From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. ea3b9a4f8837242222115601487259181f79df9d
Date: Mon, 19 Feb 2018 23:46:27 +0000	[thread overview]
Message-ID: <20180219234628.3CF3C106D063@git01.ipfire.org> (raw)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  ea3b9a4f8837242222115601487259181f79df9d (commit)
       via  a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b (commit)
      from  2ec7a53b3e001ad423a78a06f3f83bf8fea8db94 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ea3b9a4f8837242222115601487259181f79df9d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Feb 19 23:44:57 2018 +0000

    strongswan: Update to 5.6.2
    
    Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
    signatures that was caused by insufficient input validation.
    One of the configurable parameters in algorithm identifier
    structures for RSASSA-PSS signatures is the mask generation
    function (MGF). Only MGF1 is currently specified for this purpose.
    However, this in turn itself takes a parameter that specifies
    the underlying hash function. strongSwan's parser did not
    correctly handle the case of this parameter being absent,
    causing an undefined data read.
    
    This vulnerability has been registered as CVE-2018-6459.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
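
The parsing defect described in the commit message is a failure to handle an optional-looking field that is in fact mandatory. The following Python is an added example, not code from strongSwan or IPFire: a bounds-checked DER parser for the RSASSA-PSS-params structure defined in RFC 4055. It applies the RFC's DEFAULT values for absent top-level fields (SHA-1, MGF1 with SHA-1, salt length 20, trailer field 1) but rejects an MGF1 AlgorithmIdentifier that carries no hash parameter, which is the input shape behind CVE-2018-6459, instead of reading data the structure never supplied. The OID table is deliberately limited to SHA-1 and SHA-256, and the sample encodings at the bottom are constructed for the example rather than taken from any real certificate.

```python
# Added example, not strongSwan's code: a bounds-checked DER parser for the
# RSASSA-PSS-params structure of RFC 4055.  Absent top-level fields take their
# DEFAULT values; the hash identifier inside the MGF1 parameters is mandatory, so
# its absence is a parse error rather than a read of data the structure never supplied.

# Known OIDs as raw DER content octets, compared byte-for-byte (no OID decoding needed).
OIDS = {bytes.fromhex("2b0e03021a"): "sha1", bytes.fromhex("608648016503040201"): "sha256"}
OID_MGF1 = bytes.fromhex("2a864886f70d010108")
DER_NULL = (0x05, b"")
DEFAULTS = {"hash": "sha1", "mgf1_hash": "sha1", "salt_length": 20, "trailer_field": 1}

class DerError(ValueError):
    """Any structurally invalid or unsupported encoding."""

def read_tlv(data, pos):
    """Read one DER tag/length/value at pos; every slice is bounds-checked first."""
    if pos + 2 > len(data):
        raise DerError("truncated header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise DerError("bad long-form length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise DerError("truncated value")
    return tag, data[pos:pos + length], pos + length

def parse_algorithm_identifier(body):
    """SEQUENCE { algorithm OID, parameters ANY OPTIONAL } -> (oid bytes, (tag, value) or None)."""
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise DerError("expected OID")
    params = None
    if pos < len(body):
        ptag, pval, pos = read_tlv(body, pos)
        params = (ptag, pval)
    if pos != len(body):
        raise DerError("trailing data in AlgorithmIdentifier")
    return oid, params

def parse_hash_algorithm(body):
    oid, params = parse_algorithm_identifier(body)
    if oid not in OIDS or params not in (None, DER_NULL):
        raise DerError("unsupported hash algorithm or parameters")
    return OIDS[oid]

def parse_mgf(body):
    """MGF1 is the only defined MGF; its parameters must carry the hash identifier."""
    oid, params = parse_algorithm_identifier(body)
    if oid != OID_MGF1 or params is None or params[0] != 0x30:
        # params is None is exactly the absent-parameter input behind CVE-2018-6459
        raise DerError("MGF must be MGF1 carrying a SEQUENCE hash AlgorithmIdentifier")
    return parse_hash_algorithm(params[1])

def parse_pss_params(der):
    """Return the four PSS parameters, applying RFC 4055 defaults for absent fields."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise DerError("RSASSA-PSS-params must be a single SEQUENCE")
    result, pos, last = dict(DEFAULTS), 0, -1
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        idx = tag & 0x1F
        if tag & 0xE0 != 0xA0 or idx <= last or idx > 3:
            raise DerError("unexpected, repeated or out-of-order field")
        itag, ival, iend = read_tlv(val, 0)  # EXPLICIT tag wraps exactly one element
        if iend != len(val) or itag != (0x30, 0x30, 0x02, 0x02)[idx]:
            raise DerError("wrong type or trailing data in field [%d]" % idx)
        if idx < 2:
            result["hash" if idx == 0 else "mgf1_hash"] = (parse_hash_algorithm, parse_mgf)[idx](ival)
        elif not ival or ival[0] & 0x80 or (idx == 3 and ival != b"\x01"):
            raise DerError("INTEGER field out of range")
        else:
            result["salt_length" if idx == 2 else "trailer_field"] = int.from_bytes(ival, "big")
        last = idx
    return result

def is_well_formed(der):
    try:
        parse_pss_params(der)
        return True
    except DerError:
        return False

def tlv(tag, payload):  # short-form DER encoder, enough to build the samples below
    return bytes([tag, len(payload)]) + payload

# Constructed sample encodings (not taken from any real certificate).
SHA256_AID = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")) + tlv(0x05, b""))
MGF1_SHA256_AID = tlv(0x30, tlv(0x06, OID_MGF1) + SHA256_AID)
GOOD_PARAMS = tlv(0x30, tlv(0xA0, SHA256_AID) + tlv(0xA1, MGF1_SHA256_AID) + tlv(0xA2, tlv(0x02, b"\x20")))
EMPTY_PARAMS = tlv(0x30, b"")  # every field at its DEFAULT
BAD_PARAMS = tlv(0x30, tlv(0xA1, tlv(0x30, tlv(0x06, OID_MGF1))))  # MGF1 without its hash parameter
```

`parse_pss_params(GOOD_PARAMS)` yields SHA-256 for both the hash and the MGF1 hash with a 32-byte salt, `EMPTY_PARAMS` yields the four defaults, and `is_well_formed(BAD_PARAMS)` is false because the absent MGF1 parameter is refused at the point where the parser would otherwise have to invent it. Every `read_tlv` call checks the remaining length before slicing, so a truncated encoding is also refused rather than read past its end.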

commit a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Feb 19 23:42:17 2018 +0000

    IPsec: Try to restart always-on tunnels immediately
    
    When a tunnel that is in always-on configuration closes
    unexpectedly, we can instruct strongSwan to restart it
    immediately which is precisely what we do now.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/119/filelists/files                     |  1 +
 .../rootfiles/{oldcore/106 => core/119}/filelists/strongswan  |  0
 config/rootfiles/core/119/update.sh                           | 11 +++++++++--
 html/cgi-bin/vpnmain.cgi                                      |  6 ++++++
 lfs/strongswan                                                |  4 ++--
 5 files changed, 18 insertions(+), 4 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/119}/filelists/strongswan (100%)

Difference in files:
diff --git a/config/rootfiles/core/119/filelists/files b/config/rootfiles/core/119/filelists/files
index 053cb1278..c8f6cc13b 100644
--- a/config/rootfiles/core/119/filelists/files
+++ b/config/rootfiles/core/119/filelists/files
@@ -5,4 +5,5 @@ etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
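Review bot: no problem with the entry itself; srv/web/ipfire/cgi-bin/vpnmain.cgi sits in its alphabetical position after proxy.cgi. It needs to be in this filelist because update.sh in the same series executes /srv/web/ipfire/cgi-bin/vpnmain.cgi to regenerate the IPsec configuration, which only has the intended effect if the modified CGI has already been unpacked onto the system.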
diff --git a/config/rootfiles/core/119/filelists/strongswan b/config/rootfiles/core/119/filelists/strongswan
new file mode 120000
index 000000000..90c727e26
--- /dev/null
+++ b/config/rootfiles/core/119/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
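Review bot: mode 120000 marks this as a symlink whose content is the relative target ../../../common/strongswan, so the missing trailing newline is expected here, and it matches the 100% copy from oldcore/106 reported in the summary. The link only does its job if config/rootfiles/common/strongswan exists in this tree, so that is worth a quick check before the core 119 archive is built.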
diff --git a/config/rootfiles/core/119/update.sh b/config/rootfiles/core/119/update.sh
index e4c7a77eb..fdca22bc5 100644
--- a/config/rootfiles/core/119/update.sh
+++ b/config/rootfiles/core/119/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+ipsec stop
 
 # Remove old files
 rm -vf \
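Review bot: `ipsec stop` is unconditional, while the restart added later in this file is gated on ENABLED=on in /var/ipfire/vpn/settings. That asymmetry is acceptable if stop is harmless when IPsec is not running, but gating both on the same test would keep the update script from touching a subsystem the administrator has disabled. Stopping the daemon before the `rm -vf` block removes old files is the right order when its binaries are about to be replaced.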
@@ -73,8 +74,14 @@ rm -vf \
 
 # Start services
 
-# This update need a reboot...
-#touch /var/run/need_reboot
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/init.d/ipsec restart
+fi
+
+# This update needs a reboot...
+touch /var/run/need_reboot
 
 # Finish
 /etc/init.d/fireinfo start
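Review bot: the pattern in `grep -q "ENABLED=on" /var/ipfire/vpn/settings` is unanchored, so any other key whose name ends in ENABLED would also satisfy it; `grep -q "^ENABLED=on$" /var/ipfire/vpn/settings` tests exactly the key intended. The hunk also relies on /srv/web/ipfire/cgi-bin/vpnmain.cgi regenerating ipsec.conf when run from a shell as nobody with no CGI environment; that behaviour is not visible in this patch, so confirm it writes the files and exits cleanly in that mode. Re-enabling `touch /var/run/need_reboot` is consistent with a strongSwan package replacement, and the conditional restart keeps tunnels up until that reboot happens.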
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 17873d62b..2a0351ea0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -436,6 +436,12 @@ sub writeipsecfiles {
 			if ($start_action eq 'route' && $inactivity_timeout > 0) {
 				print CONF "\tinactivity=$inactivity_timeout\n";
 			}
+
+			# Restart the connection immediately when it has gone down
+			# unexpectedly
+			if ($start_action eq 'start') {
+				print CONF "\tcloseaction=restart\n";
+			}
 		}
 
 		# Fragmentation
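Review bot: closeaction=restart is emitted only when $start_action eq 'start', which matches the commit message, and the tab indentation matches the surrounding block. One caveat from the strongSwan ipsec.conf documentation: closeaction should not be used if the peer uses reauthentication or uniqueids checking, since those events also close the CHILD_SA and would trigger the restart; for always-on tunnels that is the intended behaviour, but it is worth noting in the commit message for admins running such peers.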
diff --git a/lfs/strongswan b/lfs/strongswan
index f012492d0..58f8c5e9b 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.6.1
+VER        = 5.6.2
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = cb2241f1b96c524cd15b1c0f50ed9a27
+$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913
 
 install : $(TARGET)
 


hooks/post-receive
--
IPFire 2.x development tree
