| Summary | security/strongswan: Update to 5.9.13 |
| --- | --- |
| Product | Ports & Packages |
| Reporter | Jose Luis Duran <jlduran> |
| Component | Individual Port(s) |
| Assignee | Fernando Apesteguía <fernape> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | eugen, fernape, ports-secteam, strongswan |
| Priority | --- |
| Keywords | needs-qa |
| Version | Latest |
| Flags | bugzilla: maintainer-feedback? (strongswan); fernape: merge-quarterly+ |
| Hardware | Any |
| OS | Any |
| URL | https://github.com/strongswan/strongswan/releases/tag/5.9.13 |
| Bug Depends on | 275660 |
| Bug Blocks | |
| Attachments | |
Description

Jose Luis Duran, 2023-12-08 03:54:33 UTC

Fixes CVE-2023-41913.

Note to self: Add VuXML entry. Merge to 2023Q4 since that version is vulnerable.

---

    ====> Running Q/A tests (stage-qa)
    ====> Checking for pkg-plist issues (check-plist)
    ===> Parsing plist
    ===> Checking for items in STAGEDIR missing from pkg-plist
    Error: Orphaned: man/man1/pki---ocsp.1.gz

Would you mind having a look at this? Thanks!

---

(In reply to Fernando Apesteguía from comment #2)

Ugh... yes! My bad... I forgot to include the new plist file. Will re-submit.

---

Created attachment 246933 [details]
security/strongswan: Update to 5.9.13

Fix pkg-plist

Note that the following errors/warnings:

    Error: /usr/local/lib/ipsec/plugins/libstrongswan-mysql.so is linked to /usr/local/lib/libunwind.so.8 from devel/libunwind but it is not declared as a dependency
    Warning: you need LIB_DEPENDS+=libunwind.so:devel/libunwind
    Warning: you might not need LIB_DEPENDS on libldap.so.2
    Warning: you might not need LIB_DEPENDS on libmysqlclient.so.21

are not directly related to this patch and should be addressed separately.

---

I have just discovered a minor inconsistency in ipsec(8). I have filed: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275660

It is just a documentation fix, so it would be better if it could get committed before this one.

Thank you and sorry for the trouble!

---

(In reply to Jose Luis Duran from comment #5)

To commit that before this one, we would need to rework this patch because otherwise it will not apply. I will commit this first because this is a vulnerable port.

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=eea55ca7b5c621fd4f032b1f256b8472fbae2b15

commit eea55ca7b5c621fd4f032b1f256b8472fbae2b15
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-12-09 12:31:35 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 16:57:47 +0000

    security/vuxml: Record strongswan buffer overflow

    strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated
    remote code execution via a DH public value that exceeds the internal buffer
    in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack
    can occur via a crafted IKE_SA_INIT message. NVD score not yet provided.

    PR: 275620

 security/vuxml/vuln/2023.xml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

---

(In reply to Fernando Apesteguía from comment #6)

OK, yes! I appreciate it.

It is also worth noting that the CVE fix was already applied in REVISION 3 (FreeBSD version 5.9.11_3).

Regarding the other (documentation) fix, I have submitted a patch upstream; if it is accepted (I don't have high hopes), those patches will not be needed. Also, there is another patch that should no longer be needed. I will re-submit once the dust settles.

Thank you!

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9d8accbe0c0d7c0db16ec9bbb50bded19db8271f

commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f
Author: Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2023-12-10 16:59:53 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:16:32 +0000

    security/strongswan: Update to 5.9.13

    ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13

    PR: 275620
    Reported by: jlduran@gmail.com
    MFH: 2023Q4 (security fix)
    Security: CVE-2023-41913

 security/strongswan/Makefile                       |  5 +--
 security/strongswan/distinfo                       |  8 ++---
 ..._charon-tkm_src_tkm_tkm_diffie_hellman.c (gone) | 42 ----------------------
 security/strongswan/pkg-plist                      | 15 ++++----
 4 files changed, 12 insertions(+), 58 deletions(-)

---

A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41afbdaae94c823ac828489818cc3125a472dda4

commit 41afbdaae94c823ac828489818cc3125a472dda4
Author: Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2023-12-10 16:59:53 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:21:09 +0000

    security/strongswan: Update to 5.9.13

    ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13

    PR: 275620
    Reported by: jlduran@gmail.com
    MFH: 2023Q4 (security fix)
    Security: CVE-2023-41913

    (cherry picked from commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f)

 security/strongswan/Makefile  |  5 +----
 security/strongswan/distinfo  |  8 +++-----
 security/strongswan/pkg-plist | 15 ++++++++-------
 3 files changed, 12 insertions(+), 16 deletions(-)

---

Committed and merged. Thanks!

---

The added VuXML entry is a duplicate of the earlier one, a62c0c50-8aa0-11ee-ac0d-00e0670f2660, which I added on 2023-11-24 in a rush. In fact, our port does not build the affected part of strongswan (charon-tkm) at all, so the port was NOT affected by CVE-2023-41913, as I discovered after that commit.

---

Forgot to link the earlier commit: https://cgit.freebsd.org/ports/commit/security/vuxml/vuln/2023.xml?id=8c6ee1a1c2df0d7a769c1fd50f0366ded3798e86

---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3af42e8b0f16aa1a4d8989177e6f7948d85ac5f8

commit 3af42e8b0f16aa1a4d8989177e6f7948d85ac5f8
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-12-11 07:28:13 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-11 07:38:52 +0000

    security/vuxml: Remove duplicate entry

    A previous entry for CVE-2023-41913 was added in 8c6ee1a1c2df0d7a769c1fd50f0366ded3798e86

    PR: 275620
    Reported by: eugen@
    Fixes: eea55ca7b5c621fd4f032b1f256b8472fbae2b15

 security/vuxml/vuln/2023.xml | 30 ------------------------------
 1 file changed, 30 deletions(-)

---

(In reply to Eugene Grosbein from comment #12)

You're right, sorry for that. It should be fixed by now.