Date: Mon, 6 Jan 2014 14:01:29 GMT From: Francois ten Krooden <strongswan@nanoteq.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/185535: Port update to fix vulnerabilities. Message-ID: <201401061401.s06E1T1C005810@oldred.freebsd.org> Resent-Message-ID: <201401061410.s06EA0LP090629@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 185535
>Category: ports
>Synopsis: Port update to fix vulnerabilities.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 06 14:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Francois ten Krooden
>Release: 9.2
>Organization:
Nanoteq
>Environment:
>Description:
Update port security/strongswan 5.0.4 -> 5.1.1
- Added EAP dynamic proxy module
- Added EAP Radius proxy authentication
- Added DNSSEC/unbound support
- Added kernel libipsec plugin.
- Changed configuration files to install to ${PREFIX}/etc/<filename>.conf.sample
Updated vuln.xml for the 3 CVE's that were fixed in this release.
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6075
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6076
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5018
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
Index: Makefile
===================================================================
--- Makefile (revision 338877)
+++ Makefile (working copy)
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= strongswan
-PORTVERSION= 5.0.4
-PORTREVISION= 1
+PORTVERSION= 5.1.1
CATEGORIES= security
MASTER_SITES= http://download.strongswan.org/ \
http://download2.strongswan.org/
@@ -37,6 +36,7 @@
--enable-blowfish \
--enable-addrblock \
--enable-whitelist \
+ --enable-cmd \
--with-group=wheel \
--with-lib-prefix=${PREFIX}
@@ -44,13 +44,22 @@
MAN5= ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
MAN8= ipsec.8 _updown.8 _updown_espmark.8
-OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPSIMFILE IKEv1 LDAP MYSQL SQLITE
+OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE IKEv1
+OPTIONS_DEFINE+= IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL SQLITE
+OPTIONS_DEFINE+= TESTVECTOR UNBOUND XAUTH
CURL_DESC= Enable CURL to fetch CRL/OCSP
EAPAKA3GPP2_DESC= Enable EAP AKA with 3gpp2 backend
+EAPDYNAMIC_DESC= Enable EAP dynamic proxy module
+EAPRADIUS_DESC= Enable EAP Radius proxy authentication
EAPSIMFILE_DESC= Enable EAP SIM with file backend
-IKEv1_DESC= Enable IKEv1 support (Experimental)
+IKEv1_DESC= Enable IKEv1 support
+IPSECKEY_DESC= Enable authentication with IPSECKEY resource records with DNSSEC
+KERNELLIBIPSEC_DESC= Enable IPSec userland backend
+LOADTESTER_DESC= Enable load testing plugin
+TESTVECTOR_DESC= Enable crypto test vectors
+UNBOUND_DESC= Enable DNSSEC-enabled resolver
+XAUTH_DESC= Enable XAuth password verification
-NO_STAGE= yes
.include <bsd.port.options.mk>
# Extra options
@@ -83,6 +92,22 @@
PLIST_SUB+=SIMAKA="@comment "
.endif
+.if ${PORT_OPTIONS:MEAPDYNAMIC}
+CONFIGURE_ARGS+= --enable-eap-dynamic
+PLIST_SUB+= EAPDYNAMIC=""
+.else
+PLIST_SUB+= EAPDYNAMIC="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MEAPRADIUS}
+CONFIGURE_ARGS+= --enable-eap-radius
+PLIST_SUB+= EAPRADIUS=""
+PLIST_SUB+= RADIUS=""
+.else
+PLIST_SUB+= EAPRADIUS="@comment "
+PLIST_SUB+= RADIUS="@comment "
+.endif
+
.if ${PORT_OPTIONS:MIKEv1}
PLIST_SUB+= IKEv1=""
.else
@@ -90,6 +115,13 @@
PLIST_SUB+= IKEv1="@comment "
.endif
+.if ${PORT_OPTIONS:MKERNELLIBIPSEC}
+CONFIGURE_ARGS+= --enable-kernel-libipsec
+PLIST_SUB+= KERNELLIBIPSEC=""
+.else
+PLIST_SUB+= KERNELLIBIPSEC="@comment "
+.endif
+
.if ${PORT_OPTIONS:MLDAP}
USE_OPENLDAP= yes
CONFIGURE_ARGS+= --enable-ldap
@@ -98,6 +130,20 @@
PLIST_SUB+= LDAP="@comment "
.endif
+.if ${PORT_OPTIONS:MLOADTESTER}
+CONFIGURE_ARGS+= --enable-load-tester
+PLIST_SUB+= LOADTESTER=""
+.else
+PLIST_SUB+= LOADTESTER="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MIPSECKEY}
+CONFIGURE_ARGS+= --enable-ipseckey
+PLIST_SUB+= IPSECKEY=""
+.else
+PLIST_SUB+= IPSECKEY="@comment "
+.endif
+
.if ${PORT_OPTIONS:MMYSQL}
CONFIGURE_ARGS+= --enable-mysql
USE_MYSQL= yes
@@ -121,11 +167,36 @@
PLIST_SUB+= SQL="@comment "
.endif
-.include <bsd.port.pre.mk>
+.if ${PORT_OPTIONS:MUNBOUND}
+CONFIGURE_ARGS+= --enable-unbound
+LIB_DEPENDS+= unbound:${PORTSDIR}/dns/unbound
+PLIST_SUB+= UNBOUND=""
+.else
+PLIST_SUB+= UNBOUND="@comment "
+.endif
+.if ${PORT_OPTIONS:MTESTVECTOR}
+CONFIGURE_ARGS+= --enable-test-vectors
+PLIST_SUB+= TESTVECTOR=""
+.else
+PLIST_SUB+= TESTVECTOR="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MXAUTH}
+CONFIGURE_ARGS+= --enable-xauth-eap --enable-xauth-generic
+PLIST_SUB+= XAUTH=""
+.else
+PLIST_SUB+= XAUTH="@comment "
+.endif
+
# Requires FreeBSD 8 and above to work
.if ${OSVERSION} < 800000
IGNORE= requires at least FreeBSD 8.X
.endif
-.include <bsd.port.post.mk>
+post-install:
+ ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/strongswan.conf ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/ipsec.conf ${STAGEDIR}${EXAMPLESDIR}
+
+.include <bsd.port.mk>
Index: distinfo
===================================================================
--- distinfo (revision 338877)
+++ distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
-SIZE (strongswan-5.0.4.tar.bz2) = 3412930
+SHA256 (strongswan-5.1.1.tar.bz2) = fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
+SIZE (strongswan-5.1.1.tar.bz2) = 3673200
Index: pkg-plist
===================================================================
--- pkg-plist (revision 338877)
+++ pkg-plist (working copy)
@@ -1,5 +1,3 @@
-etc/ipsec.conf
-etc/strongswan.conf
lib/ipsec/libcharon.a
lib/ipsec/libcharon.la
lib/ipsec/libcharon.so
@@ -97,12 +95,18 @@
lib/ipsec/plugins/libstrongswan-pkcs8.a
lib/ipsec/plugins/libstrongswan-pkcs8.la
lib/ipsec/plugins/libstrongswan-pkcs8.so
+lib/ipsec/plugins/libstrongswan-pkcs12.a
+lib/ipsec/plugins/libstrongswan-pkcs12.la
+lib/ipsec/plugins/libstrongswan-pkcs12.so
lib/ipsec/plugins/libstrongswan-pubkey.a
lib/ipsec/plugins/libstrongswan-pubkey.la
lib/ipsec/plugins/libstrongswan-pubkey.so
lib/ipsec/plugins/libstrongswan-random.a
lib/ipsec/plugins/libstrongswan-random.la
lib/ipsec/plugins/libstrongswan-random.so
+lib/ipsec/plugins/libstrongswan-rc2.a
+lib/ipsec/plugins/libstrongswan-rc2.la
+lib/ipsec/plugins/libstrongswan-rc2.so
lib/ipsec/plugins/libstrongswan-resolve.a
lib/ipsec/plugins/libstrongswan-resolve.la
lib/ipsec/plugins/libstrongswan-resolve.so
@@ -118,6 +122,9 @@
lib/ipsec/plugins/libstrongswan-socket-default.a
lib/ipsec/plugins/libstrongswan-socket-default.la
lib/ipsec/plugins/libstrongswan-socket-default.so
+lib/ipsec/plugins/libstrongswan-sshkey.a
+lib/ipsec/plugins/libstrongswan-sshkey.la
+lib/ipsec/plugins/libstrongswan-sshkey.so
lib/ipsec/plugins/libstrongswan-stroke.a
lib/ipsec/plugins/libstrongswan-stroke.la
lib/ipsec/plugins/libstrongswan-stroke.so
@@ -141,6 +148,13 @@
libexec/ipsec/stroke
libexec/ipsec/whitelist
sbin/ipsec
+sbin/charon-cmd
+share/examples/strongswan/ipsec.conf
+share/examples/strongswan/strongswan.conf
+%%RADIUS%%lib/ipsec/libradius.a
+%%RADIUS%%lib/ipsec/libradius.la
+%%RADIUS%%lib/ipsec/libradius.so
+%%RADIUS%%lib/ipsec/libradius.so.0
%%SIMAKA%%lib/ipsec/libsimaka.a
%%SIMAKA%%lib/ipsec/libsimaka.la
%%SIMAKA%%lib/ipsec/libsimaka.so
@@ -154,6 +168,12 @@
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.a
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.la
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.so
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.a
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.la
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.a
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.la
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.so
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.a
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.la
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.so
@@ -166,6 +186,20 @@
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.la
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.so
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.a
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.la
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so.0
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.a
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.la
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.so
+%%LOADTESTER%%libexec/ipsec/load-tester
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.a
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.la
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.so
@@ -182,6 +216,15 @@
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.a
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.la
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.so
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.a
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.la
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.so
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.a
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.la
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.so
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.a
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.la
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.so
@dirrm libexec/ipsec
@dirrm lib/ipsec/plugins
@dirrm lib/ipsec
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401061401.s06E1T1C005810>