webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 19:15:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
1a6cb7f73899e52dd94de3416fbc95a025c3b03e
bpfire/lfs/strongswan
Peter Müller c4c7563335 strongSwan: update to 5.9.4 
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:

    Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
    Please refer to our blog for details.
    Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
    Please refer to our blog for details.
    Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
    AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
    Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
    Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
    Loading SSH public keys via vici has been improved (#467).
    Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
    Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
    The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
    libtpmtss is initialized in all programs and libraries that use it.
    Migrated testing scripts to Python 3.
    The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2021-10-25 16:46:52 +00:00

122 lines
4.2 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 5.9.4
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/strongswan-$(VER)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 9c387eb77f0159fdefbcf7e81c905c35
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
--sysconfdir="/etc" \
--enable-curl \
--enable-dhcp \
--enable-farp \
--enable-openssl \
--enable-gcrypt \
--enable-ccm \
--enable-ctr \
--enable-gcm \
--enable-xauth-eap \
--enable-xauth-noauth \
--enable-eap-radius \
--enable-eap-tls \
--enable-eap-ttls \
--enable-eap-peap \
--enable-eap-mschapv2 \
--enable-eap-identity \
--enable-chapoly \
--enable-sha3 \
--disable-padlock \
--disable-rc2 \
$(CONFIGURE_OPTIONS)
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# Remove all library files we don't want or need.
rm -vf /usr/lib/ipsec/plugins/*.{,l}a
rm -f /etc/ipsec.conf /etc/ipsec.secrets
ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
rm -rf /etc/ipsec.d/{cacerts,certs,crls}
ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
install -v -m 644 $(DIR_SRC)/config/strongswan/charon.conf \
/etc/strongswan.d/charon.conf
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink