public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. ea3b9a4f8837242222115601487259181f79df9d
@ 2018-02-19 23:46 git
From: git @ 2018-02-19 23:46 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  ea3b9a4f8837242222115601487259181f79df9d (commit)
       via  a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b (commit)
      from  2ec7a53b3e001ad423a78a06f3f83bf8fea8db94 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ea3b9a4f8837242222115601487259181f79df9d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Feb 19 23:44:57 2018 +0000

    strongswan: Update to 5.6.2
    
    Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
    signatures that was caused by insufficient input validation.
    One of the configurable parameters in algorithm identifier
    structures for RSASSA-PSS signatures is the mask generation
    function (MGF). Only MGF1 is currently specified for this purpose.
    However, this in turn takes itself a parameter that specifies
    the underlying hash function. strongSwan's parser did not
    correctly handle the case of this parameter being absent,
    causing an undefined data read.
    
    This vulnerability has been registered as CVE-2018-6459.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Feb 19 23:42:17 2018 +0000

    IPsec: Try to restart always-on tunnels immediately
    
    When a tunnel that is in always-on configuration closes
    unexpectedly, we can instruct strongSwan to restart it
    immediately which is precisely what we do now.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/119/filelists/files                     |  1 +
 .../rootfiles/{oldcore/106 => core/119}/filelists/strongswan  |  0
 config/rootfiles/core/119/update.sh                           | 11 +++++++++--
 html/cgi-bin/vpnmain.cgi                                      |  6 ++++++
 lfs/strongswan                                                |  4 ++--
 5 files changed, 18 insertions(+), 4 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/119}/filelists/strongswan (100%)

Difference in files:
diff --git a/config/rootfiles/core/119/filelists/files b/config/rootfiles/core/119/filelists/files
index 053cb1278..c8f6cc13b 100644
--- a/config/rootfiles/core/119/filelists/files
+++ b/config/rootfiles/core/119/filelists/files
@@ -5,4 +5,5 @@ etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
diff --git a/config/rootfiles/core/119/filelists/strongswan b/config/rootfiles/core/119/filelists/strongswan
new file mode 120000
index 000000000..90c727e26
--- /dev/null
+++ b/config/rootfiles/core/119/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/119/update.sh b/config/rootfiles/core/119/update.sh
index e4c7a77eb..fdca22bc5 100644
--- a/config/rootfiles/core/119/update.sh
+++ b/config/rootfiles/core/119/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+ipsec stop
 
 # Remove old files
 rm -vf \
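Review bot: the new `ipsec stop` under `# Stop services` calls the strongSwan `ipsec` wrapper directly, while the start path added later in this same script goes through `/etc/init.d/ipsec restart`; use the init script for both (`/etc/init.d/ipsec stop`) so stopping and starting follow the same code path and the same logging, and so a later change to the init script is not silently bypassed here.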
@@ -73,8 +74,14 @@ rm -vf \
 
 # Start services
 
-# This update need a reboot...
-#touch /var/run/need_reboot
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/init.d/ipsec restart
+fi
+
+# This update needs a reboot...
+touch /var/run/need_reboot
 
 # Finish
 /etc/init.d/fireinfo start
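Review bot: the `grep -q "ENABLED=on" /var/ipfire/vpn/settings` test is unanchored, so any other key ending in `ENABLED` with value `on` would also trigger the restart; anchor it as `grep -q "^ENABLED=on"`. Invoking `vpnmain.cgi` non-interactively via `sudo -u nobody` will also print its HTTP/HTML response to stdout, so redirect it (`>/dev/null`) so that only the regenerated configuration is the visible effect in the update log. Finally, since `touch /var/run/need_reboot` is now unconditional, the comment above the restart should state why the immediate restart is still wanted before the reboot (putting the updated daemon into service right away rather than at the next boot), so a future reader does not drop one of the two.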
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 17873d62b..2a0351ea0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -436,6 +436,12 @@ sub writeipsecfiles {
 			if ($start_action eq 'route' && $inactivity_timeout > 0) {
 				print CONF "\tinactivity=$inactivity_timeout\n";
 			}
+
+			# Restart the connection immediately when it has gone down
+			# unexpectedly
+			if ($start_action eq 'start') {
+				print CONF "\tcloseaction=restart\n";
+			}
 		}
 
 		# Fragmentation
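Review bot: the new block emits `closeaction=restart` for every connection with `$start_action eq 'start'`, but the comment omits the caveat from the strongSwan ipsec.conf documentation that a closeaction should not be used when the peer uses reauthentication or uniqueids checking, because those events can look like an unexpected close and trigger the restart; extend the comment with that condition, or make the option configurable per connection the way `inactivity` already is for the `route` case above.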
diff --git a/lfs/strongswan b/lfs/strongswan
index f012492d0..58f8c5e9b 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.6.1
+VER        = 5.6.2
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = cb2241f1b96c524cd15b1c0f50ed9a27
+$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913
 
 install : $(TARGET)
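Review bot: the bump of `$(DL_FILE)_MD5` keeps MD5 as the only integrity check on the new tarball, which is a weak guarantee for a release whose purpose is a security fix (CVE-2018-6459 per the commit message); when recording the hash for 5.6.2, verify the download against upstream's detached signature first, and consider moving the lfs files to a SHA-2 digest so the recorded value is collision-resistant.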
 


hooks/post-receive
--
IPFire 2.x development tree
