Please merge strongswan 5.6.2-1 from Debian

Bug #1753018 reported by Carl-Daniel Hailfinger
This bug affects 1 person
Affects: strongswan (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Christian Ehrhardt

Bug Description

Strongswan 5.6.2 was released recently and there is an updated Debian package available in unstable. Please merge.

The most significant changes in Strongswan 5.6.2 are:
- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. This is CVE-2018-6459.
- Reliability improvements for MOBIKE.
- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
- Faster IKEv2 rekeying.
- save-keys plugin for Wireshark debugging of IPsec.

Additional changes in the Debian package strongswan_5.6.2-1:
- strongswan-libcharon: add bypass-lan plugin

Although having the bypass-lan plugin available is definitely nice, it does have some bugs. If you decide to compile it like in the Debian package, please make sure it is disabled by default during runtime.

information type: Private Security → Public Security
Nish Aravamudan (nacc) wrote :

FYI, the CVE was already fixed in 5.6.1-2ubuntu4.

Christian Ehrhardt  (paelzer) wrote :

I checked quickly and yeah it seems to be fix-only and thereby not violating the Feature Freeze.
Bypass-lan was already added being default disabled in Debian - so that should all be fine.

I'll take a look if the merge is more complex than expected.

Changed in strongswan (Ubuntu):
status: New → Triaged
Changed in strongswan (Ubuntu):
assignee: nobody → ChristianEhrhardt (paelzer)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.6.2-1ubuntu2

---------------
strongswan (5.6.2-1ubuntu2) bionic; urgency=medium

  * d/control: fix dependencies of strongswan-libcharon due to the move
    the updown plugin.

 -- Christian Ehrhardt <email address hidden> Tue, 20 Mar 2018 07:37:29 +0100

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
Carl-Daniel Hailfinger (hailfinger) wrote :

Thank you!
