From patchwork Sat Oct 23 12:49:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4818 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Hc1Jk1MMpz3wcs for ; Sat, 23 Oct 2021 12:49:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Hc1Jj0F5JzjD; Sat, 23 Oct 2021 12:49:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Hc1Jh5sNLz2xmL; Sat, 23 Oct 2021 12:49:56 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Hc1Jg0gwXz2xPW for ; Sat, 23 Oct 2021 12:49:55 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Hc1Jf11D0zjD for ; Sat, 23 Oct 2021 12:49:53 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1634993394; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sNV/HjwGhHO8I2cnFaeDvvZCjN6mEv+EQFDSpUnXT4A=; b=oLPnBSGYlvYRI5wnYPsou/Mj8q6DK1m6jyBcvwxmLXe6mA8bVtX3JV2vXajRESzS0ObxBL Il12JE1QSyZm3vDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1634993394; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sNV/HjwGhHO8I2cnFaeDvvZCjN6mEv+EQFDSpUnXT4A=; b=WApKR18yLZpWq234XU/wPZeki5kPTWBCgTqdmx/OKs3XpFFwAFXKtEWcBflaoOFBnpnfGa C5DaekC6NXvvqA0CwowrDtpAsT1TooQNOnqJuYdI26BlH3bohwi82kEMmm9GibZ6bvt53X uVmU/a/2r8uQfXNgZc9ivj6JK1kh2lhLYREqYjFY7+kD7UIdks3VU3Bm+1juXanD3aJdOm yntGlrKDPHckeWIpVJhEsX+qdT28uot6y7/Bw083j03ne1mIb3zBgHJxPY4ovgrycveVH2 MkwKfcabIwKzdT9z8O5GWj5/t6Ua4NmsdmfDbOWc9GKbxYPvQRmM5z3Og2ay9Q== To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] strongSwan: update to 5.9.4 Message-ID: <8712fd25-ac29-e597-4273-6ef77156ca7c@ipfire.org> Date: Sat, 23 Oct 2021 14:49:52 +0200 MIME-Version: 1.0 Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4: Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details. Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details. Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure. AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs. Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2). Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631). Loading SSH public keys via vici has been improved (#467). Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory. Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557). The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0. libtpmtss is initialized in all programs and libraries that use it. Migrated testing scripts to Python 3. The testing environment uses images based on Debian bullseye by default (support for jessie was removed). To my understanding, IPFire is not affected by CVE-2021-41990, as we do not support creation of IPsec connections using RSASSA-PSS (please correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire installations indeed. Signed-off-by: Peter Müller --- lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/strongswan b/lfs/strongswan index 46c0309fb..45ff8f426 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.9.3 +VER = 5.9.4 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 80ecabe0ce72d550d2d5de0118f89143 +$(DL_FILE)_MD5 = 9c387eb77f0159fdefbcf7e81c905c35 install : $(TARGET)