From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 57f5c85825d9f6b61e8726c5b146bae1957acfcf
Date: Thu, 04 Jun 2015 19:32:31 +0200
Message-ID: <20150604173232.BA2E022308@argus.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 57f5c85825d9f6b61e8726c5b146bae1957acfcf (commit)
via 41ed4795fe92b1b16c8d946baef3f807adc97a77 (commit)
from b2faf4f566b687052d40c8a2c37ed633ed643cb8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 57f5c85825d9f6b61e8726c5b146bae1957acfcf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Jun 4 19:31:53 2015 +0200
core91: Add strongswan update
commit 41ed4795fe92b1b16c8d946baef3f807adc97a77
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Jun 4 19:26:44 2015 +0200
strongswan: Update to 5.3.1
Fixed a denial-of-service and potential remote code execution vulnerability
triggered by IKEv1/IKEv2 messages that contain payloads for the respective
other IKE version. Such payloads are treated specially since 5.2.2 but because
they were still identified by their original payload type they were used as
such in some places causing invalid function pointer dereferences.
The vulnerability has been registered as CVE-2015-3991.
https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-%28cve-2015-3991%29.html
The increased buffer size has been fixed in bug #943 upstream
https://wiki.strongswan.org/issues/943
-----------------------------------------------------------------------
Summary of changes:
.../91}/filelists/i586/strongswan-padlock | 0
.../{oldcore/87 => core/91}/filelists/strongswan | 0
lfs/strongswan | 8 ++---
...-stroke-Increase-stroke-buffer-size-to-8k.patch | 34 ----------------------
.../strongswan-5.3.1-build-timeattack.patch | 11 +++++++
5 files changed, 15 insertions(+), 38 deletions(-)
copy config/rootfiles/{oldcore/77 => core/91}/filelists/i586/strongswan-padlock (100%)
copy config/rootfiles/{oldcore/87 => core/91}/filelists/strongswan (100%)
delete mode 100644 src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch
create mode 100644 src/patches/strongswan-5.3.1-build-timeattack.patch
Difference in files:
diff --git a/config/rootfiles/core/91/filelists/i586/strongswan-padlock b/config/rootfiles/core/91/filelists/i586/strongswan-padlock
new file mode 120000
index 0000000..2412824
--- /dev/null
+++ b/config/rootfiles/core/91/filelists/i586/strongswan-padlock
@@ -0,0 +1 @@
+../../../../common/i586/strongswan-padlock
\ No newline at end of file
diff --git a/config/rootfiles/core/91/filelists/strongswan b/config/rootfiles/core/91/filelists/strongswan
new file mode 120000
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/91/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
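Review bot: The new `core/91/filelists/strongswan` symlink points at `../../../common/strongswan`, but the summary of changes lists no update to that common filelist, so Core Update 91 will ship exactly the file set recorded for the previous version. Worth confirming that 5.3.1 installs no new or renamed files (plugins, libraries) compared with 5.3.0; if it does, the common rootfile needs updating alongside this change.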
diff --git a/lfs/strongswan b/lfs/strongswan
index f227bba..d1a5b8c 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
include Config
-VER = 5.3.0
+VER = 5.3.1
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c52d4228231c2025d9c320d0e9990327
+$(DL_FILE)_MD5 = 66f258901a3d6c271da1a0c7fb3e5013
install : $(TARGET)
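Review bot: The updated `$(DL_FILE)_MD5` line is the only integrity check visible here for the 5.3.1 tarball, and MD5 is not collision resistant, which matters for a release pulled in to fix CVE-2015-3991. Please state in the commit message how the new checksum was obtained (for example, computed from a tarball whose upstream signature was verified) and, if the lfs framework allows it, record a stronger digest alongside the MD5.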
@@ -78,10 +78,10 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.3.1-build-timeattack.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
- cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
+ cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
--sysconfdir="/etc" \
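Review bot: The switch from `[ -x "configure" ] || ./autogen.sh` to an unconditional `autoreconf -vfi` is not explained in the commit message. It appears to be needed because the new build-timeattack patch edits `scripts/Makefile.am`, so the shipped `Makefile.in` has to be regenerated; a one-line comment above the `autoreconf` call saying so would keep a later cleanup from reverting it. This also regenerates the release tarball's `configure` with the build host's autotools on every build, so the result now depends on the autoconf/automake/libtool versions in the toolchain.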
diff --git a/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch b/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch
deleted file mode 100644
index 2252e31..0000000
--- a/src/patches/strongswan-5.3.0-stroke-Increase-stroke-buffer-size-to-8k.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4b59d129fd1026bab37256af0df9ae7ace39e7ba Mon Sep 17 00:00:00 2001
-From: Michael Tremer <michael.tremer(a)ipfire.org>
-Date: Mon, 27 Apr 2015 18:49:45 +0200
-Subject: [PATCH] stroke: Increase stroke buffer size to 8k
-
-Complicated connections can have lots of arguments
-for the ike= and esp= directives in the ipsec.conf
-configuration file. strongSwan wouldn't import those
-because the size of the message that is send from
-stroke to charon exceeded the limit of 4k.
-
-This patch increases the size of the buffer that
-can be passed to charon to 8k which should be enough
-even for connections with longer configurations.
----
- src/stroke/stroke_msg.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
-index c2b923f6db9a..c391efa00105 100644
---- a/src/stroke/stroke_msg.h
-+++ b/src/stroke/stroke_msg.h
-@@ -32,7 +32,7 @@
- */
- #define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl"
-
--#define STROKE_BUF_LEN 4096
-+#define STROKE_BUF_LEN 8192
-
- typedef enum list_flag_t list_flag_t;
-
---
-2.1.0
-
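Review bot: Dropping the 8k stroke buffer patch relies on the commit message's statement that upstream fixed this in bug #943; nothing in this diff shows what `STROKE_BUF_LEN` is in 5.3.1. Before this reaches a Core Update, test that a connection with long `ike=` and `esp=` lists in ipsec.conf still loads, since the failure described in the removed patch was that strongSwan would not import such connections.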
diff --git a/src/patches/strongswan-5.3.1-build-timeattack.patch b/src/patches/strongswan-5.3.1-build-timeattack.patch
new file mode 100644
index 0000000..948c4fc
--- /dev/null
+++ b/src/patches/strongswan-5.3.1-build-timeattack.patch
@@ -0,0 +1,11 @@
+--- strongswan-5.3.1/scripts/Makefile.am.old 2015-06-04 17:20:43.539244145 +0000
++++ strongswan-5.3.1/scripts/Makefile.am 2015-06-04 17:20:51.760510631 +0000
+@@ -42,7 +42,7 @@
+ dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+ aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+ settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+-timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
++timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
+
+ key2keyid.o : $(top_builddir)/config.status
+
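Review bot: The new `strongswan-5.3.1-build-timeattack.patch` has no header: unlike the patch removed above, it does not say which build failure adding `$(RTLIB)` to `timeattack_LDADD` fixes or whether the change was sent upstream. Add a short description and an upstream reference so the patch can be dropped on the next version bump; since it only touches a helper under `scripts/`, it is also worth checking whether that tool needs to be built for the IPFire package at all.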
hooks/post-receive
--
IPFire 2.x development tree