SUSE-SU-2015:0281-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2015/suse-su-20150281-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:0281-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2015:0281-1
Related
Published
2015-01-28T11:41:44Z
Modified
2025-05-08T17:00:51.846511Z
Upstream
Summary
Security update for strongswan
Details

This strongswan update fixes the following security and non security issues.

  • Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
  • Applied an upstream fix for a denial-of-service vulnerability, which can be triggered by an IKEv2 Key Exchange payload, that contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
  • Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
  • Updated strongswan-hmac package description (bsc#856322).
  • Disabled explicit gpg validation; osc source_validator does it.
  • Guarded fipscheck and hmac package in the spec file for >13.1.
  • Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual 'ipsec _fipscheck' call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322).
  • Fixed file list in the optional (disabled) strongswan-test package.
  • Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work.
  • Fix to use bug number 897048 instead 856322 in last changes entry.
  • Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512).
References

Affected packages

SUSE:Linux Enterprise Desktop 12 / strongswan

Package

Name
strongswan
Purl
pkg:rpm/suse/strongswan&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.1.3-9.1

Ecosystem specific 

{
    "binaries": [
        {
            "strongswan": "5.1.3-9.1",
            "strongswan-doc": "5.1.3-9.1",
            "strongswan-ipsec": "5.1.3-9.1",
            "strongswan-libs0": "5.1.3-9.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 / strongswan

Package

Name
strongswan
Purl
pkg:rpm/suse/strongswan&distro=SUSE%20Linux%20Enterprise%20Server%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.1.3-9.2

Ecosystem specific 

{
    "binaries": [
        {
            "strongswan": "5.1.3-9.2",
            "strongswan-hmac": "5.1.3-9.2",
            "strongswan-doc": "5.1.3-9.2",
            "strongswan-ipsec": "5.1.3-9.2",
            "strongswan-libs0": "5.1.3-9.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 / strongswan

Package

Name
strongswan
Purl
pkg:rpm/suse/strongswan&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.1.3-9.2

Ecosystem specific 

{
    "binaries": [
        {
            "strongswan": "5.1.3-9.2",
            "strongswan-hmac": "5.1.3-9.2",
            "strongswan-doc": "5.1.3-9.2",
            "strongswan-ipsec": "5.1.3-9.2",
            "strongswan-libs0": "5.1.3-9.2"
        }
    ]
}