Bug #1448870 “Certificate policies cause rejections” : Bugs : strongswan package : Ubuntu

Revision history for this message

Richard Laager (rlaager) wrote on 2015-04-27:

#1

0001-constraints-Don-t-reject-certificates-with-invalid-c.patch Edit (5.9 KiB, text/x-diff)

description:

updated

Richard Laager (rlaager) on 2015-04-27

description:

updated

Richard Laager (rlaager) on 2015-04-27

description:

updated

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2015-04-27:

#2

The attachment "0001-constraints-Don-t-reject-certificates-with-invalid-c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

Simon Déziel (sdeziel) wrote on 2016-01-08:

#3

This is upstream bug https://wiki.strongswan.org/issues/453 which was fixed with the 5.2.2 release.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-02-18:

#4

Download full text (14.3 KiB)

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debia...

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

* debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debian/usr.lib.ipsec.{charon, lookip, stroke}
        - added AppArmor profiles for charon, lookip and stroke
      * debian/libcharon-extra-plugins.install
        - Add plugins
          - kernel-libipsec.{so, lib, conf, apparmor}
        - Remove plugins
          - libstrongswan-ha.so
        - Relocate plugins
          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
      * debian/libstrongswan-extra-plugins.install
        - Add plugins (so, lib, conf)
          - acert
          - attr-sql
          - coupling
          - dnscert
          - fips-prf
          - gmp
          - ipseckey
          - load-tester
          - mysql
          - ntru
          - radattr
          - soup
          - sqlite
          - sql
          - systime-fix
          - unbound
          - whitelist
        - Relocate plugins (so, lib, conf)
          - ccm (libstrongswan.install)
          - test-vectors (libstrongswan.install)
      * debian/libstrongswan.install
        - Sort sections
        - Add plugins (so, lib, conf)
          - libchecksum
          - ccm
          - eap-identity
          - md4
          - test-vectors
      * debian/strongswan-charon.install
        - Add AppArmor profile for charon
      * debian/strongswan-starter.install
        - Add tools, manpages, conf
          - openac
          - pool
          - _updown_espmark
        - Add AppArmor profile for stroke
      * debian/strongswan-tnc-base.install
        - Add new subpackage for TNC
        - remove non-existent (dropped in 5.2.1) libpts library files
      * debian/strongswan-tnc-client.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-ifmap.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-pdp.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-server.install
        - Add new subpackage for TNC
      * debian/strongswan-starter.postinit:
        - Removed section about runlevel changes, it's almost 2014.
        - Adapted service restart section for Upstart.
        - Remove old symlinks to init.d files is necessary.
      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
      * debian/strongswan-starter.prerm: Stop strongswan service on package
        removal (as opposed to using the old init.d script).
      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
        - logcheck patterns updated to be helpful
      * debian/strongswan-starter.postinst: Removed further out-dated code and
        entire section on opportunistic encryption - this was never in strongSwan.
      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
    Drop changes:
      * debian/control
        - Per-plugin package breakup: Reducing packaging delta from Debian
        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
      * debian/watch: Already exists in Debian merge
      * debian/upstream/signing-key.asc:  Upstream has newer version.

strongswan (5.3.5-1) unstable; urgency=medium

* New upstream bugfix release.

strongswan (5.3.4-1) unstable; urgency=medium

* New upstream release.
  * debian/patches:
    - 03_systemd-service refreshed for new upstream release.
    - 0001-socket-default-Refactor-setting-source-address-when-,
    0001-socket-dynamic-Refactor-setting-source-address-when- and
    CVE-2015-8023_eap_mschapv2_state dropped, included upstream.

strongswan (5.3.3-3) unstable; urgency=high

* Set urgency=high for security fix.
  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
    using EAP MSCHAPv2.

strongswan (5.3.3-2) unstable; urgency=medium

* debian/rules:
    - make the dh_install override arch-dependent only since it only acts on
    arch:any packages, fix FTBFS on arch:all.

strongswan (5.3.3-1) unstable; urgency=medium

* debian/rules:
    - enable the connmark plugin.
  * debian/control:
    - add build-dep on iptables-dev.
  * debian/libstrongswan-standard-plugins:
    - add connmark plugin to the standard-plugins package.
  * New upstream release.                                       closes: #803772
  * debian/strongswan-starter.install:
    - install new pki --dn manpage to ipsec-starter package.
  * debian/patches:
    - 0001-socket-default-Refactor-setting-source-address-when- and
    0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
    from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
    source address selection with IPv6 (upstream #1171)

strongswan (5.3.2-1) unstable; urgency=medium

* New upstream release.
  * debian/patches:
    - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
    - CVE-2015-4171_enforce_remote_auth dropped as well.

strongswan (5.3.1-1) unstable; urgency=high

* New upstream release.
  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
    - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
    same message ID twice in sequential IV gen. strongSwan issue #980.
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
    authentication credential to rogue server when using PSK or EAP. This is
    CVE-2015-4171.

strongswan (5.3.0-2) unstable; urgency=medium

* debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
      remote code execution vulnerability (CVE-2015-3991).
  * debian/strongswan-starter.lintian-overrides: add override for
    command-with-path-in-maintainer-script since it's there to check for file
    existence.
  * Upload to unstable.

strongswan (5.3.0-1) experimental; urgency=medium

* New upstream release.
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream release.
    - 02_chunk-endianness dropped, included upstream.
    - CVE-2014-9221_modp_custom dropped, included upstream.
  * debian/strongswan-starter.install
    - don't install the _updown and _updown_espmark manpages anymore, they're
    gone.
    - also remove the _updown_espmark script, gone too.
  * debian/copyright updated.

strongswan (5.2.1-6) unstable; urgency=medium

* Ship /lib/systemd/system/ipsec.service as a symlink to
    strongswan.service in strongswan-starter instead of using Alias= in
    the service file. This makes the ipsec name available to invoke-rc.d
    before the service gets actually enabled, which avoids some confusion
    (closes: #781209).

strongswan (5.2.1-5) unstable; urgency=high

* debian/patches:
    - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
    denial of service in IKEv2 when using custom MODP value.

strongswan (5.2.1-4) unstable; urgency=medium

* Give up on trying to run the test suite on !amd64, it now times out on
    both i386 and s390x, our chosen "fast" archs.

strongswan (5.2.1-3) unstable; urgency=medium

* Disable libtls tests again, they are still too intensive for the buildd
    network...

strongswan (5.2.1-2) unstable; urgency=medium

* Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
    computation and FTBFS on big-endian hosts.
  * Run the test suite only on amd64, i386, and s390x. It requires lots of
    entropy and CPU time, which are typically hard to come by on slower
    archs.
  * Re-enable normal keylengths in test suite.
  * Re-enable libtls tests.
  * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
  * Bump Standards-Version to 3.9.6.

strongswan (5.2.1-1) unstable; urgency=medium

* New upstream release.
  * Stop shipping /etc/strongswan.conf.d in libstrongswan.

strongswan (5.2.0-2) unstable; urgency=medium

* Add systemd integration:
    + Install upstream systemd service file in strongswan-starter.
    + Alias strongswan.service to ipsec.service to match the sysv init script.
    + Drop After=syslog.target (as syslog is socket-activated nowadays), but
      add After=network.target to ensure that charon gets the chance to send
      deletes on exit.
    + Add ExecReload for reload action, since the starter script has one.
    + On linux-any, add build-dep on systemd to ensure that the pkg-config
      metadata file can be found.
    + Add build-dep on dh-systemd, and use systemd dh addon.
  * Remove debian/patches/03_include-stdint.patch.

strongswan (5.2.0-1) unstable; urgency=medium

* New upstream release.
  [ Romain Francoise ]
  * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
  * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).

[ Yves-Alexis Perez ]
  * debian/po:
    - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
  * debian/patches:
    03_pfkey-Always-include-stdint.h dropped, included upstream.
  * debian/strongswan-starter.install:
    - replace tools.conf by pki.conf and scepclient.conf.

strongswan (5.1.3-4) unstable; urgency=medium

* debian/control:
    - add build-dep on pkg-config.
  * debian/patches:
    - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
      always include of stdint.h. Fix FTBFS on kFreeBSD.

strongswan (5.1.3-3) unstable; urgency=medium

* debian/watch:
    - add pgpsigurlmangle to get PGP signature
  * debian/upstream/signing-key.asc:
    - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
  * debian/control:
    - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796

strongswan (5.1.3-2) unstable; urgency=low

* Disable the new libtls test suite for now--it appears to be a
    little too intensive for slower archs.

strongswan (5.1.3-1) unstable; urgency=low

* New upstream release.
  * debian/control: make strongswan-charon depend on iproute2 | iproute,
    thanks to Ryo IGARASHI <rigarash@gmail.com> (closes: #744832).

strongswan (5.1.2-4) unstable; urgency=high

* debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
    (authentication bypass vulnerability in IKEv2 code).
  * debian/control: add myself to Uploaders.

strongswan (5.1.2-3) unstable; urgency=medium

* debian/patches/
    - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
    testsuite failing on 64 bit big-endian platforms (s390x).
    - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
    armel.

strongswan (5.1.2-2) unstable; urgency=medium

* debian/rules:
    - use reduced keylengths in testsuite on various arches, hopefully fixing
      FTBFS when the genrsa test runs.

strongswan (5.1.2-1) unstable; urgency=medium

* New upstream release.
  * debian/control:
    - add conflicts against openSwan.                           closes: #740808
  * debian/strongswan-starter,postrm:
    - remove /var/lib/strongswan on purge.
  * debian/ipsec.secrets.proto:
    - stop lying about ipsec showhostkey command.               closes: #600382
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream.
    - 02_include-strongswan.conf.d removed, strongswan.d is now supported
      upstream.
  * debian/rules, debian/*.install:
    - install default configuration files for all plugins.
  * debian/NEWS:
    - fix spurious entry.
    - add a NEWS entry to advertise about the new strongswan.d configuration
      mechanism.

-- Ryan Harper <ryan.harper@canonical.com>  Fri, 12 Feb 2016 11:24:53 -0600

Changed in strongswan (Ubuntu):
status:	New → Fix Released

Ubuntu
strongswan package

Certificate policies cause rejections

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntustrongswan package

Certificate policies cause rejections

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
strongswan package