[Bug 196615] Update strongswan to 5.2.2 [CVE-2014-9221]
bugzilla-noreply at freebsd.org
Mon Jan 12 17:35:05 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196615
Bug ID: 196615
Summary: Update strongswan to 5.2.2 [CVE-2014-9221]
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: garga at FreeBSD.org
Patch to update strongswan to 5.2.2

* Update strongswan to 5.2.2, follow upstream Changelog:

- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
  payload that contains the Diffie-Hellman group 1025. This identifier was
  used internally for DH groups with custom generator and prime. Because
  these arguments are missing when creating DH objects based on the KE payload
  an invalid pointer dereference occurred. This allowed an attacker to crash
  the IKE daemon with a single IKE_SA_INIT message containing such a KE
  payload. The vulnerability has been registered as CVE-2014-9221.

- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
  now accept prefixes to enforce an explicit type, such as email: or fqdn:.
  Note that no conversion is done for the remaining string, refer to
  ipsec.conf(5) for details.

- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
  an IKEv2 public key authentication method. The pki tool offers full support
  for the generation of BLISS key pairs and certificates.

- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
  cause interoperability issues when connecting to older versions of charon.
--
You are receiving this mail because:
You are the assignee for the bug.
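The CVE-2014-9221 entry above describes a receiver building a DH object from a group number taken straight off the wire. The following is an added example, not code from strongSwan or from this bug report: a receiver-side check that validates a raw IKEv2 Key Exchange payload against an allowlist before any DH object is created. All function and type names, and the choice of accepted groups, are assumptions; the payload layout and public value sizes follow RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not strongSwan code. */
enum ke_status { KE_OK, KE_TRUNCATED, KE_BAD_LENGTH, KE_INTERNAL_GROUP,
                 KE_UNSUPPORTED_GROUP, KE_BAD_KEY_SIZE };

#define DH_GROUP_CUSTOM 1025 /* internal-only identifier named in the changelog */

/* Groups this receiver accepts (an assumption), with the public value size
 * RFC 7296 requires: MODP values are padded to the length of the prime. */
static const struct { uint16_t group; size_t pub_len; } supported[] = {
    { 14, 256 },  /* 2048-bit MODP */
    { 15, 384 },  /* 3072-bit MODP */
    { 16, 512 },  /* 4096-bit MODP */
};

/* Validate a raw KE payload (4-byte generic header, 2-byte group,
 * 2 reserved bytes, then the public value). */
enum ke_status ke_payload_check(const uint8_t *p, size_t len, uint16_t *group_out)
{
    if (len < 8)
        return KE_TRUNCATED;
    if ((((size_t)p[2] << 8) | p[3]) != len)
        return KE_BAD_LENGTH;           /* declared length must match received bytes */
    uint16_t group = (uint16_t)((p[4] << 8) | p[5]);
    *group_out = group;
    if (group == DH_GROUP_CUSTOM)
        return KE_INTERNAL_GROUP;       /* needs a generator and prime the payload cannot carry */
    for (size_t i = 0; i < sizeof(supported) / sizeof(supported[0]); i++)
        if (supported[i].group == group)
            return (len - 8 == supported[i].pub_len) ? KE_OK : KE_BAD_KEY_SIZE;
    return KE_UNSUPPORTED_GROUP;
}

/* Constructed sample input: a zero-filled KE payload with the given group
 * and public value length, run through the check above. */
enum ke_status ke_check_sample(uint16_t group, size_t key_len)
{
    uint8_t buf[8 + 512] = {0};
    uint16_t seen = 0;
    if (key_len > 512)
        key_len = 512;
    size_t len = 8 + key_len;
    buf[2] = (uint8_t)(len >> 8);   buf[3] = (uint8_t)(len & 0xff);
    buf[4] = (uint8_t)(group >> 8); buf[5] = (uint8_t)(group & 0xff);
    return ke_payload_check(buf, len, &seen);
}
```

The allowlist alone already rejects group 1025; the separate KE_INTERNAL_GROUP status exists so that a log line can distinguish an internal identifier arriving from the network from an ordinary unsupported proposal.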