Date: Thu, 15 May 2014 20:36:02 +1000
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: Kurt Jaeger <lists@opsec.eu>
Cc: strongswan@nanoteq.com, freebsd-ports@freebsd.org
Subject: Re: Committer to address 2 CVE's against strongswan
Message-ID: <53749892.4050309@heuristicsystems.com.au>
In-Reply-To: <20140515084921.GV2341@home.opsec.eu>
References: <CAHv72r4=jREo7R3xCP3yO9dnF_Oc-5ecLPz=m-RHADPhizc-fQ@mail.gmail.com> <5373EE24.4030007@heuristicsystems.com.au> <20140515084921.GV2341@home.opsec.eu>
On 15/05/2014 6:49 PM, Kurt Jaeger wrote:
> Hi!
>
>> Strongswan 5.1.1 has two CVE's that are corrected in the 5.1.3 release.
>> The maintainer has provided a patch on 8th May, thank you Francois. The
>> patch applies cleanly and the patched strongswan 5.1.3 installs and
>> functions correctly. I've installed it on two FreeBSD 9.2 (Stable) VPN
>> servers, and other tunnelling firewalls.
>>
>> It would be appreciated if a ports committer could provide this patch
>> for the rest of the user-base, via a strongswan port update.
> Testing with
>
> poudriere testport -j 10amd64 -o security/strongswan -n
>
> found some pkg-plist issues:
>
> ----------------
> [...]
> ===> Checking for items in STAGEDIR missing from pkg-plist
> Error: Orphaned: etc/ipsec.conf
> Error: Orphaned: %%ETCDIR%%.conf
> Error: Orphaned: %%ETCDIR%%.d/charon-logging.conf
> Error: Orphaned: %%ETCDIR%%.d/charon.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/addrblock.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/aes.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/attr.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/blowfish.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/cmac.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/constraints.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/des.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/dnskey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-identity.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-md5.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-mschapv2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-peap.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-tls.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/eap-ttls.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/fips-prf.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/hmac.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/kernel-pfkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/kernel-pfroute.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/md4.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/md5.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/nonce.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/openssl.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pem.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pgp.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs1.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs12.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs7.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pkcs8.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/pubkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/random.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/rc2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/resolve.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/revocation.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sha1.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sha2.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/socket-default.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/sshkey.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/stroke.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/updown.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/whitelist.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/x509.conf
> Error: Orphaned: %%ETCDIR%%.d/charon/xcbc.conf
> Error: Orphaned: %%ETCDIR%%.d/starter.conf
> Error: Orphaned: lib/ipsec/libcharon.so.0.0.0
> Error: Orphaned: lib/ipsec/libhydra.so.0.0.0
> Error: Orphaned: lib/ipsec/libstrongswan.so.0.0.0
> Error: Orphaned: lib/ipsec/libtls.so.0.0.0
> Error: Orphaned: @dirrmtry %%ETCDIR%%.d/charon
> Error: Orphaned: @dirrmtry %%ETCDIR%%.d
>
> ----------------
>
> I'll investigate this evening (in approx. 10 hours), if someone
> can look after it before that ?
>
> --
> pi@opsec.eu +49 171 3101372 6 years to go !
>

Kurt,
Thank you for taking the time to look into this. The configuration used in the final build isn't standard, and comprises:
CURL=on: Enable CURL to fetch CRL/OCSP
EAPRADIUS=on: Enable EAP Radius proxy authentication
IKEv1=on: Enable IKEv1 support
XAUTH=on: Enable XAuth password verification

The environment is 9.2Stable i386 and amd64 as of 5th May. Built without both pkg_ng and poudriere. The entire tree was rebuilt on May 10 (all ports deleted, rebuilt and reinstalled on two build and four test machines). Strongswan and libexecinfo have been rebuilt a few times since then as I've added --enable-padlock to the build. It has a missing include file which I've requested upstream to include: http://wiki.strongswan.org/issues/591

There are warning messages like
libtool: install: warning: remember to run `libtool --finish /usr/local/lib/ipsec/plugins'
libtool: install: warning: relinking `libstrongswan-eap-peap.la'
libtool: install: warning: `../../src/libcharon/libcharon.la' has not been installed in `/usr/local/lib/ipsec'
assuming that these were remnants of meta-ports flux, ignored them, tested over a few days and deployed. Windows7 & Apple IOS clients connect ok, as do eap-tls FreeBSD tunnels.

So it's disappointing that you've come across these errors, but it does raise the prospect that migrating to next gen tools might enhance quality control - a benefit.

Regards, Dewayne
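The "items in STAGEDIR missing from pkg-plist" check that Kurt's poudriere run tripped over, re-created as an added example (this is not code from the thread, poudriere or the ports framework): it expands %%ETCDIR%% as PLIST_SUB would and diffs the staged tree against pkg-plist. The function names and the sample stage tree are constructed for illustration.

```shell
# Added example (not from the thread, poudriere or the ports framework): a minimal
# re-creation of "Checking for items in STAGEDIR missing from pkg-plist".
# Function names and the sample tree below are constructed for illustration.

# find_orphans STAGEDIR PLIST ETCDIR
#   Expands %%ETCDIR%% as PLIST_SUB would, then prints "Orphaned: <path>" for
#   every staged regular file the plist does not list. @-keywords (@dirrmtry,
#   @sample, ...) are dropped, so unlike the real check it ignores directories.
find_orphans() {
    stagedir=$1; plist=$2; etcdir=$3
    scratch=$(mktemp -d)
    sed -e "s|%%ETCDIR%%|$etcdir|g" -e '/^[@#]/d' -e '/^$/d' "$plist" \
        | LC_ALL=C sort -u > "$scratch/plist"
    ( cd "$stagedir" && find . -type f | sed 's|^\./||' ) \
        | LC_ALL=C sort -u > "$scratch/staged"
    # comm -13: keep only lines unique to the staged list.
    LC_ALL=C comm -13 "$scratch/plist" "$scratch/staged" | sed 's/^/Orphaned: /'
    rm -rf "$scratch"
}

# build_sample_stage DIR: constructed STAGEDIR and pkg-plist. The plist predates
# the strongswan.d/ config layout and lists libcharon.so without its version
# suffix, mirroring the failure mode in the thread.
build_sample_stage() {
    dir=$1
    mkdir -p "$dir/stage/etc/strongswan.d/charon" "$dir/stage/lib/ipsec" "$dir/stage/sbin"
    for f in sbin/ipsec etc/ipsec.conf etc/strongswan.conf \
             etc/strongswan.d/charon/aes.conf lib/ipsec/libcharon.so.0.0.0; do
        : > "$dir/stage/$f"
    done
    cat > "$dir/pkg-plist" <<'EOF'
sbin/ipsec
%%ETCDIR%%.conf
lib/ipsec/libcharon.so
@dirrmtry %%ETCDIR%%.d/charon
EOF
}

# orphan_count DIR: number of orphans for the sample stage. Expected 3
# (etc/ipsec.conf, etc/strongswan.d/charon/aes.conf, lib/ipsec/libcharon.so.0.0.0);
# etc/strongswan.conf is owned via the %%ETCDIR%%.conf expansion.
orphan_count() {
    build_sample_stage "$1"
    find_orphans "$1/stage" "$1/pkg-plist" etc/strongswan | wc -l | tr -d ' '
}

work=$(mktemp -d)
build_sample_stage "$work"
find_orphans "$work/stage" "$work/pkg-plist" etc/strongswan
rm -rf "$work"
```

A real port fixes these by adding the new entries to pkg-plist (or by using @sample for the config files) rather than by silencing the check.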