Security update for strongswan

Announcement ID:	SUSE-SU-2015:0281-1
Rating:	moderate
References:	bsc#856322 bsc#897048 bsc#897512 bsc#910491
Cross-References:	CVE-2014-9221
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves one vulnerability and has three security fixes can now be installed.

Description:

This strongswan update fixes the following security and non security issues.

• Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
• Applied an upstream fix for a denial-of-service vulnerability, which can be triggered by an IKEv2 Key Exchange payload, that contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
• Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
• Updated strongswan-hmac package description (bsc#856322).
• Disabled explicit gpg validation; osc source_validator does it.
• Guarded fipscheck and hmac package in the spec file for >13.1.
• Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322).
• Fixed file list in the optional (disabled) strongswan-test package.
• Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work.
• Fix to use bug number 897048 instead 856322 in last changes entry.
• Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-71=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-71=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-71=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • strongswan-debugsource-5.1.3-9.1
  • strongswan-ipsec-debuginfo-5.1.3-9.1
  • strongswan-libs0-debuginfo-5.1.3-9.1
  • strongswan-ipsec-5.1.3-9.1
  • strongswan-libs0-5.1.3-9.1
  • strongswan-5.1.3-9.1
• SUSE Linux Enterprise Desktop 12 (noarch)
  • strongswan-doc-5.1.3-9.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • strongswan-hmac-5.1.3-9.2
  • strongswan-ipsec-5.1.3-9.2
  • strongswan-ipsec-debuginfo-5.1.3-9.2
  • strongswan-5.1.3-9.2
  • strongswan-debugsource-5.1.3-9.2
  • strongswan-libs0-5.1.3-9.2
  • strongswan-libs0-debuginfo-5.1.3-9.2
• SUSE Linux Enterprise Server 12 (noarch)
  • strongswan-doc-5.1.3-9.2
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • strongswan-hmac-5.1.3-9.2
  • strongswan-ipsec-5.1.3-9.2
  • strongswan-ipsec-debuginfo-5.1.3-9.2
  • strongswan-5.1.3-9.2
  • strongswan-debugsource-5.1.3-9.2
  • strongswan-libs0-5.1.3-9.2
  • strongswan-libs0-debuginfo-5.1.3-9.2
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • strongswan-doc-5.1.3-9.2

References:

• https://www.suse.com/security/cve/CVE-2014-9221.html
• https://bugzilla.suse.com/show_bug.cgi?id=856322
• https://bugzilla.suse.com/show_bug.cgi?id=897048
• https://bugzilla.suse.com/show_bug.cgi?id=897512
• https://bugzilla.suse.com/show_bug.cgi?id=910491