Please merge strongswan 5.6.2-1 from Debian

Bug #1753018 reported by Carl-Daniel Hailfinger on 2018-03-02
Affects: strongswan (Ubuntu); assigned to: Christian Ehrhardt

Bug Description

Strongswan 5.6.2 was released recently and there is an updated Debian package available in unstable. Please merge.

The most significant changes in Strongswan 5.6.2 are:
- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. This is CVE-2018-6459.
- Reliability improvements for MOBIKE.
- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
- Faster IKEv2 rekeying.
- save-keys plugin for Wireshark debugging of IPsec.

Additional changes in the Debian package strongswan_5.6.2-1:
- strongswan-libcharon: add bypass-lan plugin

Although having the bypass-lan plugin available is definitely nice, it does have some bugs. If you decide to compile it like in the Debian package, please make sure it is disabled by default during runtime.
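The runtime disable the reporter asks for is done through strongSwan's per-plugin load setting rather than at build time. The fragment below is an added example, not part of this bug report or of the Debian package; it assumes the Debian/Ubuntu layout in which each charon plugin gets its own file under /etc/strongswan.d/charon/ (included from /etc/strongswan.conf inside the charon.plugins section), and the file name bypass-lan.conf is assumed to match that convention.

```conf
# /etc/strongswan.d/charon/bypass-lan.conf  (assumed path, Debian-style per-plugin file)
# The plugin stays installed in strongswan-libcharon but charon does not load it
# at startup, so no local-subnet bypass policies are installed unless an admin
# opts in on a given host.
bypass-lan {
    # Whether to load the plugin. Set to "yes" only where bypassing IPsec for
    # directly attached LANs is actually wanted.
    load = no
}
```

After restarting charon, `ipsec statusall` prints the active plugin set on its "loaded plugins:" line; bypass-lan should not appear there. The same setting can be written inline in /etc/strongswan.conf as charon { plugins { bypass-lan { load = no } } } if the per-plugin include files are not used.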

information type: Private Security → Public Security
Nish Aravamudan (nacc) wrote:

FYI, the CVE was already fixed in 5.6.1-2ubuntu4.

I checked quickly and yeah it seems to be fix-only and thereby not violating the Feature Freeze.
Bypass-lan was already added as disabled by default in Debian, so that should all be fine.

I'll take a look if the merge is more complex than expected.

Changed in strongswan (Ubuntu):
status: New → Triaged
Changed in strongswan (Ubuntu):
assignee: nobody → ChristianEhrhardt (paelzer)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package strongswan - 5.6.2-1ubuntu2

strongswan (5.6.2-1ubuntu2) bionic; urgency=medium

  * d/control: fix dependencies of strongswan-libcharon due to the move
    of the updown plugin.

 -- Christian Ehrhardt <email address hidden> Tue, 20 Mar 2018 07:37:29 +0100

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released

Thank you!
