Bug 200721 - [patch update] security/strongswan: update to 5.3.2
Summary: [patch update] security/strongswan: update to 5.3.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Renato Botelho
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-08 23:47 UTC by Renato Botelho
Modified: 2015-06-10 00:08 UTC (History)
4 users (show)

See Also:
strongswan: maintainer-feedback+


Attachments
strongswan 5.3.2 (2.54 KB, patch)
2015-06-08 23:47 UTC, Renato Botelho
no flags Details | Diff
security/vuxml entry for strongswan (1.52 KB, patch)
2015-06-09 01:27 UTC, Jason Unovitch
no flags Details | Diff
Poudriere Build Logs from 10.1-RELEASE-p10 amd64 (gzip'ed) (87.48 KB, application/gzip)
2015-06-09 01:45 UTC, Jason Unovitch
no flags Details
security/vuxml entry for strongswan (2.53 KB, patch)
2015-06-09 06:57 UTC, strongswan
strongswan: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Renato Botelho freebsd_committer 2015-06-08 23:47:07 UTC
Created attachment 157553 [details]
strongswan 5.3.2

Update strongswan to 5.3.2
Comment 1 Jason Unovitch freebsd_committer 2015-06-09 01:27:19 UTC
Created attachment 157556 [details]
security/vuxml entry for strongswan

Bug is for CVE-2015-4171 which was announced on oss-security this morning.  As such, add ports-secteam to CC and attach a vuln.xml entry.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-4.3.0
strongswan-4.3.0 is vulnerable:
strongswan -- Information Leak Vulnerability
CVE: CVE-2015-4171
WWW: http://vuxml.FreeBSD.org/freebsd/10d14955-0e45-11e5-b6a8-002590263bf5.html
... <continued but not relevant> ...

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-5.3.0
strongswan-5.3.0 is vulnerable:
strongswan -- Information Leak Vulnerability
CVE: CVE-2015-4171
WWW: http://vuxml.FreeBSD.org/freebsd/10d14955-0e45-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-5.3.2
0 problem(s) in the installed packages found.
Comment 2 Jason Unovitch freebsd_committer 2015-06-09 01:45:20 UTC
Created attachment 157557 [details]
Poudriere Build Logs from 10.1-RELEASE-p10 amd64 (gzip'ed)

Attach log from Poudriere testport for review by maintainer/submitter.  No buildtime issues noted.

Runtime: No testing performed (by me).

Buildtime: 'poudriere testport' successful on the following (from poudriere jail -l).
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r284104 amd64
11.0-CURRENT r284104 i386
Comment 3 strongswan 2015-06-09 06:57:03 UTC
Created attachment 157559 [details]
security/vuxml entry for strongswan

make validate
/bin/sh /usr/home/ftk/vuxml.freebsd.port/head/files/tidy.sh "/usr/home/ftk/vuxml.freebsd.port/head/files/tidy.xsl" "/usr/home/ftk/vuxml.freebsd.port/head/vuln.xml" > "/usr/home/ftk/vuxml.freebsd.port/head/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/ftk/vuxml.freebsd.port/head/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/home/ftk/vuxml.freebsd.port/head/files/extra-validation.py /usr/home/ftk/vuxml.freebsd.port/head/vuln.xml

env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-4.3.0
strongswan-4.3.0 is vulnerable:
strongSwan -- ECDSA signature verification issue
CVE: CVE-2013-2944
WWW: http://vuxml.FreeBSD.org/freebsd/6ff570cb-b418-11e2-b279-20cf30e32f6d.html

strongswan-4.3.0 is vulnerable:
strongswan -- multiple DoS vulnerabilities
CVE: CVE-2013-6076
CVE: CVE-2013-6075
CVE: CVE-2013-5018
WWW: http://vuxml.FreeBSD.org/freebsd/efa663eb-8754-11e3-9a47-00163e1ed244.html

strongswan-4.3.0 is vulnerable:
strongswan -- Remote Authentication Bypass
CVE: CVE-2014-2338
WWW: http://vuxml.FreeBSD.org/freebsd/6fb521b0-d388-11e3-a790-000c2980a9f3.html

strongswan-4.3.0 is vulnerable:
strongswan -- Information Leak Vulnerability
CVE: CVE-2015-4171
WWW: http://vuxml.FreeBSD.org/freebsd/10d14955-0e45-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-5.3.0
strongswan-5.3.0 is vulnerable:
strongswan -- Denial-of-service and potential remote code execution vulnerability
CVE: CVE-2015-3991
WWW: http://vuxml.FreeBSD.org/freebsd/55363e65-0e71-11e5-8027-00167671dd1d.html

strongswan-5.3.0 is vulnerable:
strongswan -- Information Leak Vulnerability
CVE: CVE-2015-4171
WWW: http://vuxml.FreeBSD.org/freebsd/10d14955-0e45-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

env PKG_DBDIR=/usr/ports/security/vuxml pkg audit strongswan-5.3.2
0 problem(s) in the installed packages found.
Comment 4 strongswan 2015-06-09 06:57:56 UTC
Comment on attachment 157556 [details]
security/vuxml entry for strongswan

Updated to include CVE-2015-3991 for strongSwan 5.2.2 and 5.3.0
Comment 5 strongswan 2015-06-09 06:58:21 UTC
Comment on attachment 157553 [details]
strongswan 5.3.2

Happy with the patch
Comment 6 strongswan 2015-06-09 06:59:38 UTC
Happy with the patches
 - Updated the vuxml entry to include CVE-2015-3991 (https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html)  affecting strongswan 5.2.2 and 5.3.0.
Comment 7 commit-hook freebsd_committer 2015-06-09 08:23:49 UTC
A commit references this bug:

Author: delphij
Date: Tue Jun  9 08:23:29 UTC 2015
New revision: 388904
URL: https://svnweb.freebsd.org/changeset/ports/388904

Log:
  Document two strongswan vulnerabilities.

  PR:		200721
  Submitted by:	Jason Unovitch (with changes: wrapped long line and changed
  		CVE-2015-3991's coverage to cover only < 5.3.1 to reflect
  		the reality).

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Xin LI freebsd_committer 2015-06-09 08:24:05 UTC
(In reply to Renato Botelho from comment #0)
Hi,

Please merge this to 2015Q2 too, thanks!
Comment 9 commit-hook freebsd_committer 2015-06-09 09:51:55 UTC
A commit references this bug:

Author: garga
Date: Tue Jun  9 09:51:08 UTC 2015
New revision: 388905
URL: https://svnweb.freebsd.org/changeset/ports/388905

Log:
  Update to 5.3.2

  PR:		200721
  Approved by:	strongswan@Nanoteq.com (maintainer)
  MFH:		2015Q2
  Security:	CVE-2015-3991
  Sponsored by:	Netgate

Changes:
  head/security/strongswan/Makefile
  head/security/strongswan/distinfo
  head/security/strongswan/files/patch-src_starter_starterstroke.c
  head/security/strongswan/files/patch-src_stroke_stroke.c
Comment 10 commit-hook freebsd_committer 2015-06-09 19:57:48 UTC
A commit references this bug:

Author: garga
Date: Tue Jun  9 19:57:05 UTC 2015
New revision: 388995
URL: https://svnweb.freebsd.org/changeset/ports/388995

Log:
  MFH: r388905

  Update to 5.3.2

  PR:		200721
  Approved by:	strongswan@Nanoteq.com (maintainer)
  Security:	CVE-2015-3991
  Sponsored by:	Netgate
  Approved by:	portmgr (erwin)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/security/strongswan/Makefile
  branches/2015Q2/security/strongswan/distinfo
  branches/2015Q2/security/strongswan/files/patch-src_starter_starterstroke.c
  branches/2015Q2/security/strongswan/files/patch-src_stroke_stroke.c
Comment 11 Xin LI freebsd_committer 2015-06-10 00:08:31 UTC
Mark as resolved as all update bits are in tree now.