Date: Mon, 6 Jan 2014 14:01:29 GMT From: Francois ten Krooden <strongswan@nanoteq.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/185535: Port update to fix vulnerabilities. Message-ID: <201401061401.s06E1T1C005810@oldred.freebsd.org> Resent-Message-ID: <201401061410.s06EA0LP090629@freefall.freebsd.org>
>Number: 185535 >Category: ports >Synopsis: Port update to fix vulnerabilities. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Mon Jan 06 14:10:00 UTC 2014 >Closed-Date: >Last-Modified: >Originator: Francois ten Krooden >Release: 9.2 >Organization: Nanoteq >Environment: >Description: Update port security/strongswan 5.0.4 -> 5.1.1 - Added EAP dynamic proxy module - Added EAP Radius proxy authentication - Added DNSSEC/unbound support - Added kernel libipsec plugin. - Changed configuration files to install to ${PREFIX}/etc/<filename>.conf.sample Updated vuln.xml for the 3 CVE's that were fixed in this release. -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6075 -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6076 -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5018 >How-To-Repeat: >Fix: Patch attached with submission follows:
Index: Makefile
===================================================================
--- Makefile (revision 338877)
+++ Makefile (working copy)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 PORTNAME= strongswan
-PORTVERSION= 5.0.4
-PORTREVISION= 1
+PORTVERSION= 5.1.1
 CATEGORIES= security
 MASTER_SITES= http://download.strongswan.org/ \
 http://download2.strongswan.org/
@@ -37,6 +36,7 @@
 --enable-blowfish \
 --enable-addrblock \
 --enable-whitelist \
+ --enable-cmd \
 --with-group=wheel \
 --with-lib-prefix=${PREFIX}
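Review bot: `--enable-cmd` is added to the unconditional CONFIGURE_ARGS list, so every build of the port now installs `sbin/charon-cmd`, while the other new features in this patch are gated behind OPTIONS. The PR description does not mention it either. Consider making it an option like the others (for example a `CMD` option with its own `PLIST_SUB` entry), or at least listing it in the description so the extra binary is a deliberate choice. The CONFIGURE_ARGS assignment starts above this hunk.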
@@ -44,13 +44,22 @@
 MAN5= ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
 MAN8= ipsec.8 _updown.8 _updown_espmark.8
-OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPSIMFILE IKEv1 LDAP MYSQL SQLITE
+OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE IKEv1
+OPTIONS_DEFINE+= IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL SQLITE
+OPTIONS_DEFINE+= TESTVECTOR UNBOUND XAUTH
 CURL_DESC= Enable CURL to fetch CRL/OCSP
 EAPAKA3GPP2_DESC= Enable EAP AKA with 3gpp2 backend
+EAPDYNAMIC_DESC= Enable EAP dynamic proxy module
+EAPRADIUS_DESC= Enable EAP Radius proxy authentication
 EAPSIMFILE_DESC= Enable EAP SIM with file backend
-IKEv1_DESC= Enable IKEv1 support (Experimental)
+IKEv1_DESC= Enable IKEv1 support
+IPSECKEY_DESC= Enable authentication with IPSECKEY resource records with DNSSEC
+KERNELLIBIPSEC_DESC= Enable IPSec userland backend
+LOADTESTER_DESC= Enable load testing plugin
+TESTVECTOR_DESC= Enable crypto test vectors
+UNBOUND_DESC= Enable DNSSEC-enabled resolver
+XAUTH_DESC= Enable XAuth password verification
-NO_STAGE= yes
 .include <bsd.port.options.mk>
 # Extra options
@@ -83,6 +92,22 @@
 PLIST_SUB+=SIMAKA="@comment "
 .endif
+.if ${PORT_OPTIONS:MEAPDYNAMIC}
+CONFIGURE_ARGS+= --enable-eap-dynamic
+PLIST_SUB+= EAPDYNAMIC=""
+.else
+PLIST_SUB+= EAPDYNAMIC="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MEAPRADIUS}
+CONFIGURE_ARGS+= --enable-eap-radius
+PLIST_SUB+= EAPRADIUS=""
+PLIST_SUB+= RADIUS=""
+.else
+PLIST_SUB+= EAPRADIUS="@comment "
+PLIST_SUB+= RADIUS="@comment "
+.endif
+
 .if ${PORT_OPTIONS:MIKEv1}
 PLIST_SUB+= IKEv1=""
 .else
@@ -90,6 +115,13 @@
 PLIST_SUB+= IKEv1="@comment "
 .endif
+.if ${PORT_OPTIONS:MKERNELLIBIPSEC}
+CONFIGURE_ARGS+= --enable-kernel-libipsec
+PLIST_SUB+= KERNELLIBIPSEC=""
+.else
+PLIST_SUB+= KERNELLIBIPSEC="@comment "
+.endif
+
 .if ${PORT_OPTIONS:MLDAP}
 USE_OPENLDAP= yes
 CONFIGURE_ARGS+= --enable-ldap
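Review bot: `LOADTESTER_DESC` in the @@ -44,13 hunk reads like any other feature toggle, but as far as I know upstream documents the load-tester plugin as a test tool that should not be enabled on production gateways. The description should say so, e.g. `LOADTESTER_DESC= Enable load testing plugin (not for production use)`. No OPTIONS_DEFAULT line is visible in this hunk, so the option is presumably off unless selected; the wording still matters because it is what the operator sees when configuring the port. The same hunk drops `(Experimental)` from `IKEv1_DESC`, which is worth confirming against upstream's release notes.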
@@ -98,6 +130,20 @@
 PLIST_SUB+= LDAP="@comment "
 .endif
+.if ${PORT_OPTIONS:MLOADTESTER}
+CONFIGURE_ARGS+= --enable-load-tester
+PLIST_SUB+= LOADTESTER=""
+.else
+PLIST_SUB+= LOADTESTER="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MIPSECKEY}
+CONFIGURE_ARGS+= --enable-ipseckey
+PLIST_SUB+= IPSECKEY=""
+.else
+PLIST_SUB+= IPSECKEY="@comment "
+.endif
+
 .if ${PORT_OPTIONS:MMYSQL}
 CONFIGURE_ARGS+= --enable-mysql
 USE_MYSQL= yes
@@ -121,11 +167,36 @@
 PLIST_SUB+= SQL="@comment "
 .endif
-.include <bsd.port.pre.mk>
+.if ${PORT_OPTIONS:MUNBOUND}
+CONFIGURE_ARGS+= --enable-unbound
+LIB_DEPENDS+= unbound:${PORTSDIR}/dns/unbound
+PLIST_SUB+= UNBOUND=""
+.else
+PLIST_SUB+= UNBOUND="@comment "
+.endif
+.if ${PORT_OPTIONS:MTESTVECTOR}
+CONFIGURE_ARGS+= --enable-test-vectors
+PLIST_SUB+= TESTVECTOR=""
+.else
+PLIST_SUB+= TESTVECTOR="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MXAUTH}
+CONFIGURE_ARGS+= --enable-xauth-eap --enable-xauth-generic
+PLIST_SUB+= XAUTH=""
+.else
+PLIST_SUB+= XAUTH="@comment "
+.endif
+
 # Requires FreeBSD 8 and above to work
 .if ${OSVERSION} < 800000
 IGNORE= requires at least FreeBSD 8.X
 .endif
-.include <bsd.port.post.mk>
+post-install:
+ ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/strongswan.conf ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/ipsec.conf ${STAGEDIR}${EXAMPLESDIR}
+
+.include <bsd.port.mk>
Index: distinfo
===================================================================
--- distinfo (revision 338877)
+++ distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
-SIZE (strongswan-5.0.4.tar.bz2) = 3412930
+SHA256 (strongswan-5.1.1.tar.bz2) = fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
+SIZE (strongswan-5.1.1.tar.bz2) = 3673200
Index: pkg-plist
===================================================================
--- pkg-plist (revision 338877)
+++ pkg-plist (working copy)
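Review bot: The `IPSECKEY` block in the @@ -98,6 hunk can be selected without `UNBOUND`, although the option's own description says it authenticates with DNSSEC, and as far as I know the ipseckey plugin relies on the resolver that the unbound plugin provides. With only IPSECKEY set, the plugin would be built and packaged but presumably unable to validate any record. Tie the two options together after the block, e.g. `.if ${PORT_OPTIONS:MIPSECKEY} && empty(PORT_OPTIONS:MUNBOUND)` / `IGNORE= IPSECKEY requires the UNBOUND option` / `.endif`.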
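Review bot: The `XAUTH` block in the @@ -121,11 hunk passes `--enable-xauth-generic`, but the pkg-plist context lines in this same patch keep `libstrongswan-xauth-generic.*` under `%%IKEv1%%`, and only `libstrongswan-xauth-eap.*` is added under `%%XAUTH%%`. If XAUTH is selected with IKEv1 off, the generic plugin may be built but left out of the packing list (assuming configure honours the flag in that combination). Either drop `--enable-xauth-generic` here and leave that plugin to the IKEv1 option, or move those three plist entries to `%%XAUTH%%`. Separately, `post-install` moves the two config files to `${EXAMPLESDIR}` while the PR description says they are installed as `${PREFIX}/etc/<filename>.conf.sample`; one of the two should be corrected.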
@@ -1,5 +1,3 @@
-etc/ipsec.conf
-etc/strongswan.conf
 lib/ipsec/libcharon.a
 lib/ipsec/libcharon.la
 lib/ipsec/libcharon.so
@@ -97,12 +95,18 @@
 lib/ipsec/plugins/libstrongswan-pkcs8.a
 lib/ipsec/plugins/libstrongswan-pkcs8.la
 lib/ipsec/plugins/libstrongswan-pkcs8.so
+lib/ipsec/plugins/libstrongswan-pkcs12.a
+lib/ipsec/plugins/libstrongswan-pkcs12.la
+lib/ipsec/plugins/libstrongswan-pkcs12.so
 lib/ipsec/plugins/libstrongswan-pubkey.a
 lib/ipsec/plugins/libstrongswan-pubkey.la
 lib/ipsec/plugins/libstrongswan-pubkey.so
 lib/ipsec/plugins/libstrongswan-random.a
 lib/ipsec/plugins/libstrongswan-random.la
 lib/ipsec/plugins/libstrongswan-random.so
+lib/ipsec/plugins/libstrongswan-rc2.a
+lib/ipsec/plugins/libstrongswan-rc2.la
+lib/ipsec/plugins/libstrongswan-rc2.so
 lib/ipsec/plugins/libstrongswan-resolve.a
 lib/ipsec/plugins/libstrongswan-resolve.la
 lib/ipsec/plugins/libstrongswan-resolve.so
@@ -118,6 +122,9 @@
 lib/ipsec/plugins/libstrongswan-socket-default.a
 lib/ipsec/plugins/libstrongswan-socket-default.la
 lib/ipsec/plugins/libstrongswan-socket-default.so
+lib/ipsec/plugins/libstrongswan-sshkey.a
+lib/ipsec/plugins/libstrongswan-sshkey.la
+lib/ipsec/plugins/libstrongswan-sshkey.so
 lib/ipsec/plugins/libstrongswan-stroke.a
 lib/ipsec/plugins/libstrongswan-stroke.la
 lib/ipsec/plugins/libstrongswan-stroke.so
@@ -141,6 +148,13 @@
 libexec/ipsec/stroke
 libexec/ipsec/whitelist
 sbin/ipsec
+sbin/charon-cmd
+share/examples/strongswan/ipsec.conf
+share/examples/strongswan/strongswan.conf
+%%RADIUS%%lib/ipsec/libradius.a
+%%RADIUS%%lib/ipsec/libradius.la
+%%RADIUS%%lib/ipsec/libradius.so
+%%RADIUS%%lib/ipsec/libradius.so.0
 %%SIMAKA%%lib/ipsec/libsimaka.a
 %%SIMAKA%%lib/ipsec/libsimaka.la
 %%SIMAKA%%lib/ipsec/libsimaka.so
@@ -154,6 +168,12 @@
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.a
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.la
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.so
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.a
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.la
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.a
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.la
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.so
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.a
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.la
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.so
@@ -166,6 +186,20 @@
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.la
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.so
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.a
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.la
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so.0
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.a
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.la
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.so
+%%LOADTESTER%%libexec/ipsec/load-tester
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.a
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.la
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.so
@@ -182,6 +216,15 @@
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.a
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.la
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.so
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.a
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.la
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.so
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.a
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.la
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.so
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.a
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.la
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.so
 @dirrm libexec/ipsec
 @dirrm lib/ipsec/plugins
 @dirrm lib/ipsec
>Release-Note: >Audit-Trail: >Unformatted: