From 0c55ec5a49770d5972c62c99499fbd6eef88ded3 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 23 Aug 2017 20:03:21 +0100
Subject: [PATCH] strongswan: Update to 5.6.0 Fixes CVE-2017-11185: Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures, which requires decryption with the operation m^e mod n, where m is the signature, and e and n are the exponent and modulus of the public key. The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled properly causing a null-pointer dereference.
Signed-off-by: Michael Tremer
---
config/rootfiles/core/114/filelists/i586/strongswan-padlock | 1 +
config/rootfiles/core/114/filelists/strongswan | 1 +
config/rootfiles/core/114/update.sh | 5 +++++
lfs/strongswan | 4 ++--
4 files changed, 9 insertions(+), 2 deletions(-)
create mode 120000 config/rootfiles/core/114/filelists/i586/strongswan-padlock
create mode 120000 config/rootfiles/core/114/filelists/strongswan
diff --git a/config/rootfiles/core/114/filelists/i586/strongswan-padlock b/config/rootfiles/core/114/filelists/i586/strongswan-padlock
new file mode 120000
index 0000000000..2412824fb2
--- /dev/null
+++ b/config/rootfiles/core/114/filelists/i586/strongswan-padlock
@@ -0,0 +1 @@
+../../../../common/i586/strongswan-padlock
\ No newline at end of file
diff --git a/config/rootfiles/core/114/filelists/strongswan b/config/rootfiles/core/114/filelists/strongswan
new file mode 120000
index 0000000000..90c727e265
--- /dev/null
+++ b/config/rootfiles/core/114/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh
index b68af03e6e..54a2062304 100644
--- a/config/rootfiles/core/114/update.sh
+++ b/config/rootfiles/core/114/update.sh 
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services +ipsec stop /etc/init.d/squid stop /etc/init.d/unbound stop @@ -50,6 +51,10 @@ ldconfig /etc/init.d/unbound start /etc/init.d/squid start +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + ipsec start +fi + # This update need a reboot... touch /var/run/need_reboot diff --git a/lfs/strongswan b/lfs/strongswan index 85c4f2b858..600c012dc5 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.5.3 +VER = 5.6.0 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4afffe3c219bb2e04f09510905af836b +$(DL_FILE)_MD5 = befb5e827d02433fea6669c20e11530a install : $(TARGET) -- 2.39.2
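Review bot: The restart guard in the second update.sh hunk matches `ENABLED=on` anywhere on a line, so any other key in /var/ipfire/vpn/settings whose name ends in `ENABLED`, or any value that merely begins with `on`, would also bring the IPsec daemon up after the update. Anchoring the pattern, `if grep -q "^ENABLED=on$" /var/ipfire/vpn/settings; then`, keeps a VPN that the administrator disabled from being started; confirm the settings file has no trailing whitespace or CR line endings before relying on the `$` anchor. The `ipsec stop` added in the first hunk runs unconditionally, which looks intentional so the daemon is not left running on the old binaries, and a comment would make that explicit, e.g. `# Stop IPsec before its files are replaced; restarted below only if the VPN is enabled`. Both hunks are excerpts of the script, so what runs between the stop and the start is not visible here.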
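Review bot: The new tarball is pinned only by the MD5 digest on the `$(DL_FILE)_MD5` line in the second lfs/strongswan hunk, and MD5 is not collision-resistant, which matters for a release pulled in specifically to fix a CVE in a VPN daemon. Whether the lfs framework accepts a stronger digest is not visible in this hunk; if it does, pin that as well, and otherwise verify the upstream release signature before updating the value and record it with a comment such as `# MD5 guards download integrity only; tarball checked against the upstream signature`. The new hash value itself cannot be checked from the page.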