Date: Sun, 10 Dec 2023 17:16:49 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 9d8accbe0c0d - main - security/strongswan: Update to 5.9.13 Message-ID: <202312101716.3BAHGnXO057980@gitrepo.freebsd.org>
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=9d8accbe0c0d7c0db16ec9bbb50bded19db8271f commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f Author: Jose Luis Duran <jlduran@gmail.com> AuthorDate: 2023-12-10 16:59:53 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2023-12-10 17:16:32 +0000 security/strongswan: Update to 5.9.13 ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13 PR: 275620 Reported by: jlduran@gmail.com MFH: 2023Q4 (security fix) Security: CVE-2023-41913 --- security/strongswan/Makefile | 5 +-- security/strongswan/distinfo | 8 ++--- ...swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c | 42 ---------------------- security/strongswan/pkg-plist | 15 ++++---- 4 files changed, 12 insertions(+), 58 deletions(-)
diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
index c7972b9ca9b6..b6bf781ef23e 100644
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@@ -1,11 +1,8 @@
 PORTNAME= strongswan
-DISTVERSION= 5.9.11
-PORTREVISION= 3
+DISTVERSION= 5.9.13
 CATEGORIES= security net-vpn
 MASTER_SITES= https://download.strongswan.org/ \
 https://download2.strongswan.org/
-PATCH_SITES= https://github.com/strongswan/strongswan/commit/
-PATCHFILES= a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch:-p1
 MAINTAINER= strongswan@nanoteq.com
 COMMENT= Open Source IKEv2 IPsec-based VPN solution
diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo
index 1cccf5380f46..b24347585614 100644
--- a/security/strongswan/distinfo
+++ b/security/strongswan/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1690493412
-SHA256 (strongswan-5.9.11.tar.bz2) = ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
-SIZE (strongswan-5.9.11.tar.bz2) = 4786552
-SHA256 (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 31ba77932b88b611f1f1d54478b7d3a024f40e0bcea0b3249f2d62274e1df19f
-SIZE (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 3344
+TIMESTAMP = 1702006969
+SHA256 (strongswan-5.9.13.tar.bz2) = 56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55
+SIZE (strongswan-5.9.13.tar.bz2) = 4825644
diff --git a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c b/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
deleted file mode 100644
index f70c02446427..000000000000
--- a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
+++ /dev/null
@@ -1,42 +0,0 @@
-From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 11 Jul 2023 12:12:25 +0200
-Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
- overflow
-
-Seems this was forgotten in the referenced commit and actually could lead
-to a buffer overflow. Since charon-tkm is untrusted this isn't that
-much of an issue but could at least be easily exploited for a DoS attack
-as DH public values are set when handling IKE_SA_INIT requests.
-
-Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
-Fixes: CVE-2023-41913
----
- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-index 2b2d103d03e9..6999ad360d7e 100644
---- src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
- return TRUE;
- }
-
--
- METHOD(key_exchange_t, set_public_key, bool,
- private_tkm_diffie_hellman_t *this, chunk_t value)
- {
- dh_pubvalue_type othervalue;
-+
-+ if (!key_exchange_verify_pubkey(this->group, value) ||
-+ value.len > sizeof(othervalue.data))
-+ {
-+ return FALSE;
-+ }
- othervalue.size = value.len;
- memcpy(&othervalue.data, value.ptr, value.len);
-
---
-2.34.1
-
diff --git a/security/strongswan/pkg-plist b/security/strongswan/pkg-plist
index 4a834b334403..84f5c87bc304 100644
--- a/security/strongswan/pkg-plist
+++ b/security/strongswan/pkg-plist
@@ -36,8 +36,8 @@
 %%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample
 %%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample
 @sample %%ETCDIR%%.d/charon/hmac.conf.sample
-%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample
+%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon/kernel-libipsec.conf.sample
 @sample %%ETCDIR%%.d/charon/kernel-pfkey.conf.sample
 @sample %%ETCDIR%%.d/charon/kernel-pfroute.conf.sample
@@ -49,6 +49,7 @@
 %%MYSQL%%@sample %%ETCDIR%%.d/charon/mysql.conf.sample
 @sample %%ETCDIR%%.d/charon/nonce.conf.sample
 @sample %%ETCDIR%%.d/charon/openssl.conf.sample
+%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample
 @sample %%ETCDIR%%.d/charon/pem.conf.sample
 @sample %%ETCDIR%%.d/charon/pgp.conf.sample
 @sample %%ETCDIR%%.d/charon/pkcs1.conf.sample
@@ -207,6 +208,8 @@ lib/ipsec/plugins/libstrongswan-nonce.la
 lib/ipsec/plugins/libstrongswan-nonce.so
 lib/ipsec/plugins/libstrongswan-openssl.la
 lib/ipsec/plugins/libstrongswan-openssl.so
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
 lib/ipsec/plugins/libstrongswan-pem.la
 lib/ipsec/plugins/libstrongswan-pem.so
 lib/ipsec/plugins/libstrongswan-pgp.la
@@ -285,6 +288,7 @@ libexec/ipsec/whitelist
 %%PKI%%man/man1/pki---gen.1.gz
 %%PKI%%man/man1/pki---issue.1.gz
 %%PKI%%man/man1/pki---keyid.1.gz
+%%PKI%%man/man1/pki---ocsp.1.gz
 %%PKI%%man/man1/pki---pkcs7.1.gz
 %%PKI%%man/man1/pki---print.1.gz
 %%PKI%%man/man1/pki---pub.1.gz
@@ -313,6 +317,7 @@ sbin/ipsec
 %%DATADIR%%/templates/config/plugins/cmac.conf
 %%DATADIR%%/templates/config/plugins/constraints.conf
 %%DATADIR%%/templates/config/plugins/counters.conf
+%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%CURL%%%%DATADIR%%/templates/config/plugins/curl.conf
 %%DATADIR%%/templates/config/plugins/curve25519.conf
 %%DATADIR%%/templates/config/plugins/des.conf
@@ -335,8 +340,8 @@ sbin/ipsec
 %%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf
 %%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf
 %%DATADIR%%/templates/config/plugins/hmac.conf
-%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf
+%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%KERNELLIBIPSEC%%%%DATADIR%%/templates/config/plugins/kernel-libipsec.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfkey.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfroute.conf
@@ -348,11 +353,11 @@ sbin/ipsec
 %%MYSQL%%%%DATADIR%%/templates/config/plugins/mysql.conf
 %%DATADIR%%/templates/config/plugins/nonce.conf
 %%DATADIR%%/templates/config/plugins/openssl.conf
+%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
 %%DATADIR%%/templates/config/plugins/pem.conf
 %%DATADIR%%/templates/config/plugins/pgp.conf
 %%DATADIR%%/templates/config/plugins/pkcs1.conf
 %%PKCS11%%%%DATADIR%%/templates/config/plugins/pkcs11.conf
-%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%DATADIR%%/templates/config/plugins/pkcs12.conf
 %%DATADIR%%/templates/config/plugins/pkcs7.conf
 %%DATADIR%%/templates/config/plugins/pkcs8.conf
@@ -412,7 +417,3 @@ sbin/ipsec
 %%SWANCTL%%@dir etc/swanctl/x509ca
 %%SWANCTL%%@dir etc/swanctl/x509crl
 %%SWANCTL%%@dir etc/swanctl/x509ocsp
-%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
-%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample