Created attachment 246891
security/strongswan: Update to 5.9.13

Changelog:
https://github.com/strongswan/strongswan/releases/tag/5.9.13
https://github.com/strongswan/strongswan/releases/tag/5.9.12
Fixes CVE-2023-41913. Note to self: Add VuXML entry. Merge to 2023Q4 since that version is vulnerable.
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: man/man1/pki---ocsp.1.gz

Would you mind having a look at this? Thanks!
(In reply to Fernando Apesteguía from comment #2)

Ugh... yes! My bad... forgot to include the new plist file. Will re-submit.
Created attachment 246933
security/strongswan: Update to 5.9.13

Fix pkg-plist

Note that the following errors/warnings:

Error: /usr/local/lib/ipsec/plugins/libstrongswan-mysql.so is linked to /usr/local/lib/libunwind.so.8 from devel/libunwind but it is not declared as a dependency
Warning: you need LIB_DEPENDS+=libunwind.so:devel/libunwind
Warning: you might not need LIB_DEPENDS on libldap.so.2
Warning: you might not need LIB_DEPENDS on libmysqlclient.so.21

are not directly related to this patch, and should be addressed separately.
I have just discovered a minor inconsistency in ipsec(8). I have filed:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275660

It is just a documentation fix, so it would be better if it could get committed before this one.

Thank you and sorry for the trouble!
(In reply to Jose Luis Duran from comment #5)

To commit that before this one, we would need to rework this patch because otherwise it will not apply. I will commit this first because this is a vulnerable port.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=eea55ca7b5c621fd4f032b1f256b8472fbae2b15

commit eea55ca7b5c621fd4f032b1f256b8472fbae2b15
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-12-09 12:31:35 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 16:57:47 +0000

    security/vuxml: Record strongswan buffer overflow

    strongSwan before 5.9.12 has a buffer overflow and possible
    unauthenticated remote code execution via a DH public value that
    exceeds the internal buffer in charon-tkm's DH proxy. The earliest
    affected version is 5.3.0. An attack can occur via a crafted
    IKE_SA_INIT message.

    NVD score not yet provided.

    PR:             275620

 security/vuxml/vuln/2023.xml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
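The commit message above attributes the overflow to a DH public value larger than an internal buffer. As an added example (not strongSwan or FreeBSD ports code), this sketch shows a receiver checking the Key Exchange payload length against the DH group before copying into a fixed buffer; the payload layout follows RFC 7296 section 3.4, while the struct, the 512-byte buffer size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROXY_BUF_SIZE 512              /* assumed fixed buffer size */

struct dh_pubvalue {                    /* hypothetical proxy structure */
    uint32_t size;
    uint8_t  data[PROXY_BUF_SIZE];
};

/* Key Exchange Data length in bytes for a few IANA groups; 0 = unsupported. */
static size_t expected_ke_len(uint16_t group)
{
    switch (group) {
    case 14: return 256;                /* 2048-bit MODP */
    case 15: return 384;                /* 3072-bit MODP */
    case 19: return 64;                 /* 256-bit ECP, x || y */
    case 31: return 32;                 /* Curve25519 */
    default: return 0;
    }
}

/* Validate one KE payload and copy its public value. 0 = ok, -1 = rejected. */
int ke_payload_to_pubvalue(const uint8_t *p, size_t avail, struct dh_pubvalue *out)
{
    if (avail < 8) return -1;                      /* 4-byte header + group + reserved */
    size_t plen = ((size_t)p[2] << 8) | p[3];      /* Payload Length, big-endian */
    if (plen < 8 || plen > avail) return -1;
    uint16_t group = (uint16_t)((p[4] << 8) | p[5]);
    size_t klen = plen - 8, want = expected_ke_len(group);
    if (want == 0 || klen != want) return -1;      /* length must match the group */
    if (klen > sizeof(out->data)) return -1;       /* never trust the table alone */
    memcpy(out->data, p + 8, klen);
    out->size = (uint32_t)klen;
    return 0;
}

/* Builds a constructed KE payload (filler bytes, not a real key) and parses it. */
int check_sample(uint16_t group, size_t klen)
{
    static uint8_t buf[8 + 2048];
    struct dh_pubvalue pv;
    if (klen > 2048) return -1;
    memset(buf, 0xAA, sizeof(buf));
    buf[0] = buf[1] = buf[6] = buf[7] = 0;
    buf[2] = (uint8_t)((klen + 8) >> 8); buf[3] = (uint8_t)(klen + 8);
    buf[4] = (uint8_t)(group >> 8);      buf[5] = (uint8_t)group;
    return ke_payload_to_pubvalue(buf, klen + 8, &pv);
}
```

The second length check is redundant with the table as written, but it keeps the copy safe if a later table entry exceeds the buffer.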
(In reply to Fernando Apesteguía from comment #6)

OK, yes! I appreciate it.

It is also worth noting that the CVE fix was already applied in REVISION 3 (FreeBSD version 5.9.11_3).

Regarding the other (documentation) fix, I have submitted a patch upstream; if it is accepted (I don't have high hopes), those patches will not be needed. Also, there is another patch that should no longer be needed. I will re-submit once the dust settles.

Thank you!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9d8accbe0c0d7c0db16ec9bbb50bded19db8271f

commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f
Author:     Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2023-12-10 16:59:53 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:16:32 +0000

    security/strongswan: Update to 5.9.13

    ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13

    PR:             275620
    Reported by:    jlduran@gmail.com
    MFH:            2023Q4 (security fix)
    Security:       CVE-2023-41913

 security/strongswan/Makefile                       |  5 +--
 security/strongswan/distinfo                       |  8 ++---
 ..._charon-tkm_src_tkm_tkm_diffie_hellman.c (gone) | 42 ----------------------
 security/strongswan/pkg-plist                      | 15 ++++----
 4 files changed, 12 insertions(+), 58 deletions(-)
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41afbdaae94c823ac828489818cc3125a472dda4

commit 41afbdaae94c823ac828489818cc3125a472dda4
Author:     Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2023-12-10 16:59:53 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:21:09 +0000

    security/strongswan: Update to 5.9.13

    ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13

    PR:             275620
    Reported by:    jlduran@gmail.com
    MFH:            2023Q4 (security fix)
    Security:       CVE-2023-41913

    (cherry picked from commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f)

 security/strongswan/Makefile  |  5 +----
 security/strongswan/distinfo  |  8 +++-----
 security/strongswan/pkg-plist | 15 ++++++++-------
 3 files changed, 12 insertions(+), 16 deletions(-)
Committed and merged, Thanks!
The added VuXML entry is a duplicate of the earlier one, a62c0c50-8aa0-11ee-ac0d-00e0670f2660, which I added on 2023-11-24 in a rush.

In fact, our port does not build the affected part of strongswan (charon-tkm) at all, so the port was NOT affected by CVE-2023-41913, as I discovered after that commit.
Forgot to link earlier commit: https://cgit.freebsd.org/ports/commit/security/vuxml/vuln/2023.xml?id=8c6ee1a1c2df0d7a769c1fd50f0366ded3798e86
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3af42e8b0f16aa1a4d8989177e6f7948d85ac5f8

commit 3af42e8b0f16aa1a4d8989177e6f7948d85ac5f8
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-12-11 07:28:13 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-11 07:38:52 +0000

    secuirty/vuxml: Remove duplicate entry

    A previous entry for CVE-2023-41913 was added in
    8c6ee1a1c2df0d7a769c1fd50f0366ded3798e86

    PR:             275620
    Reported by:    eugen@
    Fixes:          eea55ca7b5c621fd4f032b1f256b8472fbae2b15

 security/vuxml/vuln/2023.xml | 30 ------------------------------
 1 file changed, 30 deletions(-)
(In reply to Eugene Grosbein from comment #12)

You're right, sorry for that. It should be fixed by now.