Additional commentary in options.pptp (#845112)

- Add note in options.pptp about MPPE not being available in FIPS mode (#845112) - Add note in options.pptp about PPTP with MSCHAP-V2 being insecure
2012-08-31 10:47:17 +01:00 · 2012-08-31 10:47:17 +01:00 · 6f7a619b06
commit 6f7a619b06
parent 8b68dfa87a
2 changed files with 46 additions and 2 deletions
--- a/pptp-1.7.2-options.pptp.patch
+++ b/pptp-1.7.2-options.pptp.patch
@ -0,0 +1,35 @@
+Index: options.pptp
+===================================================================
+RCS file: /cvsroot/pptpclient/pptp-linux/options.pptp,v
+retrieving revision 1.3
+diff -u -r1.3 options.pptp
+--- options.pptp	26 Mar 2006 23:11:05 -0000	1.3
+++ options.pptp	30 Aug 2012 12:38:36 -0000
+@@ -33,17 +33,25 @@
+ 
+ # Encryption
+ # (There have been multiple versions of PPP with encryption support,
+-# choose with of the following sections you will use.  Note that MPPE
+# choose which of the following sections you will use.  Note that MPPE
+ # requires the use of MSCHAP-V2 during authentication)
+#
+# Note that using PPTP with MPPE and MSCHAP-V2 should be considered
+# insecure:
+# http://marc.info/?l=pptpclient-devel&m=134372640219039&w=2
+# https://github.com/moxie0/chapcrack/blob/master/README.md
+# http://technet.microsoft.com/en-us/security/advisory/2743314
+ 
+ # http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
+ # ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
+# If the kernel is booted in FIPS mode (fips=1), the ppp_mppe.ko module
+# is not allowed and PPTP-MPPE is not available.
+ # {{{
+ # Require MPPE 128-bit encryption
+ #require-mppe-128
+ # }}}
+ 
+-# http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
+# http://mppe-mppc.alphacron.de/ fork from PPP project by Jan Dubiec
+ # ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
+ # {{{
+ # Require MPPE 128-bit encryption
--- a/pptp.spec
+++ b/pptp.spec
@ -1,6 +1,6 @@
 Name:		pptp
 Version:	1.7.2
-Release:	16%{?dist}
+Release:	17%{?dist}
 Summary:	Point-to-Point Tunneling Protocol (PPTP) Client
 Group:		Applications/Internet
 License:	GPLv2+
@ -28,6 +28,7 @@ Patch17:	pptp-1.7.2-unused.patch
 Patch18:	pptp-1.7.2-prototype.patch
 Patch19:	pptp-1.7.2-nested-externs.patch
 Patch20:	pptp-1.7.2-aliasing.patch
+Patch21:	pptp-1.7.2-options.pptp.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 Requires:	ppp >= 2.4.2, /sbin/ip
 %if 0%{?fedora} > 14
@ -116,6 +117,9 @@ tunnels.
 # Fix aliasing issues (upstream patch)
 %patch20 -p1 -b .alias

+# Additional commentary in options.pptp regarding encryption (upstream patch)
+%patch21 -b .options-comments
+
 # Pacify rpmlint
 perl -pi -e 's/install -o root -m 555 pptp/install -m 755 pptp/;' Makefile

@ -158,7 +162,12 @@ rm -rf %{buildroot}
 %{_mandir}/man8/pptpsetup.8*

 %changelog
-* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.2-16
+* Fri Aug 31 2012 Paul Howarth <paul@city-fan.org> 1.7.2-17
+- Add note in options.pptp about MPPE not being available in FIPS mode
+  (#845112)
+- Add note in options.pptp about PPTP with MSCHAP-V2 being insecure
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.7.2-16
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

 * Wed Jul  4 2012 Paul Howarth <paul@city-fan.org> 1.7.2-15