Request for strongSwan and Poptop (pptpd) ports update

Francois ten Krooden ftk at Nanoteq.com
Mon Jan 6 14:01:03 UTC 2014


Hi Dewayne

Those vulnerabilities are fixed in version 5.1.1, for which the patch is already submitted but has not yet been applied. I will submit a new patch now with the high availability feature removed, since this was not working correctly when I performed further testing on the port.
I was still waiting for a committer to submit the changes to the ports tree.

Kind regards
Francois ten Krooden

________________________________________
From: Dewayne Geraghty [dewayne.geraghty at heuristicsystems.com.au]
Sent: Monday, January 06, 2014 8:21 AM
To: dycuo123; strongswan
Cc: ports at freebsd.org
Subject: Re: Request for strongSwan and Poptop (pptpd) ports update

On 5/01/2014 6:08 AM, dycuo123 wrote:
> Hi, there
>
> Do you guys have some time to update these two? Many thanks!
>
It's probably better if you direct your request to the maintainer of the
port, ideally using http://www.freebsd.org/send-pr.html, identifying the
upgrade benefits and further details to pique their interest.  For
example, strongswan:

Current ports version is 5.0.4 and released version by strongswan is
5.1.1 (version 5.1.2 is scheduled for February)

Reasons for the request are:
1. Rectification of security vulnerabilities allowing Denial of Service:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6075
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6076
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5018

2. Rectification of security vulnerabilities allowing user impersonation
and bypassing access restrictions
CVE-2013-6075 (above)

3. Refer to change log
http://wiki.strongswan.org/projects/strongswan/wiki/Changelog51,
specifically ...

But of course the first thing to do is to use
http://www.freebsd.org/cgi/query-pr-summary.cgi to check if the request
has already been made.  And in this instance it has!
Please refer to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/183688

And given the outstanding CVEs I'd suggest that you apply the patches,
if you're going to use this port; pending maintainer's availability.

Francois, I've included you, as the CVEs should push this update from a
low priority/non-critical category to a medium given that it can be
DOS'ed via the network without authentication.  (And unfortunately IKEv1
is required for iPhone clients using IPSEC)

Regards, Dewayne.


