[strongswan/el6] New upstream release

Jamie Nguyen jamielinux at fedoraproject.org
Mon Jul 15 22:58:23 UTC 2013


commit 84852c31c60ae123dad4676979539e96384cb790
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Wed May 1 16:07:32 2013 -0400

    New upstream release
    
    - Fixes for CVE-2013-2944
    - Enabled support for OS IMV/IMC
    - Created and applied a patch to disable ECP in Fedora, because
      OpenSSL in Fedora does not allow ECP_256 and ECP_384. This makes
      it non-compliant with TCG's PTS standard, but there is no choice
      right now. See Red Hat bz # 319901.
    - Enabled Trousers support for TPM based operations.

 .gitignore                       |    1 +
 sources                          |    2 +-
 strongswan-pts-ecp-disable.patch |   20 ++++++++++++++++++++
 strongswan.spec                  |   23 +++++++++++++++++++++--
 4 files changed, 43 insertions(+), 3 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 81bf4de..d316010 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /strongswan-5.0.1.tar.bz2
 /strongswan-5.0.2.tar.bz2
 /strongswan-5.0.3.tar.bz2
+/strongswan-5.0.4.tar.bz2
diff --git a/sources b/sources
index bb79e8d..c5e1904 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-12e0a7a1be2ca0490c69146899e8a9bb  strongswan-5.0.3.tar.bz2
+0ab0397b44b197febfd0f89148344035  strongswan-5.0.4.tar.bz2
diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch
new file mode 100644
index 0000000..6cd3ff4
--- /dev/null
+++ b/strongswan-pts-ecp-disable.patch
@@ -0,0 +1,20 @@
+diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c
+--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c	2013-05-01 15:50:51.332560748 -0400
++++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c	2013-05-01 15:57:53.545271367 -0400
+@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
+ 	{
+ 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
+ 											ECP_256_BIT);
++		/* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die
++ 		 * here. As far as, there is one dh group available, lets continue. It makes
++ 		 * it non-compliant to TCG's PTS standard, but there is no choice right now.
++ 		 * see redhat bz # 319901.	
++ 		 */ 
++		if(*dh_groups != PTS_DH_GROUP_NONE) 
++		{
++			return TRUE;		
++		}
++
+ 	}
+ 	return FALSE;
+ }
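Review bot: The added fallback `if(*dh_groups != PTS_DH_GROUP_NONE)` returns TRUE for any non-empty group set, so when ECP_256 is missing the probe succeeds even if only the weakest probed group is available. Nothing is logged after the "mandatory ... not available" message to say that a fallback was taken, so the log reads as a failure while the function reports success. Consider a minimum-strength floor such as `if (*dh_groups & PTS_DH_GROUP_IKE14)` (confirm the flag name against pts_dh_group.h, which is not part of this hunk), preceded by a DBG1 line stating that PTS continues without the mandatory group. The body of pts_dh_group_probe starts before the hunk, so which groups are actually probed is not visible here.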
diff --git a/strongswan.spec b/strongswan.spec
index c9cda40..af19112 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,12 +1,13 @@
 Name:           strongswan
-Version:        5.0.3
-Release:        2%{?dist}
+Version:        5.0.4
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN Solution
 Group:          System Environment/Daemons
 License:        GPLv2+
 URL:            http://www.strongswan.org/
 Source0:        http://download.strongswan.org/%{name}-%{version}.tar.bz2
 Patch0:         strongswan-init.patch
+Patch1:         strongswan-pts-ecp-disable.patch
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
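Review bot: `Patch1:` is added without a comment saying that it is a downstream-only change or when it can be dropped, and the patch relaxes a mandatory-group check rather than fixing a build problem. A comment above the line would keep that visible to the next packager, for example `# Downstream only: let the PTS DH probe pass without ECP_256 (bz 319901); drop once OpenSSL provides ECP`. The `%patch1 -p1` line in a later hunk applies it unconditionally on every target this spec builds for, which is worth stating in the same comment.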
@@ -15,6 +16,7 @@ BuildRequires:  NetworkManager-devel
 BuildRequires:  NetworkManager-glib-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
+BuildRequires:  trousers-devel
 
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
 BuildRequires:  systemd-units
@@ -53,6 +55,7 @@ IF-IMC/IMV interface.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
 
 %build
@@ -63,6 +66,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
     --sysconfdir=%{_sysconfdir}/%{name} \
     --with-ipsecdir=%{_libexecdir}/%{name} \
     --with-ipseclibdir=%{_libdir}/%{name} \
+    --with-tss=trousers \
     --enable-openssl \
     --enable-md4 \
     --enable-xauth-eap \
@@ -82,6 +86,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
     --enable-imv-scanner  \
     --enable-imc-attestation \
     --enable-imv-attestation \
+    --enable-imv-os \
+    --enable-imc-os \
     --enable-eap-tnc \
     --enable-tnccs-20 \
     --enable-tnc-imc \
@@ -213,9 +219,11 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
 %dir %{_libdir}/%{name}/imcvs/imc-attestation.so
 %dir %{_libdir}/%{name}/imcvs/imc-scanner.so
 %dir %{_libdir}/%{name}/imcvs/imc-test.so
+%dir %{_libdir}/%{name}/imcvs/imc-os.so
 %dir %{_libdir}/%{name}/imcvs/imv-attestation.so
 %dir %{_libdir}/%{name}/imcvs/imv-scanner.so
 %dir %{_libdir}/%{name}/imcvs/imv-test.so
+%dir %{_libdir}/%{name}/imcvs/imv-os.so
 %dir %{_libdir}/%{name}/plugins
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
 %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
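Review bot: The two added entries for `imc-os.so` and `imv-os.so` use `%dir` on shared objects, although `%dir` is meant for owning a directory without its contents. Plain file entries would be the conventional form, e.g. `%{_libdir}/%{name}/imcvs/imc-os.so`. The neighbouring context lines have the same form, so this looks copied from the existing list and could be cleaned up for the whole group at once.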
@@ -227,6 +235,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
 %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/attest
+%{_libexecdir}/%{name}/pacman
 
 
 %files NetworkManager
@@ -271,6 +280,16 @@ fi
 %endif
 
 %changelog
+* Wed May 1 2013 Avesh Agarwal <avagarwa at redhat.com> - 5.0.4-1
+- New upstream release
+- Fixes fo CVE-2013-2944
+- Enabled support for OS IMV/IMC
+- Created and applied a patch to disable ECP in fedora, because
+  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
+  it non-compliant to TCG's PTS standard, but there is no choice
+  right now. see redhat bz # 319901.
+- Enabled Trousers support for TPM based operations.
+
 * Sat Apr 20 2013 Pavel Šimerda <psimerda at redhat.com> - 5.0.3-2
 - Rebuilt for a single specfile for rawhide/f19/f18/el6
 

