openSUSE: 2020:0403-1: moderate: strongswan

    Date 29 Mar 2020
    386
    Posted By LinuxSecurity Advisories
    An update that fixes one vulnerability is now available.
       openSUSE Security Update: Security update for strongswan
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2020:0403-1
    Rating:             moderate
    References:         #1079548 
    Cross-References:   CVE-2018-6459
    Affected Products:
                        openSUSE Leap 15.1
    ______________________________________________________________________________
    
       An update that fixes one vulnerability is now available.
    
    Description:
    
       This update for strongswan fixes the following issues:
    
       Strongswan was updated to version 5.8.2 (jsc#SLE-11370).
    
       Security issue fixed:
    
       - CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
         RSASSA-PSS signatures that was caused by insufficient input validation
         (bsc#1079548).
    
       Full changelogs:
    
       Version 5.8.2
    
         * Identity-based CA constraints, which enforce that the certificate
           chain of the remote peer contains a CA certificate with a specific
           identity, are supported via vici/swanctl.conf. This is similar to the
           existing CA constraints but doesn't require that the CA certificate is
           locally installed, for instance, intermediate CA certificates received
           from the peers. Wildcard identity matching (e.g. ..., OU=Research,
           CN=*) could also be used for the latter but requires trust in the
           intermediate CAs to only issue certificates with legitimate subject
           DNs (e.g. the "Sales" CA must not issue certificates with
           OU=Research). With the new constraint that's not necessary as long as
           a path length basic constraint (--pathlen for pki --issue) prevents
           intermediate CAs from issuing further intermediate CAs.
         * Intermediate CA certificates may now be sent in hash-and-URL encoding
           by configuring a base URL for the parent CA (#3234,
           swanctl/rw-hash-and-url-multi-level).
         * Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
           based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and
           ntru plugins.
         * Random nonces sent in an OCSP requests are now expected in the
           corresponding OCSP responses.
         * The kernel-netlink plugin now ignores deprecated IPv6 addresses for
           MOBIKE. Whether temporary
           or permanent IPv6 addresses are included now depends on the
            charon.prefer_temporary_addrs setting (#3192).
         * Extended Sequence Numbers (ESN) are configured via PF_KEY if supported
           by the kernel.
         * The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now
           cleared before sending requests, as many of the messages sent by the
           kernel are sent as broadcasts to all PF_KEY sockets. This is an issue
           if an external tool is used to manage SAs/policies unrelated to IPsec
           (#3225).
         * The vici plugin now uses unique section names for CHILD_SAs in
           child-updown events (7c74ce9190).
         * For individually deleted CHILD_SAs (in particular for IKEv1) the vici
           child-updown event now includes more information about the CHILD_SAs
           such as traffic statistics (#3198).
         * Custom loggers are correctly re-registered if log levels are changed
           via stroke loglevel (#3182).
         * Avoid lockups during startup on low entropy systems when using OpenSSL
           1.1.1 (095a2c2eac).
         * Instead of failing later when setting a key, creating HMACs via
           openssl plugin now fails instantly if the underlying hash algorithm
           isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins
           work properly (#3284).
         * Exponents of RSA keys read from TPM 2.0 via SAPI are correctly
           converted (8ee1242f1438).
         * Routing table IDs > 255 are supported for custom routes on Linux.
         * To avoid races, the check for hardware offloading support in the
           kernel-netlink plugin is performed during initialization of the plugin
           (a605452c03).
         * The D-Bus config file for charon-nm is now installed in
           $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d,
           which is intended for sysadmin overrides. INVALID_MAJOR_VERSION
           notifies are now correctly sent in messages of the same exchange type
           and with the same message ID as the request.
         * IKEv2 SAs are now immediately destroyed when sending or receiving
           INVALID_SYNTAX notifies in authenticated messages.
         * For developers working from the repository the configure script now
           aborts if GNU gperf is not found.
    
       Version 5.8.1
    
         * RDNs in DNs of X.509 certificates can now optionally be matched less
           strict. The global strongswan.conf option charon.rdn_matching takes
           two alternative values that cause the matching algorithm to either
           ignore the order of matched RDNs (reordered) or additionally (relaxed)
           accept DNs that contain more RDNs than configured (unmatched RDNs are
           treated like wildcard matches).
         * The updown plugin now passes the same interface to the script that is
           also used for the automatically installed routes, that is, the
           interface over which the peer is reached instead of the interface on
           which the local address is found (#3095).
         * TPM 2.0 contexts are now protected by a mutex to prevent issues if
           multiple IKE_SAs use the same private key concurrently (4b25885025).
         * Do a rekey check after the third QM message was received (#3060).
         * If available, explicit_bzero() is now used as memwipe() instead of our
           own implementation.
         * An .editorconfig file has been added, mainly so Github shows files
           with proper indentation (68346b6962).
         * The internal certificate of the load-tester plugin has been modified
           so it can again be used as end-entity cert with 5.6.3 and later
           (#3139).
         * The maximum data length of received COOKIE notifies (64 bytes) is now
           enforced (#3160).
    
       Version 5.8.0
    
         * The systemd service units have been renamed. The modern unit, which
           was called strongswan-swanctl, is now called strongswan (the previous
           name is configured as alias in the unit, for which a symlink is
           created when the unit is enabled). The legacy unit is now called
           strongswan-starter.
         * Support for XFRM interfaces (available since Linux 4.19) has been
           added, which are intended to replace VTI devices (they are similar but
           offer several advantages, for instance, they are not bound to an
           address or address family).
         * IPsec SAs and policies are associated with such interfaces via
           interface IDs that can be configured in swanctl.conf (dynamic IDs may
           optionally be allocated for each SA and even direction). It's possible
           to use separate interfaces for in- and outbound traffic (or
           only use an interface in one direction and regular policies in the
            other).
         * Interfaces may be created dynamically via updown/vici scripts, or
           statically before or after establishing the SAs. Routes must be added
           manually as needed (the daemon will not install any routes for
           outbound policies with an interface ID).
         * When moving XFRM interfaces to other network namespaces they retain
           access to the SAs and policies installed in the original namespace,
           which allows providing IPsec tunnels for processes in other network
           namespaces without giving them access to the IPsec keys or IKE
           credentials. More information can be found on the page about
           route-based VPNs.
         * Initiation of childless IKE_SAs is supported (RFC 6023). If enabled
           and supported by the responder, no CHILD_SA is established during
           IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
           exchanges. This allows using a separate DH exchange even for the first
           CHILD_SA, which is otherwise created during IKE_AUTH with keys derived
           from the IKE_SA's key material.
         * The swanctl --initiate command may be used to initiate only the IKE_SA
           via --ike
           option if --child is omitted and the peer supports this extension.
         * The NetworkManager backend and plugin support IPv6.
         * The new wolfssl plugin is a wrapper around the wolfSSL crypto library.
           Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch.
         * IKE SPIs may optionally be labeled via the charon.spi_mask|label
           options in strongswan.conf. This feature was extracted from
           charon-tkm, however, now applies the mask/label in network order.
         * The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL
           1.1.0.
         * The PB-TNC finite state machine according to section 3.2 of RFC 5793
           was not correctly implemented when sending either a CRETRY or SRETRY
           batch. These batches can only be sent in the "Decided" state and a
           CRETRY batch can immediately carry all messages usually transported by
           a CDATA batch. It is currently not possible to send a SRETRY batch
           since full-duplex mode for PT-TLS transport is not supported.
         * Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink
           plugin now uses address labels to avoid that such addresses are used
           for non-VPN traffic (00a953d090).
         * The agent plugin now creates sockets to the ssh/gpg-agent dynamically
           and does not keep them open, which otherwise might prevent the agent
           from getting terminated.
         * To avoid broadcast loops the forecast plugin now only reinjects
           packets that are marked
           or received from the configured interface.
         * UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which
           internally uses an UTF-16LE encoding to calculate the NT hash (#3014).
         * Properly delete temporary drop policies (used when updating IP
           addresses of SAs) if manual priorities are used, which was broken
           since 5.6.2 (8e31d65730).
         * Avoid overwriting start_action when parsing the inactivity timeout in
           the vici plugin (#2954).
         * Fixed the automatic termination of reloaded vici connections with
           start_action=start, which was broken since 5.6.3 (71b22c250f).
         * The lookup for shared secrets for IKEv1 SAs via sql plugin should now
           work better (6ec9f68f32).
         * Fixed a race condition in the trap manager between installation and
           removal of a policy (69cbe2ca3f).
         * The IPsec stack detection and module loading in starter has been
           removed (it wasn't enforced anyway and loading modules doesn't seem
           necessary, also KLIPS hasn't been supported for a long time and PF_KEY
           will eventually be removed from the Linux kernel, ba817d2917).
         * Several IKEv2 protocol details are now handled more strictly:
           Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if
           no CFG_REQUEST payloads were sent, a USE TRANSPORT_MODE notify
           received from the responder is checked against the local configuration.
         * The keys and certificates used by the scenarios in the testing
           environment are now generated dynamically. Running the
           testing/scripts/build-certs script after creating the base and root
           images uses the pki utility installed in the latter to create the keys
           and certificates for all the CAs and in some cases for individual
           scenarios. These credentials are stored in the source tree, not the
           image, so this has to be called only once even if the images are later
           rebuilt. The script automatically (re-)rebuilds the guest images as
           that generates fresh CRLs and signs the DNS zones. The only
           keys/certificates currently not generated are the very large ones used
           by the ikev2/rw-eap-tls-fragments scenario.
    
       Version 5.7.2
    
         * For RSA with PSS padding, the TPM 2.0 specification mandates the
           maximum salt length (as defined by the length of the key and hash).
           However, if the TPM is FIPS-168-4 compliant, the salt length equals
           the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if
           that's not the case, it might be necessary to manually enable
           charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt
           length.
         * Directories for credentials loaded by swanctl are now accessed
           relative to the loaded swanctl.conf file, in particular, when loading
           it from a custom location via --file argument.
         * The base directory, which is used if no custom location for
           swanctl.conf is specified, is now also configurable at runtime via
           SWANCTL_DIR environment variable.
         * If RADIUS Accounting is enabled, the eap-radius plugin will add the
           session ID (Acct-Session-Id) to Access-Request messages, which e.g.
           simplifies associating database entries for IP leases and accounting
           with sessions (the session ID does not change when IKE_SAs are
           rekeyed, #2853).
         * All IP addresses assigned by a RADIUS server are included in
           Accounting-Stop messages even if the client did not claim them,
           allowing to release them early in case of connection errors (#2856).
         * Selectors installed on transport mode SAs by the kernel-netlink plugin
           are now updated if an IP address changes (e.g. via MOBIKE) and it was
           part of the selectors.
         * No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
         * The bypass-lan plugin now tracks interfaces to handle subnets that
           move from one interface to another and properly update associated
           routes (#2820).
         * Only valid and expected inbound IKEv2 messages are used to update the
           timestamp of the last received message (previously, retransmits also
           triggered an update).
         * IKEv2 requests from responders are now ignored until the IKE_SA is
           fully established (e.g. if a DPD request from the peer arrives before
           the IKE_AUTH response does, 46bea1add9). Delayed IKE_SA_INIT responses
           with COOKIE notifies we already recevied are ignored, they caused
           another reset of the IKE_SA previously (#2837).
         * Active and queued Quick Mode tasks are now adopted if the peer
           reauthenticates an IKEv1 SA while creating lots of CHILD_SAs.
         * Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension
           to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to
           determine the reqid of the policy even if it wasn't installed by the
           daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
           install policies themselves, 872b9b3e8d).
         * Added support for RSA signatures with SHA-256 and SHA-512 to the agent
           plugin. For older versions of ssh/gpg-agent that only support SHA-1,
           IKEv2 signature authentication has to be disabled via
           charon.signature_authentication.
         * The sshkey and agent plugins support Ed25519/Ed448 SSH keys and
           signatures.
         * The openssl plugin supports X25519/X448 Diffie-Hellman and
           Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1.
         * Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added
           to the botan plugin.
         * The mysql plugin now properly handles database connections with
           transactions under heavy load (#2779).
         * IP addresses in ha pools are now distributed evenly among all segments
           (#2828).
         * Private key implementations may optionally provide a list of supported
           signature schemes, which, as described above, is used by the tpm
           plugin because for each key on a TPM 2.0 the hash algorithm and for
           RSA also the padding scheme is predefined.
         * The testing environment is now based on Debian 9 (stretch) by default.
           This required some changes, in particular, updating to FreeRADIUS 3.x
           (which forced us to abandon the [email protected] patches and scenarios,
           2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS
           module only supports OpenSSL 1.0.2).
         * Most test scenarios were migrated to swanctl.
    
       Version 5.7.1
    
         * Fixes a vulnerability in the gmp plugin triggered by crafted
           certificates with RSA keys with very small moduli. When verifying
           signatures with such keys, the code patched with the fix for
           CVE-2018-16151/2 caused an integer underflow and subsequent heap
           buffer overflow that results in a crash of the daemon.
         * The vulnerability has been registered as CVE-2018-17540.
    
       Version 5.7.0
    
         * Fixes a potential authorization bypass vulnerability in the gmp plugin
           that was caused by a too lenient verification of PKCS#1 v1.5
           signatures. Several flaws could be exploited by a Bleichenbacher-style
           attack to forge signatures for low-exponent keys (i.e. with e=3).
         * CVE-2018-16151 has been assigned to the problem of accepting random
           bytes after the OID
           of the hash function in such signatures, and CVE-2018-16152 has been
            assigned to the issue
           of not verifying that the parameters in the ASN.1 algorithmIdentitifer
            structure is empty. Other flaws that don't lead to a vulnerability
            directly (e.g. not checking for at least 8 bytes of padding) have no
            separate CVE assigned.
         * Dots are not allowed anymore in section names in swanctl.conf and
           strongswan.conf. This mainly affects the configuration of file
           loggers. If the path for such a log file contains dots it now has to
           be configured in the new path setting within the arbitrarily renamed
           subsection in the filelog section.
         * Sections in swanctl.conf and strongswan.conf may now reference other
           sections. All settings and subsections from such a section are
           inherited. This allows to simplify configs as redundant information
           has only to be specified once and may then be included in other
           sections (see strongswan.conf for an example).
         * The originally selected IKE config (based on the IPs and IKE version)
           can now change if no matching algorithm proposal is found. This way
           the order of the configs doesn't matter that much anymore and it's
           easily possible to specify separate configs for clients that require
           weaker algorithms (instead of having to also add them in other configs
           that might be selected).
         * Support for Postquantum Preshared Keys for IKEv2
           (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to
           the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication).
         * The new botan plugin is a wrapper around the Botan C++ crypto library.
           It requires a fairly recent build from Botan's master branch (or the
           upcoming 2.8.0 release). Thanks to René Korthaus and his team from
           Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd
           for quickly adding missing functions to Botan's FFI (C89) interface.
         * Implementation of RFC 8412 "Software Inventory Message and Attributes
           (SWIMA) for PA-TNC".
         * SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log
           file resulting in a ClientRetry PB-TNC batch to initialize a new
           measurement cycle. The new imv/imc-swima plugins replace the previous
           imv/imc-swid plugins, which were removed.
         * Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793)
           NEA protocols
           on Google's OSS-Fuzz infrastructure.
         * Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The
           presence of the in-kernel /dev/tpmrm0 resource manager is
           automatically detected.
         * The pki tool accepts a xmppAddr otherName as a subjectAlternativeName
           using the syntax --san xmppaddr:.
         * swanctl.conf supports the configuration of marks the in- and/or
           outbound SA should apply to packets after processing on Linux.
           Configuring such a mark for outbound SAs requires at least a 4.14
           kernel. The ability to set a mask and configuring a mark/mask for
           inbound SAs will be added with the upcoming 4.19 kernel.
         * New options in swanctl.conf allow configuring how/whether DF, ECN and
           DS fields in the IP headers are copied during IPsec processing.
           Controlling this is currently only possible
           on Linux.
         * The handling of sequence numbers in IKEv1 DPDs has been improved
           (#2714).
         * To avoid conflicts, the dhcp plugin now only uses the DHCP server port
           if explicitly configured.
    
       Version 5.6.3
    
         * Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl
           plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This
           vulnerability has been registered as CVE-2018-10811.
         * Fixed a vulnerability in the stroke plugin, which did not check the
           received length before reading a message from the socket. Unless a
           group is configured, root privileges are required to access that
           socket, so in the default configuration this shouldn't be an issue.
           This vulnerability has been registered as CVE-2018-5388.
         * CRLs that are not yet valid are now ignored to avoid problems in
           scenarios where expired certificates are removed from new CRLs and the
           clock on the host doing the revocation check is trailing behind that
           of the host issuing CRLs. Not doing this could result in accepting a
           revoked and expired certificate, if it's still valid according to the
           trailing clock but not contained anymore in not yet valid CRLs.
         * The issuer of fetched CRLs is now compared to the issuer of the
           checked certificate (#2608).
         * CRL validation results other than revocation (e.g. a skipped check
           because the CRL couldn't be fetched) are now stored also for
           intermediate CA certificates and not only for end-entity certificates,
           so a strict CRL policy can be enforced in such cases.
         * In compliance with RFC 4945, section 5.1.3.2, certificates used for
           IKE must now either not contain a keyUsage extension (like the ones
           generated by pki), or have at least one of the digitalSignature or
           nonRepudiation bits set.
         * New options for vici/swanctl allow forcing the local termination of an
           IKE_SA. This might be useful in situations where it's known the other
           end is not reachable anymore, or that it already removed the IKE_SA,
           so retransmitting a DELETE and waiting for a response would be
           pointless.
         * Waiting only a certain amount of time for a response (i.e. shorter
           than all retransmits would be) before destroying the IKE_SA is also
           possible by additionally specifying a timeout in the forced
           termination request.
         * When removing routes, the kernel-netlink plugin now checks if it
           tracks other routes for the same destination and replaces the
           installed route instead of just removing it. Same during installation,
           where existing routes previously weren't replaced. This should allow
           using traps with virtual IPs on Linux (#2162).
         * The dhcp plugin now only sends the client identifier DHCP option if
           the identity_lease setting is enabled (7b660944b6). It can also send
           identities of up to 255 bytes length, instead of the previous 64 bytes
           (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP
           requests are now sent from port 67 instead of 68 to avoid ICMP port
           unreachables (becf027cd9).
         * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
           containing a DH group that wasn't proposed) during CREATE_CHILD_SA
           exchanges has been improved (#2536).
         * Roam events are now completely ignored for IKEv1 SAs (there is no
           MOBIKE to handle such changes properly).
         * ChaCha20/Poly1305 is now correctly proposed without key length
           (#2614). For compatibility with
           older releases the chacha20poly1305compat keyword may be included in
            proposals to also propose the algorithm with a key length
            (c58434aeff).
         * Configuration of hardware offload of IPsec SAs is now more flexible
           and allows a new setting (auto), which automatically uses it if the
           kernel and device both support it. If hw
           offload is set to yes and offloading is not supported, the CHILD_SA
            installation now fails.
         * The kernel-pfkey plugin optionally installs routes via internal
           interface (one with an IP in the local traffic selector). On FreeBSD,
           enabling this selects the correct source IP when sending packets from
           the gateway itself (e811659323).
         * SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL
           1.1 (#2574).
         * The pki --verify tool may load CA certificates and CRLs from
           directories.
         * The IKE daemon now also switches to port 4500 if the remote port is
           not 500 (e.g. because the remote maps the response to a different
           port, as might happen on Azure), as long as the local port is 500
           (85bfab621d).
         * Fixed an issue with DNS servers passed to NetworkManager in charon-nm
           (ee8c25516a).
         * Logged traffic selectors now always contain the protocol if either
           protocol or port are set (a36d8097ed).
         * Only the inbound SA/policy will be updated as reaction to IP address
           changes for rekeyed CHILD_SAs that are kept around.
         * The parser for strongswan.conf/swanctl.conf now accepts = characters
           in values without having to put the value in quotes (e.g. for Base64
           encoded shared secrets).
    
           Notes for developers:
           * trap_manager_t: Trap policies are now unistalled by peer/child name
             and not the reqid.
           * No reqid is returned anymore when installing trap policies.
           * child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that
             have been deleted but not yet destroyed (after a rekeying CHILD_SAs
             are kept around for a while to process delayed packets). This way
             child_updown events are not triggered anymore for such SAs when an
             IKE_SA that has such CHILD_SAs assigned is deleted.
    
       Version 5.6.2
    
         * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
           signatures that was caused by insufficient input validation. One of
           the configurable parameters in algorithm identifier structures for
           RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1
           is currently specified for this purpose. However, this in turn takes
           itself a parameter that specifies the underlying hash function.
           strongSwan's parser did not correctly handle the case of this
           parameter being absent, causing an undefined data read. This
           vulnerability has been registered as CVE-2018-6459.
         * When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be
           reused, instead of using the first configured group, which avoids an
           additional exchange if the peer previously selected a different DH
           group via INVALID_KE_PAYLOAD notify. The same is also done when
           rekeying CHILD_SAs except for the first rekeying of the CHILD_SA that
           was created with the IKE_SA, where no DH group was negotiated yet.
           Also, the selected DH group is moved to the front in all sent
           proposals that contain it and all proposals that don't are moved to
           the back in order to convey the preference for this group to the peer.
         * Handling of MOBIKE task queuing has been improved. In particular, the
           response to an address update (with NAT-D payloads) is not ignored
           anymore if only an address list update
           or DPD is queued as that could prevent updating the UDP encapsulation
            in the kernel.
         * On Linux, roam events may optionally be triggered by changes to the
           routing rules, which can be useful if routing rules (instead of e.g.
           route metrics) are used to switch from one to another interface (i.e.
           from one to another routing table). Since routing rules are currently
           not evaluated when doing route lookups this is only useful if the
           kernel-based route lookup is used (4664992f7d).
         * The fallback drop policies installed to avoid traffic leaks when
           replacing addresses in installed policies are now replaced by
           temporary drop policies, which also prevent acquires because we
           currently delete and reinstall IPsec SAs to update their addresses
           (35ef1b032d).
         * Access X.509 certificates held in non-volatile storage of a TPM 2.0
           referenced via the NV index. Adding the --keyid parameter to pki
           --print allows to print private keys or certificates stored in a
           smartcard or a TPM 2.0.
         * Fixed proposal selection if a peer incorrectly sends DH groups in the
           ESP proposal during IKE_AUTH and also if a DH group is configured in
           the local ESP proposal and charon.prefer configured_proposals is
           disabled (d058fd3c32).
         * The lookup for PSK secrets for IKEv1 has been improved for certain
           scenarios (see #2497 for details).
         * MSKs received via RADIUS are now padded to 64 bytes to avoid
           compatibility issues with EAP-MSCHAPv2 and PRFs that have a block size
           < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
         * The tpm_extendpcr command line tool extends a digest into a TPM PCR.
         * Ported the NetworkManager backend from the deprecated libnm-glib to
           libnm.
         * The save-keys debugging/development plugin saves IKE and/or ESP keys
           to files compatible with Wireshark.
    
       Version 5.6.1
    
         * Several algorithms were removed from the default ESP/AH and IKE
           proposals in compliance with RFC 8221 and RFC 8247, respectively.
           Removed from the default ESP/AH proposal were the 3DES and Blowfish
           encryption algorithms and the HMAC-MD5 integrity algorithm. From the
           IKE default proposal the HMAC-MD5 integrity algorithm and the
           MODP-1024 Diffie-Hellman group were removed (the latter is significant
           for Windows clients in their default configuration). These algorithms
           may still be used in custom proposals.
         * Support for RSASSA-PSS signatures has been added. For compatibility
           with previous releases they are currently not used automatically, by
           default, to change that charon.rsa_pss may be enabled. To explicitly
           use or require such signatures during IKEv2 signature authentication
           (RFC 7427) ike:rsa/pss... authentication constraints may be used for
           specific connections (regardless of whether the strongswan.conf option
           above is enabled). Only the hash algorithm can be specified in such
           constraints, the MGF1 will be based on that hash and the salt length
           will equal the hash length (when verifying the salt length is not
           enforced). To enforce such signatures during PKI verification use
           rsa/pss... authentication constraints.
         * All pki commands that create certificates/CRLs can be made to sign
           with RSASSA-PSS instead
           of the classing PKCS#1 scheme with the --rsa-padding pss option. As
            with signatures during authentication, only the hash algorithm is
            configurable (via --digest option), the MGF1 will be based on that
            and the salt length will equal the hash length.
         * These signatures are supported by all RSA backends except pkcs11 (i.e.
           gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin. Note
           that RSASSA-PSS algorithm identifiers and parameters in keys (public
           keys in certificates or private keys in PKCS#8 files) are currently
           not used as constraints.
         * The sec-updater tool checks for security updates in dpkg-based
           repositories (e.g. Debian/Ubuntu) and sets the security flags in the
           IMV policy database accordingly. Additionally for each new package
           version a SWID tag for the given OS and HW architecture is created and
           stored in the database.
         * Using the sec-updater.sh script template the lookup can be automated
           (e.g. via an hourly cron job).
         * When restarting an IKEv2 negotiation after receiving an
           INVALID_KE_PAYLOAD notify (or due to other reasons like too many
           retransmits) a new initiator SPI is allocated. This prevents issues
           caused by retransmits for IKE_SA_INIT messages.
         * Because the initiator SPI was previously reused when restarting the
           connection delayed responses for previous connection attempts were
           processed and might have caused fatal errors due to a failed DH
           negotiation or because of the internal retry counter in the ike-init
           task. For instance, if we proposed a DH group the responder rejected
           we might have later received delayed responses that either contained
           INVALID_KE_PAYLOAD notifies with the DH group we already switched to,
           or, if we retransmitted an IKE_SA_INIT with the requested group but
           then had to restart again, a KE payload with a group different from
           the one we proposed.
         * The introduction of file versions in the IMV database scheme broke
           file reference hash measurements. This has been fixed by creating
           generic product versions having an empty package name.
         * A new timeout option for the systime-fix plugin stops periodic system
           time checks after a while and enforces a certificate verification,
           closing or reauthenticating all SAs with invalid certificates.
         * The IKE event counters, previously only available via ipsec
           listcounters command, may now also be queried and reset via vici and
           the new swanctl --counters command. They are collected and provided by
           the optional counters plugin (enabled by default for backwards
           compatibility if the stroke plugin is built).
         * Class attributes received in RADIUS Access-Accept messages may
           optionally be added to RADIUS accounting messages (655924074b).
         * Basic support for systemd sockets has been added, which may be used
           for privilege separation (59db98fb94).
         * Inbound marks may optionally be installed in the SA again (was removed
           with 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
         * The timeout of leases in pools configured via pool utility may be
           configured in other units than hours. INITIAL_CONTACT notifies are now
           only omitted if never is configured as uniqueness policy.
         * Outbound FWD policies for shunts are not installed anymore, by default
           (as is the case for other policies since 5.5.1).
         * Don't consider a DH group mismatch during CHILD_SA rekeying as failure
           as responder (e7276f78aa).
         * Handling of fragmented IPv4 and IPv6 packets in libipsec has been
           improved (e138003de9).
         * Trigger expire events for the correct IPsec SA in libipsec
           (6e861947a0).
         * A crash in CRL verification via openssl plugin using OpenSSL 1.1 has
           been fixed (78acaba6a1).
         * No hard-coded default proposals are passed from starter to the stroke
           plugin anymore (the IKE proposal used curve25519 since 5.5.2, which is
           an optional plugin).
         * A workaround for an issue with virtual IPs on macOS 10.13 (High
           Sierra) has been added (039b85dd43).
         * Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
         * Instead of failing or just silently doing nothing unit tests may now
           warn about certain conditions (e.g. if a test was not executed due to
           external dependencies).
    
       This update was imported from the SUSE:SLE-15:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.1:
    
          zypper in -t patch openSUSE-2020-403=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.1 (noarch):
    
          strongswan-doc-5.8.2-lp151.4.6.1
    
       - openSUSE Leap 15.1 (x86_64):
    
          strongswan-5.8.2-lp151.4.6.1
          strongswan-debuginfo-5.8.2-lp151.4.6.1
          strongswan-debugsource-5.8.2-lp151.4.6.1
          strongswan-hmac-5.8.2-lp151.4.6.1
          strongswan-ipsec-5.8.2-lp151.4.6.1
          strongswan-ipsec-debuginfo-5.8.2-lp151.4.6.1
          strongswan-libs0-5.8.2-lp151.4.6.1
          strongswan-libs0-debuginfo-5.8.2-lp151.4.6.1
          strongswan-mysql-5.8.2-lp151.4.6.1
          strongswan-mysql-debuginfo-5.8.2-lp151.4.6.1
          strongswan-nm-5.8.2-lp151.4.6.1
          strongswan-nm-debuginfo-5.8.2-lp151.4.6.1
          strongswan-sqlite-5.8.2-lp151.4.6.1
          strongswan-sqlite-debuginfo-5.8.2-lp151.4.6.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2018-6459.html
       https://bugzilla.suse.com/1079548
    
    -- 
    

    LinuxSecurity Poll

    Do you agree with Linus Torvalds' decision to reject the controversial patch mitigating the Snoop attack on Intel CPUs?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/28-do-you-agree-with-linus-torvalds-decision-to-reject-the-controversial-patch-mitigating-the-snoop-attack-on-intel-cpus?task=poll.vote&format=json
    28
    radio
    [{"id":"100","title":"Yes - this was undoubtedly the right decision.","votes":"1","type":"x","order":"1","pct":50,"resources":[]},{"id":"101","title":"Not sure...","votes":"1","type":"x","order":"2","pct":50,"resources":[]},{"id":"102","title":"No - he made a big mistake here.","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.