From owner-freebsd-ports@FreeBSD.ORG Thu May 15 10:59:05 2014
Message-ID: <53749892.4050309@heuristicsystems.com.au>
Date: Thu, 15 May 2014 20:36:02 +1000
From: Dewayne Geraghty
To: Kurt Jaeger
Cc: strongswan@nanoteq.com, freebsd-ports@freebsd.org
Subject: Re: Committer to address 2 CVE's against strongswan
References: <5373EE24.4030007@heuristicsystems.com.au> <20140515084921.GV2341@home.opsec.eu>
In-Reply-To: <20140515084921.GV2341@home.opsec.eu>
List-Id: Porting software to FreeBSD

On 15/05/2014 6:49 PM, Kurt Jaeger wrote:
> Hi!
>
>> Strongswan 5.1.1 has two CVE's that are corrected in the 5.1.3 release.
>> The maintainer has provided a patch on 8th May, thank-you Francois. The
>> patch applies cleanly and the patched strongswan 5.1.3 installs and
>> functions correctly. I've installed it on two FreeBSD 9.2 (Stable) VPN
>> servers, and other tunnelling firewalls.
>>
>> It would be appreciated if a ports committer could provide this patch
>> for the rest of the user-base, via a strongswan port update.
> Testing with
>
> poudriere testport -j 10amd64 -o security/strongswan -n
>
> found some pkg-plist issues:
>
> ----------------
> [...]
> ===> Checking for items in STAGEDIR missing from pkg-plist
> Error: Orphaned: etc/ipsec.conf
> Error: Orphaned: %%ETCDIR%%.conf
> Error: Orphaned: %%ETCDIR%%.d/charon-logging.conf
> Error: Orphaned: %%ETCDIR%%.d/charon.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/addrblock.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/aes.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/attr.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/blowfish.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/cmac.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/constraints.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/des.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/dnskey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-identity.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-md5.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-mschapv2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-peap.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-tls.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-ttls.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/fips-prf.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/hmac.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/kernel-pfkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/kernel-pfroute.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/md4.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/md5.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/nonce.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/openssl.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pem.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pgp.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs1.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs12.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs7.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs8.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pubkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/random.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/rc2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/resolve.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/revocation.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sha1.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sha2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/socket-default.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sshkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/stroke.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/updown.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/whitelist.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/x509.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/xcbc.conf
> Error: Orphaned: %%ETCDIR%%.d/starter.conf
> Error: Orphaned: lib/ipsec/libcharon.so.0.0.0
> Error: Orphaned: lib/ipsec/libhydra.so.0.0.0
> Error: Orphaned: lib/ipsec/libstrongswan.so.0.0.0
> Error: Orphaned: lib/ipsec/libtls.so.0.0.0
> Error: Orphaned: @dirrmtry %%ETCDIR%%.d/charon
> Error: Orphaned: @dirrmtry %%ETCDIR%%.d
>
> ----------------
>
> I'll investigate this evening (in approx. 10 hours), if someone
> can look after it before that ?
>
> --
> pi@opsec.eu +49 171 3101372 6 years to go !
>

Kurt,

Thank-you for taking the time to look into this.
The configuration used in the final build isn't standard, and comprises:

CURL=on: Enable CURL to fetch CRL/OCSP
EAPRADIUS=on: Enable EAP Radius proxy authentication
IKEv1=on: Enable IKEv1 support
XAUTH=on: Enable XAuth password verification

The environment is 9.2Stable i386 and amd64 as of 5th May. Built without
both pkg_ng and poudriere. The entire tree was rebuilt on May 10 (all
ports deleted, rebuilt and reinstalled on two build and four test
machines). Strongswan and libexecinfo have been rebuilt a few times since
then as I've added --enable-padlock to the build. It has a missing include
file which I've requested upstream to include:
http://wiki.strongswan.org/issues/591

There are warning messages like

libtool: install: warning: remember to run `libtool --finish /usr/local/lib/ipsec/plugins'
libtool: install: warning: relinking `libstrongswan-eap-peap.la'
libtool: install: warning: `../../src/libcharon/libcharon.la' has not been installed in `/usr/local/lib/ipsec'

Assuming that these were remnants of meta-ports flux, I ignored them,
tested over a few days and deployed. Windows7 & Apple iOS clients connect
ok, as do eap-tls FreeBSD tunnels.

So it's disappointing that you've come across these errors, but it does
raise the prospect that migrating to next gen tools might enhance quality
control - a benefit.

Regards,
Dewayne
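The "items in STAGEDIR missing from pkg-plist" check that poudriere reported above, as an added POSIX sh reconstruction that is not part of this thread or of the FreeBSD ports framework: it stages a constructed tree modelled on a few entries from Kurt's orphan list, expands %%ETCDIR%% in a constructed pkg-plist, and prints every staged file with no plist line. PREFIX=/usr/local, ETCDIR=etc/strongswan and the sample files are assumptions, not the port's real plist.

```shell
#!/bin/sh
# Added example: reproduce the pkg-plist orphan check on a constructed
# stage tree. Paths below are assumed, not taken from the real port.
set -u

# Stage a handful of files the way the port would (constructed sample).
make_stage() {
    stage="$1"
    mkdir -p "$stage/usr/local/etc/strongswan.d/charon" \
             "$stage/usr/local/lib/ipsec"
    touch "$stage/usr/local/etc/ipsec.conf" \
          "$stage/usr/local/etc/strongswan.conf" \
          "$stage/usr/local/etc/strongswan.d/charon/aes.conf" \
          "$stage/usr/local/lib/ipsec/libcharon.so.0.0.0"
}

# A pkg-plist that knows only some of those files, written with the
# %%ETCDIR%% placeholder and a @dirrmtry line as a port's plist would be.
make_plist() {
    cat > "$1" <<'EOF'
etc/ipsec.conf
%%ETCDIR%%.conf
@dirrmtry %%ETCDIR%%.d/charon
EOF
}

# Print "Orphaned: <path>" for each staged file (relative to PREFIX)
# that has no matching plist entry after placeholder expansion.
# Arguments: stagedir prefix plist etcdir
find_orphans() {
    stage="$1"; prefix="$2"; plist="$3"; etcdir="$4"
    # Expand %%ETCDIR%% and drop leading @keywords so only paths remain.
    expanded=$(sed -e "s|%%ETCDIR%%|$etcdir|g" -e 's/^@[a-z]* //' "$plist")
    (cd "$stage$prefix" && find . -type f | sed 's|^\./||') | sort |
    while IFS= read -r f; do
        printf '%s\n' "$expanded" | grep -qxF "$f" || echo "Orphaned: $f"
    done
}
```

Run it against a real STAGEDIR by passing the port's actual PREFIX, pkg-plist and ETCDIR value; anything it prints is what poudriere testport would flag as orphaned.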