Revisions of strongswan

buildservice-autocommit accepted request 123120 from Marius Tomaschewski (mtomaschewski) (revision 47)
auto commit by copy to link target

Marius Tomaschewski (mtomaschewski) committed (revision 46)
- Updated to strongSwan 4.6.4 release:
  - Fixed a security vulnerability in the gmp plugin. If this plugin was used for RSA signature verification an empty or zeroed signature was handled as a legitimate one (bnc#761325, CVE-2012-2388).
  - Fixed several issues with reauthentication and address updates.

buildservice-autocommit accepted request 120579 from Marius Tomaschewski (mtomaschewski) (revision 45)
auto commit by copy to link target

Marius Tomaschewski (mtomaschewski) committed (revision 44)
- Updated to strongSwan 4.6.3 release:
  - The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point.
  - The eap-radius authentication backend enforces Session-Timeout attributes using RFC4478 repeated authentication and acts upon RADIUS Dynamic Authorization extensions, RFC 5176. Currently supported are disconnect requests and CoA messages containing a Session-Timeout.
  - The eap-radius plugin can forward arbitrary RADIUS attributes from and to clients using custom IKEv2 notify payloads. The new radattr plugin reads attributes to include from files and prints received attributes to the console.
  - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
  - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms as defined in RFC 4494 and RFC 4615, respectively.
  - The resolve plugin automatically installs nameservers via resolvconf(8), if it is installed, instead of modifying /etc/resolv.conf directly.
  - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110 DNSKEY and PKCS#1 file format.
  - The farp plugin sends ARP responses for any tunneled address, not only virtual IPs.
  - Charon resolves hosts again during additional keying tries.
  - Fixed switching back to original address pair during MOBIKE.
  - When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value, as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t, see source:src/libcharon/sa/keymat.h#39 for details.
  - COOKIEs are now kept enabled a bit longer to avoid certain race

buildservice-autocommit accepted request 109123 from Marius Tomaschewski (mtomaschewski) (revision 43)
auto commit by copy to link target

Marius Tomaschewski (mtomaschewski) accepted request 107821 from Thomas Abraham (tabraham1) (revision 42)
update to 4.6.2

buildservice-autocommit accepted request 105223 from Marius Tomaschewski (mtomaschewski) (revision 41)
auto commit by copy to link target

Marius Tomaschewski (mtomaschewski) committed (revision 40)
- Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc

Marius Tomaschewski (mtomaschewski) committed (revision 39)
- Updated to strongSwan 4.6.1 release:
  Changes in 4.6.1:
  - Because of changing checksums before and after installation which caused the integrity tests to fail we avoided directly linking libsimaka, libtls and libtnccs to those libcharon plugins which make use of these dynamic libraries. Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu 11.10 activated the --as-needed ld option which discards explicit links to dynamic libraries that are not actually used by the charon daemon itself, thus causing failures during the loading of the plugins which depend on these libraries for resolving external symbols.
  - Therefore our approach of computing integrity checksums for plugins had to be changed radically by moving the hash generation from the compilation to the post-installation phase.
  Changes in 4.6.0:
  - The new libstrongswan certexpire plugin collects expiration information of all used certificates and exports them to CSV files. It either directly exports them or uses cron style scheduling for batch exports.
  - Starter passes unresolved hostnames to charon, allowing it to do name resolution not before the connection attempt. This is especially useful with connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey for the initial patch.
  - The android plugin can now be used without the Android frontend patch and provides DNS server registration and logging to logcat.
  - Pluto and starter (plus stroke and whack) have been ported to Android.
  - Support for ECDSA private and public key operations has been added to the pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can use tokens as random number generators (RNG). By default only private key operations are enabled, more advanced features have to be enabled by their option in strongswan.conf. This also applies to public

Marius Tomaschewski (mtomaschewski) accepted request 102857 from Andreas Jaeger (a_jaeger) (revision 38)
Only glib.h can be included, fix compilation.

buildservice-autocommit accepted request 97889 from Andreas Jaeger (a_jaeger) (revision 37)
auto commit by copy to link target

Andreas Jaeger (a_jaeger) accepted request 97737 from Stephan Kulow (coolo) (revision 36)
- remove call to suse_update_config (very old work around)

buildservice-autocommit accepted request 81895 from Stephan Kulow (coolo) (revision 35)
auto commit by copy to link target

_service committed (revision 34)
generated via source service

Stephan Kulow (coolo) committed (revision 33)
- remove _service file, too fragile

Marius Tomaschewski (mtomaschewski) committed (revision 32)
- Fixed version in last changelog entry
- Updated to strongSwan 4.5.3 release, changes overview since 4.5.2:

buildservice-autocommit accepted request 81608 from Marius Tomaschewski (mtomaschewski) (revision 31)
auto commit by copy to link target

_service committed (revision 30)
generated via source service

Marius Tomaschewski (mtomaschewski) committed (revision 29)
- Fixed some fmt warnings in libchecksum, adopted paths in the spec file

Marius Tomaschewski (mtomaschewski) committed (revision 28)
- Updated to strongSwan 4.5.2 release, changes overview since 4.5.2:
  * Our private libraries (e.g. libstrongswan) are not installed directly in prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by default). The plugins directory is also moved from libexec/ipsec/ to that directory.
  * The dynamic IMC/IMV libraries were moved from the plugins directory to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
  * Job priorities were introduced to prevent thread starvation caused by too many threads handling blocking operations (such as CRL fetching).
  * Two new strongswan.conf options allow to fine-tune performance on IKEv2 gateways by dropping IKE_SA_INIT requests on high load.
  * IKEv2 charon daemon supports PASS and DROP shunt policies preventing traffic to go through IPsec connections. Installation of the shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel interfaces.
  * The history of policies installed in the kernel is now tracked so that e.g. trap policies are correctly updated when reauthenticated SAs are terminated.
  * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol. Using "netstat -l" the IMC scans open listening ports on the TNC client and sends a port list to the IMV which based on a port policy decides if the client is admitted to the network.
  * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
  * The IKEv2 close action does not use the same value as the ipsec.conf dpdaction setting, but the value defined by its own closeaction keyword. The action is triggered if the remote peer closes a CHILD_SA unexpectedly.

Displaying revisions 121 - 140 of 167