- Update to 4.14 for CVE-2024-2357

* Security, see https://libreswan.org/security/CVE-2024-2357 * x509: unpack IPv6 general names based on length * pluto: TFC padding was not set for AEAD algorithms * Include now fixed ipcheck * Exclude hunkcheck broken on s390x * Remove obsoleted patch capng patch Related: RHEL-32481
2024-03-11 20:59:11 -04:00 · 2024-03-11 20:59:11 -04:00 · 38ded79037
commit 38ded79037
parent 9bd683c343
3 changed files with 9 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -58,3 +58,5 @@
 /libreswan-4.12.tar.gz.asc
 /libreswan-4.13.tar.gz
 /libreswan-4.13.tar.gz.asc
+/libreswan-4.14.tar.gz
+/libreswan-4.14.tar.gz.asc
--- a/libreswan.spec
+++ b/libreswan.spec
@ -29,7 +29,7 @@
 Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 4.12
+Version: 4.14
 Release: %autorelease
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
@ -44,8 +44,6 @@ Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif

-Patch1: libreswan-4.12-libcap-ng.patch
-
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
@ -110,7 +108,10 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %setup -q -n libreswan-%{version}%{?prever}
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
-sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
+%ifarch s390x
+# throws error on s390x
+sed -i "s/SUBDIRS += hunkcheck/#SUBDIRS += hunkcheck/" testing/programs/Makefile
+%endif
 %autopatch -p1

 %build
--- a/4
+++ b/4
@ -1,5 +1,5 @@
+SHA512 (libreswan-4.14.tar.gz) = fb4c4dc426530614d308a7c4f5d21123a166b1ad652f66393b45d4987a3e2be8e8bc135e7eedfe1c014db962b70f08108757f876e27cd9e7739a79764c6d4f2d
+SHA512 (libreswan-4.14.tar.gz.asc) = 870c2f206b74f2f5391f145bf6b81e6e40ec8ecb3357554c77be105a2410ea0d3d2c70ac59963b0ebf495fff55d7c8be64b511d093ee6b5542ae1f3ee3ffbd51
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 65c65d86fd1a7539c0ad516b0f49546d5722b710225857ee2d2f5f3415ac7d023264746398f3637fd248a4ce2364957c516c31214ee33faefe58ac8e4e333a10
-SHA512 (libreswan-4.13.tar.gz) = 551bd4e86f6642b2f4c2fae340f73b3fd5c36953a60ce89e37938cd4fcf7131470d3819100577f86baf75214d8b632067a066348620a3fe48d8ed3c26d9897a8
-SHA512 (libreswan-4.13.tar.gz.asc) = 46b961d144fbd381e93a4deaa6bf9e2523233da02872189ae331d680930be093c4ad0b2ff21c89cd3ae819189fb5270a401f35d9aca40fa9bd7b694461b10ddd