-
strongswan (5.9.5-2ubuntu2.3) jammy-security; urgency=medium
* SECURITY UPDATE: improper certificate validation
- debian/patches/CVE-2022-4967.patch: enforce client/server identity
when looking for public key in src/libtls/tls_peer.c,
src/libtls/tls_server.c.
- CVE-2022-4967
-- Marc Deslauriers <email address hidden> Mon, 13 May 2024 16:16:55 +0200
-
strongswan (5.9.5-2ubuntu2.2) jammy-security; urgency=medium
* SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
- debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
potential buffer overflow in
src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
- CVE-2023-41913
-- Marc Deslauriers <email address hidden> Tue, 07 Nov 2023 11:46:10 +0200
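The entry above only names the file and the symptom. The bug class it describes, a peer-supplied Diffie-Hellman public value copied into a fixed-size buffer without a length check, is easy to see in a small illustration. The following is an added example, not strongSwan's tkm code: the struct layout, the 256-byte group size (a MODP-2048 value) and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of the bug class, not strongSwan's code. The group size,
 * struct layout and function names are assumptions for this example. */
#define DH_PUBLIC_LEN 256  /* assumed: byte length of a MODP-2048 public value */

typedef struct { const uint8_t *ptr; size_t len; } chunk_t;

typedef struct {
    uint8_t other_pub[DH_PUBLIC_LEN];   /* fixed-size buffer for the peer's value */
    size_t  other_len;
} dh_ctx_t;

/* Vulnerable shape: trusts the length that came off the wire. A KE payload
 * longer than DH_PUBLIC_LEN overwrites whatever follows other_pub. */
void set_other_public_value_unchecked(dh_ctx_t *ctx, chunk_t value)
{
    memcpy(ctx->other_pub, value.ptr, value.len);
    ctx->other_len = value.len;
}

/* A public value of 0 or 1 yields a trivial shared secret, so length alone
 * is not sufficient validation (for MODP groups p-1 is trivial as well). */
static bool is_trivial_value(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] != 0) return false;
    return len == 0 || p[len - 1] <= 1;
}

/* Hardened: the value must be exactly the group size and non-trivial;
 * nothing is copied until both checks pass. */
bool set_other_public_value_checked(dh_ctx_t *ctx, chunk_t value)
{
    if (value.ptr == NULL || value.len != DH_PUBLIC_LEN)
        return false;
    if (is_trivial_value(value.ptr, value.len))
        return false;
    memcpy(ctx->other_pub, value.ptr, value.len);
    ctx->other_len = value.len;
    return true;
}

/* Constructed inputs exercising the hardened check. */
bool demo_accepts_exact_size(void)
{
    dh_ctx_t ctx = {0};
    uint8_t v[DH_PUBLIC_LEN];
    memset(v, 0x42, sizeof v);
    return set_other_public_value_checked(&ctx, (chunk_t){ v, sizeof v })
        && ctx.other_len == DH_PUBLIC_LEN;
}

bool demo_rejects_oversized(void)
{
    dh_ctx_t ctx = {0};
    uint8_t v[DH_PUBLIC_LEN + 1];   /* one byte too long: would overflow unchecked */
    memset(v, 0x42, sizeof v);
    return !set_other_public_value_checked(&ctx, (chunk_t){ v, sizeof v })
        && ctx.other_len == 0;
}

bool demo_rejects_trivial(void)
{
    dh_ctx_t ctx = {0};
    uint8_t v[DH_PUBLIC_LEN] = {0};
    v[DH_PUBLIC_LEN - 1] = 1;       /* correct length, but y == 1 */
    return !set_other_public_value_checked(&ctx, (chunk_t){ v, sizeof v });
}
```

The length check is what closes the overflow; the triviality check is the cheap part of proper public-value validation and is included because "validate DH public key" in the entry covers more than the buffer size.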
-
strongswan (5.9.5-2ubuntu2.1) jammy-security; urgency=medium
* SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
- debian/patches/CVE-2022-40617.patch: do online revocation checks only
after basic trust chain validation in
src/libstrongswan/credentials/credential_manager.c.
- CVE-2022-40617
-- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 14:07:10 -0400
-
strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
* d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
segmentation fault; don't access OpenSSL objects inside atexit()
handlers. (LP: #1964977)
-- Sergio Durigan Junior <email address hidden> Fri, 18 Mar 2022 14:24:34 -0400
-
strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/control: strongswan-starter hard-depends on strongswan-charon,
therefore bump the dependency from Recommends to Depends. At the same
time avoid a circular dependency by dropping
strongswan-charon->strongswan-starter from Depends to Recommends as the
binaries can work without the services but not vice versa.
- re-add post-quantum encryption algorithm (NTRU) (LP: #1863749)
+ d/control: mention plugins in package description
+ d/rules: enable ntru at build time
+ d/libstrongswan-extra-plugins.install: ship config and shared objects
- Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
+ d/control: update libcharon-extra-plugins description.
+ d/libcharon-extra-plugins.install: install .so and conf files.
+ d/rules: add plugins to the configuration arguments.
- Remove conf files of plugins removed from libcharon-extra-plugins
+ The conf files of the following plugins were removed: eap-aka-3gpp2,
eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
+ Created d/libcharon-extra-plugins.maintscript to handle the removals
properly.
* Dropped patches included in new version:
- debian/patches/CVE-2021-45079.patch
- debian/patches/load-legacy-provider-in-openssl3.patch
strongswan (5.9.5-2) unstable; urgency=medium
* actually fix lintian overrides
strongswan (5.9.5-1) unstable; urgency=medium
* New upstream version 5.9.5
- eap-authenticator: Enforce failure if MSK generation fails
Fix incorrect handling of Early EAP-Success Messages (CVE-2021-45079)
* update lintian overrides to match RUNPATH
-- Marc Deslauriers <email address hidden> Thu, 03 Feb 2022 10:49:49 -0500
-
strongswan (5.9.4-1ubuntu4) jammy; urgency=medium
* SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
- debian/patches/CVE-2021-45079.patch: enforce failure if MSK
generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
src/libcharon/plugins/eap_md5/eap_md5.c,
src/libcharon/plugins/eap_radius/eap_radius.c,
src/libcharon/sa/eap/eap_method.h,
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
- CVE-2021-45079
-- Marc Deslauriers <email address hidden> Tue, 01 Feb 2022 07:23:37 -0500
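The jammy-security entries above (CVE-2022-4967, CVE-2023-41913, CVE-2022-40617) and the CVE-2021-45079 entry each give the first package version carrying the fix. The practical check is whether an installed version is at or past those versions, which needs dpkg's version ordering rather than a string compare (2.3 sorts before 2.10, "~" sorts before everything, an absent revision equals "-0"). The following is an added example, not part of this changelog or of the strongswan package: it reimplements the dpkg comparison algorithm and carries a table of the jammy fix versions read from the entries above. The table covers only the jammy package line; versions from other Ubuntu releases or from backports are not comparable this way.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not strongswan or dpkg code; mirrors the ordering rules of
 * deb-version(5). Character weight: '~' sorts before everything, including
 * end of string; letters sort before other non-digits. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    if (c) return c + 256;
    return 0;
}

/* Compare two version fragments as alternating runs of non-digits (by weight)
 * and digits (numerically, ignoring leading zeros). */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit((unsigned char)*a)) || (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;
            a++; b++;
        }
        while (*a == '0') a++;
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit((unsigned char)*a)) return 1;
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

typedef struct { long epoch; char upstream[64]; char revision[64]; } debver_t;

/* Split "[epoch:]upstream[-revision]". The revision is everything after the
 * last hyphen, since upstream versions may contain hyphens themselves. */
static int debver_parse(const char *s, debver_t *v)
{
    const char *colon = strchr(s, ':'), *hyphen;
    memset(v, 0, sizeof *v);
    if (colon) { v->epoch = strtol(s, NULL, 10); s = colon + 1; }
    hyphen = strrchr(s, '-');
    size_t up_len = hyphen ? (size_t)(hyphen - s) : strlen(s);
    if (up_len >= sizeof v->upstream) return -1;
    memcpy(v->upstream, s, up_len);
    if (hyphen) {
        if (strlen(hyphen + 1) >= sizeof v->revision) return -1;
        strcpy(v->revision, hyphen + 1);
    }
    return 0;
}

/* -1, 0 or 1 like `dpkg --compare-versions a lt|eq|gt b`. An unparsable
 * first argument compares as older so that a bad input fails closed. */
int debver_compare(const char *a, const char *b)
{
    debver_t va, vb;
    int r;
    if (debver_parse(a, &va)) return -1;
    if (debver_parse(b, &vb)) return 1;
    if (va.epoch != vb.epoch) return va.epoch > vb.epoch ? 1 : -1;
    r = verrevcmp(va.upstream, vb.upstream);
    if (!r) r = verrevcmp(va.revision, vb.revision);
    return (r > 0) - (r < 0);
}

/* First jammy package version carrying each fix, taken from the entries above. */
typedef struct { const char *cve; const char *fixed_in; } fix_t;
static const fix_t JAMMY_FIXES[] = {
    { "CVE-2022-4967",  "5.9.5-2ubuntu2.3" },
    { "CVE-2023-41913", "5.9.5-2ubuntu2.2" },
    { "CVE-2022-40617", "5.9.5-2ubuntu2.1" },
    { "CVE-2021-45079", "5.9.4-1ubuntu4"   },
};
#define N_FIXES (sizeof JAMMY_FIXES / sizeof JAMMY_FIXES[0])

/* Bit i of the result is set when JAMMY_FIXES[i] is not applied to `installed`. */
unsigned unfixed_mask(const char *installed)
{
    unsigned mask = 0;
    for (size_t i = 0; i < N_FIXES; i++)
        if (debver_compare(installed, JAMMY_FIXES[i].fixed_in) < 0)
            mask |= 1u << i;
    return mask;
}

int main(int argc, char **argv)
{
    /* Usage: ./check "$(dpkg-query -W -f='${Version}' strongswan)" */
    const char *installed = argc > 1 ? argv[1] : "5.9.5-2ubuntu2.1";  /* constructed default */
    unsigned mask = unfixed_mask(installed);
    for (size_t i = 0; i < N_FIXES; i++)
        printf("%-15s %s (fixed in %s)\n", JAMMY_FIXES[i].cve,
               (mask & (1u << i)) ? "MISSING" : "present", JAMMY_FIXES[i].fixed_in);
    return mask ? 1 : 0;
}
```

The exit status is non-zero when any listed fix is missing, so the program can sit in a fleet audit loop. Where dpkg is available, `dpkg --compare-versions "$installed" ge 5.9.5-2ubuntu2.3` gives the same answer for a single version; the reimplementation is for hosts or inventory systems where it is not.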
-
strongswan (5.9.4-1ubuntu3) jammy; urgency=medium
* No-change rebuild against libssl3
-- Steve Langasek <email address hidden> Thu, 09 Dec 2021 00:19:38 +0000
-
strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
* Add d/p/load-legacy-provider-in-openssl3.patch.
Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
-- Paride Legovini <email address hidden> Wed, 17 Nov 2021 17:04:27 +0100
-
strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/control: strongswan-starter hard-depends on strongswan-charon,
therefore bump the dependency from Recommends to Depends. At the same
time avoid a circular dependency by dropping
strongswan-charon->strongswan-starter from Depends to Recommends as the
binaries can work without the services but not vice versa.
- re-add post-quantum encryption algorithm (NTRU) (LP: #1863749)
+ d/control: mention plugins in package description
+ d/rules: enable ntru at build time
+ d/libstrongswan-extra-plugins.install: ship config and shared objects
- Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
+ d/control: update libcharon-extra-plugins description.
+ d/libcharon-extra-plugins.install: install .so and conf files.
+ d/rules: add plugins to the configuration arguments.
- Remove conf files of plugins removed from libcharon-extra-plugins
+ The conf files of the following plugins were removed: eap-aka-3gpp2,
eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
+ Created d/libcharon-extra-plugins.maintscript to handle the removals
properly.
* Dropped changes:
- Compile the tpm plugin against the tpm2 software stack (tss2).
Merged in Debian (5.9.4-1).
-- Paride Legovini <email address hidden> Fri, 12 Nov 2021 12:34:30 +0100
-
strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
* SECURITY UPDATE: Integer Overflow in gmp Plugin
- debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
negative salt length in
src/libstrongswan/credentials/keys/signature_params.c,
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
- CVE-2021-41990
* SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
- debian/patches/CVE-2021-41991.patch: prevent crash due to integer
overflow/sign change in
src/libstrongswan/credentials/sets/cert_cache.c.
- CVE-2021-41991
-- Marc Deslauriers <email address hidden> Mon, 18 Oct 2021 13:10:30 -0400
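The CVE-2021-41990 entry above says the fix rejects RSASSA-PSS parameters with a negative salt length. The saltLength field is a DER INTEGER, which is signed, so a decoder has to honour the sign and then refuse negative values before the value enters any size arithmetic. The following is an added example, not strongSwan's signature_params or gmp plugin code: it decodes a short DER INTEGER with proper sign extension, applies the RFC 8017 salt-length bound, and shows what unsigned padding arithmetic does with a negative value that slipped through. The function names are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not strongSwan code. Decode a short-form DER INTEGER
 * (tag 0x02, at most 4 content bytes) as a signed two's-complement value.
 * Returns false for malformed or non-minimal encodings. */
bool der_decode_int32(const uint8_t *buf, size_t len, int32_t *out)
{
    if (len < 3 || buf[0] != 0x02)
        return false;
    size_t n = buf[1];
    if (n == 0 || n > 4 || len != 2 + n)
        return false;
    /* DER forbids redundant leading 0x00 / 0xFF bytes */
    if (n > 1 && ((buf[2] == 0x00 && !(buf[3] & 0x80)) ||
                  (buf[2] == 0xFF &&  (buf[3] & 0x80))))
        return false;
    uint32_t v = (buf[2] & 0x80) ? 0xFFFFFFFFu : 0;   /* sign-extend from the first byte */
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[2 + i];
    *out = (int32_t)v;
    return true;
}

/* Validate an RSASSA-PSS saltLength for an encoded message of em_len bytes
 * and a hash of h_len bytes (RFC 8017 section 9.1.2, step 3). Returns the
 * salt length, or -1 when the encoding is bad, the value is negative, or the
 * salt does not fit. The negative check runs before any size arithmetic. */
int pss_salt_length(const uint8_t *der, size_t der_len, size_t em_len, size_t h_len)
{
    int32_t salt;
    if (!der_decode_int32(der, der_len, &salt))
        return -1;
    if (salt < 0)
        return -1;
    if (em_len < h_len + 2 || (size_t)salt > em_len - h_len - 2)
        return -1;
    return salt;
}

/* What goes wrong without the sign check: the padding length computed with
 * a negative salt wraps in unsigned arithmetic to something larger than the
 * message itself, and a buffer sized from em_len is then overrun. */
size_t pad_len_unchecked(int32_t salt, size_t em_len, size_t h_len)
{
    return em_len - h_len - 2 - (size_t)salt;
}
```

The example uses a 4-byte limit so the value fits an int32; a real parser working with arbitrary-length INTEGERs should treat any value it cannot represent as invalid rather than truncating it.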
-
strongswan (5.9.1-1ubuntu3) impish; urgency=medium
* Compile the tpm plugin against the tpm2 software stack (tss2)
(Debian packaging cherry-pick, LP: #1940079)
- d/rules: add the --enable-tss-tss2 configure flag
- d/control: add Build-Depends: libtss2-dev
-- Paride Legovini <email address hidden> Thu, 16 Sep 2021 11:40:38 +0200