vyos-strongswan.git, branch current (mirror of https://github.com/vyos/vyos-strongswan.git) https://git.amelek.net/vyos/vyos-strongswan.git/atom?h=current 2021-11-24T01:06:15+00:00 Reject RSASSA-PSS params with negative salt length 2021-11-24T01:06:15+00:00 Tobias Brunner tobias@strongswan.org 2021-09-28T15:52:08+00:00 urn:sha1:d99fe15d9e86c5a4c7546b58f94c9caed68b3953 The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault. Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") Fixes: CVE-2021-41990 Signed-off-by: Daniil Baturin <daniil@baturin.org> T1888: deprecate package 2021-05-29T20:36:00+00:00 Christian Poessinger christian@poessinger.com 2021-05-29T20:36:00+00:00 urn:sha1:f71d48f38f637a3741d63539cbc59fe094fb62f8 Debian: bullseye needs libxtables-dev over iptables-dev 2021-04-09T09:05:00+00:00 Christian Poessinger christian@poessinger.com 2021-04-09T09:05:00+00:00 urn:sha1:8822c451b298b256d4de66cb2e56890b336b6a70 Jenkins: enable arm64 builds 2021-03-26T19:14:35+00:00 Christian Poessinger christian@poessinger.com 2021-03-26T19:14:35+00:00 urn:sha1:329c3e314457e2329c961ada1640ccbab84dd281 Jenkins: T2625: migrate to build library 2020-06-24T16:24:59+00:00 Christian Poessinger christian@poessinger.com 2020-06-24T16:24:59+00:00 urn:sha1:f55c1c12f8b45f6555ae93daf1cc2d133bf6fb01 dmvpn: add required patches for FRR NHRP implementation 2020-06-11T23:00:19+00:00 Christian Poessinger christian@poessinger.com 2020-06-11T22:59:57+00:00 urn:sha1:1014d39807a14d266d35db5a94eae2d26e6ea336 Patches are not active. To activate bth patches add their corresponding file name to debian/patches/series. From FRR docs: nhrpd needs tight integration with IKE daemon for various reasons. Currently only strongSwan is supported as IKE daemon. nhrpd connects to strongSwan using VICI protocol based on UNIX socket (hardcoded now as /var/run/charon.vici). strongSwan currently needs few patches applied. Please check out bot git - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras-release - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras repositories for the patches. Jenkins: T1870: support GitHub PullRequest builds 2020-03-21T17:27:30+00:00 Christian Poessinger christian@poessinger.com 2020-03-21T17:27:30+00:00 urn:sha1:fd286871448acc36f8d727c07405ba8ff91d1d2b Jenkins: make pipeline branch independent 2019-12-27T15:02:27+00:00 Christian Poessinger christian@poessinger.com 2019-12-27T15:02:27+00:00 urn:sha1:b73af93684e4ac46fd8c2051345eb015e55f6daf Jenkins: adjust to new Debian Buster build 2019-12-18T15:29:19+00:00 Christian Poessinger christian@poessinger.com 2019-12-18T11:37:05+00:00 urn:sha1:60c32fc3ea95d37205ac0e73b1ba1396ccf298c3 Jenkins: import Pipeline from vyos-1x commit 2d3539f9dec1 2019-10-09T20:35:03+00:00 Christian Poessinger christian@poessinger.com 2019-10-09T20:35:03+00:00 urn:sha1:83a8545596f8e6fe627f829047d5156f4f534c9b