~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-cosmic

Branch merges

Propose for merging

Merged into ubuntu/+source/strongswan:ubuntu/cosmic-devel at revision 0ad77f7522812222f2c4212b563ae866b37ab4e2

Andreas Hasenack: Approve on 2018-12-13

Canonical Server: Pending requested 2018-12-12

git-ubuntu developers: Pending requested 2018-12-12

Diff: 59 lines (+18/-0)

4 files modified

debian/changelog (+10/-0)
debian/usr.lib.ipsec.charon (+4/-0)
debian/usr.lib.ipsec.lookip (+2/-0)
debian/usr.lib.ipsec.stroke (+2/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

0ad77f7... by Christian Ehrhardt  on 2018-12-12

changelog: apparmor fixes (LP: #1780534 LP: #1773956)

Signed-off-by: Christian Ehrhardt <email address hidden>

49e135b... by Christian Ehrhardt  on 2018-12-03

- d/usr.lib.ipsec.lookip: executables need to be able to read map and execute themselves

Signed-off-by: Christian Ehrhardt <email address hidden>

914ab1c... by Christian Ehrhardt  on 2018-12-03

- d/usr.lib.ipsec.stroke: executables need to be able to read map and execute themselves

Signed-off-by: Christian Ehrhardt <email address hidden>

5a8f2ec... by Christian Ehrhardt  on 2018-12-12

d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)

Signed-off-by: Christian Ehrhardt <email address hidden>

36467a1... by Andreas Hasenack on 2018-10-04

Import patches-unapplied version 5.6.3-1ubuntu4 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Upload parent: 0ce9edf7cce08faa724c504db93705fb6eb740c0

0ce9edf... by Andreas Hasenack on 2018-10-04

changelog

1dd1690... by Christian Ehrhardt  on 2018-08-20

fix apparmor denies reading the own FDs (LP: #1786250)

As per LP #1786250, user noted audit failures in system log
against charon trying to read its own list of file descriptors
in /proc/<pid>/fd/.

We are uncertain when/why this started, however it is not
unreasonable for a process to attempt to read its own fd's,
so allow by extending the apparmor profile for charon.

References:
http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html
https://linux.die.net/man/5/proc

3d0ea1d... by Marc Deslauriers on 2018-10-01

Import patches-unapplied version 5.6.3-1ubuntu3 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 724b5b91a0e2f6c9a15e53559dc385a49466e505

New changelog entries:
  * SECURITY UPDATE: Insufficient input validation in gmp plugin
    - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
      buffer overflow with very small RSA keys in
      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
    - CVE-2018-17540

724b5b9... by Marc Deslauriers on 2018-09-25

Import patches-unapplied version 5.6.3-1ubuntu2 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Changelog parent: 582ccbdc77af76bd06d73ab1e60ca2f1254ec2a0

New changelog entries:
  * SECURITY UPDATE: Insufficient input validation in gmp plugin
    - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
      parse PKCS1 v1.5 RSA signatures to verify them in
      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
      src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
    - CVE-2018-16151
    - CVE-2018-16152

582ccbd... by Andreas Hasenack on 2018-08-23

Import patches-unapplied version 5.6.3-1ubuntu1 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Upload parent: 914d0606e00afd407437ea850454beba437a0ea2