strongSwan: update to 5.9.4

Message ID 8712fd25-ac29-e597-4273-6ef77156ca7c@ipfire.org
State Accepted
Commit c4c756333578fc43d7f712cbc262fc3f3bf1fc52
Series strongSwan: update to 5.9.4

Commit Message

Peter Müller Oct. 23, 2021, 12:49 p.m. UTC
  Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:

    Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
    Please refer to our blog for details.
    Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
    Please refer to our blog for details.
    Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
    AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
    Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
    Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
    Loading SSH public keys via vici has been improved (#467).
    Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
    Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
    The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
    libtpmtss is initialized in all programs and libraries that use it.
    Migrated testing scripts to Python 3.
    The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/strongswan | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/lfs/strongswan b/lfs/strongswan
index 46c0309fb..45ff8f426 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.9.3
+VER        = 5.9.4
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
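Review bot: the VER bump to 5.9.4 is the only change in this hunk, but the quoted release notes state that --enable-tpm now implies --enable-tss-tss2; if the configure invocation further down in this LFS file (not shown in the hunk) passes --enable-tpm, the build's TSS 2.0 dependency should be confirmed before merging, or the option reconsidered if it was not intended.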
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 80ecabe0ce72d550d2d5de0118f89143
+$(DL_FILE)_MD5 = 9c387eb77f0159fdefbcf7e81c905c35
 
 install : $(TARGET)
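Review bot: the integrity check on the updated line is MD5 only, which catches a corrupted download but not a deliberately substituted tarball, since MD5 is not collision-resistant; the commit message should record that `9c387eb77f0159fdefbcf7e81c905c35` was verified against the upstream-published signature for the 5.9.4 tarball, and if the build system supports a stronger digest alongside `$(DL_FILE)_MD5`, adding one here would be worthwhile.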