Bug 178266 - security/strongswan - CVE-2013-2944
Summary: security/strongswan - CVE-2013-2944
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Olli Hauer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-30 19:50 UTC by David Shane Holden
Modified: 2013-05-03 19:26 UTC (History)
0 users

See Also:


Attachments
file.diff (1.39 KB, patch)
2013-04-30 19:50 UTC, David Shane Holden
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description David Shane Holden 2013-04-30 19:50:00 UTC
Upgrade security/strongswan port to version 5.0.4 which fixes CVE-2013-2944.

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-04-30 19:50:07 UTC
Maintainer of security/strongswan,

Please note that PR ports/178266 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/178266

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2013-04-30 19:50:08 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 Francois ten Krooden 2013-05-02 07:51:06 UTC
I tested the patch with strongSwan 5.0.4 and FreeBSD.
The patch is approved and may be committed.

Thank you.

-----Original Message-----
From: Edwin Groothuis [mailto:edwin@FreeBSD.org]
Sent: 30 April 2013 08:50 PM
To: strongswan
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/178266: security/strongswan - CVE-2013-2944

Maintainer of security/strongswan,

Please note that PR ports/178266 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agre=
e on, reply to this email stating that you approve the patch and a committe=
r will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dports/178266

--
Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org



Important Notice:

This e-mail and its contents are subject to the Nanoteq (Pty) Ltd e-mail le=
gal notice available at:
http://www.nanoteq.com/AboutUs/EmailDisclaimer.aspx
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2013-05-02 17:35:12 UTC
State Changed
From-To: feedback->open

Maintainer approved.
Comment 5 Olli Hauer freebsd_committer freebsd_triage 2013-05-03 18:38:43 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ohauer

I'll take it
Comment 6 dfilter service freebsd_committer freebsd_triage 2013-05-03 19:16:50 UTC
Author: ohauer
Date: Fri May  3 18:16:35 2013
New Revision: 317229
URL: http://svnweb.freebsd.org/changeset/ports/317229

Log:
  - update to version 5.0.4 which fixes CVE-2013-2944.
  - add entry to vuxml
  - add CVE references to jankins vuxml entry
  
  while I'm here remove .sh from rc script
  
  PR:		ports/178266
  Submitted by:	David Shane Holden <dpejesh@yahoo.com>
  Approved by:	strongswan@nanoteq.com (maintainer)

Added:
  head/security/strongswan/files/strongswan.in
     - copied unchanged from r317225, head/security/strongswan/files/strongswan.sh.in
Deleted:
  head/security/strongswan/files/strongswan.sh.in
Modified:
  head/security/strongswan/Makefile
  head/security/strongswan/distinfo
  head/security/strongswan/pkg-plist
  head/security/vuxml/vuln.xml

Modified: head/security/strongswan/Makefile
==============================================================================
--- head/security/strongswan/Makefile	Fri May  3 18:03:28 2013	(r317228)
+++ head/security/strongswan/Makefile	Fri May  3 18:16:35 2013	(r317229)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	strongswan
-PORTVERSION=	5.0.1
+PORTVERSION=	5.0.4
 CATEGORIES=	security
 MASTER_SITES=	http://download.strongswan.org/ \
 		http://download2.strongswan.org/
@@ -15,7 +15,7 @@ LIB_DEPENDS=	execinfo:${PORTSDIR}/devel/
 USE_BZIP2=	yes
 USE_OPENSSL=	yes
 USE_AUTOTOOLS=	libtool
-USE_RC_SUBR=	strongswan.sh
+USE_RC_SUBR=	strongswan
 GNU_CONFIGURE=	yes
 USE_LDCONFIG=	yes
 

Modified: head/security/strongswan/distinfo
==============================================================================
--- head/security/strongswan/distinfo	Fri May  3 18:03:28 2013	(r317228)
+++ head/security/strongswan/distinfo	Fri May  3 18:16:35 2013	(r317229)
@@ -1,2 +1,2 @@
-SHA256 (strongswan-5.0.1.tar.bz2) = 1a4dff19ef69d15e0b90b1ea80bd183235ac73b4ecd114aab58ed54de0f5c3b4
-SIZE (strongswan-5.0.1.tar.bz2) = 3146776
+SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
+SIZE (strongswan-5.0.4.tar.bz2) = 3412930

Copied: head/security/strongswan/files/strongswan.in (from r317225, head/security/strongswan/files/strongswan.sh.in)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/strongswan/files/strongswan.in	Fri May  3 18:16:35 2013	(r317229, copy of r317225, head/security/strongswan/files/strongswan.sh.in)
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Start or stop strongswan
+# $FreeBSD$
+
+# PROVIDE: strongswan
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+command="%%PREFIX%%/sbin/ipsec"
+. /etc/rc.subr
+
+name="strongswan"
+rcvar=`set_rcvar`
+extra_commands="reload statusall"
+
+load_rc_config $name
+
+start_cmd="strongswan_command start"
+stop_cmd="strongswan_command stop"
+restart_cmd="strongswan_command restart"
+status_cmd="strongswan_command status"
+reload_cmd="strongswan_command reload"
+statusall_cmd="strongswan_command statusall"
+
+
+strongswan_command()
+{
+	$command ${rc_arg}
+}
+
+run_rc_command "$1"
+

Modified: head/security/strongswan/pkg-plist
==============================================================================
--- head/security/strongswan/pkg-plist	Fri May  3 18:03:28 2013	(r317228)
+++ head/security/strongswan/pkg-plist	Fri May  3 18:16:35 2013	(r317229)
@@ -91,6 +91,9 @@ lib/ipsec/plugins/libstrongswan-pgp.so
 lib/ipsec/plugins/libstrongswan-pkcs1.a
 lib/ipsec/plugins/libstrongswan-pkcs1.la
 lib/ipsec/plugins/libstrongswan-pkcs1.so
+lib/ipsec/plugins/libstrongswan-pkcs7.a
+lib/ipsec/plugins/libstrongswan-pkcs7.la
+lib/ipsec/plugins/libstrongswan-pkcs7.so
 lib/ipsec/plugins/libstrongswan-pkcs8.a
 lib/ipsec/plugins/libstrongswan-pkcs8.la
 lib/ipsec/plugins/libstrongswan-pkcs8.so

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri May  3 18:03:28 2013	(r317228)
+++ head/security/vuxml/vuln.xml	Fri May  3 18:16:35 2013	(r317229)
@@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="6ff570cb-b418-11e2-b279-20cf30e32f6d">
+    <topic>strongSwan -- ECDSA signature verification issue</topic>
+    <affects>
+      <package>
+	<name>strongswan</name>
+	<range><lt>5.0.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>strongSwan security team reports:</p>
+	<blockquote cite="http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-%28cve-2013-2944%29.html">
+	  <p>If the openssl plugin is used for ECDSA signature verification an empty,
+	    zeroed or otherwise invalid signature is handled as a legitimate one.
+	    Both IKEv1 and IKEv2 are affected.</p>
+	  <p>Affected are only installations that have enabled and loaded the OpenSSL
+	    crypto backend (--enable-openssl). Builds using the default crypto backends
+	    are not affected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-2944</cvename>
+    </references>
+    <dates>
+      <discovery>2013-05-03</discovery>
+      <entry>2013-05-03</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="622e14b1-b40c-11e2-8441-00e0814cab4e">
     <topic>jenkins -- multiple vulnerabilities</topic>
     <affects>
@@ -100,6 +130,10 @@ Note:  Please add new entries to the beg
     </description>
     <references>
       <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02</url>
+      <cvename>CVE-2013-2034</cvename>
+      <cvename>CVE-2013-2033</cvename>
+      <cvename>CVE-2013-2034</cvename>
+      <cvename>CVE-2013-1808</cvename>
     </references>
     <dates>
       <discovery>2013-05-02</discovery>
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 7 Olli Hauer freebsd_committer freebsd_triage 2013-05-03 19:26:24 UTC
State Changed
From-To: open->closed

Committed, 
Thanks!