libreswan: update to 4.15, CVE-2024-3652
Module Name: pkgsrc-wip
Committed By: Andrew Cagney <andrew.cagney%gmail.com@localhost>
Pushed By: cagney
Date: Mon Apr 15 18:01:37 2024 +0000
Changeset: ff06e8dfd538ed8334a8dd2c43c25c1e92203b43
Modified Files:
libreswan/Makefile
libreswan/PLIST
libreswan/TODO
libreswan/distinfo
Log Message:
libreswan: update to 4.15, CVE-2024-3652
* Security: Fixes http://libreswan.org/security/CVE-2024-3652
* Linux: remove dependency on libxz via libsystemd [Tuomo Andrew]
* IKEv1: reject ESP proposal combining AEAD and non-empty INTEG [Andrew]
* IKEv1: reject exchange when connection has no proposals [Andrew]
* IKEv1: limit default cryptosuite [Andrew, Paul, Tuomo]
IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=ff06e8dfd538ed8334a8dd2c43c25c1e92203b43
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
libreswan/Makefile | 49 +++++++++++++++++++++++++++----------------------
libreswan/PLIST | 6 +++---
libreswan/TODO | 1 +
libreswan/distinfo | 6 +++---
4 files changed, 34 insertions(+), 28 deletions(-)
diffs:
diff --git a/libreswan/Makefile b/libreswan/Makefile
index 274168cd3b..73e62d3838 100644
--- a/libreswan/Makefile
+++ b/libreswan/Makefile
@@ -6,7 +6,7 @@
# specific overides in mk/default/*.mk (for instance,
# mk/default/netbsd.mk).
-DISTNAME= libreswan-4.14
+DISTNAME= libreswan-4.15
PKGREVISION= 0
MASTER_SITES= https://download.libreswan.org/
@@ -23,40 +23,45 @@ USE_TOOLS+= flex
USE_TOOLS+= bison
#default is: USE_LANGUAGES+= c
-EGDIR= ${PREFIX}/share/examples/libreswan
+# 4.x installs config files and the rc.d script into /etc and not
+# examples/. Hence, need to move them to their proper directory.
+# 5.x should have this fixed.
-# Config files: stop libreswan 4.10+ scribbling into /etc
-MAKE_FLAGS+= INSTALL_CONFIGS=false
-
-# Init scripts aka rc.d: stop libreswan 4.10+ scribbing into /etc
-MAKE_FLAGS+= INSTALL_INITSYSTEM=false
-FILESDIR= ${DESTDIR}${EGDIR}/rc.d
+EGDIR= ${PREFIX}/share/examples
+MAKE_FLAGS=
+MAKE_FLAGS+= FINALDOCDIR=${EGDIR}/libreswan/
+MAKE_FLAGS+= FINALCONFDDIR=${EGDIR}/libreswan/ipsec.d
post-install:
- mv $(FILESDIR)/pluto $(FILESDIR)/pluto.sh
+ rm -f ${DESTDIR}/usr/pkg/etc/ipsec.conf
+ rm -f ${DESTDIR}/usr/pkg/etc/ipsec.secrets
+ rm -f ${DESTDIR}/usr/pkg/etc/rc.d/pluto
+ mv ${DESTDIR}${EGDIR}/rc.d/pluto ${DESTDIR}${EGDIR}/rc.d/ipsec
+ mv ${DESTDIR}/etc/pam.d ${DESTDIR}${EGDIR}/pam.d
+ mv ${DESTDIR}/usr/pkg/etc/logrotate.d ${DESTDIR}${EGDIR}/logrotate.d
#RCD_SCRIPTS= pluto
-#CONF_FILES+= ${EGDIR}/rc.d/ipsec ${PKG_SYSCONFDIR}/rc.d/ipsec
+CONF_FILES+= ${EGDIR}/rc.d/ipsec ${PKG_SYSCONFDIR}/rc.d/ipsec
# populate /etc
PERMS=$(REAL_ROOT_USER) $(REAL_ROOT_GROUP) 0700
MAKE_DIRS_PERMS+= ${PKG_SYSCONFDIR}/ipsec.d $(PERMS)
MAKE_DIRS_PERMS+= ${PKG_SYSCONFDIR}/ipsec.d/policies $(PERMS)
-CONF_FILES_PERMS+= ${EGDIR}/ipsec.secrets-sample ${PKG_SYSCONFDIR}/ipsec.secrets $(PERMS)
-CONF_FILES_PERMS+= ${EGDIR}/ipsec.conf-sample ${PKG_SYSCONFDIR}/ipsec.conf $(PERMS)
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/portexcludes.conf ${PKG_SYSCONFDIR}/ipsec.d/policies/portexcludes.conf
+CONF_FILES_PERMS+= ${EGDIR}/libreswan/ipsec.secrets-sample ${PKG_SYSCONFDIR}/ipsec.secrets $(PERMS)
+CONF_FILES_PERMS+= ${EGDIR}/libreswan/ipsec.conf-sample ${PKG_SYSCONFDIR}/ipsec.conf $(PERMS)
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/portexcludes.conf ${PKG_SYSCONFDIR}/ipsec.d/policies/portexcludes.conf
# needs a for loop
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/block ${PKG_SYSCONFDIR}/ipsec.d/policies/block
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/clear ${PKG_SYSCONFDIR}/ipsec.d/policies/clear
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/clear-or-private ${PKG_SYSCONFDIR}/ipsec.d/policies/clear-or-private
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/private ${PKG_SYSCONFDIR}/ipsec.d/policies/private
-CONF_FILES+= ${EGDIR}/ipsec.d/policies/private-or-clear ${PKG_SYSCONFDIR}/ipsec.d/policies/private-or-clear
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/block ${PKG_SYSCONFDIR}/ipsec.d/policies/block
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/clear ${PKG_SYSCONFDIR}/ipsec.d/policies/clear
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/clear-or-private ${PKG_SYSCONFDIR}/ipsec.d/policies/clear-or-private
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/private ${PKG_SYSCONFDIR}/ipsec.d/policies/private
+CONF_FILES+= ${EGDIR}/libreswan/ipsec.d/policies/private-or-clear ${PKG_SYSCONFDIR}/ipsec.d/policies/private-or-clear
# Always install pam.d!?
-MAKE_DIRS+= ${PKG_SYSCONFDIR}/pam.d
-CONF_FILES+= ${EGDIR}/pam.d/pluto ${PKG_SYSCONFDIR}/pam.d/pluto
+MAKE_DIRS+= ${PKG_SYSCONFDIR}/pam.d
+CONF_FILES+= ${EGDIR}/pam.d/pluto ${PKG_SYSCONFDIR}/pam.d/pluto
# Alway install logrotate!?!
-MAKE_DIRS+= ${PKG_SYSCONFDIR}/logrotate.d
-CONF_FILES+= ${EGDIR}/logrotate.d/libreswan ${PKG_SYSCONFDIR}/logrotate.d/libreswan
+MAKE_DIRS+= ${PKG_SYSCONFDIR}/logrotate.d
+CONF_FILES+= ${EGDIR}/logrotate.d/libreswan ${PKG_SYSCONFDIR}/logrotate.d/libreswan
CHECK_PORTABILITY_SKIP= mk/docker-targets.mk
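Review bot: The post-install recipe hard-codes `/usr/pkg/etc` (and `/etc/pam.d`) instead of deriving the paths from `${PREFIX}` or `${PKG_SYSCONFDIR}`, so with a non-default prefix the three `rm -f` lines silently match nothing and the upstream-installed `ipsec.secrets`, `ipsec.conf` and `rc.d/pluto` stay in the staged tree, outside the `CONF_FILES_PERMS` handling. Assuming upstream installs into the package's sysconfdir, write them as `rm -f ${DESTDIR}${PKG_SYSCONFDIR}/ipsec.secrets`, and likewise for `ipsec.conf`, `rc.d/pluto` and the `logrotate.d` move. Separately, the bare `MAKE_FLAGS=` discards anything appended earlier in the file or by included mk fragments, which this hunk does not show; dropping that line and keeping only the `+=` lines avoids the reset. The new `ipsec.secrets` and `ipsec.conf` entries also reuse `$(PERMS)` with mode 0700, which sets the execute bit on plain files; a separate 0600 triple for those two entries would be the usual mode for a secrets file.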
diff --git a/libreswan/PLIST b/libreswan/PLIST
index 81d1e8b899..107c3db608 100644
--- a/libreswan/PLIST
+++ b/libreswan/PLIST
@@ -67,6 +67,6 @@ share/examples/libreswan/ipsec.d/policies/portexcludes.conf
share/examples/libreswan/ipsec.d/policies/private
share/examples/libreswan/ipsec.d/policies/private-or-clear
share/examples/libreswan/ipsec.secrets-sample
-share/examples/libreswan/logrotate.d/libreswan
-share/examples/libreswan/pam.d/pluto
-share/examples/libreswan/rc.d/pluto.sh
+share/examples/rc.d/ipsec
+share/examples/logrotate.d/libreswan
+share/examples/pam.d/pluto
diff --git a/libreswan/TODO b/libreswan/TODO
index 4adf5b0ba2..d6e68a1876 100644
--- a/libreswan/TODO
+++ b/libreswan/TODO
@@ -9,6 +9,7 @@
- add following entries to pkg-vulnerabilities
+libreswan<4.15 denial-of-service https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt
libreswan<4.13nb1 denial-of-service https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt
libreswan<4.12nb1 denial-of-service https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt
libreswan<4.12nb1 denial-of-service https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt
diff --git a/libreswan/distinfo b/libreswan/distinfo
index 5f70f7c961..f1a680c464 100644
--- a/libreswan/distinfo
+++ b/libreswan/distinfo
@@ -1,5 +1,5 @@
$NetBSD$
-BLAKE2s (libreswan-4.14.tar.gz) = 327f2730fc1dd026c88e9507fc2528b1e077af9e8147acc7dadec80c0855e751
-SHA512 (libreswan-4.14.tar.gz) = fb4c4dc426530614d308a7c4f5d21123a166b1ad652f66393b45d4987a3e2be8e8bc135e7eedfe1c014db962b70f08108757f876e27cd9e7739a79764c6d4f2d
-Size (libreswan-4.14.tar.gz) = 3721106 bytes
+BLAKE2s (libreswan-4.15.tar.gz) = caf4ad3e098aa7b1a57971aabcbf10f834fa7e507bcdf5c130493cb996ec77aa
+SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe
+Size (libreswan-4.15.tar.gz) = 3728498 bytes