ports/183688: [maintainer update] security/strongswan 5.0.4 -> 5.1.1
David Shane Holden
dpejesh at yahoo.com
Tue Nov 19 00:50:02 UTC 2013
The following reply was made to PR ports/183688; it has been noted by GNATS.
From: David Shane Holden <dpejesh at yahoo.com>
To: Francois ten Krooden <ftk at Nanoteq.com>
Cc: bug-followup at FreeBSD.org
Subject: Re: ports/183688: [maintainer update] security/strongswan 5.0.4 ->
5.1.1
Date: Mon, 18 Nov 2013 19:42:35 -0500
Hey Francois,
I updated your original patch a bit. First, I used the post-install
target to move the config files to share/examples/strongswan. Since
we're using staging this should be a cleaner approach than patching the
makefiles. I also added an option for --enable-kernel-libipsec and updated
vuln.xml for the three CVEs that were fixed in this release.
If for some reason the attachment doesn't make it through, I have a copy
of it at
https://googledrive.com/host/0B0OQnKtejJEMdU1IaF9UX0dfNDA/strongswan.patch
-- Dave
diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
index 9c73792..4e61d98 100644
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= strongswan
-PORTVERSION= 5.0.4
-PORTREVISION= 1
+PORTVERSION= 5.1.1
CATEGORIES= security
MASTER_SITES= http://download.strongswan.org/ \
http://download2.strongswan.org/
@@ -37,6 +36,7 @@ CONFIGURE_ARGS= --enable-kernel-pfkey \
--enable-blowfish \
--enable-addrblock \
--enable-whitelist \
+ --enable-cmd \
--with-group=wheel \
--with-lib-prefix=${PREFIX}
@@ -44,13 +44,23 @@ CONFIGURE_ARGS= --enable-kernel-pfkey \
MAN5= ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
MAN8= ipsec.8 _updown.8 _updown_espmark.8
-OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPSIMFILE IKEv1 LDAP MYSQL SQLITE
+OPTIONS_DEFINE= CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE HA IKEv1
+OPTIONS_DEFINE+= IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL SQLITE
+OPTIONS_DEFINE+= TESTVECTOR UNBOUND XAUTH
CURL_DESC= Enable CURL to fetch CRL/OCSP
EAPAKA3GPP2_DESC= Enable EAP AKA with 3gpp2 backend
+EAPDYNAMIC_DESC= Enable EAP dynamic proxy module
+EAPRADIUS_DESC= Enable EAP Radius proxy authentication
EAPSIMFILE_DESC= Enable EAP SIM with file backend
-IKEv1_DESC= Enable IKEv1 support (Experimental)
+HA_DESC= Enable high availability cluster
+IKEv1_DESC= Enable IKEv1 support
+IPSECKEY_DESC= Enable authentication with IPSECKEY resource records with DNSSEC
+KERNELLIBIPSEC_DESC= Enable IPSec userland backend
+LOADTESTER_DESC= Enable load testing plugin
+TESTVECTOR_DESC= Enable crypto test vectors
+UNBOUND_DESC= Enable DNSSEC-enabled resolver
+XAUTH_DESC= Enable XAuth password verification
-NO_STAGE= yes
.include <bsd.port.options.mk>
# Extra options
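Review bot: `LOADTESTER_DESC= Enable load testing plugin` tells an operator nothing about what this option installs; as far as I recall upstream's documentation, the load-tester plugin is a benchmarking tool that is not meant to be loaded on a production gateway, and a bare one-line description will not stop someone who ticks every option. Suggest `LOADTESTER_DESC= Enable load testing plugin (test deployments only)`. `KERNELLIBIPSEC_DESC= Enable IPSec userland backend` could likewise say that it is an alternative to the kernel-pfkey backend that the port always enables, so the reader knows two backends end up installed.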
@@ -83,6 +93,29 @@ PLIST_SUB+=SIMAKA=""
PLIST_SUB+=SIMAKA="@comment "
.endif
+.if ${PORT_OPTIONS:MEAPDYNAMIC}
+CONFIGURE_ARGS+= --enable-eap-dynamic
+PLIST_SUB+= EAPDYNAMIC=""
+.else
+PLIST_SUB+= EAPDYNAMIC="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MEAPRADIUS}
+CONFIGURE_ARGS+= --enable-eap-radius
+PLIST_SUB+= EAPRADIUS=""
+PLIST_SUB+= RADIUS=""
+.else
+PLIST_SUB+= EAPRADIUS="@comment "
+PLIST_SUB+= RADIUS="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MHA}
+CONFIGURE_ARGS+= --enable-ha
+PLIST_SUB+= HA=""
+.else
+PLIST_SUB+= HA="@comment "
+.endif
+
.if ${PORT_OPTIONS:MIKEv1}
PLIST_SUB+= IKEv1=""
.else
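Review bot: The `.if ${PORT_OPTIONS:MHA}` block only passes `--enable-ha`; as far as I recall, the HA plugin's kernel-side load segregation depends on Linux ClusterIP, and nothing in the hunk shows whether anything beyond compiling the plugin was verified on FreeBSD. Suggest a comment above the block, `# HA plugin builds here, but its ClusterIP integration is Linux-only; untested beyond the build`, or a hint in HA_DESC, so the option is not mistaken for a supported feature.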
@@ -90,6 +123,13 @@ CONFIGURE_ARGS+= --disable-ikev1
PLIST_SUB+= IKEv1="@comment "
.endif
+.if ${PORT_OPTIONS:MKERNELLIBIPSEC}
+CONFIGURE_ARGS+= --enable-kernel-libipsec
+PLIST_SUB+= KERNELLIBIPSEC=""
+.else
+PLIST_SUB+= KERNELLIBIPSEC="@comment "
+.endif
+
.if ${PORT_OPTIONS:MLDAP}
USE_OPENLDAP= yes
CONFIGURE_ARGS+= --enable-ldap
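Review bot: The KERNELLIBIPSEC block adds `--enable-kernel-libipsec` while `--enable-kernel-pfkey` stays unconditionally in CONFIGURE_ARGS (visible in the hunk header context), so a build with this option carries both kernel backends and which one charon uses is decided at runtime by its plugin configuration, not by this Makefile. A comment on the block would save the next maintainer a question, e.g. `# kernel-pfkey stays enabled; which backend charon uses is chosen in strongswan.conf`. The .else branch of the LDAP block continues past the hunk.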
@@ -98,6 +138,20 @@ PLIST_SUB+= LDAP=""
PLIST_SUB+= LDAP="@comment "
.endif
+.if ${PORT_OPTIONS:MLOADTESTER}
+CONFIGURE_ARGS+= --enable-load-tester
+PLIST_SUB+= LOADTESTER=""
+.else
+PLIST_SUB+= LOADTESTER="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MIPSECKEY}
+CONFIGURE_ARGS+= --enable-ipseckey
+PLIST_SUB+= IPSECKEY=""
+.else
+PLIST_SUB+= IPSECKEY="@comment "
+.endif
+
.if ${PORT_OPTIONS:MMYSQL}
CONFIGURE_ARGS+= --enable-mysql
USE_MYSQL= yes
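Review bot: The `.if ${PORT_OPTIONS:MIPSECKEY}` block enables the ipseckey plugin independently of UNBOUND, but as far as I recall the ipseckey plugin resolves IPSECKEY records through the DNSSEC resolver the unbound plugin provides, so IPSECKEY without UNBOUND builds a plugin that cannot do the validated lookups its description promises. A guard in the style the Makefile already uses for the OSVERSION check would make the dependency explicit: `.if ${PORT_OPTIONS:MIPSECKEY} && empty(PORT_OPTIONS:MUNBOUND)` / `IGNORE= IPSECKEY requires the UNBOUND option` / `.endif`. The MYSQL block continues past the hunk.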
@@ -121,11 +175,36 @@ PLIST_SUB+= SQL=""
PLIST_SUB+= SQL="@comment "
.endif
-.include <bsd.port.pre.mk>
+.if ${PORT_OPTIONS:MUNBOUND}
+CONFIGURE_ARGS+= --enable-unbound
+LIB_DEPENDS+= unbound:${PORTSDIR}/dns/unbound
+PLIST_SUB+= UNBOUND=""
+.else
+PLIST_SUB+= UNBOUND="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MTESTVECTOR}
+CONFIGURE_ARGS+= --enable-test-vectors
+PLIST_SUB+= TESTVECTOR=""
+.else
+PLIST_SUB+= TESTVECTOR="@comment "
+.endif
+
+.if ${PORT_OPTIONS:MXAUTH}
+CONFIGURE_ARGS+= --enable-xauth-eap --enable-xauth-generic
+PLIST_SUB+= XAUTH=""
+.else
+PLIST_SUB+= XAUTH="@comment "
+.endif
# Requires FreeBSD 8 and above to work
.if ${OSVERSION} < 800000
IGNORE= requires at least FreeBSD 8.X
.endif
-.include <bsd.port.post.mk>
+post-install:
+ ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/strongswan.conf ${STAGEDIR}${EXAMPLESDIR}
+ ${MV} ${STAGEDIR}${PREFIX}/etc/ipsec.conf ${STAGEDIR}${EXAMPLESDIR}
+
+.include <bsd.port.mk>
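Review bot: The new `post-install` target moves ipsec.conf and strongswan.conf out of ${PREFIX}/etc into the examples directory, and nothing in the patch installs them back or keeps a sample alongside, so a fresh install ends up with no configuration in ${PREFIX}/etc and ipsec starter has nothing to read; the usual approach is to stage them as .sample files and copy each into place only when no file exists yet, which also protects an operator's edited copy on upgrade. Separately, the XAUTH block passes `--enable-xauth-eap --enable-xauth-generic`, but the pkg-plist hunk that lists libstrongswan-xauth-generic.* keys those entries on %%IKEv1%%, so XAUTH without IKEv1 stages files the plist comments out, and IKEv1 without XAUTH lists files that are only present if configure builds xauth-generic by default — one option key should own those three lines. The pkg-plist also gains share/examples/strongswan/* without a matching `@dirrm share/examples/strongswan` in its final hunk, leaving the directory behind on deinstall.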
diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo
index ff76032..9c39d66 100644
--- a/security/strongswan/distinfo
+++ b/security/strongswan/distinfo
@@ -1,2 +1,2 @@
-SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
-SIZE (strongswan-5.0.4.tar.bz2) = 3412930
+SHA256 (strongswan-5.1.1.tar.bz2) = fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
+SIZE (strongswan-5.1.1.tar.bz2) = 3673200
diff --git a/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in b/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in
new file mode 100644
index 0000000..033b2a3
--- /dev/null
+++ b/security/strongswan/files/patch-src__libhydra__plugins__kernel_pfkey__kernel_pfkey_ipsec.c.in
@@ -0,0 +1,13 @@
+--- src.old/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-11-01 19:26:36.000000000 +0200
++++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2013-11-01 19:32:17.000000000 +0200
+@@ -790,6 +790,9 @@
+ /* {ENCR_DES_IV64, 0 }, */
+ {ENCR_DES, SADB_EALG_DESCBC },
+ {ENCR_3DES, SADB_EALG_3DESCBC },
++#ifdef SADB_X_EALG_CAMELLIACBC
++ {ENCR_CAMELLIA_CBC, SADB_X_EALG_CAMELLIACBC },
++#endif
+ /* {ENCR_RC5, 0 }, */
+ /* {ENCR_IDEA, 0 }, */
+ {ENCR_CAST, SADB_X_EALG_CASTCBC },
+
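Review bot: The new patch file ends with an empty `+` line after the last context line, which adds a stray trailing blank line to files/patch-…kernel_pfkey_ipsec.c.in that patch(1) tolerates but portlint will likely flag; drop it. The `#ifdef SADB_X_EALG_CAMELLIACBC` guard is the right shape for a mapping that depends on the host's pfkeyv2.h, and the change is small enough to be worth sending upstream so the local patch can be retired on the next update.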
diff --git a/security/strongswan/pkg-plist b/security/strongswan/pkg-plist
index 170f10d..c88bab3 100644
--- a/security/strongswan/pkg-plist
+++ b/security/strongswan/pkg-plist
@@ -1,5 +1,3 @@
-etc/ipsec.conf
-etc/strongswan.conf
lib/ipsec/libcharon.a
lib/ipsec/libcharon.la
lib/ipsec/libcharon.so
@@ -97,12 +95,18 @@ lib/ipsec/plugins/libstrongswan-pkcs7.so
lib/ipsec/plugins/libstrongswan-pkcs8.a
lib/ipsec/plugins/libstrongswan-pkcs8.la
lib/ipsec/plugins/libstrongswan-pkcs8.so
+lib/ipsec/plugins/libstrongswan-pkcs12.a
+lib/ipsec/plugins/libstrongswan-pkcs12.la
+lib/ipsec/plugins/libstrongswan-pkcs12.so
lib/ipsec/plugins/libstrongswan-pubkey.a
lib/ipsec/plugins/libstrongswan-pubkey.la
lib/ipsec/plugins/libstrongswan-pubkey.so
lib/ipsec/plugins/libstrongswan-random.a
lib/ipsec/plugins/libstrongswan-random.la
lib/ipsec/plugins/libstrongswan-random.so
+lib/ipsec/plugins/libstrongswan-rc2.a
+lib/ipsec/plugins/libstrongswan-rc2.la
+lib/ipsec/plugins/libstrongswan-rc2.so
lib/ipsec/plugins/libstrongswan-resolve.a
lib/ipsec/plugins/libstrongswan-resolve.la
lib/ipsec/plugins/libstrongswan-resolve.so
@@ -118,6 +122,9 @@ lib/ipsec/plugins/libstrongswan-sha2.so
lib/ipsec/plugins/libstrongswan-socket-default.a
lib/ipsec/plugins/libstrongswan-socket-default.la
lib/ipsec/plugins/libstrongswan-socket-default.so
+lib/ipsec/plugins/libstrongswan-sshkey.a
+lib/ipsec/plugins/libstrongswan-sshkey.la
+lib/ipsec/plugins/libstrongswan-sshkey.so
lib/ipsec/plugins/libstrongswan-stroke.a
lib/ipsec/plugins/libstrongswan-stroke.la
lib/ipsec/plugins/libstrongswan-stroke.so
@@ -141,6 +148,13 @@ libexec/ipsec/starter
libexec/ipsec/stroke
libexec/ipsec/whitelist
sbin/ipsec
+sbin/charon-cmd
+share/examples/strongswan/ipsec.conf
+share/examples/strongswan/strongswan.conf
+%%RADIUS%%lib/ipsec/libradius.a
+%%RADIUS%%lib/ipsec/libradius.la
+%%RADIUS%%lib/ipsec/libradius.so
+%%RADIUS%%lib/ipsec/libradius.so.0
%%SIMAKA%%lib/ipsec/libsimaka.a
%%SIMAKA%%lib/ipsec/libsimaka.la
%%SIMAKA%%lib/ipsec/libsimaka.so
@@ -154,6 +168,12 @@ sbin/ipsec
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.a
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.la
%%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.so
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.a
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.la
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.a
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.la
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.so
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.a
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.la
%%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.so
@@ -163,9 +183,26 @@ sbin/ipsec
%%CURL%%lib/ipsec/plugins/libstrongswan-curl.a
%%CURL%%lib/ipsec/plugins/libstrongswan-curl.la
%%CURL%%lib/ipsec/plugins/libstrongswan-curl.so
+%%HA%%lib/ipsec/plugins/libstrongswan-ha.a
+%%HA%%lib/ipsec/plugins/libstrongswan-ha.la
+%%HA%%lib/ipsec/plugins/libstrongswan-ha.so
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.la
%%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.so
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.a
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.la
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so.0
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.a
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.la
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.so
+%%LOADTESTER%%libexec/ipsec/load-tester
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.a
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.la
%%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.so
@@ -182,6 +219,15 @@ sbin/ipsec
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.a
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.la
%%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.so
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.a
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.la
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.so
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.a
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.la
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.so
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.a
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.la
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.so
@dirrm libexec/ipsec
@dirrm lib/ipsec/plugins
@dirrm lib/ipsec
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 85ec7b9..e8395be 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,44 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="fb3c1452-4599-11e3-8fb6-001cc0b0c9d4">
+ <topic>strongswan -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>strongswan</name>
+ <range><lt>5.1.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>strongSwan security team reports:</p>
+ <blockquote cite="http://wiki.strongswan.org/projects/strongswan/wiki/Changelog51">
+ <p>CVE-2013-5018</p>
+ <p>Fixed a denial-of-service vulnerability triggered by specific XAuth
+ usernames and EAP identities (since 5.0.3), and PEM files (since 4.1.11).
+ The crash was caused by insufficient error handling in the is_asn1()
+ function.</p>
+ <p>CVE-2013-6075</p>
+ <p>Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+ fragmentation payload. The cause is a NULL pointer dereference.</p>
+ <p>CVE-2013-6076</p>
+ <p>Fixed a denial-of-service vulnerability and potential authorization bypass
+ triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an
+ insufficient length check when comparing such identities.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-5018</cvename>
+ <cvename>CVE-2013-6075</cvename>
+ <cvename>CVE-2013-6076</cvename>
+ </references>
+ <dates>
+ <discovery>2013-11-01</discovery>
+ <entry>2013-11-18</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e62ab2af-4df4-11e3-b0cf-00262d5ed8ee">
<topic>chromium -- multiple memory corruption issues</topic>
<affects>
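Review bot: `<discovery>2013-11-01</discovery>` is the 5.1.1 release date, but as far as I recall CVE-2013-5018 was disclosed with strongSwan 5.1.0 at the end of July 2013, so the discovery date for a combined entry should be the date the earliest of the three issues became public. If the entry is kept on the 5.1.1 advisory's dates, a separate entry for CVE-2013-5018 with `<range><lt>5.1.0</lt></range>` would state the affected range more precisely; `<lt>5.1.1</lt>` is still correct as an upper bound for all three. The quoted description ("since 5.0.3", "since 4.1.11") already hints that the three issues have different histories, which is worth reflecting in the dates.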