Overview

Request 207810 accepted

- Applied upstream fix for a denial-of-service and authorization
bypass vulnerability via crafted ID payload in strongswan 4.3.3
up to 5.1.0 (CVE-2013-6075, bnc#847506).
[0007-strongswan-4.3.3_5.1.0-bnc-847506-CVE-2013-6075.patch]
- Added a recursion limit to get_route in netlink plugin to avoid
a charon crash while trying to find a source address when local
left is set to %any on newer kernels sorting the default route
as first one (bnc#840826).
[0006-strongswan-4.6.4-bnc-840826-recursion-limit.patch]
- Applied upstream fix for a denial-of-service vulnerability that
could be triggered by special XAuth usernames and EAP identities
(affected by this are 5.0.3 and 5.0.4), and local PEM files (all
versions since 4.1.11) (CVE-2013-5018, bnc#833278).
[0005-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch]
- Applied upstream patch adjusting an internal thread id causing
charon keying daemon start failure (bnc#779038, strongswan#198):
openssl: Ensure the thread ID is never zero
This might otherwise cause problems because OpenSSL tries to
lock mutexes recursively if it assumes the lock is held by a
different thread e.g. during FIPS initialization.
See http://wiki.strongswan.org/issues/198 for more information.
[0003-openssl-Ensure-the-thread-ID-is-never-zero.patch]

Request History
Stefan Lijewski's avatar

lijews created request



lijews accepted request
