strongswan: Update to 5.6.2

Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes itself a parameter that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.

This vulnerability has been registered as CVE-2018-6459.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/rootfiles/core/119/filelists/strongswan b/config/rootfiles/core/119/filelists/strongswan
new file mode 120000 (symlink)
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/119/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file

diff --git a/config/rootfiles/core/119/update.sh b/config/rootfiles/core/119/update.sh
index 1231a4941bb35e36b37bd184ebfc93f33e9f73c0..fdca22bc56f83e1c3591c86e549ab22fdcb77792 100644 (file)
--- a/config/rootfiles/core/119/update.sh
+++ b/config/rootfiles/core/119/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+ipsec stop
 
 # Remove old files
 rm -vf \

diff --git a/lfs/strongswan b/lfs/strongswan
index f012492d03007d8400ae04cb1560ef3687c8f2da..58f8c5e9b2f9e4f43254cb365e9d5352f3c8dd48 100644 (file)
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.6.1
+VER        = 5.6.2
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = cb2241f1b96c524cd15b1c0f50ed9a27
+$(DL_FILE)_MD5 = 46aa3aa18fbc4bd528f9a0345ce79913
 
 install : $(TARGET)