From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Jan 8 14:47:44 2015 Return-Path: Delivered-To: freebsd-ports-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 40E97DD1 for ; Thu, 8 Jan 2015 14:47:44 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0E2E2A2D for ; Thu, 8 Jan 2015 14:47:44 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t08ElhHf060358 for ; Thu, 8 Jan 2015 14:47:43 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 196615] Update strongswan to 5.2.2 [CVE-2014-9221] Date: Thu, 08 Jan 2015 14:47:44 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: garga@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2015 14:47:44 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196615 Bug ID: 196615 Summary: Update strongswan to 5.2.2 [CVE-2014-9221] Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: freebsd-ports-bugs@FreeBSD.org Reporter: garga@FreeBSD.org Created attachment 151501 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151501&action=edit Patch to update strongswan to 5.2.2 * Update strongswan to 5.2.2, follow upstream Changelog: - Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange payload that contains the Diffie-Hellman group 1025. This identifier was used internally for DH groups with custom generator and prime. Because these arguments are missing when creating DH objects based on the KE payload an invalid pointer dereference occurred. This allowed an attacker to crash the IKE daemon with a single IKE_SA_INIT message containing such a KE payload. The vulnerability has been registered as CVE-2014-9221. - The left/rightid options in ipsec.conf, or any other identity in strongSwan, now accept prefixes to enforce an explicit type, such as email: or fqdn:. Note that no conversion is done for the remaining string, refer to ipsec.conf(5) for details. - The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as an IKEv2 public key authentication method. The pki tool offers full support for the generation of BLISS key pairs and certificates. - Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could cause interoperability issues when connecting to older versions of charon. -- You are receiving this mail because: You are the assignee for the bug.