Patch to update strongswan to 5.2.2
* Update strongswan to 5.2.2, follow upstream Changelog:
- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
payload that contains the Diffie-Hellman group 1025. This identifier was
used internally for DH groups with custom generator and prime. Because
these arguments are missing when creating DH objects based on the KE payload
an invalid pointer dereference occurred. This allowed an attacker to crash
the IKE daemon with a single IKE_SA_INIT message containing such a KE
payload. The vulnerability has been registered as CVE-2014-9221.
- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
now accept prefixes to enforce an explicit type, such as email: or fqdn:.
Note that no conversion is done for the remaining string, refer to
ipsec.conf(5) for details.
- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
an IKEv2 public key authentication method. The pki tool offers full support
for the generation of BLISS key pairs and certificates.
- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
cause interoperability issues when connecting to older versions of charon.
Due to an issue with the backend FreeBSD Bugzilla database, your original PR and any updates to it since have been lost. I've recreated the original PR as best as I can, however any attachments and updates you submitted to the PR have been lost. Please could you resubmit them?
Thanks, and apologies.
Updated in r376625, approved by maintainer.