author | Peter Korsgaard <peter@korsgaard.com> | 2017-05-30 15:03:24 +0200 |
---|---|---|
committer | Thomas Petazzoni <thomas.petazzoni@free-electrons.com> | 2017-05-30 23:37:26 +0200 |
commit | e43efb9b654ae19e9e47ae5828d9e99b044f37c9 (patch) | |
tree | 86c436401a49246396805ed2ed0d240a875a9ead | |
parent | e1c2c432a914e1da9022f370906c06d139e41aee (diff) | |
download | buildroot-e43efb9b654ae19e9e47ae5828d9e99b044f37c9.tar.gz buildroot-e43efb9b654ae19e9e47ae5828d9e99b044f37c9.zip |

strongswan: add upstream security patches

Fixes:

CVE-2017-9022 - RSA public keys passed to the gmp plugin aren't
validated sufficiently before attempting signature verification, so that
invalid input might lead to a floating point exception and crash of the
process. A certificate with an appropriately prepared public key sent by a
peer could be used for a denial-of-service attack.

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9022%29.html

CVE-2017-9023 - ASN.1 CHOICE types are not correctly handled by the ASN.1
parser when parsing X.509 certificates with extensions that use such types.
This could lead to infinite looping of the thread parsing a specifically
crafted certificate.

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9023%29.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

-rw-r--r-- | package/strongswan/strongswan.hash | 3 | ||||
-rw-r--r-- | package/strongswan/strongswan.mk | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/package/strongswan/strongswan.hash b/package/strongswan/strongswan.hash index 97fb1998e4..cbc4e3857a 100644 --- a/package/strongswan/strongswan.hash +++ b/package/strongswan/strongswan.hash @@ -2,3 +2,6 @@ md5 9d7c77b0da9b69f859624897e5e9ebbf strongswan-5.4.0.tar.bz2 # Calculated based on the hash above sha256 f8288faaea6a9cd8a7d413c0b76b7922be5da3dfcd01fd05cb30d2c55d3bbe89 strongswan-5.4.0.tar.bz2 +# Locally calculated +sha256 f5ba7f46cf7ae81dd81bc86f9e4cfa0c5c7c6987149b3bc9c0b8bf08598a1063 strongswan-4.4.0-5.5.2_gmp_mpz_powm_sec.patch +sha256 03db8c7a4133e877e8992e155c046dd27ec4810d50f239abf55595f0280caf31 strongswan-5.0.0-5.5.2_asn1_choice.patch diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk index 2a852f22d0..1070eeaf8b 100644 --- a/package/strongswan/strongswan.mk +++ b/package/strongswan/strongswan.mk @@ -7,6 +7,9 @@ STRONGSWAN_VERSION = 5.4.0 STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2 STRONGSWAN_SITE = http://download.strongswan.org +STRONGSWAN_PATCH = \ + $(STRONGSWAN_SITE)/patches/21_gmp_mpz_powm_sec_patch/strongswan-4.4.0-5.5.2_gmp_mpz_powm_sec.patch \ + $(STRONGSWAN_SITE)/patches/22_asn1_choice_patch/strongswan-5.0.0-5.5.2_asn1_choice.patch STRONGSWAN_LICENSE = GPL-2.0+ STRONGSWAN_LICENSE_FILES = COPYING LICENSE STRONGSWAN_DEPENDENCIES = host-pkgconf |
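
Review bot: in package/strongswan/strongswan.hash, the two new sha256 entries sit under "# Locally calculated", so they pin whatever bytes were downloaded at commit time and nothing ties them to a value upstream published. Because STRONGSWAN_SITE in strongswan.mk is a plain http:// URL, these hashes are the only integrity check on the two security patches. It would help to say in the comment how the files were obtained before hashing, for example over an authenticated channel or by comparing the content with the patches referenced from the two advisories cited in the commit message, so a later reviewer can reproduce the check.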
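
Review bot: in package/strongswan/strongswan.mk, the new STRONGSWAN_PATCH assignment has no comment saying which CVE each patch addresses or when the entries can be dropped. The commit message maps the gmp_mpz_powm_sec patch to CVE-2017-9022 and the asn1_choice patch to CVE-2017-9023, and both file names end their version range at 5.5.2, but none of that is visible to someone who later bumps STRONGSWAN_VERSION. A short comment above the assignment naming the two CVEs and noting that the patches cover releases up to 5.5.2 would make it clear the variable should be removed on a bump past that version.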