to strongSwan 5.3.5 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce, if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
    *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
    didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
    *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.
    *The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.
    *The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the
buildservice-autocommit accepted request 442527 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 98)
auto commit by copy to link target
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) accepted request 406438 from Douglas Kosovic's avatar Douglas Kosovic (dkosovic) (revision 97)
NetowrkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect.

NetowrkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2.
buildservice-autocommit accepted request 344762 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 96)
auto commit by copy to link target
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 95)
- Applied upstream fix for a authentication bypass vulnerability
  in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
buildservice-autocommit accepted request 311158 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 94)
auto commit by copy to link target
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 93)
- Applied upstream fix for a rogue servers vulnerability, that may
  enable rogue servers able to authenticate itself with certificate
  issued by any CA the client trusts, to gain user credentials from
  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
- Fix to apply unknown_payload patch if fips is disabled (<= 13.1)
  and renamed it to use number prefix corresponding with patch nr.
  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]
buildservice-autocommit accepted request 309675 from Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) (revision 92)
auto commit by copy to link target
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 91)
added references to patch file
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 90)
- Applied upstream fix for a DoS and potential remote code execution
  vulnerability through payload type (bsc#931272,CVE-2015-3991)
  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 89)
- reverted last commit, not needed here
Marius Tomaschewski's avatar Marius Tomaschewski (mtomaschewski) committed (revision 88)
- Applied a fix by Marcus Meissner for a loop check in ipsec pki
  causing a segfault on attempt to create certificates when fips
  is enabled (bsc#918474,https://wiki.strongswan.org/issues/881)
  [+ 0006-strongswan-pkifix.918474.patch]
Displaying revisions 61 - 80 of 167
openSUSE Build Service is sponsored by