File openswan.changes of Package openswan
-------------------------------------------------------------------
Mon Sep 7 09:23:44 CEST 2009 - mt@suse.de
- Applied fixes for the asn1_length() function checks to complete
the fixes for the RDN parser DoS vulnerability discovered by
Orange Labs research team two months ago (bnc#525388).
-------------------------------------------------------------------
Thu Jun 25 18:14:56 CEST 2009 - mt@suse.de
- Applied fixes for Denial-of-Service vulnerabilities found by
Orange Labs vulnerability research team in the parsing of ASN.1
Relative Distinguished Names (RDNs), GENERALIZEDTIME and UTCTIME
strings. Malformed X.509 certificate RDNs can cause the pluto
and charon IKE daemons to crash and restart (CVE-2009-2185,
bnc#515130).
-------------------------------------------------------------------
Mon Mar 23 16:46:17 CET 2009 - mt@suse.de
- Fix for a Denial-of-Service vulnerability where a DPD R_U_THERE
or R_U_THERE_ACK NOTIFY message (RFC 3706, Dead Peer Detection)
received on UDP port 500 or 4500 and not related to an existing
ISAKMP Security Association causes an immediate crash of the IKEv1
pluto daemon while dereferencing a NULL state pointer (bnc#487762).
-------------------------------------------------------------------
Tue Mar 10 14:41:19 CET 2009 - mt@suse.de
- Removed moot livetest tool (bnc#483803, CVE-2008-4190).
-------------------------------------------------------------------
Fri Sep 5 10:36:30 CEST 2008 - mt@suse.de
- Updated from openswan-2.4.7 to 2.6.16, a new version series. It
adapts to the actual NETKEY code in the Linux kernel, provides
many fixes and implements new features, such as IKEv2 / IPv6 support.
Review the CHANGES file for all details.
- Dropped obsolete patches and hooks, adapted other patches and
the spec file.
-------------------------------------------------------------------
Mon Sep 10 15:26:56 CEST 2007 - mt@suse.de
- Moved html and man3 documentation into openswan-doc
- Added a Short-Description LSB tag and $remote_fs start
requirement to the init script (openswan_40_rcscript.dif)
- Added stop_on_removal/restart_on_update to rpm pre/postun
- Cleaned up installation of the documentation as well as
other problems mentioned by rpmlint.
-------------------------------------------------------------------
Thu Jun 21 17:25:11 CEST 2007 - adrian@suse.de
- fix changelog entry order
-------------------------------------------------------------------
Fri Mar 23 13:50:14 CET 2007 - mt@suse.de
- Bug #234042: Changed back internal nhelpers option default to
use number of CPU-1 crypto workers. Added fallback to perform
inline calculations in main process, when all workers are busy.
Obsolete patch file: openswan_16_nhelpers_default.dif
New patch file name: openswan_16_crypto_inline_fallback.dif
-------------------------------------------------------------------
Fri Mar 16 19:58:00 CET 2007 - mt@suse.de
- Bug #234042: Applied proposed patch fixing bogus crypto helper
management code. The number of crypto helpers (nhelpers option)
has to be set at least to number of tunnels/2 + 1 to take effect.
New patch file: openswan_15_crypto_helper_fix.dif
- Bug #234042: Applied fix to display correct crypto helper number
in debug output of the pluto_do_crypto_op function. Changed the
default of the nhelpers option to 0 (instead of number of CPU-1).
This disables the crypto helpers by default (inline calculation).
New patch file: openswan_16_nhelpers_default.dif
-------------------------------------------------------------------
Fri Jan 19 11:08:15 CET 2007 - mt@suse.de
- Updated to openswan-2.4.7, providing interop fix for Sonicwall
and many other fixes and cleanups, see CHANGES file.
- Adopted patches, removed obsolete patches:
openswan_35_quiet-insmod.dif, openswan_37_aes_insmod.dif
-------------------------------------------------------------------
Thu Jan 18 16:41:02 CET 2007 - mt@suse.de
- Minimal patch fixing strncat calls and casts breaking strict
aliasing rules as mentioned by the compiler, Bug #233586
-------------------------------------------------------------------
Wed Aug 30 14:47:36 CEST 2006 - mt@suse.de
- updated to openswan-2.4.6, adopted patches. Now, the default
ipsec.conf file contains "nhelpers=0" to avoid "failed to find
any available worker" problems -- see also Bug #186061.
-------------------------------------------------------------------
Thu Mar 16 12:31:28 CET 2006 - mt@suse.de
- Bug #148385, fixed further documentation inconsistency
pointed out by Martin Mrazik.
-------------------------------------------------------------------
Thu Mar 9 03:08:30 CET 2006 - mt@suse.de
- Bug #148385, fixed "ipsec auto" parameter in html docs
(different file, same bug).
-------------------------------------------------------------------
Wed Feb 8 12:31:31 CET 2006 - mt@suse.de
- Bug #148385, fixed "ipsec auto" parameter in html docs.
-------------------------------------------------------------------
Wed Jan 25 21:39:07 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Sat Jan 14 18:44:48 CET 2006 - kukuk@suse.de
- Add gmp-devel to nfb
-------------------------------------------------------------------
Mon Dec 19 15:12:53 CET 2005 - ro@suse.de
- remove unpackaged symlinks
-------------------------------------------------------------------
Fri Nov 18 18:06:32 CET 2005 - mt@suse.de
- Updated to openswan-2.4.4 fixing 3DES and aggressive mode
related denial of service (VU#226364, 273756/NISCC/ISAKMP)
as well as other issues. Bug #134158.
- Fixed link generation regex (openswan_08_doc-man2html.dif)
- Removed man2html source - not used any more to generate docs.
-------------------------------------------------------------------
Thu Oct 27 15:47:00 CEST 2005 - mt@suse.de
- Updated to openswan-2.4.0 (final). It does not provide any
relevant changes in the source code (klips natt info only).
- Fixed Bug #116413 generation/installation of the html docs.
-------------------------------------------------------------------
Wed Sep 7 11:59:31 CEST 2005 - mt@suse.de
- Updated to openswan-2.4.0rc5 adding fix to dead peer
detection cleanup and updown script. Adopted patches.
- Fixed return codes for "rcipsec status".
-------------------------------------------------------------------
Fri Aug 26 19:14:29 CEST 2005 - mt@suse.de
- Updated to openswan 2.4.0rc4 adding minor fixes
- Added workaround "plutowait=yes" setting to avoid failures of a
first connect attempt in case where all crypto helpers were busy
with setup of another tunnel (Bug #412 on openswan.org).
new patch file: openswan_42_plutowait-yes.dif
-------------------------------------------------------------------
Tue Aug 23 12:53:31 CEST 2005 - mt@suse.de
- Updated to openswan 2.4.0rc3 fixing a pluto crash when used
with multiple L2TP/IPsec clients in transport mode behind NAT
-------------------------------------------------------------------
Fri Aug 19 15:11:39 CEST 2005 - mt@suse.de
- Updated to openswan 2.4.0rc1; obsoletes patches:
openswan_05_checkv199.dif, openswan_11_yyerror.dif,
openswan_13_system.dif, openswan_20_noslave.dif,
openswan_21_sigmask.dif, openswan_25_noxauth.dif,
openswan_30_newhostkey.dif, openswan_36_ipsec_look.dif
- Applied diverse fixes for signed issues from cvs head:
new patch file: openswan_11_gcc4cvshead.dif
-------------------------------------------------------------------
Tue Aug 16 11:18:30 CEST 2005 - mt@suse.de
- added dummy states if aggressive mode is disabled to
avoid build dependent state numbering (from CVS head)
-------------------------------------------------------------------
Wed Aug 3 14:33:09 CEST 2005 - mt@suse.de
- improved aggressive mode patch openswan_24_noaggressive.dif
- merged updown patches 32 and 33 into openswan_32_updown-nexthop.dif,
added skipping to add a route in some host to host tunnel cases
- renamed 36_sourceip-mask patch to openswan_33_updown-srcmask.dif
- renamed 12_gcc4sign patch to openswan_12_socklen.dif, improved
- renamed 13_gcc4warn patch to openswan_13_system.dif, improved
- added checks to ipsec look command to avoid "no such file" errors.
new patch file: openswan_36_ipsec_look.dif
- workaround to load aes-$arch crypto module if not aliased (x86_64)
new patch file: openswan_37_aes_insmod.dif
-------------------------------------------------------------------
Mon Jul 4 17:12:50 CEST 2005 - mt@suse.de
- Bug #66215: patch for updown script to solve SNAT/MASQUERADE
problems with recent kernels, using netmask of the remote (peer)
network instead of /32 for source address.
New patch file: openswan_36_sourceip-mask.dif
-------------------------------------------------------------------
Mon Jul 4 15:09:05 CEST 2005 - mt@suse.de
- removed most of the GCC4 patch (openswan_12_gcc4sign.dif)
because it breaks at least the asn1 decoding (pem parsing).
-------------------------------------------------------------------
Thu Jun 30 15:35:04 CEST 2005 - mt@suse.de
- added openswan_24_noaggressive.dif and openswan_25_noxauth.dif
patches fixing dependencies to USE_AGGRESSIVE USE_XAUTH flags
- disabled AGGRESSIVE and XAUTH in openswan_00_features.dif
- added an openswan prefix to several source files
-------------------------------------------------------------------
Sat May 7 03:04:59 CEST 2005 - mt@suse.de
- added openswan_13_gcc4warn.dif patch, fixing diverse unused
system() return codes mentioned by gcc4 in code using -Werror
-------------------------------------------------------------------
Sat May 7 02:00:06 CEST 2005 - mt@suse.de
- fixed GCC4 patch
-------------------------------------------------------------------
Sat May 7 00:59:25 CEST 2005 - mt@suse.de
- started to update to openswan-2.3.1
- adapted patches to match new sources
- renamed all patches to contain a number for
manual applying and end with a .dif suffix
-------------------------------------------------------------------
Wed May 4 14:10:35 CEST 2005 - yxu@suse.de
- fixed for GCC4
-------------------------------------------------------------------
Mon Mar 21 17:20:44 CET 2005 - mt@suse.de
- Bug #73863: added patch for _updown script to skip using nexthop
(via parameter for ip route) if it is not reachable through any
directly connected network (but via default route only).
new patch file: openswan-updown-nexthop-not-local.dif
-------------------------------------------------------------------
Fri Jan 14 14:27:47 CET 2005 - ro@suse.de
- use sigprocmask instead of sigsetmask in invokepluto
-------------------------------------------------------------------
Sun Sep 26 17:56:55 CEST 2004 - garloff@suse.de
- Fix initscript exit codes and messages. [#42604]
-------------------------------------------------------------------
Sat Sep 18 23:30:17 CEST 2004 - garloff@suse.de
- Update to openswan-2.2.0: Fixes for SA Selectors on 2.6.
- Add README.SUSE [#44368].
-------------------------------------------------------------------
Mon Sep 6 12:02:46 CEST 2004 - garloff@suse.de
- Update to openswan-2.2.0dr4: NAT-T & X.509 security fixes
- Drop openswan-dont-try-espinudp-on-ipv6.diff (integrated upstream)
- Drop openswan-natt.diff (integrated upstream)
-------------------------------------------------------------------
Sun Aug 29 02:02:40 CEST 2004 - garloff@suse.de
- Drop notification message.
-------------------------------------------------------------------
Thu Aug 19 10:54:44 CEST 2004 - garloff@suse.de
- Fix _realsetup script.
-------------------------------------------------------------------
Mon Aug 16 16:29:38 CEST 2004 - garloff@suse.de
- Fix noklips patch (but leave it disabled)
- NAT-T patch: The last message could have been wrongly sent via
the established tunnel.
-------------------------------------------------------------------
Fri Aug 13 17:50:54 CEST 2004 - garloff@suse.de
- Initial creation of openswan-2.2.0dr3
- Reuse many of the freeswan2 patches