SUSE-SU-2020:0743-1: moderate: Security update for strongswan

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Mar 23 14:39:12 MDT 2020


   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0743-1
Rating:             moderate
References:         #1079548 
Cross-References:   CVE-2018-6459
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for strongswan fixes the following issues:

   Strongswan was updated to version 5.8.2 (jsc#SLE-11370).

   Security issue fixed:

   - CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
     RSASSA-PSS signatures that was caused by insufficient input validation
     (bsc#1079548).

   Full changelogs:

   Version 5.8.2

     * Identity-based CA constraints, which enforce that the certificate
       chain of the remote peer contains a CA certificate with a specific
       identity, are supported via vici/swanctl.conf. This is similar to the
       existing CA constraints but doesn't require that the CA certificate is
       locally installed, for instance, intermediate CA certificates received
       from the peers. Wildcard identity matching (e.g. ..., OU=Research,
       CN=*) could also be used for the latter but requires trust in the
       intermediate CAs to only issue certificates with legitimate subject
       DNs (e.g. the "Sales" CA must not issue certificates with
       OU=Research). With the new constraint that's not necessary as long as
       a path length basic constraint (--pathlen for pki --issue) prevents
       intermediate CAs from issuing further intermediate CAs.
     * Intermediate CA certificates may now be sent in hash-and-URL encoding
       by configuring a base URL for the parent CA (#3234,
       swanctl/rw-hash-and-url-multi-level).
     * Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
       based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and
       ntru plugins.
     * Random nonces sent in an OCSP requests are now expected in the
       corresponding OCSP responses.
     * The kernel-netlink plugin now ignores deprecated IPv6 addresses for
       MOBIKE. Whether temporary
       or permanent IPv6 addresses are included now depends on the
        charon.prefer_temporary_addrs setting (#3192).
     * Extended Sequence Numbers (ESN) are configured via PF_KEY if supported
       by the kernel.
     * The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now
       cleared before sending requests, as many of the messages sent by the
       kernel are sent as broadcasts to all PF_KEY sockets. This is an issue
       if an external tool is used to manage SAs/policies unrelated to IPsec
       (#3225).
     * The vici plugin now uses unique section names for CHILD_SAs in
       child-updown events (7c74ce9190).
     * For individually deleted CHILD_SAs (in particular for IKEv1) the vici
       child-updown event now includes more information about the CHILD_SAs
       such as traffic statistics (#3198).
     * Custom loggers are correctly re-registered if log levels are changed
       via stroke loglevel (#3182).
     * Avoid lockups during startup on low entropy systems when using OpenSSL
       1.1.1 (095a2c2eac).
     * Instead of failing later when setting a key, creating HMACs via
       openssl plugin now fails instantly if the underlying hash algorithm
       isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins
       work properly (#3284).
     * Exponents of RSA keys read from TPM 2.0 via SAPI are correctly
       converted (8ee1242f1438).
     * Routing table IDs > 255 are supported for custom routes on Linux.
     * To avoid races, the check for hardware offloading support in the
       kernel-netlink plugin is performed during initialization of the plugin
       (a605452c03).
     * The D-Bus config file for charon-nm is now installed in
       $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d,
       which is intended for sysadmin overrides. INVALID_MAJOR_VERSION
       notifies are now correctly sent in messages of the same exchange type
       and with the same message ID as the request.
     * IKEv2 SAs are now immediately destroyed when sending or receiving
       INVALID_SYNTAX notifies in authenticated messages.
     * For developers working from the repository the configure script now
       aborts if GNU gperf is not found.

   Version 5.8.1

     * RDNs in DNs of X.509 certificates can now optionally be matched less
       strict. The global strongswan.conf option charon.rdn_matching takes
       two alternative values that cause the matching algorithm to either
       ignore the order of matched RDNs (reordered) or additionally (relaxed)
       accept DNs that contain more RDNs than configured (unmatched RDNs are
       treated like wildcard matches).
     * The updown plugin now passes the same interface to the script that is
       also used for the automatically installed routes, that is, the
       interface over which the peer is reached instead of the interface on
       which the local address is found (#3095).
     * TPM 2.0 contexts are now protected by a mutex to prevent issues if
       multiple IKE_SAs use the same private key concurrently (4b25885025).
     * Do a rekey check after the third QM message was received (#3060).
     * If available, explicit_bzero() is now used as memwipe() instead of our
       own implementation.
     * An .editorconfig file has been added, mainly so Github shows files
       with proper indentation (68346b6962).
     * The internal certificate of the load-tester plugin has been modified
       so it can again be used as end-entity cert with 5.6.3 and later
       (#3139).
     * The maximum data length of received COOKIE notifies (64 bytes) is now
       enforced (#3160).

   Version 5.8.0

     * The systemd service units have been renamed. The modern unit, which
       was called strongswan-swanctl, is now called strongswan (the previous
       name is configured as alias in the unit, for which a symlink is
       created when the unit is enabled). The legacy unit is now called
       strongswan-starter.
     * Support for XFRM interfaces (available since Linux 4.19) has been
       added, which are intended to replace VTI devices (they are similar but
       offer several advantages, for instance, they are not bound to an
       address or address family).
     * IPsec SAs and policies are associated with such interfaces via
       interface IDs that can be configured in swanctl.conf (dynamic IDs may
       optionally be allocated for each SA and even direction). It's possible
       to use separate interfaces for in- and outbound traffic (or
       only use an interface in one direction and regular policies in the
        other).
     * Interfaces may be created dynamically via updown/vici scripts, or
       statically before or after establishing the SAs. Routes must be added
       manually as needed (the daemon will not install any routes for
       outbound policies with an interface ID).
     * When moving XFRM interfaces to other network namespaces they retain
       access to the SAs and policies installed in the original namespace,
       which allows providing IPsec tunnels for processes in other network
       namespaces without giving them access to the IPsec keys or IKE
       credentials. More information can be found on the page about
       route-based VPNs.
     * Initiation of childless IKE_SAs is supported (RFC 6023). If enabled
       and supported by the responder, no CHILD_SA is established during
       IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
       exchanges. This allows using a separate DH exchange even for the first
       CHILD_SA, which is otherwise created during IKE_AUTH with keys derived
       from the IKE_SA's key material.
     * The swanctl --initiate command may be used to initiate only the IKE_SA
       via --ike
       option if --child is omitted and the peer supports this extension.
     * The NetworkManager backend and plugin support IPv6.
     * The new wolfssl plugin is a wrapper around the wolfSSL crypto library.
       Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch.
     * IKE SPIs may optionally be labeled via the charon.spi_mask|label
       options in strongswan.conf. This feature was extracted from
       charon-tkm, however, now applies the mask/label in network order.
     * The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL
       1.1.0.
     * The PB-TNC finite state machine according to section 3.2 of RFC 5793
       was not correctly implemented when sending either a CRETRY or SRETRY
       batch. These batches can only be sent in the "Decided" state and a
       CRETRY batch can immediately carry all messages usually transported by
       a CDATA batch. It is currently not possible to send a SRETRY batch
       since full-duplex mode for PT-TLS transport is not supported.
     * Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink
       plugin now uses address labels to avoid that such addresses are used
       for non-VPN traffic (00a953d090).
     * The agent plugin now creates sockets to the ssh/gpg-agent dynamically
       and does not keep them open, which otherwise might prevent the agent
       from getting terminated.
     * To avoid broadcast loops the forecast plugin now only reinjects
       packets that are marked
       or received from the configured interface.
     * UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which
       internally uses an UTF-16LE encoding to calculate the NT hash (#3014).
     * Properly delete temporary drop policies (used when updating IP
       addresses of SAs) if manual priorities are used, which was broken
       since 5.6.2 (8e31d65730).
     * Avoid overwriting start_action when parsing the inactivity timeout in
       the vici plugin (#2954).
     * Fixed the automatic termination of reloaded vici connections with
       start_action=start, which was broken since 5.6.3 (71b22c250f).
     * The lookup for shared secrets for IKEv1 SAs via sql plugin should now
       work better (6ec9f68f32).
     * Fixed a race condition in the trap manager between installation and
       removal of a policy (69cbe2ca3f).
     * The IPsec stack detection and module loading in starter has been
       removed (it wasn't enforced anyway and loading modules doesn't seem
       necessary, also KLIPS hasn't been supported for a long time and PF_KEY
       will eventually be removed from the Linux kernel, ba817d2917).
     * Several IKEv2 protocol details are now handled more strictly:
       Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if
       no CFG_REQUEST payloads were sent, a USE TRANSPORT_MODE notify
       received from the responder is checked against the local configuration.
     * The keys and certificates used by the scenarios in the testing
       environment are now generated dynamically. Running the
       testing/scripts/build-certs script after creating the base and root
       images uses the pki utility installed in the latter to create the keys
       and certificates for all the CAs and in some cases for individual
       scenarios. These credentials are stored in the source tree, not the
       image, so this has to be called only once even if the images are later
       rebuilt. The script automatically (re-)rebuilds the guest images as
       that generates fresh CRLs and signs the DNS zones. The only
       keys/certificates currently not generated are the very large ones used
       by the ikev2/rw-eap-tls-fragments scenario.

   Version 5.7.2

     * For RSA with PSS padding, the TPM 2.0 specification mandates the
       maximum salt length (as defined by the length of the key and hash).
       However, if the TPM is FIPS-168-4 compliant, the salt length equals
       the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if
       that's not the case, it might be necessary to manually enable
       charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt
       length.
     * Directories for credentials loaded by swanctl are now accessed
       relative to the loaded swanctl.conf file, in particular, when loading
       it from a custom location via --file argument.
     * The base directory, which is used if no custom location for
       swanctl.conf is specified, is now also configurable at runtime via
       SWANCTL_DIR environment variable.
     * If RADIUS Accounting is enabled, the eap-radius plugin will add the
       session ID (Acct-Session-Id) to Access-Request messages, which e.g.
       simplifies associating database entries for IP leases and accounting
       with sessions (the session ID does not change when IKE_SAs are
       rekeyed, #2853).
     * All IP addresses assigned by a RADIUS server are included in
       Accounting-Stop messages even if the client did not claim them,
       allowing to release them early in case of connection errors (#2856).
     * Selectors installed on transport mode SAs by the kernel-netlink plugin
       are now updated if an IP address changes (e.g. via MOBIKE) and it was
       part of the selectors.
     * No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
     * The bypass-lan plugin now tracks interfaces to handle subnets that
       move from one interface to another and properly update associated
       routes (#2820).
     * Only valid and expected inbound IKEv2 messages are used to update the
       timestamp of the last received message (previously, retransmits also
       triggered an update).
     * IKEv2 requests from responders are now ignored until the IKE_SA is
       fully established (e.g. if a DPD request from the peer arrives before
       the IKE_AUTH response does, 46bea1add9). Delayed IKE_SA_INIT responses
       with COOKIE notifies we already recevied are ignored, they caused
       another reset of the IKE_SA previously (#2837).
     * Active and queued Quick Mode tasks are now adopted if the peer
       reauthenticates an IKEv1 SA while creating lots of CHILD_SAs.
     * Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension
       to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to
       determine the reqid of the policy even if it wasn't installed by the
       daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
       install policies themselves, 872b9b3e8d).
     * Added support for RSA signatures with SHA-256 and SHA-512 to the agent
       plugin. For older versions of ssh/gpg-agent that only support SHA-1,
       IKEv2 signature authentication has to be disabled via
       charon.signature_authentication.
     * The sshkey and agent plugins support Ed25519/Ed448 SSH keys and
       signatures.
     * The openssl plugin supports X25519/X448 Diffie-Hellman and
       Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1.
     * Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added
       to the botan plugin.
     * The mysql plugin now properly handles database connections with
       transactions under heavy load (#2779).
     * IP addresses in ha pools are now distributed evenly among all segments
       (#2828).
     * Private key implementations may optionally provide a list of supported
       signature schemes, which, as described above, is used by the tpm
       plugin because for each key on a TPM 2.0 the hash algorithm and for
       RSA also the padding scheme is predefined.
     * The testing environment is now based on Debian 9 (stretch) by default.
       This required some changes, in particular, updating to FreeRADIUS 3.x
       (which forced us to abandon the TNC at FHH patches and scenarios,
       2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS
       module only supports OpenSSL 1.0.2).
     * Most test scenarios were migrated to swanctl.

   Version 5.7.1

     * Fixes a vulnerability in the gmp plugin triggered by crafted
       certificates with RSA keys with very small moduli. When verifying
       signatures with such keys, the code patched with the fix for
       CVE-2018-16151/2 caused an integer underflow and subsequent heap
       buffer overflow that results in a crash of the daemon.
     * The vulnerability has been registered as CVE-2018-17540.

   Version 5.7.0

     * Fixes a potential authorization bypass vulnerability in the gmp plugin
       that was caused by a too lenient verification of PKCS#1 v1.5
       signatures. Several flaws could be exploited by a Bleichenbacher-style
       attack to forge signatures for low-exponent keys (i.e. with e=3).
     * CVE-2018-16151 has been assigned to the problem of accepting random
       bytes after the OID
       of the hash function in such signatures, and CVE-2018-16152 has been
        assigned to the issue
       of not verifying that the parameters in the ASN.1 algorithmIdentitifer
        structure is empty. Other flaws that don't lead to a vulnerability
        directly (e.g. not checking for at least 8 bytes of padding) have no
        separate CVE assigned.
     * Dots are not allowed anymore in section names in swanctl.conf and
       strongswan.conf. This mainly affects the configuration of file
       loggers. If the path for such a log file contains dots it now has to
       be configured in the new path setting within the arbitrarily renamed
       subsection in the filelog section.
     * Sections in swanctl.conf and strongswan.conf may now reference other
       sections. All settings and subsections from such a section are
       inherited. This allows to simplify configs as redundant information
       has only to be specified once and may then be included in other
       sections (see strongswan.conf for an example).
     * The originally selected IKE config (based on the IPs and IKE version)
       can now change if no matching algorithm proposal is found. This way
       the order of the configs doesn't matter that much anymore and it's
       easily possible to specify separate configs for clients that require
       weaker algorithms (instead of having to also add them in other configs
       that might be selected).
     * Support for Postquantum Preshared Keys for IKEv2
       (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to
       the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication).
     * The new botan plugin is a wrapper around the Botan C++ crypto library.
       It requires a fairly recent build from Botan's master branch (or the
       upcoming 2.8.0 release). Thanks to René Korthaus and his team from
       Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd
       for quickly adding missing functions to Botan's FFI (C89) interface.
     * Implementation of RFC 8412 "Software Inventory Message and Attributes
       (SWIMA) for PA-TNC".
     * SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log
       file resulting in a ClientRetry PB-TNC batch to initialize a new
       measurement cycle. The new imv/imc-swima plugins replace the previous
       imv/imc-swid plugins, which were removed.
     * Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793)
       NEA protocols
       on Google's OSS-Fuzz infrastructure.
     * Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The
       presence of the in-kernel /dev/tpmrm0 resource manager is
       automatically detected.
     * The pki tool accepts a xmppAddr otherName as a subjectAlternativeName
       using the syntax --san xmppaddr:<jid>.
     * swanctl.conf supports the configuration of marks the in- and/or
       outbound SA should apply to packets after processing on Linux.
       Configuring such a mark for outbound SAs requires at least a 4.14
       kernel. The ability to set a mask and configuring a mark/mask for
       inbound SAs will be added with the upcoming 4.19 kernel.
     * New options in swanctl.conf allow configuring how/whether DF, ECN and
       DS fields in the IP headers are copied during IPsec processing.
       Controlling this is currently only possible
       on Linux.
     * The handling of sequence numbers in IKEv1 DPDs has been improved
       (#2714).
     * To avoid conflicts, the dhcp plugin now only uses the DHCP server port
       if explicitly configured.

   Version 5.6.3

     * Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl
       plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This
       vulnerability has been registered as CVE-2018-10811.
     * Fixed a vulnerability in the stroke plugin, which did not check the
       received length before reading a message from the socket. Unless a
       group is configured, root privileges are required to access that
       socket, so in the default configuration this shouldn't be an issue.
       This vulnerability has been registered as CVE-2018-5388.
     * CRLs that are not yet valid are now ignored to avoid problems in
       scenarios where expired certificates are removed from new CRLs and the
       clock on the host doing the revocation check is trailing behind that
       of the host issuing CRLs. Not doing this could result in accepting a
       revoked and expired certificate, if it's still valid according to the
       trailing clock but not contained anymore in not yet valid CRLs.
     * The issuer of fetched CRLs is now compared to the issuer of the
       checked certificate (#2608).
     * CRL validation results other than revocation (e.g. a skipped check
       because the CRL couldn't be fetched) are now stored also for
       intermediate CA certificates and not only for end-entity certificates,
       so a strict CRL policy can be enforced in such cases.
     * In compliance with RFC 4945, section 5.1.3.2, certificates used for
       IKE must now either not contain a keyUsage extension (like the ones
       generated by pki), or have at least one of the digitalSignature or
       nonRepudiation bits set.
     * New options for vici/swanctl allow forcing the local termination of an
       IKE_SA. This might be useful in situations where it's known the other
       end is not reachable anymore, or that it already removed the IKE_SA,
       so retransmitting a DELETE and waiting for a response would be
       pointless.
     * Waiting only a certain amount of time for a response (i.e. shorter
       than all retransmits would be) before destroying the IKE_SA is also
       possible by additionally specifying a timeout in the forced
       termination request.
     * When removing routes, the kernel-netlink plugin now checks if it
       tracks other routes for the same destination and replaces the
       installed route instead of just removing it. Same during installation,
       where existing routes previously weren't replaced. This should allow
       using traps with virtual IPs on Linux (#2162).
     * The dhcp plugin now only sends the client identifier DHCP option if
       the identity_lease setting is enabled (7b660944b6). It can also send
       identities of up to 255 bytes length, instead of the previous 64 bytes
       (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP
       requests are now sent from port 67 instead of 68 to avoid ICMP port
       unreachables (becf027cd9).
     * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
       containing a DH group that wasn't proposed) during CREATE_CHILD_SA
       exchanges has been improved (#2536).
     * Roam events are now completely ignored for IKEv1 SAs (there is no
       MOBIKE to handle such changes properly).
     * ChaCha20/Poly1305 is now correctly proposed without key length
       (#2614). For compatibility with
       older releases the chacha20poly1305compat keyword may be included in
        proposals to also propose the algorithm with a key length
        (c58434aeff).
     * Configuration of hardware offload of IPsec SAs is now more flexible
       and allows a new setting (auto), which automatically uses it if the
       kernel and device both support it. If hw
       offload is set to yes and offloading is not supported, the CHILD_SA
        installation now fails.
     * The kernel-pfkey plugin optionally installs routes via internal
       interface (one with an IP in the local traffic selector). On FreeBSD,
       enabling this selects the correct source IP when sending packets from
       the gateway itself (e811659323).
     * SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL
       1.1 (#2574).
     * The pki --verify tool may load CA certificates and CRLs from
       directories.
     * The IKE daemon now also switches to port 4500 if the remote port is
       not 500 (e.g. because the remote maps the response to a different
       port, as might happen on Azure), as long as the local port is 500
       (85bfab621d).
     * Fixed an issue with DNS servers passed to NetworkManager in charon-nm
       (ee8c25516a).
     * Logged traffic selectors now always contain the protocol if either
       protocol or port are set (a36d8097ed).
     * Only the inbound SA/policy will be updated as reaction to IP address
       changes for rekeyed CHILD_SAs that are kept around.
     * The parser for strongswan.conf/swanctl.conf now accepts = characters
       in values without having to put the value in quotes (e.g. for Base64
       encoded shared secrets).

       Notes for developers:
       * trap_manager_t: Trap policies are now unistalled by peer/child name
         and not the reqid.
       * No reqid is returned anymore when installing trap policies.
       * child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that
         have been deleted but not yet destroyed (after a rekeying CHILD_SAs
         are kept around for a while to process delayed packets). This way
         child_updown events are not triggered anymore for such SAs when an
         IKE_SA that has such CHILD_SAs assigned is deleted.

   Version 5.6.2

     * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
       signatures that was caused by insufficient input validation. One of
       the configurable parameters in algorithm identifier structures for
       RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1
       is currently specified for this purpose. However, this in turn takes
       itself a parameter that specifies the underlying hash function.
       strongSwan's parser did not correctly handle the case of this
       parameter being absent, causing an undefined data read. This
       vulnerability has been registered as CVE-2018-6459.
     * When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be
       reused, instead of using the first configured group, which avoids an
       additional exchange if the peer previously selected a different DH
       group via INVALID_KE_PAYLOAD notify. The same is also done when
       rekeying CHILD_SAs except for the first rekeying of the CHILD_SA that
       was created with the IKE_SA, where no DH group was negotiated yet.
       Also, the selected DH group is moved to the front in all sent
       proposals that contain it and all proposals that don't are moved to
       the back in order to convey the preference for this group to the peer.
     * Handling of MOBIKE task queuing has been improved. In particular, the
       response to an address update (with NAT-D payloads) is not ignored
       anymore if only an address list update
       or DPD is queued as that could prevent updating the UDP encapsulation
        in the kernel.
     * On Linux, roam events may optionally be triggered by changes to the
       routing rules, which can be useful if routing rules (instead of e.g.
       route metrics) are used to switch from one to another interface (i.e.
       from one to another routing table). Since routing rules are currently
       not evaluated when doing route lookups this is only useful if the
       kernel-based route lookup is used (4664992f7d).
     * The fallback drop policies installed to avoid traffic leaks when
       replacing addresses in installed policies are now replaced by
       temporary drop policies, which also prevent acquires because we
       currently delete and reinstall IPsec SAs to update their addresses
       (35ef1b032d).
     * Access X.509 certificates held in non-volatile storage of a TPM 2.0
       referenced via the NV index. Adding the --keyid parameter to pki
       --print allows to print private keys or certificates stored in a
       smartcard or a TPM 2.0.
     * Fixed proposal selection if a peer incorrectly sends DH groups in the
       ESP proposal during IKE_AUTH and also if a DH group is configured in
       the local ESP proposal and charon.prefer configured_proposals is
       disabled (d058fd3c32).
     * The lookup for PSK secrets for IKEv1 has been improved for certain
       scenarios (see #2497 for details).
     * MSKs received via RADIUS are now padded to 64 bytes to avoid
       compatibility issues with EAP-MSCHAPv2 and PRFs that have a block size
       < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
     * The tpm_extendpcr command line tool extends a digest into a TPM PCR.
     * Ported the NetworkManager backend from the deprecated libnm-glib to
       libnm.
     * The save-keys debugging/development plugin saves IKE and/or ESP keys
       to files compatible with Wireshark.

   Version 5.6.1

     * Several algorithms were removed from the default ESP/AH and IKE
       proposals in compliance with RFC 8221 and RFC 8247, respectively.
       Removed from the default ESP/AH proposal were the 3DES and Blowfish
       encryption algorithms and the HMAC-MD5 integrity algorithm. From the
       IKE default proposal the HMAC-MD5 integrity algorithm and the
       MODP-1024 Diffie-Hellman group were removed (the latter is significant
       for Windows clients in their default configuration). These algorithms
       may still be used in custom proposals.
     * Support for RSASSA-PSS signatures has been added. For compatibility
       with previous releases they are currently not used automatically, by
       default, to change that charon.rsa_pss may be enabled. To explicitly
       use or require such signatures during IKEv2 signature authentication
       (RFC 7427) ike:rsa/pss... authentication constraints may be used for
       specific connections (regardless of whether the strongswan.conf option
       above is enabled). Only the hash algorithm can be specified in such
       constraints, the MGF1 will be based on that hash and the salt length
       will equal the hash length (when verifying the salt length is not
       enforced). To enforce such signatures during PKI verification use
       rsa/pss... authentication constraints.
     * All pki commands that create certificates/CRLs can be made to sign
       with RSASSA-PSS instead
       of the classing PKCS#1 scheme with the --rsa-padding pss option. As
        with signatures during authentication, only the hash algorithm is
        configurable (via --digest option), the MGF1 will be based on that
        and the salt length will equal the hash length.
     * These signatures are supported by all RSA backends except pkcs11 (i.e.
       gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin. Note
       that RSASSA-PSS algorithm identifiers and parameters in keys (public
       keys in certificates or private keys in PKCS#8 files) are currently
       not used as constraints.
     * The sec-updater tool checks for security updates in dpkg-based
       repositories (e.g. Debian/Ubuntu) and sets the security flags in the
       IMV policy database accordingly. Additionally for each new package
       version a SWID tag for the given OS and HW architecture is created and
       stored in the database.
     * Using the sec-updater.sh script template the lookup can be automated
       (e.g. via an hourly cron job).
     * When restarting an IKEv2 negotiation after receiving an
       INVALID_KE_PAYLOAD notify (or due to other reasons like too many
       retransmits) a new initiator SPI is allocated. This prevents issues
       caused by retransmits for IKE_SA_INIT messages.
     * Because the initiator SPI was previously reused when restarting the
       connection delayed responses for previous connection attempts were
       processed and might have caused fatal errors due to a failed DH
       negotiation or because of the internal retry counter in the ike-init
       task. For instance, if we proposed a DH group the responder rejected
       we might have later received delayed responses that either contained
       INVALID_KE_PAYLOAD notifies with the DH group we already switched to,
       or, if we retransmitted an IKE_SA_INIT with the requested group but
       then had to restart again, a KE payload with a group different from
       the one we proposed.
     * The introduction of file versions in the IMV database scheme broke
       file reference hash measurements. This has been fixed by creating
       generic product versions having an empty package name.
     * A new timeout option for the systime-fix plugin stops periodic system
       time checks after a while and enforces a certificate verification,
       closing or reauthenticating all SAs with invalid certificates.
     * The IKE event counters, previously only available via ipsec
       listcounters command, may now also be queried and reset via vici and
       the new swanctl --counters command. They are collected and provided by
       the optional counters plugin (enabled by default for backwards
       compatibility if the stroke plugin is built).
     * Class attributes received in RADIUS Access-Accept messages may
       optionally be added to RADIUS accounting messages (655924074b).
     * Basic support for systemd sockets has been added, which may be used
       for privilege separation (59db98fb94).
     * Inbound marks may optionally be installed in the SA again (was removed
       with 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
     * The timeout of leases in pools configured via pool utility may be
       configured in other units than hours. INITIAL_CONTACT notifies are now
       only omitted if never is configured as uniqueness policy.
     * Outbound FWD policies for shunts are not installed anymore, by default
       (as is the case for other policies since 5.5.1).
     * Don't consider a DH group mismatch during CHILD_SA rekeying as failure
       as responder (e7276f78aa).
     * Handling of fragmented IPv4 and IPv6 packets in libipsec has been
       improved (e138003de9).
     * Trigger expire events for the correct IPsec SA in libipsec
       (6e861947a0).
     * A crash in CRL verification via openssl plugin using OpenSSL 1.1 has
       been fixed (78acaba6a1).
     * No hard-coded default proposals are passed from starter to the stroke
       plugin anymore (the IKE proposal used curve25519 since 5.5.2, which is
       an optional plugin).
     * A workaround for an issue with virtual IPs on macOS 10.13 (High
       Sierra) has been added (039b85dd43).
     * Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
     * Instead of failing or just silently doing nothing unit tests may now
       warn about certain conditions (e.g. if a test was not executed due to
       external dependencies).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-743=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-743=1



Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      strongswan-debuginfo-5.8.2-4.6.14
      strongswan-debugsource-5.8.2-4.6.14
      strongswan-mysql-5.8.2-4.6.14
      strongswan-mysql-debuginfo-5.8.2-4.6.14
      strongswan-nm-5.8.2-4.6.14
      strongswan-nm-debuginfo-5.8.2-4.6.14
      strongswan-sqlite-5.8.2-4.6.14
      strongswan-sqlite-debuginfo-5.8.2-4.6.14

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      strongswan-5.8.2-4.6.14
      strongswan-debuginfo-5.8.2-4.6.14
      strongswan-debugsource-5.8.2-4.6.14
      strongswan-hmac-5.8.2-4.6.14
      strongswan-ipsec-5.8.2-4.6.14
      strongswan-ipsec-debuginfo-5.8.2-4.6.14
      strongswan-libs0-5.8.2-4.6.14
      strongswan-libs0-debuginfo-5.8.2-4.6.14

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      strongswan-doc-5.8.2-4.6.14


References:

   https://www.suse.com/security/cve/CVE-2018-6459.html
   https://bugzilla.suse.com/1079548



More information about the sle-security-updates mailing list