author | Timo Teräs <timo.teras@iki.fi> | 2015-06-11 10:21:13 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-06-11 10:21:37 +0300 |
commit | 52207fc1f01e9e371e339a1e7d4ba03f335e666a (patch) | |
tree | da56b24f368d6ae7f75c494328810790d10fdd7e | |
parent | 38b1d68577858507f8b3e503deb1076fd38b86fc (diff) | |
main/strongswan: security upgrade to 5.3.2 (CVE-2015-4171)
This also removes the GRE key patch -- it was incomplete and does
not fully fix the issues.
-rw-r--r-- | main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch | 36 | ||||
-rw-r--r-- | main/strongswan/APKBUILD | 16 |
2 files changed, 6 insertions, 46 deletions
diff --git a/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch b/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
deleted file mode 100644
index 9d0247b8fa..0000000000
--- a/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 9645c87adbfcbfba2ace8a51a5df31448512112c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Fri, 5 Jun 2015 10:19:38 +0300
-Subject: [PATCH] kernel-netlink: ignore ports for gre protocol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Netlink supports matching a grekey from using the port data. But
-charon does not handle grekey negotiation currently, so just ignore
-them for now.
-
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index f22e07d..5ce6b32 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -754,6 +754,11 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- sel.sport = htons(port & 0xff);
- sel.dport = htons(port >> 8);
- }
-+ else if (sel.proto == IPPROTO_GRE)
-+ {
-+ sel.sport = sel.dport = 0;
-+ sel.sport_mask = sel.dport_mask = 0;
-+ }
- sel.ifindex = 0;
- sel.user = 0;
-
---
-2.4.2
-
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 52d844e980..448490f575 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -1,9 +1,9 @@
 # Contributor: Jesse Young <jlyo@jlyo.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=strongswan
-pkgver=5.3.1
+pkgver=5.3.2
 _pkgver=${pkgver//_rc/rc}
-pkgrel=2
+pkgrel=0
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -14,13 +14,12 @@ depends="iproute2 openssl"
 depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev"
 makedepends="$depends_dev linux-headers"
 install="$pkgname.pre-install"
-subpackages="$pkgname-doc"
+subpackages="$pkgname-doc $pkgname-dbg"
 source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 0001-charon-add-optional-source-and-remote-overrides-for-.patch
 0002-vici-send-certificates-for-ike-sa-events.patch
 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 0004-vici-support-asynchronous-initiation.patch
- 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 strongswan.initd
 charon.initd"
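Review bot: In the `@@ -14,13 +14,12 @@` hunk the `subpackages` line gains `$pkgname-dbg`, which the commit message does not mention; for a CVE upgrade that may be cherry-picked to stable branches, name it in the description or split it into its own commit. The `source=` line in the same hunk still fetches the tarball over plain `http://`, so the regenerated sums in the `@@ -103,27 +102,24 @@` hunk are the only integrity check on strongswan-5.3.2.tar.bz2 and should be compared with upstream's published checksum or signature before merging. If the download host serves TLS, `source="https://download.strongswan.org/$pkgname-$_pkgver.tar.bz2` would be the one-line change. A short comment above `source=` recording why `0005-kernel-netlink-ignore-ports-for-gre-protocol.patch` was dropped (`# GRE port patch removed: incomplete fix`) would save the next maintainer a log search.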
@@ -103,27 +102,24 @@ package() {
 rm "$pkgdir"/usr/lib/ipsec/*.la || return 1
 }
-md5sums="66f258901a3d6c271da1a0c7fb3e5013 strongswan-5.3.1.tar.bz2
+md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2
 e553c5e9a895a2d95b1cbc33407d64a0 0001-charon-add-optional-source-and-remote-overrides-for-.patch
 8bea05feac6f4e90c4973b2459864437 0002-vici-send-certificates-for-ike-sa-events.patch
 125c4e648f73b0dbdaa741ac13ed6d87 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 f65811bd1ae6e7f98cf9d76928a0aa03 0004-vici-support-asynchronous-initiation.patch
-8616a8800d40662176214df4749d6780 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
 7962a720ebef6892d80a3cbdab72c204 charon.initd"
-sha256sums="83fa7b004e65356ff5bb755d9d0e03901d578a99e90b6328a350a4335a32f6de strongswan-5.3.1.tar.bz2
+sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
 a472df28677d4f43a063926a65b52b317dfca0b74f8c6a2e3bf852b94fbf5f0f 0001-charon-add-optional-source-and-remote-overrides-for-.patch
 c1cfe3d1e3345238e125a46a492f8dc0800aa3dc75aea060d54cdbab35fd60cb 0002-vici-send-certificates-for-ike-sa-events.patch
 4e08d4fe01717de0601411b4756141394ced2d3107adc47f2c2beac2f92a967e 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 42171ee35e7679fe3d4efb80fdb121b0a7ea8df5cf3395bbcccb97d56327027c 0004-vici-support-asynchronous-initiation.patch
-3c2e91b6bdf051ecba3c2c9c5575b617998eb471a4b570c9c5c4e59505599439 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
-sha512sums="b789c18de1fa6663d8140c4173c2fe9b668e7741098340aad439e7346d4542df702f59760d1886d82d68c070ebde3121b5b29ccdab031876399d0d5d771f1381 strongswan-5.3.1.tar.bz2
+sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
 682c768e82c6b8e48680ab73db49eb3a462b90ee317c943a42a82812d171a19da27ff4139bff0fc9af7b228cdcef44a75b86979f4b1b3af0bbc9698e4329fb4a 0001-charon-add-optional-source-and-remote-overrides-for-.patch
 ca6eec72f75f243234baa1b361ab6dba82a810d1efb01dbcfd16cd7ce104c3f18fb932c1f6f280a566bfcbe16bc67d7d55e024f72c9eef82a62fe78505293c5c 0002-vici-send-certificates-for-ike-sa-events.patch
 2e28af9043cab41f16c57f41ccb65b6591ec32d50a811bd393c4dcf7f0ffe81fac67679c41b716dfc74fca9ebedd178fe0b572b1c2cda3ccc685a0ad0d02f65a 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 39e4a9839b2f6f42f662620b20697c684b90949622f8cc21c393ca55ab40e669befd1d2055e0f0c799cf37733a37bbf4df2b9cebc984a45bb66ecba6fa0ef116 0004-vici-support-asynchronous-initiation.patch
-e93856948afbb331c4faa32a008e2948088107b45585d52d67b40aaa819e76246096fc4e71d30ef9b7f41f7e5b41bf58b804569e313c1cb8b0e2e29f6391580e 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd" |