Date: Mon, 12 Jan 2015 17:35:05 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 196615] Update strongswan to 5.2.2 [CVE-2014-9221] Message-ID: <bug-196615-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196615 Bug ID: 196615 Summary: Update strongswan to 5.2.2 [CVE-2014-9221] Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: freebsd-ports-bugs@FreeBSD.org Reporter: garga@FreeBSD.org Patch to update strongswan to 5.2.2 * Update strongswan to 5.2.2, follow upstream Changelog: - Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange payload that contains the Diffie-Hellman group 1025. This identifier was used internally for DH groups with custom generator and prime. Because these arguments are missing when creating DH objects based on the KE payload an invalid pointer dereference occurred. This allowed an attacker to crash the IKE daemon with a single IKE_SA_INIT message containing such a KE payload. The vulnerability has been registered as CVE-2014-9221. - The left/rightid options in ipsec.conf, or any other identity in strongSwan, now accept prefixes to enforce an explicit type, such as email: or fqdn:. Note that no conversion is done for the remaining string, refer to ipsec.conf(5) for details. - The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as an IKEv2 public key authentication method. The pki tool offers full support for the generation of BLISS key pairs and certificates. - Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could cause interoperability issues when connecting to older versions of charon. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-196615-13>