diff --git a/strongswan-5.6.2-CVE-2018-5388.patch b/strongswan-5.6.2-CVE-2018-5388.patch
deleted file mode 100644
index e932fe2..0000000
--- a/strongswan-5.6.2-CVE-2018-5388.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c 2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c 2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- return FALSE;
- }
-
-+ if (len < offsetof(stroke_msg_t, buffer))
-+ {
-+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+ return FALSE;
-+ }
- /* read message (we need an additional byte to terminate the buffer) */
- msg = malloc(len + 1);
- msg->length = len;
diff --git a/strongswan-5.8.4-runtime-dir.patch b/strongswan-5.8.4-runtime-dir.patch
deleted file mode 100644
index a577161..0000000
--- a/strongswan-5.8.4-runtime-dir.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
---- strongswan-5.8.4.orig/init/systemd/strongswan.service.in 2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd/strongswan.service.in 2020-04-12 12:05:57.383596844 +0300
-@@ -9,6 +9,8 @@
- ExecReload=@SBINDIR@/swanctl --reload
- ExecReload=@SBINDIR@/swanctl --load-all --noprompt
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
-
- [Install]
- WantedBy=multi-user.target
-diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in 2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in 2020-04-12 12:05:51.810559482 +0300
-@@ -6,6 +6,8 @@
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- StandardOutput=syslog
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
-
- [Install]
- WantedBy=multi-user.target
diff --git a/strongswan-5.9.1-runtime-dir.patch b/strongswan-5.9.1-runtime-dir.patch
deleted file mode 100644
index 91674d6..0000000
--- a/strongswan-5.9.1-runtime-dir.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Naur strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in 2020-10-16 08:36:37.000000000 -0400
-+++ strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in 2021-02-12 14:06:09.985042362 -0500
-@@ -5,6 +5,8 @@
- [Service]
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
-
- [Install]
- WantedBy=multi-user.target
diff --git a/strongswan.spec b/strongswan.spec
index 70015d9..23e1251 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -3,15 +3,13 @@
 Name: strongswan
 Version: 5.9.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: An OpenSource IPsec-based VPN and TNC solution
 License: GPLv2+
 URL: http://www.strongswan.org/
-Source0: http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
+Source0: http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
 Source1: tmpfiles-strongswan.conf
-Patch0: strongswan-5.9.1-runtime-dir.patch
-Patch1: strongswan-5.6.0-uintptr_t.patch
-Patch3: strongswan-5.6.2-CVE-2018-5388.patch
+Patch0: strongswan-5.6.0-uintptr_t.patch
 # only needed for pre-release versions
 #BuildRequires: autoconf automake
@@ -55,8 +53,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary: NetworkManager plugin for Strongswan
 Requires: dbus
-Obsoletes: %{name}-NetworkManager < 0:5.0.4-5
-Conflicts: %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes: strongswan-NetworkManager < 0:5.0.4-5
+Conflicts: strongswan-NetworkManager < 0:5.0.4-5
 Conflicts: NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -64,14 +62,14 @@ to NetworkManager.
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
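Review bot: Removing `Patch3: strongswan-5.6.2-CVE-2018-5388.patch` drops the `len < offsetof(stroke_msg_t, buffer)` guard on stroke socket messages from the build, and nothing in the spec or changelog records why that is safe; presumably the check is already in upstream 5.9.4 (it was fixed upstream around 5.6.3), but that should be stated so a later audit does not read this as a dropped CVE fix. Suggest a changelog line such as `- Drop strongswan-5.6.2-CVE-2018-5388.patch, fix is in upstream since 5.6.3 (verify)`. While the Source0 line is being rewritten anyway, it still fetches the tarball over plain http with no signature check; `Source0: https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2` plus the upstream `.sig` with `%{gpgverify}` in %prep would close the supply-chain gap. Replacing `%{name}` with the literal `strongswan` in Source0/Requires/Obsoletes is also a style regression against the usual spec convention and makes a future rename a multi-line edit.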
@@ -85,8 +83,6 @@ PT-TLS to support TNC over TLS.
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease}
 %patch0 -p1
-%patch1 -p1
-%patch3 -p1
 %build
 # only for snapshots
@@ -208,15 +204,16 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 %files
 %doc README NEWS TODO ChangeLog
@@ -251,6 +248,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -278,6 +276,11 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_libexecdir}/strongswan/charon-nm
 %changelog
+* Tue Nov 09 2021 Paul Wouters - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
 * Wed Oct 20 2021 Paul Wouters - 5.9.4-1
 - Resolves: rhbz#2015165 strongswan-5.9.4 is available
 - Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
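Review bot: The added `install -D -m 0644 %{SOURCE1} ... strongswan-starter.conf` line installs the very same tmpfiles fragment a second time under a different name, and both copies land in the same main package per the %files hunk; tmpfiles.d entries are keyed by path, not by service, so if SOURCE1 declares `%{_rundir}/strongswan` (its content is not shown here) systemd-tmpfiles will log a duplicate-line warning and ignore the second copy, and the extra file protects nothing. Suggest dropping the second install and its `%files` entry and instead annotating the remaining one, e.g. `# one tmpfiles fragment: /run/strongswan is shared by strongswan.service and strongswan-starter.service`. Separately, the `install -d -m 0700` in the same hunk disagrees with the `%attr(0755,root,root) %dir` in %files and with the 0755 `RuntimeDirectoryMode` that the deleted patches had set; the %attr value wins in the built package, but the mode in SOURCE1 should be checked to agree so the charon socket directory does not change permissions between package install and the next boot. The %install and scriptlet sections continue outside this hunk.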