From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] strongSwan: update to 5.9.4
Date: Sat, 23 Oct 2021 14:49:52 +0200
Message-ID: <8712fd25-ac29-e597-4273-6ef77156ca7c@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4733233355117513055=="
List-Id:

--===============4733233355117513055==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:

    Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details.

    Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details.

    Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.

    AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.

    Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).

    Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).

    Loading SSH public keys via vici has been improved (#467).

    Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.

    Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).

    The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.

    libtpmtss is initialized in all programs and libraries that use it.

    Migrated testing scripts to Python 3.

    The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

To my understanding, IPFire is not affected by CVE-2021-41990, as we do not support creation of IPsec connections using RSASSA-PSS (please correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire installations indeed.

Signed-off-by: Peter Müller
--- lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/strongswan b/lfs/strongswan index 46c0309fb..45ff8f426 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 5.9.3 +VER =3D 5.9.4 =20 THISAPP =3D strongswan-$(VER) DL_FILE =3D $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 80ecabe0ce72d550d2d5de0118f89143 +$(DL_FILE)_MD5 =3D 9c387eb77f0159fdefbcf7e81c905c35 =20 install : $(TARGET) =20 --=20 2.26.2 --===============4733233355117513055==--
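
Review bot: In the second hunk, the only integrity pin for the new tarball is the `$(DL_FILE)_MD5` value, and MD5 is not collision resistant, so that line alone does not show that strongswan-5.9.4.tar.bz2 is the upstream release. Because the commit message describes this as a security update (CVE-2021-41991 is said to affect IPFire), please note in the commit message how the downloaded tarball was verified, for example against a signature published by upstream, and record a stronger digest next to the MD5 if the lfs makefiles are able to check one.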