Age | Commit message | Author | |
---|---|---|---|
2021-11-24 | cert-cache: Prevent crash due to integer overflow/sign change [1.3.8] [1.3.7] [1.3.6] [1.3.5] [1.3.4] [1.3.3-epa1] [1.3.3] [1.3.2] [equuleus] | Tobias Brunner | |
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added directly to that offset before applying `% CACHE_SIZE` to get an index into the cache array. If the random value was very high, this resulted in an integer overflow and a negative index value and, therefore, an out-of-bounds access of the array and in turn dereferencing invalid pointers when trying to acquire the read lock. This most likely results in a segmentation fault. Fixes: 764e8b2211ce ("reimplemented certificate cache") Fixes: CVE-2021-41991 Signed-off-by: Daniil Baturin <daniil@vyos.io> | |||
2021-11-24 | Update package version | Daniil Baturin | |
2021-11-24 | Reject RSASSA-PSS params with negative salt length | Tobias Brunner | |
The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault. Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") Fixes: CVE-2021-41990 Signed-off-by: Daniil Baturin <daniil@baturin.org> | |||
2021-04-04 | Jenkins: use build library from proper branch "equuleus" | Christian Poessinger | |
2020-06-24 | Jenkins: T2625: migrate to build library | Christian Poessinger | |
2020-06-12 | dmvpn: add required patches for FRR NHRP implementation | Christian Poessinger | |
Patches are not active. To activate both patches add their corresponding file name to debian/patches/series. From FRR docs: nhrpd needs tight integration with IKE daemon for various reasons. Currently only strongSwan is supported as IKE daemon. nhrpd connects to strongSwan using VICI protocol based on UNIX socket (hardcoded now as /var/run/charon.vici). strongSwan currently needs few patches applied. Please check out both git - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras-release - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras repositories for the patches. | |||
2020-03-21 | Jenkins: T1870: support GitHub PullRequest builds | Christian Poessinger | |
2019-12-27 | Jenkins: make pipeline branch independent | Christian Poessinger | |
2019-12-18 | Jenkins: adjust to new Debian Buster build | Christian Poessinger | |
2019-10-09 | Jenkins: import Pipeline from vyos-1x commit 2d3539f9dec1 [VyOS_1.2-2019Q4] | Christian Poessinger | |
2019-01-14 | fixes T1070 - SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer | Kim Hagen | |
2019-01-14 | restore ability to remove tunnel connection by source and destination ip | Kim Hagen | |
T1070 - SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer | |||
2019-01-10 | Add patches for dmvpn. | Kim Hagen | |
Use the daemon facility for IPsec logging (fixes T551). | |||
2019-01-10 | Disable building the charon-nm package, which we do not use. | Kim Hagen | |
The practical reason for removing it completely for the time being is that libnm is not in jessie. | |||
2019-01-02 | upload strongSwan 5.7.2-1 to unstable | Yves-Alexis Perez | |
2019-01-02 | finalize changelog | Yves-Alexis Perez | |
2019-01-02 | d/patches: import patches in gbp pq | Yves-Alexis Perez | |
2019-01-02 | d/u/signing-key.asc: strip signatures from upstream signing key | Yves-Alexis Perez | |
2019-01-02 | d/libstrongswan.dirs: drop lintian overrides dir | Yves-Alexis Perez | |
2019-01-02 | d/control: update standards version to 4.3.0 | Yves-Alexis Perez | |
2019-01-02 | d/copyright updated | Yves-Alexis Perez | |
2019-01-02 | New upstream version 5.7.2 | Yves-Alexis Perez | |
2019-01-02 | d/copyright update | Yves-Alexis Perez | |
2018-11-13 | use a clean export for upstream signing key | Yves-Alexis Perez | |
2018-11-12 | drop unused debconf template | Yves-Alexis Perez | |
2018-11-12 | d/control: update standards version to 4.2.1 | Yves-Alexis Perez | |
2018-11-12 | d/watch: use HTTPS protocol | Yves-Alexis Perez | |
2018-11-12 | d/copyright: fix typos | Yves-Alexis Perez | |
2018-11-12 | d/control: remove Rene from Uploaders, thanks! | Yves-Alexis Perez | |
2018-10-01 | upload strongSwan 5.7.1-1 to unstable | Yves-Alexis Perez | |
2018-10-01 | finalize changelog | Yves-Alexis Perez | |
2018-10-01 | Update upstream source from tag 'upstream/5.7.1' | Yves-Alexis Perez | |
Update to upstream version '5.7.1' with Debian dir 72f82c6dc54a03e0a4ef30d019024a741edf8eb4 | |||
2018-10-01 | New upstream version 5.7.1 | Yves-Alexis Perez | |
2018-10-01 | remove unused lintian overrides | Yves-Alexis Perez | |
2018-10-01 | finalize changelog | Yves-Alexis Perez | |
2018-10-01 | enable chapoly plugin | Yves-Alexis Perez | |
closes: #814927 | |||
2018-10-01 | d/control: Remove XS-Testsuite field, not needed anymore | Ondřej Nový | |
2018-10-01 | d/rules: Remove trailing whitespaces | Ondřej Nový | |
2018-10-01 | d/changelog: Remove trailing whitespaces | Ondřej Nový | |
2018-10-01 | d/copyright: Use https protocol in Format field | Ondřej Nový | |
2018-09-24 | Merge branch 'apparmor-cosmetic-fixes' into 'debian/master' | Yves-Alexis Perez | |
Apparmor cosmetic fixes See merge request debian/strongswan!2 | |||
2018-09-24 | Remove redundant capabilities in charon Apparmor profiles | Simon Deziel | |
2018-09-24 | Fix typo in comment of charon Apparmor profiles | Simon Deziel | |
2018-09-24 | upload strongSwan 5.7.0-1 to unstable | Yves-Alexis Perez | |
2018-09-24 | finalize changelog | Yves-Alexis Perez | |
2018-09-24 | d/control: fix typo in libstrongswan long description | Yves-Alexis Perez | |
2018-09-24 | finalize changelog | Yves-Alexis Perez | |
2018-09-24 | Update upstream source from tag 'upstream/5.7.0' | Yves-Alexis Perez | |
Update to upstream version '5.7.0' with Debian dir b608300a1e1f88db62d14d08a55ca09f3603f054 | |||
2018-09-24 | New upstream version 5.7.0 | Yves-Alexis Perez | |
2018-09-24 | d/gbp.conf added, following DEP-14 | Yves-Alexis Perez | |