This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  ea3b9a4f8837242222115601487259181f79df9d (commit)
       via  a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b (commit)
      from  2ec7a53b3e001ad423a78a06f3f83bf8fea8db94 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit ea3b9a4f8837242222115601487259181f79df9d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Feb 19 23:44:57 2018 +0000
strongswan: Update to 5.6.2
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose. However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan's parser did not correctly handle the case of this parameter being absent, causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Feb 19 23:42:17 2018 +0000
IPsec: Try to restart always-on tunnels immediately
When a tunnel that is in always-on configuration closes unexpectedly, we can instruct strongSwan to restart it immediately, which is precisely what we do now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/119/filelists/files                    |  1 +
 .../rootfiles/{oldcore/106 => core/119}/filelists/strongswan |  0
 config/rootfiles/core/119/update.sh                          | 11 +++++++++--
 html/cgi-bin/vpnmain.cgi                                     |  6 ++++++
 lfs/strongswan                                               |  4 ++--
 5 files changed, 18 insertions(+), 4 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/119}/filelists/strongswan (100%)
Difference in files: diff --git a/config/rootfiles/core/119/filelists/files b/config/rootfiles/core/119/filelists/files index 053cb1278..c8f6cc13b 100644 --- a/config/rootfiles/core/119/filelists/files +++ b/config/rootfiles/core/119/filelists/files @@ -5,4 +5,5 @@ etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi var/ipfire/langs diff --git a/config/rootfiles/core/119/filelists/strongswan b/config/rootfiles/core/119/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/119/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/119/update.sh b/config/rootfiles/core/119/update.sh index e4c7a77eb..fdca22bc5 100644 --- a/config/rootfiles/core/119/update.sh +++ b/config/rootfiles/core/119/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +ipsec stop
# Remove old files rm -vf \ @@ -73,8 +74,14 @@ rm -vf \
# Start services
-# This update need a reboot... -#touch /var/run/need_reboot +# Regenerate IPsec configuration +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/init.d/ipsec restart +fi + +# This update needs a reboot... +touch /var/run/need_reboot
# Finish /etc/init.d/fireinfo start diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 17873d62b..2a0351ea0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -436,6 +436,12 @@ sub writeipsecfiles { if ($start_action eq 'route' && $inactivity_timeout > 0) { print CONF "\tinactivity=$inactivity_timeout\n"; } + + # Restart the connection immediately when it has gone down + # unexpectedly + if ($start_action eq 'start') { + print CONF "\tcloseaction=restart\n"; + } }
# Fragmentation diff --git a/lfs/strongswan b/lfs/strongswan index f012492d0..58f8c5e9b 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.6.1 +VER = 5.6.2
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = cb2241f1b96c524cd15b1c0f50ed9a27 +$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913
install : $(TARGET)
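Review bot: In config/rootfiles/core/119/update.sh (hunk at -73,8 +74,14), the exit status of `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` is not checked before `/etc/init.d/ipsec restart`, so a failed regeneration would bring IPsec back up on the previous configuration without the update noticing. The `grep -q "ENABLED=on"` test is also unanchored and matches any line of /var/ipfire/vpn/settings that contains that string, including a key whose name merely ends in ENABLED; `grep -q "^ENABLED=on$"` would tie the restart to that one setting. The same hunk switches on `touch /var/run/need_reboot`, which neither commit message explains; a line in the log saying why this update now needs a reboot would help.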
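Review bot: In writeipsecfiles() in html/cgi-bin/vpnmain.cgi, the added comment says the connection is restarted when it has gone down "unexpectedly", but strongSwan's `closeaction` fires when the remote peer closes the CHILD_SA, and the strongSwan documentation advises against using it where the peer reauthenticates or enforces uniqueids, because those events can trigger the action as well. Please say so in the comment, and note in the commit message how the case of both ends being configured with `$start_action eq 'start'` behaves, since each side would then write `closeaction=restart`.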
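Review bot: In lfs/strongswan (hunk at -40,7 +40,7), the tarball for this security update is still pinned only by `$(DL_FILE)_MD5`. MD5 is not collision resistant, so it gives weak assurance that the downloaded strongswan-5.6.2 source is the intended one; pinning a SHA-256 or stronger digest next to it, or checking the upstream signature at download time, would be preferable if the build system can carry it.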
hooks/post-receive -- IPFire 2.x development tree