Date:      Tue, 19 Nov 2013 00:50:01 GMT
From:      David Shane Holden <dpejesh@yahoo.com>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/183688: [maintainer update] security/strongswan 5.0.4 -> 5.1.1
Message-ID:  <201311190050.rAJ0o1XO090749@freefall.freebsd.org>

The following reply was made to PR ports/183688; it has been noted by GNATS.

From: David Shane Holden <dpejesh@yahoo.com>
To: Francois ten Krooden <ftk@Nanoteq.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/183688: [maintainer update] security/strongswan 5.0.4 ->
 5.1.1
Date: Mon, 18 Nov 2013 19:42:35 -0500

 This is a multi-part message in MIME format.
 --------------030902010007060501090309
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Hey Francois,
 
 I updated your original patch a bit.  First, I used the post-install 
 target to move the config files to share/examples/strongswan.  Since 
 we're using staging this should be a cleaner approach than patching the 
 makefiles.  I also added an option for --enable-kernel-libipsec as well 
 as updated vuln.xml for the 3 CVEs that were fixed in this release.
 
 If for some reason the attachment doesn't make it through, I have a copy 
 of it at 
 https://googledrive.com/host/0B0OQnKtejJEMdU1IaF9UX0dfNDA/strongswan.patch
 
 -- Dave
 
 
 --------------030902010007060501090309
 Content-Type: text/x-patch;
  name="strongswan.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="strongswan.patch"
 
 diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
 index 9c73792..4e61d98 100644
 --- a/security/strongswan/Makefile
 +++ b/security/strongswan/Makefile
 @@ -2,8 +2,7 @@
  # $FreeBSD$
  
  PORTNAME=	strongswan
 -PORTVERSION=	5.0.4
 -PORTREVISION=	1
 +PORTVERSION=	5.1.1
  CATEGORIES=	security
  MASTER_SITES=	http://download.strongswan.org/ \
  		http://download2.strongswan.org/
 @@ -37,6 +36,7 @@ CONFIGURE_ARGS=	--enable-kernel-pfkey \
  		--enable-blowfish \
  		--enable-addrblock \
  		--enable-whitelist \
 +		--enable-cmd \
  		--with-group=wheel  \
  		--with-lib-prefix=${PREFIX}
  
 @@ -44,13 +44,23 @@ CONFIGURE_ARGS=	--enable-kernel-pfkey \
  MAN5=	ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
  MAN8=	ipsec.8 _updown.8 _updown_espmark.8
  
 -OPTIONS_DEFINE=	CURL EAPAKA3GPP2 EAPSIMFILE IKEv1 LDAP MYSQL SQLITE
 +OPTIONS_DEFINE=	 CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE HA IKEv1
 +OPTIONS_DEFINE+= IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL SQLITE
 +OPTIONS_DEFINE+= TESTVECTOR UNBOUND XAUTH
  CURL_DESC=	Enable CURL to fetch CRL/OCSP
  EAPAKA3GPP2_DESC=	Enable EAP AKA with 3gpp2 backend
 +EAPDYNAMIC_DESC=	Enable EAP dynamic proxy module
 +EAPRADIUS_DESC=		Enable EAP Radius proxy authentication
  EAPSIMFILE_DESC=	Enable EAP SIM with file backend
 -IKEv1_DESC=	Enable IKEv1 support (Experimental)
 +HA_DESC=	Enable high availability cluster
 +IKEv1_DESC=	Enable IKEv1 support
 +IPSECKEY_DESC=	Enable authentication with IPSECKEY resource records with DNSSEC
 +KERNELLIBIPSEC_DESC=   Enable IPSec userland backend
 +LOADTESTER_DESC=	Enable load testing plugin
 +TESTVECTOR_DESC=	Enable crypto test vectors
 +UNBOUND_DESC=	Enable DNSSEC-enabled resolver
 +XAUTH_DESC=	Enable XAuth password verification
  
 -NO_STAGE=	yes
  .include <bsd.port.options.mk>
  
  # Extra options
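Review bot: The new `LOADTESTER_DESC` line should tell the user this is a test-only plugin: upstream documents load-tester as a testing tool and, as far as I recall, advises against using it on production systems, yet the port presents it like any other feature; suggest `LOADTESTER_DESC=	Enable load testing plugin (testing only, not for production)`. The added `_DESC` assignments also mix whitespace after `=` (`OPTIONS_DEFINE=` has a tab plus a space, `EAPRADIUS_DESC=` two tabs, `KERNELLIBIPSEC_DESC=` spaces) where the rest of the file uses a single tab. The same applies to the `CONFIGURE_ARGS+=` and `PLIST_SUB+=` lines of the option blocks in the following hunks, which use runs of spaces.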
 @@ -83,6 +93,29 @@ PLIST_SUB+=SIMAKA=""
  PLIST_SUB+=SIMAKA="@comment "
  .endif
  
 +.if ${PORT_OPTIONS:MEAPDYNAMIC}
 +CONFIGURE_ARGS+=        --enable-eap-dynamic
 +PLIST_SUB+=     EAPDYNAMIC=""
 +.else
 +PLIST_SUB+=     EAPDYNAMIC="@comment "
 +.endif
 +
 +.if ${PORT_OPTIONS:MEAPRADIUS}
 +CONFIGURE_ARGS+=        --enable-eap-radius
 +PLIST_SUB+=     EAPRADIUS=""
 +PLIST_SUB+=     RADIUS=""
 +.else
 +PLIST_SUB+=     EAPRADIUS="@comment "
 +PLIST_SUB+=     RADIUS="@comment "
 +.endif
 +
 +.if ${PORT_OPTIONS:MHA}
 +CONFIGURE_ARGS+=        --enable-ha
 +PLIST_SUB+=     HA=""
 +.else
 +PLIST_SUB+=     HA="@comment "
 +.endif
 +
  .if ${PORT_OPTIONS:MIKEv1}
  PLIST_SUB+=	IKEv1=""
  .else
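Review bot: The EAPRADIUS block defines two plist substitutions, `EAPRADIUS` and `RADIUS`, that are always set together to the same value (the `PLIST_SUB+=     RADIUS=""` / `RADIUS="@comment "` pair), so one is redundant; the `%%RADIUS%%lib/ipsec/libradius.*` entries in pkg-plist could use `%%EAPRADIUS%%` and the `RADIUS` lines be dropped. If `libradius` is expected to be shared by another option later, a one-line comment saying so would justify keeping both.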
 @@ -90,6 +123,13 @@ CONFIGURE_ARGS+=	--disable-ikev1
  PLIST_SUB+=	IKEv1="@comment "
  .endif
  
 +.if ${PORT_OPTIONS:MKERNELLIBIPSEC}
 +CONFIGURE_ARGS+=       --enable-kernel-libipsec
 +PLIST_SUB+=    KERNELLIBIPSEC=""
 +.else
 +PLIST_SUB+=    KERNELLIBIPSEC="@comment "
 +.endif
 +
  .if ${PORT_OPTIONS:MLDAP}
  USE_OPENLDAP=	yes
  CONFIGURE_ARGS+=	--enable-ldap
 @@ -98,6 +138,20 @@ PLIST_SUB+=	LDAP=""
  PLIST_SUB+=	LDAP="@comment "
  .endif
  
 +.if ${PORT_OPTIONS:MLOADTESTER}
 +CONFIGURE_ARGS+=        --enable-load-tester
 +PLIST_SUB+=     LOADTESTER=""
 +.else
 +PLIST_SUB+=     LOADTESTER="@comment "
 +.endif
 +
 +.if ${PORT_OPTIONS:MIPSECKEY}
 +CONFIGURE_ARGS+=        --enable-ipseckey
 +PLIST_SUB+=     IPSECKEY=""
 +.else
 +PLIST_SUB+=     IPSECKEY="@comment "
 +.endif
 +
  .if ${PORT_OPTIONS:MMYSQL}
  CONFIGURE_ARGS+=	--enable-mysql
  USE_MYSQL=	yes
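Review bot: The IPSECKEY block (`.if ${PORT_OPTIONS:MIPSECKEY}`) passes `--enable-ipseckey` with no relation to UNBOUND, although the ipseckey plugin resolves IPSECKEY records through a DNSSEC-validating resolver and, if I recall upstream's configure correctly, turns on the unbound plugin (and needs libunbound) when enabled; with IPSECKEY on and UNBOUND off the build would then either fail or stage an unlisted `libstrongswan-unbound` plugin. Worth confirming against 5.1.1's configure.ac and, if so, giving the IPSECKEY block the same `LIB_DEPENDS` and plist entries or making the option imply UNBOUND. The block is also placed after LOADTESTER while `OPTIONS_DEFINE` and the rest of the file keep options alphabetical.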
 @@ -121,11 +175,36 @@ PLIST_SUB+=	SQL=""
  PLIST_SUB+=	SQL="@comment "
  .endif
  
 -.include <bsd.port.pre.mk>
 +.if ${PORT_OPTIONS:MUNBOUND}
 +CONFIGURE_ARGS+=        --enable-unbound
 +LIB_DEPENDS+=   unbound:${PORTSDIR}/dns/unbound
 +PLIST_SUB+=     UNBOUND=""
 +.else
 +PLIST_SUB+=     UNBOUND="@comment "
 +.endif
 +
 +.if ${PORT_OPTIONS:MTESTVECTOR}
 +CONFIGURE_ARGS+=        --enable-test-vectors
 +PLIST_SUB+=     TESTVECTOR=""
 +.else
 +PLIST_SUB+=     TESTVECTOR="@comment "
 +.endif
 +
 +.if ${PORT_OPTIONS:MXAUTH}
 +CONFIGURE_ARGS+=        --enable-xauth-eap --enable-xauth-generic
 +PLIST_SUB+=     XAUTH=""
 +.else
 +PLIST_SUB+=     XAUTH="@comment "
 +.endif
  
  # Requires FreeBSD 8 and above to work
  .if ${OSVERSION} < 800000
  IGNORE=		requires at least FreeBSD 8.X
  .endif
  
 -.include <bsd.port.post.mk>
 +post-install:
 +	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 +	${MV} ${STAGEDIR}${PREFIX}/etc/strongswan.conf ${STAGEDIR}${EXAMPLESDIR}
 +	${MV} ${STAGEDIR}${PREFIX}/etc/ipsec.conf ${STAGEDIR}${EXAMPLESDIR}
 +
 +.include <bsd.port.mk>
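Review bot: The XAUTH block passes `--enable-xauth-eap --enable-xauth-generic`, but pkg-plist keeps `libstrongswan-xauth-generic.*` under `%%IKEv1%%` (the hunk around `%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a`) and lists only `xauth-eap` under `%%XAUTH%%`; with XAUTH on and IKEv1 off the generic plugin is built but absent from the plist. The Makefile and the plist should agree on which option governs xauth-generic — either condition those plist entries on `%%XAUTH%%` too or move `--enable-xauth-generic` to the IKEv1 block, depending on how 5.1.1's configure defaults it (worth confirming). Note also that `post-install` assumes both config files were staged under `${STAGEDIR}${PREFIX}/etc`, so the `${MV}` lines will fail the build rather than silently skip if upstream renames them.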
 diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo
 index ff76032..9c39d66 100644
 --- a/security/strongswan/distinfo
 +++ b/security/strongswan/distinfo
 @@ -1,2 +1,2 @@
 -SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
 -SIZE (strongswan-5.0.4.tar.bz2) = 3412930
 +SHA256 (strongswan-5.1.1.tar.bz2) = fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
 +SIZE (strongswan-5.1.1.tar.bz2) = 3673200
 diff --git a/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in b/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in
 new file mode 100644
 index 0000000..033b2a3
 --- /dev/null
 +++ b/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in
 @@ -0,0 +1,13 @@
 +--- src.old/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c	2013-11-01 19:26:36.000000000 +0200
 ++++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c	2013-11-01 19:32:17.000000000 +0200
 +@@ -790,6 +790,9 @@
 + /*	{ENCR_DES_IV64,				0							}, */
 + 	{ENCR_DES,					SADB_EALG_DESCBC			},
 + 	{ENCR_3DES,					SADB_EALG_3DESCBC			},
 ++#ifdef SADB_X_EALG_CAMELLIACBC
 ++	{ENCR_CAMELLIA_CBC,         SADB_X_EALG_CAMELLIACBC     },
 ++#endif
 + /*	{ENCR_RC5,					0							}, */
 + /*	{ENCR_IDEA,					0							}, */
 + 	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
 + 
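Review bot: The patch file is named `patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in` but patches `src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c` (no `.in`), which will mislead the next maintainer looking for the patched file; rename it to `patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c`. The old-side path `src.old/...` also differs from the `src/...` new side, whereas the ports convention is an `.orig` suffix on the old file so `patch` resolves the target unambiguously. The `#ifdef SADB_X_EALG_CAMELLIACBC` guard is the right way to add the mapping, since the constant only exists where the kernel headers define it.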
 diff --git a/security/strongswan/pkg-plist b/security/strongswan/pkg-plist
 index 170f10d..c88bab3 100644
 --- a/security/strongswan/pkg-plist
 +++ b/security/strongswan/pkg-plist
 @@ -1,5 +1,3 @@
 -etc/ipsec.conf
 -etc/strongswan.conf
  lib/ipsec/libcharon.a
  lib/ipsec/libcharon.la
  lib/ipsec/libcharon.so
 @@ -97,12 +95,18 @@ lib/ipsec/plugins/libstrongswan-pkcs7.so
  lib/ipsec/plugins/libstrongswan-pkcs8.a
  lib/ipsec/plugins/libstrongswan-pkcs8.la
  lib/ipsec/plugins/libstrongswan-pkcs8.so
 +lib/ipsec/plugins/libstrongswan-pkcs12.a
 +lib/ipsec/plugins/libstrongswan-pkcs12.la
 +lib/ipsec/plugins/libstrongswan-pkcs12.so
  lib/ipsec/plugins/libstrongswan-pubkey.a
  lib/ipsec/plugins/libstrongswan-pubkey.la
  lib/ipsec/plugins/libstrongswan-pubkey.so
  lib/ipsec/plugins/libstrongswan-random.a
  lib/ipsec/plugins/libstrongswan-random.la
  lib/ipsec/plugins/libstrongswan-random.so
 +lib/ipsec/plugins/libstrongswan-rc2.a
 +lib/ipsec/plugins/libstrongswan-rc2.la
 +lib/ipsec/plugins/libstrongswan-rc2.so
  lib/ipsec/plugins/libstrongswan-resolve.a
  lib/ipsec/plugins/libstrongswan-resolve.la
  lib/ipsec/plugins/libstrongswan-resolve.so
 @@ -118,6 +122,9 @@ lib/ipsec/plugins/libstrongswan-sha2.so
  lib/ipsec/plugins/libstrongswan-socket-default.a
  lib/ipsec/plugins/libstrongswan-socket-default.la
  lib/ipsec/plugins/libstrongswan-socket-default.so
 +lib/ipsec/plugins/libstrongswan-sshkey.a
 +lib/ipsec/plugins/libstrongswan-sshkey.la
 +lib/ipsec/plugins/libstrongswan-sshkey.so
  lib/ipsec/plugins/libstrongswan-stroke.a
  lib/ipsec/plugins/libstrongswan-stroke.la
  lib/ipsec/plugins/libstrongswan-stroke.so
 @@ -141,6 +148,13 @@ libexec/ipsec/starter
  libexec/ipsec/stroke
  libexec/ipsec/whitelist
  sbin/ipsec
 +sbin/charon-cmd
 +share/examples/strongswan/ipsec.conf
 +share/examples/strongswan/strongswan.conf
 +%%RADIUS%%lib/ipsec/libradius.a
 +%%RADIUS%%lib/ipsec/libradius.la
 +%%RADIUS%%lib/ipsec/libradius.so
 +%%RADIUS%%lib/ipsec/libradius.so.0
  %%SIMAKA%%lib/ipsec/libsimaka.a
  %%SIMAKA%%lib/ipsec/libsimaka.la
  %%SIMAKA%%lib/ipsec/libsimaka.so
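Review bot: The two new `share/examples/strongswan/...` entries hard-code the path; the convention is `%%EXAMPLESDIR%%/ipsec.conf` and `%%EXAMPLESDIR%%/strongswan.conf`, which follows `EXAMPLESDIR` the way the Makefile's `post-install` already does. A matching `@dirrm %%EXAMPLESDIR%%` is not visible in this hunk or in the final `@dirrm` hunk; unless it exists beyond the hunk, the directory is left behind on deinstall. Since `etc/ipsec.conf` and `etc/strongswan.conf` are removed from the plist, a fresh install no longer gets any configuration file, so a pkg-message pointing at the examples directory would spare users the surprise.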
 @@ -154,6 +168,12 @@ sbin/ipsec
  %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.a
  %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.la
  %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.so
 +%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.a
 +%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.la
 +%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.so
 +%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.a
 +%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.la
 +%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.so
  %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.a
  %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.la
  %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.so
 @@ -163,9 +183,26 @@ sbin/ipsec
  %%CURL%%lib/ipsec/plugins/libstrongswan-curl.a
  %%CURL%%lib/ipsec/plugins/libstrongswan-curl.la
  %%CURL%%lib/ipsec/plugins/libstrongswan-curl.so
 +%%HA%%lib/ipsec/plugins/libstrongswan-ha.a
 +%%HA%%lib/ipsec/plugins/libstrongswan-ha.la
 +%%HA%%lib/ipsec/plugins/libstrongswan-ha.so
  %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a
  %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.la
  %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.so
 +%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.a
 +%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.la
 +%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.so
 +%%KERNELLIBIPSEC%%lib/ipsec/libipsec.a
 +%%KERNELLIBIPSEC%%lib/ipsec/libipsec.la
 +%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so
 +%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so.0
 +%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.a
 +%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.la
 +%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
 +%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.a
 +%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.la
 +%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.so
 +%%LOADTESTER%%libexec/ipsec/load-tester
  %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.a
  %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.la
  %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.so
 @@ -182,6 +219,15 @@ sbin/ipsec
  %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.a
  %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.la
  %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.so
 +%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.a
 +%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.la
 +%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.so
 +%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.a
 +%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.la
 +%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.so
 +%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.a
 +%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.la
 +%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.so
  @dirrm libexec/ipsec
  @dirrm lib/ipsec/plugins
  @dirrm lib/ipsec
 diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
 index 85ec7b9..e8395be 100644
 --- a/security/vuxml/vuln.xml
 +++ b/security/vuxml/vuln.xml
 @@ -51,6 +51,44 @@ Note:  Please add new entries to the beginning of this file.
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
 +  <vuln vid="fb3c1452-4599-11e3-8fb6-001cc0b0c9d4">
 +    <topic>strongswan -- multiple vulnerabilities</topic>
 +    <affects>
 +      <package>
 +	<name>strongswan</name>
 +	<range><lt>5.1.1</lt></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">;
 +	<p>strongSwan security team reports:</p>
 +	<blockquote cite="http://wiki.strongswan.org/projects/strongswan/wiki/Changelog51">;
 +	  <p>CVE-2013-5018</p>
 +	  <p>Fixed a denial-of-service vulnerability triggered by specific XAuth
 +	     usernames and EAP identities (since 5.0.3), and PEM files (since 4.1.11).
 +	     The crash was caused by insufficient error handling in the is_asn1()
 +	     function.</p>
 +	  <p>CVE-2013-6075</p>
 +	  <p>Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
 +	     fragmentation payload. The cause is a NULL pointer dereference.</p>
 +	  <p>CVE-2013-6076</p>
 +	  <p>Fixed a denial-of-service vulnerability and potential authorization bypass
 +	     triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an
 +	     insufficient length check when comparing such identities.</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <cvename>CVE-2013-5018</cvename>
 +      <cvename>CVE-2013-6075</cvename>
 +      <cvename>CVE-2013-6076</cvename>
 +    </references>
 +    <dates>
 +      <discovery>2013-11-01</discovery>
 +      <entry>2013-11-18</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="e62ab2af-4df4-11e3-b0cf-00262d5ed8ee">
      <topic>chromium -- multiple memory corruption issues</topic>
      <affects>
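Review bot: The entry dates all three issues `<discovery>2013-11-01</discovery>` and covers them with a single `<lt>5.1.1</lt>` range, but CVE-2013-5018 (the is_asn1() crash quoted here from the same Changelog51 page) was, as far as I recall, fixed and announced with 5.1.0 in mid-2013, so only CVE-2013-6075 and CVE-2013-6076 belong to the 5.1.1 release. Either set `<discovery>` to the earliest advisory date or split the 5.1.0 issue into its own `<vuln>` with `<lt>5.1.0</lt>`; worth checking the upstream advisory dates before committing. The `>;` after the `<vuxml>`, `<body>` and `<blockquote>` tags looks like an artifact of the list archive rather than the patch, but the committed file should of course carry a plain `>`.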
 
 --------------030902010007060501090309--


