This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core86 has been updated
       via  89002058bb464fb2061e673765cdd484421fbdc5 (commit)
       via  0d9dec7055c06ebe52314e1d22176351394d2291 (commit)
       via  ada34e641aaeba9c5841855e4f842650a7f6cfde (commit)
       via  4f4fcd5dbc44f1504f46460bf8480b9b9c231c52 (commit)
       via  3ccd175c5531490e8be144bfb4808a1d4b12c4fa (commit)
      from  4091a94508e8d4485c98dd64c5a3fe1c7282986c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 89002058bb464fb2061e673765cdd484421fbdc5
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Wed Jan 14 00:06:06 2015 +0100

    core86: security updates for openssl, openvpn and strongswan.

commit 0d9dec7055c06ebe52314e1d22176351394d2291
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Dec 2 12:28:49 2014 +0100

    openvpn: Update to 2.3.6

    Fixes CVE-2014-8104

commit ada34e641aaeba9c5841855e4f842650a7f6cfde
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Jan 12 13:03:16 2015 +0100

    strongswan: Fix for CVE-2014-9221

commit 4f4fcd5dbc44f1504f46460bf8480b9b9c231c52
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sun Oct 26 21:00:08 2014 +0100

    strongswan: Update to 5.2.1

commit 3ccd175c5531490e8be144bfb4808a1d4b12c4fa
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Jan 8 18:28:12 2015 +0100

    openssl: Update to 1.0.1k and 0.9.8zd

    https://www.openssl.org/news/secadv_20150108.txt
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/{oldcore/84 => core/86}/exclude          |   0
 .../{oldcore/81 => core/86}/filelists/files               |   4 +-
 .../{oldcore/81 => core/86}/filelists/openssh             |   0
 .../{oldcore/81 => core/86}/filelists/openssl             |   0
 .../82 => core/86}/filelists/openssl-compat               |   0
 .../{oldcore/79 => core/86}/filelists/openvpn             |   0
 .../{oldcore/80 => core/86}/filelists/strongswan          |   0
 config/rootfiles/{oldcore/84 => core/86}/meta             |   0
 config/rootfiles/{oldcore/82 => core/86}/update.sh        |  12 +-
 lfs/openssl                                               |   4 +-
 lfs/openssl-compat                                        |   4 +-
 lfs/openvpn                                               |   4 +-
 lfs/strongswan                                            |   5 +-
 make.sh                                                   |   6 +-
 .../strongswan-5.1.2-5.2.1_modp_custom.patch              | 164 +++++++++++++++++++++
 15 files changed, 186 insertions(+), 17 deletions(-)
 copy config/rootfiles/{oldcore/84 => core/86}/exclude (100%)
 copy config/rootfiles/{oldcore/81 => core/86}/filelists/files (53%)
 copy config/rootfiles/{oldcore/81 => core/86}/filelists/openssh (100%)
 copy config/rootfiles/{oldcore/81 => core/86}/filelists/openssl (100%)
 copy config/rootfiles/{oldcore/82 => core/86}/filelists/openssl-compat (100%)
 copy config/rootfiles/{oldcore/79 => core/86}/filelists/openvpn (100%)
 copy config/rootfiles/{oldcore/80 => core/86}/filelists/strongswan (100%)
 copy config/rootfiles/{oldcore/84 => core/86}/meta (100%)
 copy config/rootfiles/{oldcore/82 => core/86}/update.sh (92%)
 create mode 100644 src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch
Difference in files: diff --git a/config/rootfiles/core/86/exclude b/config/rootfiles/core/86/exclude new file mode 100644 index 0000000..18e9b4d --- /dev/null +++ b/config/rootfiles/core/86/exclude @@ -0,0 +1,20 @@ +boot/config.txt +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/86/filelists/files b/config/rootfiles/core/86/filelists/files new file mode 100644 index 0000000..83c9851 --- /dev/null +++ b/config/rootfiles/core/86/filelists/files @@ -0,0 +1,5 @@ +etc/system-release +etc/issue +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +var/ipfire/langs diff --git a/config/rootfiles/core/86/filelists/openssh b/config/rootfiles/core/86/filelists/openssh new file mode 120000 index 0000000..d8c77fd --- /dev/null +++ b/config/rootfiles/core/86/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file diff --git a/config/rootfiles/core/86/filelists/openssl b/config/rootfiles/core/86/filelists/openssl new file mode 120000 index 0000000..e011a92 --- /dev/null +++ b/config/rootfiles/core/86/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/core/86/filelists/openssl-compat b/config/rootfiles/core/86/filelists/openssl-compat new file mode 120000 index 0000000..c9fa421 --- /dev/null +++ b/config/rootfiles/core/86/filelists/openssl-compat @@ -0,0 +1 @@ +../../../common/openssl-compat \ No newline at end of file diff --git a/config/rootfiles/core/86/filelists/openvpn b/config/rootfiles/core/86/filelists/openvpn new file mode 120000 index 0000000..493f3f7 --- /dev/null 
+++ b/config/rootfiles/core/86/filelists/openvpn @@ -0,0 +1 @@ +../../../common/openvpn \ No newline at end of file diff --git a/config/rootfiles/core/86/filelists/strongswan b/config/rootfiles/core/86/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/core/86/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/86/meta b/config/rootfiles/core/86/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/86/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/86/update.sh b/config/rootfiles/core/86/update.sh new file mode 100644 index 0000000..5dc87fc --- /dev/null +++ b/config/rootfiles/core/86/update.sh 
@@ -0,0 +1,61 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=86 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/ipsec stop + +# Remove old files + +# Extract files +extract_files + +# Start services +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi +/etc/init.d/apache restart + +# Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Don't report the exitcode last command +exit 0 diff --git a/lfs/openssl b/lfs/openssl index 186ea6c..eae2c6e 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 1.0.1j +VER = 1.0.1k
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -51,7 +51,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f7175c9cd3c39bb1907ac8bba9df8ed3 +$(DL_FILE)_MD5 = d4f002bd22a56881340105028842ae1f
install : $(TARGET)
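Review bot: the `$(DL_FILE)_MD5` line in this lfs/openssl hunk (and the matching lines in lfs/openssl-compat, lfs/openvpn and lfs/strongswan) is the only integrity check on the downloaded tarball, and MD5 is no longer a collision-resistant digest; for a security update of the TLS library everything else links against, the value should be taken from a download whose upstream signature was verified, and the lfs infrastructure would be better off pinning a SHA-256 digest instead of `_MD5`.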
diff --git a/lfs/openssl-compat b/lfs/openssl-compat index 683d979..52a8e91 100644 --- a/lfs/openssl-compat +++ b/lfs/openssl-compat @@ -24,7 +24,7 @@
include Config
-VER = 0.9.8zc +VER = 0.9.8zd
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1b239eea3a60d67863e7b66700e47a16 +$(DL_FILE)_MD5 = e9b9ee12f2911e1a378e2458d9bfff77
install : $(TARGET)
diff --git a/lfs/openvpn b/lfs/openvpn index 8c7c81a..44a8b46 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@
include Config
-VER = 2.3.4 +VER = 2.3.6
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9b70be9fb45e407117c3c9b118e4ba22 +$(DL_FILE)_MD5 = bcc30c296566df14feebdd8aa0e408ca
install : $(TARGET)
diff --git a/lfs/strongswan b/lfs/strongswan index 5256b0a..642d651 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.2.0 +VER = 5.2.1
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 5cee4ee1a6ccb74400758b3ace54d46e +$(DL_FILE)_MD5 = dd3717c0aa59ab4591ca1812941ebb82
install : $(TARGET)
@@ -78,6 +78,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh diff --git a/make.sh b/make.sh index 2b24e11..5116472 100755 --- a/make.sh +++ b/make.sh @@ -17,7 +17,7 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org. # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org. # # # ############################################################################ # @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.15" # Version number -CORE="85" # Core Level (Filename) -PAKFIRE_CORE="85" # Core Level (PAKFIRE) +CORE="86" # Core Level (Filename) +PAKFIRE_CORE="86" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch b/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch new file mode 100644 index 0000000..df2cb09 --- /dev/null +++ b/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch 
@@ -0,0 +1,164 @@ +From a78ecdd47509626711a13481f53696e01d4b8c62 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner tobias@strongswan.org +Date: Mon, 1 Dec 2014 17:21:59 +0100 +Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range + +Before this fix it was possible to crash charon with an IKE_SA_INIT +message containing a KE payload with DH group MODP_CUSTOM(1025). +Defining MODP_CUSTOM outside of the two byte IKE DH identifier range +prevents it from getting negotiated. + +Fixes CVE-2014-9221 in version 5.1.2 and newer. +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 2 +- + src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++----- + src/libstrongswan/crypto/diffie_hellman.h | 6 ++++-- + src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 +- + src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 +- + src/libstrongswan/plugins/ntru/ntru_ke.c | 2 +- + src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 +- + src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +- + src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +- + 9 files changed, 17 insertions(+), 14 deletions(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 67db5e6d87d6..836e0b7f088d 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t { + /** + * Diffie Hellman group number. + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /** + * Diffie Hellman public value. 
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c +index bada1c529951..ac106e9c4d45 100644 +--- a/src/libstrongswan/crypto/diffie_hellman.c ++++ b/src/libstrongswan/crypto/diffie_hellman.c +@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT, + "ECP_256_BP", + "ECP_384_BP", + "ECP_512_BP"); +-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP, +- "MODP_NULL", +- "MODP_CUSTOM"); +-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM, ++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP, ++ "MODP_NULL"); ++ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL, + "NTRU_112", + "NTRU_128", + "NTRU_192", + "NTRU_256"); +-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT); ++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT, ++ "MODP_CUSTOM"); ++ENUM_END(diffie_hellman_group_names, MODP_CUSTOM); + + + /** +diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h +index 105db22f14d4..d5161d077bb2 100644 +--- a/src/libstrongswan/crypto/diffie_hellman.h ++++ b/src/libstrongswan/crypto/diffie_hellman.h +@@ -63,12 +63,14 @@ enum diffie_hellman_group_t { + /** insecure NULL diffie hellman group for testing, in PRIVATE USE */ + MODP_NULL = 1024, + /** MODP group with custom generator/prime */ +- MODP_CUSTOM = 1025, + /** Parameters defined by IEEE 1363.1, in PRIVATE USE */ + NTRU_112_BIT = 1030, + NTRU_128_BIT = 1031, + NTRU_192_BIT = 1032, +- NTRU_256_BIT = 1033 ++ NTRU_256_BIT = 1033, ++ /** internally used DH group with additional parameters g and p, outside ++ * of PRIVATE USE (i.e. 
IKEv2 DH group range) so it can't be negotiated */ ++ MODP_CUSTOM = 65536, + }; + + /** +diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +index f418b941db86..299865da2e09 100644 +--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c ++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t { + /** + * Diffie Hellman group number + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /* + * Generator value +diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +index b74d35169f44..9936f7e4518f 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c ++++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t { + /** + * Diffie Hellman group number. + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /* + * Generator value. +diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c +index abaa22336221..e64f32b91d0e 100644 +--- a/src/libstrongswan/plugins/ntru/ntru_ke.c ++++ b/src/libstrongswan/plugins/ntru/ntru_ke.c +@@ -56,7 +56,7 @@ struct private_ntru_ke_t { + /** + * Diffie Hellman group number. + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /** + * NTRU Parameter Set +diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +index ff3382473666..1e68ac59b838 100644 +--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c ++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t { + /** + * Diffie Hellman group number. 
+ */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /** + * Diffie Hellman object +diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +index b487d59a59a3..50853d6f0bde 100644 +--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c ++++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t { + /** + * Diffie Hellman group number. + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /** + * EC private (public) key +diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +index 36cc284bf2b5..23b63d2386af 100644 +--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c ++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t { + /** + * Diffie Hellman group number. + */ +- u_int16_t group; ++ diffie_hellman_group_t group; + + /** + * Handle for own private value +-- +1.9.1 +
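Review bot: in the config/rootfiles/core/86/update.sh hunk, `if [ \`grep "ENABLED=on" /var/ipfire/vpn/settings\` ]; then` tests an unquoted command substitution inside `[ ]`, which only works while grep prints a single word; prefer `if grep -q "^ENABLED=on$" /var/ipfire/vpn/settings; then`, which avoids the word-splitting and anchors the match. The `# Remove old files` section in the same hunk is empty and should either be dropped or filled in, and since only ipsec and apache are restarted, the running openvpn process keeps the old binary until the reboot requested via `touch /var/run/need_reboot`; a comment saying so would make the intent clear to whoever maintains this script next.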
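Review bot: the backported src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch relies on two things working together: `MODP_CUSTOM = 65536` is moved outside the two-byte IKE DH range, and every `u_int16_t group` field in the listed plugins is widened to `diffie_hellman_group_t`, because a 16-bit field would silently truncate 65536 to 0. The lfs/strongswan hunk applies it before strongswan-5.0.2_ipfire.patch, so the reviewer should confirm that the IPFire patch, and any other local code, has no remaining 16-bit storage of the group id, and that both patches still apply cleanly in that order; it would also help to record in the commit message why CVE-2014-9221 is carried as a source patch on 5.2.1 rather than through a further version bump.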
hooks/post-receive -- IPFire 2.x development tree