Bug 185535 - security/strongswan update to fix vulnerabilities.
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Assigned To: Bernhard Froehlich
Reported: 2014-01-06 14:10 UTC by strongswan
Modified: 2014-01-27 13:40 UTC (History)
Attachments
file.diff (8.65 KB, patch)
2014-01-06 14:10 UTC, strongswan
Description strongswan 2014-01-06 14:10:00 UTC
Update port security/strongswan 5.0.4 -> 5.1.1
- Added EAP dynamic proxy module
- Added EAP Radius proxy authentication
- Added DNSSEC/unbound support
- Added kernel libipsec plugin.
- Changed configuration files to install to ${PREFIX}/etc/<filename>.conf.sample
Updated vuln.xml for the 3 CVEs that were fixed in this release.
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6075
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6076
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5018

Fix: Patch attached with submission follows:
Comment 1 Bernhard Froehlich freebsd_committer 2014-01-27 11:24:52 UTC
Responsible Changed
From-To: freebsd-ports-bugs->decke

I'll take it.
Comment 2 dfilter freebsd_committer 2014-01-27 13:35:55 UTC
Author: decke
Date: Mon Jan 27 13:35:40 2014
New Revision: 341405
URL: http://svnweb.freebsd.org/changeset/ports/341405
QAT: https://qat.redports.org/buildarchive/r341405/

Log:
  - Update to 5.1.1
  - Added EAP dynamic proxy module
  - Added EAP Radius proxy authentication
  - Added DNSSEC/unbound support
  - Added kernel libipsec plugin
  - Changed configuration files to install to ${PREFIX}/etc/<filename>.conf.sample
  - Convert to new options format
  
  PR:		ports/185535
  Submitted by:	Francois ten Krooden <strongswan@nanoteq.com> (maintainer)
  Security:	CVE-2013-5018
  Security:	CVE-2013-6075
  Security:	CVE-2013-6076

Modified:
  head/security/strongswan/Makefile
  head/security/strongswan/distinfo
  head/security/strongswan/pkg-plist

Modified: head/security/strongswan/Makefile
==============================================================================
--- head/security/strongswan/Makefile	Mon Jan 27 13:35:10 2014	(r341404)
+++ head/security/strongswan/Makefile	Mon Jan 27 13:35:40 2014	(r341405)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	strongswan
-PORTVERSION=	5.0.4
-PORTREVISION=	1
+PORTVERSION=	5.1.1
 CATEGORIES=	security
 MASTER_SITES=	http://download.strongswan.org/ \
 		http://download2.strongswan.org/
@@ -37,6 +36,7 @@ CONFIGURE_ARGS=	--enable-kernel-pfkey \
 		--enable-blowfish \
 		--enable-addrblock \
 		--enable-whitelist \
+		--enable-cmd \
 		--with-group=wheel  \
 		--with-lib-prefix=${PREFIX}
 
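Review bot: --enable-cmd is added to the unconditional CONFIGURE_ARGS, so charon-cmd is built for every install, yet the commit log does not list it. Either mention it in the log or put it behind an option like the other features added in this update.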
@@ -44,38 +44,47 @@ CONFIGURE_ARGS=	--enable-kernel-pfkey \
 MAN5=	ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
 MAN8=	ipsec.8 _updown.8 _updown_espmark.8
 
-OPTIONS_DEFINE=	CURL EAPAKA3GPP2 EAPSIMFILE IKEv1 LDAP MYSQL SQLITE
+OPTIONS_DEFINE=	CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE IKEv1 \
+		IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL SQLITE \
+		TESTVECTOR UNBOUND XAUTH
+OPTIONS_SUB=	${OPTIONS_DEFINE}
 CURL_DESC=	Enable CURL to fetch CRL/OCSP
 EAPAKA3GPP2_DESC=	Enable EAP AKA with 3gpp2 backend
+EAPDYNAMIC_DESC=	Enable EAP dynamic proxy module
+EAPRADIUS_DESC=		Enable EAP Radius proxy authentication
 EAPSIMFILE_DESC=	Enable EAP SIM with file backend
-IKEv1_DESC=	Enable IKEv1 support (Experimental)
-
-NO_STAGE=	yes
-.include <bsd.port.options.mk>
+IKEv1_DESC=	Enable IKEv1 support
+IPSECKEY_DESC=	Enable authentication with IPSECKEY resource records with DNSSEC
+KERNELLIBIPSEC_DESC=	Enable IPSec userland backend
+LOADTESTER_DESC=	Enable load testing plugin
+TESTVECTOR_DESC=	Enable crypto test vectors
+UNBOUND_DESC=	Enable DNSSEC-enabled resolver
+XAUTH_DESC=	Enable XAuth password verification
 
 # Extra options
-.if ${PORT_OPTIONS:MCURL}
-CONFIGURE_ARGS+=	--enable-curl
-LIB_DEPENDS+=	curl:${PORTSDIR}/ftp/curl
-PLIST_SUB+=	CURL=""
-.else
-PLIST_SUB+=	CURL="@comment "
-.endif
-
-.if ${PORT_OPTIONS:MEAPSIMFILE}
-CONFIGURE_ARGS+=	--enable-eap-sim --enable-eap-sim-file
-PLIST_SUB+=	EAPSIMFILE=""
-.else
-PLIST_SUB+=	EAPSIMFILE="@comment "
-.endif
+CURL_CONFIGURE_ON=	--enable-curl
+CURL_LIB_DEPENDS=	curl:${PORTSDIR}/ftp/curl
+EAPAKA3GPP2_CONFIGURE_ON=	--enable-eap-aka --enable-eap-aka-3gpp2
+EAPAKA3GPP2_LIB_DEPENDS=gmp:${PORTSDIR}/math/gmp
+EAPDYNAMIC_CONFIGURE_ON=--enable-eap-dynamic
+EAPRADIUS_CONFIGURE_ON=	--enable-eap-radius
+EAPSIMFILE_CONFIGURE_ON=--enable-eap-sim --enable-eap-sim-file
+IKEv1_CONFIGURE_OFF=	--disable-ikev1
+IPSECKEY_CONFIGURE_ON=	--enable-ipseckey
+KERNELLIBIPSEC_CONFIGURE_ON=	--enable-kernel-libipsec
+LOADTESTER_CONFIGURE_ON=--enable-load-tester
+LDAP_CONFIGURE_ON=	--enable-ldap
+LDAP_USE=		USE_OPENLDAP=yes
+MYSQL_CONFIGURE_ON=	--enable-mysql
+MYSQL_USE=		USE_MYSQL=yes
+SQLITE_CONFIGURE_ON=	--enable-sqlite
+SQLITE_LIB_DEPENDS=	sqlite3:${PORTSDIR}/databases/sqlite3
+TESTVECTOR_CONFIGURE_ON=--enable-test-vectors
+UNBOUND_CONFIGURE_ON=	--enable-unbound
+UNBOUND_LIB_DEPENDS=	unbound:${PORTSDIR}/dns/unbound
+XAUTH_CONFIGURE_ON=	--enable-xauth-eap --enable-xauth-generic
 
-.if ${PORT_OPTIONS:MEAPAKA3GPP2}
-CONFIGURE_ARGS+=	--enable-eap-aka --enable-eap-aka-3gpp2
-LIB_DEPENDS+=	gmp:${PORTSDIR}/math/gmp
-PLIST_SUB+=	EAPAKA3GPP2=""
-.else
-PLIST_SUB+=	EAPAKA3GPP2="@comment "
-.endif
+.include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MEAPSIMFILE} || ${PORT_OPTIONS:MEAPAKA3GPP2}
 PLIST_SUB+=SIMAKA=""
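Review bot: IKEv1_DESC drops "(Experimental)" and the log gives no reason for it; a line in the log saying why IKEv1 is no longer considered experimental would help anyone auditing the option. LOADTESTER and TESTVECTOR are, by their own descriptions, test facilities, so their _DESC strings should say they are not meant for production gateways. As a style point, OPTIONS_SUB is normally written as OPTIONS_SUB=yes rather than being assigned ${OPTIONS_DEFINE}.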
@@ -83,37 +92,6 @@ PLIST_SUB+=SIMAKA=""
 PLIST_SUB+=SIMAKA="@comment "
 .endif
 
-.if ${PORT_OPTIONS:MIKEv1}
-PLIST_SUB+=	IKEv1=""
-.else
-CONFIGURE_ARGS+=	--disable-ikev1
-PLIST_SUB+=	IKEv1="@comment "
-.endif
-
-.if ${PORT_OPTIONS:MLDAP}
-USE_OPENLDAP=	yes
-CONFIGURE_ARGS+=	--enable-ldap
-PLIST_SUB+=	LDAP=""
-.else
-PLIST_SUB+=	LDAP="@comment "
-.endif
-
-.if ${PORT_OPTIONS:MMYSQL}
-CONFIGURE_ARGS+=	--enable-mysql
-USE_MYSQL=	yes
-PLIST_SUB+=	MYSQL=""
-.else
-PLIST_SUB+=	MYSQL="@comment "
-.endif
-
-.if ${PORT_OPTIONS:MSQLITE}
-CONFIGURE_ARGS+=	--enable-sqlite
-LIB_DEPENDS+=	sqlite3:${PORTSDIR}/databases/sqlite3
-PLIST_SUB+=	SQLITE=""
-.else
-PLIST_SUB+=	SQLITE="@comment "
-.endif
-
 .if ${PORT_OPTIONS:MMYSQL} || ${PORT_OPTIONS:MSQLITE}
 CONFIGURE_ARGS+=	--enable-attr-sql --enable-sql
 PLIST_SUB+=	SQL=""
@@ -121,11 +99,9 @@ PLIST_SUB+=	SQL=""
 PLIST_SUB+=	SQL="@comment "
 .endif
 
-.include <bsd.port.pre.mk>
-
-# Requires FreeBSD 8 and above to work
-.if ${OSVERSION} < 800000
-IGNORE=		requires at least FreeBSD 8.X
-.endif
+post-install:
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	${MV} ${STAGEDIR}${PREFIX}/etc/strongswan.conf ${STAGEDIR}${EXAMPLESDIR}
+	${MV} ${STAGEDIR}${PREFIX}/etc/ipsec.conf ${STAGEDIR}${EXAMPLESDIR}
 
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
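Review bot: post-install moves strongswan.conf and ipsec.conf into ${EXAMPLESDIR}, which does not match the log line saying the configuration files install to ${PREFIX}/etc/<filename>.conf.sample. After this change neither file is left under etc/, so a fresh install starts without them in place. Either install them as etc/*.conf.sample as the log states, or correct the log and tell users where the examples are. The removal of the OSVERSION check is also not mentioned in the log.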

Modified: head/security/strongswan/distinfo
==============================================================================
--- head/security/strongswan/distinfo	Mon Jan 27 13:35:10 2014	(r341404)
+++ head/security/strongswan/distinfo	Mon Jan 27 13:35:40 2014	(r341405)
@@ -1,2 +1,2 @@
-SHA256 (strongswan-5.0.4.tar.bz2) = 3ec66d64046f652ab7556b3be8f9be8981fd32ef4a11e3e461a04d658928bfe2
-SIZE (strongswan-5.0.4.tar.bz2) = 3412930
+SHA256 (strongswan-5.1.1.tar.bz2) = fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
+SIZE (strongswan-5.1.1.tar.bz2) = 3673200
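Review bot: the new SHA256 line for strongswan-5.1.1.tar.bz2 is the only integrity check on a tarball that MASTER_SITES in the Makefile fetches over plain http. Please confirm the value was checked against the upstream release signature or published checksum, not just computed from the downloaded file, and say so in the PR.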

Modified: head/security/strongswan/pkg-plist
==============================================================================
--- head/security/strongswan/pkg-plist	Mon Jan 27 13:35:10 2014	(r341404)
+++ head/security/strongswan/pkg-plist	Mon Jan 27 13:35:40 2014	(r341405)
@@ -1,5 +1,3 @@
-etc/ipsec.conf
-etc/strongswan.conf
 lib/ipsec/libcharon.a
 lib/ipsec/libcharon.la
 lib/ipsec/libcharon.so
@@ -97,12 +95,18 @@ lib/ipsec/plugins/libstrongswan-pkcs7.so
 lib/ipsec/plugins/libstrongswan-pkcs8.a
 lib/ipsec/plugins/libstrongswan-pkcs8.la
 lib/ipsec/plugins/libstrongswan-pkcs8.so
+lib/ipsec/plugins/libstrongswan-pkcs12.a
+lib/ipsec/plugins/libstrongswan-pkcs12.la
+lib/ipsec/plugins/libstrongswan-pkcs12.so
 lib/ipsec/plugins/libstrongswan-pubkey.a
 lib/ipsec/plugins/libstrongswan-pubkey.la
 lib/ipsec/plugins/libstrongswan-pubkey.so
 lib/ipsec/plugins/libstrongswan-random.a
 lib/ipsec/plugins/libstrongswan-random.la
 lib/ipsec/plugins/libstrongswan-random.so
+lib/ipsec/plugins/libstrongswan-rc2.a
+lib/ipsec/plugins/libstrongswan-rc2.la
+lib/ipsec/plugins/libstrongswan-rc2.so
 lib/ipsec/plugins/libstrongswan-resolve.a
 lib/ipsec/plugins/libstrongswan-resolve.la
 lib/ipsec/plugins/libstrongswan-resolve.so
@@ -118,6 +122,9 @@ lib/ipsec/plugins/libstrongswan-sha2.so
 lib/ipsec/plugins/libstrongswan-socket-default.a
 lib/ipsec/plugins/libstrongswan-socket-default.la
 lib/ipsec/plugins/libstrongswan-socket-default.so
+lib/ipsec/plugins/libstrongswan-sshkey.a
+lib/ipsec/plugins/libstrongswan-sshkey.la
+lib/ipsec/plugins/libstrongswan-sshkey.so
 lib/ipsec/plugins/libstrongswan-stroke.a
 lib/ipsec/plugins/libstrongswan-stroke.la
 lib/ipsec/plugins/libstrongswan-stroke.so
@@ -141,6 +148,13 @@ libexec/ipsec/starter
 libexec/ipsec/stroke
 libexec/ipsec/whitelist
 sbin/ipsec
+sbin/charon-cmd
+share/examples/strongswan/ipsec.conf
+share/examples/strongswan/strongswan.conf
+%%EAPRADIUS%%lib/ipsec/libradius.a
+%%EAPRADIUS%%lib/ipsec/libradius.la
+%%EAPRADIUS%%lib/ipsec/libradius.so
+%%EAPRADIUS%%lib/ipsec/libradius.so.0
 %%SIMAKA%%lib/ipsec/libsimaka.a
 %%SIMAKA%%lib/ipsec/libsimaka.la
 %%SIMAKA%%lib/ipsec/libsimaka.so
@@ -154,6 +168,12 @@ sbin/ipsec
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.a
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.la
 %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-gmp.so
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.a
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.la
+%%EAPDYNAMIC%%lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.a
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.la
+%%EAPRADIUS%%lib/ipsec/plugins/libstrongswan-eap-radius.so
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.a
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.la
 %%EAPSIMFILE%%lib/ipsec/plugins/libstrongswan-eap-sim.so
@@ -166,6 +186,20 @@ sbin/ipsec
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.a
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.la
 %%IKEv1%%lib/ipsec/plugins/libstrongswan-xauth-generic.so
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.a
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.la
+%%IPSECKEY%%lib/ipsec/plugins/libstrongswan-ipseckey.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so
+%%KERNELLIBIPSEC%%lib/ipsec/libipsec.so.0
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.a
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.la
+%%KERNELLIBIPSEC%%lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.a
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.la
+%%LOADTESTER%%lib/ipsec/plugins/libstrongswan-load-tester.so
+%%LOADTESTER%%libexec/ipsec/load-tester
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.a
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.la
 %%LDAP%%lib/ipsec/plugins/libstrongswan-ldap.so
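Review bot: the context lines at the top of this hunk keep libstrongswan-xauth-generic under %%IKEv1%%, while the Makefile's new XAUTH_CONFIGURE_ON passes --enable-xauth-generic and only xauth-eap is listed under %%XAUTH%% in the following hunk. With XAUTH on and IKEv1 off, the built files and the plist can disagree. Move the xauth-generic entries under %%XAUTH%%, or drop --enable-xauth-generic from XAUTH_CONFIGURE_ON.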
@@ -182,6 +216,16 @@ sbin/ipsec
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.a
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.la
 %%SQLITE%%lib/ipsec/plugins/libstrongswan-sqlite.so
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.a
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.la
+%%TESTVECTOR%%lib/ipsec/plugins/libstrongswan-test-vectors.so
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.a
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.la
+%%UNBOUND%%lib/ipsec/plugins/libstrongswan-unbound.so
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.a
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.la
+%%XAUTH%%lib/ipsec/plugins/libstrongswan-xauth-eap.so
+@dirrm share/examples/strongswan
 @dirrm libexec/ipsec
 @dirrm lib/ipsec/plugins
 @dirrm lib/ipsec
Comment 3 Bernhard Froehlich freebsd_committer 2014-01-27 13:37:33 UTC
State Changed
From-To: open->closed

I've created a vuxml entry for the CVEs and converted the optional
dependencies to the new format (hopefully without too many typos). 
Committed. Thanks!