From 32be2a6df3af99ac11af7c762143ef1708c2de73 Mon Sep 17 00:00:00 2001
From: Paul Wouters <paul.wouters@aiven.io>
Date: Fri, 21 Jun 2024 21:49:10 -0400
Subject: [PATCH] - Update libreswan to 4.15 for CVE-2024-3652

- Resolves rhbz#2274448 CVE-2024-3652 libreswan: IKEv1 default AH/ESP
  responder can crash and restart
- Allow "ipsec import" to try importing PKCS#12 non-interactively if
  there is no password

Resolves: RHEL-32481
---
 .gitignore     | 2 ++
 libreswan.spec | 4 +++-
 sources        | 6 +++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 56a4381..6187bf0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,3 +60,5 @@
 /libreswan-4.13.tar.gz.asc
 /libreswan-4.14.tar.gz
 /libreswan-4.14.tar.gz.asc
+/libreswan-4.15.tar.gz
+/libreswan-4.15.tar.gz.asc
diff --git a/libreswan.spec b/libreswan.spec
index 8efd04e..6e6ef1d 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -29,7 +29,7 @@
 Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 4.14
+Version: 4.15
 Release: %autorelease
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
@@ -44,6 +44,8 @@ Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
+Patch1: libreswan-4.15-ipsec_import.patch
+
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
diff --git a/sources b/sources
index 86f3f17..f342c31 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
-SHA512 (libreswan-4.14.tar.gz) = fb4c4dc426530614d308a7c4f5d21123a166b1ad652f66393b45d4987a3e2be8e8bc135e7eedfe1c014db962b70f08108757f876e27cd9e7739a79764c6d4f2d
-SHA512 (libreswan-4.14.tar.gz.asc) = 870c2f206b74f2f5391f145bf6b81e6e40ec8ecb3357554c77be105a2410ea0d3d2c70ac59963b0ebf495fff55d7c8be64b511d093ee6b5542ae1f3ee3ffbd51
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
-SHA512 (ikev2.fax.bz2) = 65c65d86fd1a7539c0ad516b0f49546d5722b710225857ee2d2f5f3415ac7d023264746398f3637fd248a4ce2364957c516c31214ee33faefe58ac8e4e333a10
+SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
+SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe
+SHA512 (libreswan-4.15.tar.gz.asc) = 3db63ff7e6082dd710325e92b97dd4639299acb0958e256d876f636d69d77d1e2de517ddb356a72dff8d03dfe540d3398554acf4b6e8d05f2358efabc441f520