Age | Commit message | Author
2021-11-24 | cert-cache: Prevent crash due to integer overflow/sign change [1.3.8, 1.3.7, 1.3.6, 1.3.5, 1.3.4, 1.3.3-epa1, 1.3.3, 1.3.2, equuleus] | Tobias Brunner
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added directly to that offset before applying `% CACHE_SIZE` to get an index into the cache array. If the random value was very high, this resulted in an integer overflow and a negative index value and, therefore, an out-of-bounds access of the array and in turn dereferencing invalid pointers when trying to acquire the read lock. This most likely results in a segmentation fault.
Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991
Signed-off-by: Daniil Baturin <daniil@vyos.io>
2021-11-24 | Update package version | Daniil Baturin
2021-11-24 | Reject RSASSA-PSS params with negative salt length | Tobias Brunner
The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault.
Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990
Signed-off-by: Daniil Baturin <daniil@baturin.org>
2021-04-04 | Jenkins: use build library from proper branch "equuleus" | Christian Poessinger
2020-06-24 | Jenkins: T2625: migrate to build library | Christian Poessinger
2020-06-12 | dmvpn: add required patches for FRR NHRP implementation | Christian Poessinger
Patches are not active. To activate both patches add their corresponding file name to debian/patches/series.
From FRR docs: nhrpd needs tight integration with IKE daemon for various reasons. Currently only strongSwan is supported as IKE daemon. nhrpd connects to strongSwan using VICI protocol based on UNIX socket (hardcoded now as /var/run/charon.vici). strongSwan currently needs few patches applied. Please check out both git
- https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras-release
- https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras
repositories for the patches.
2020-03-21 | Jenkins: T1870: support GitHub PullRequest builds | Christian Poessinger
2019-12-27 | Jenkins: make pipeline branch independent | Christian Poessinger
2019-12-18 | Jenkins: adjust to new Debian Buster build | Christian Poessinger
2019-10-09 | Jenkins: import Pipeline from vyos-1x commit 2d3539f9dec1 [VyOS_1.2-2019Q4] | Christian Poessinger
2019-01-14 | fixes T1070 - SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer | Kim Hagen
2019-01-14 | restore ability to remove tunnel connection by source and destination ip | Kim Hagen
T1070 - SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
2019-01-10 | Add patches for dmvpn. | Kim Hagen
Use the daemon facility for IPsec logging (fixes T551).
2019-01-10 | Disable building the charon-nm package, which we do not use. | Kim Hagen
The practical reason for removing it completely for the time being is that libnm is not in jessie.
2019-01-02 | upload strongSwan 5.7.2-1 to unstable | Yves-Alexis Perez
2019-01-02 | finalize changelog | Yves-Alexis Perez
2019-01-02 | d/patches: import patches in gbp pq | Yves-Alexis Perez
2019-01-02 | d/u/signing-key.asc: strip signatures from upstream signing key | Yves-Alexis Perez
2019-01-02 | d/libstrongswan.dirs: drop lintian overrides dir | Yves-Alexis Perez
2019-01-02 | d/control: update standards version to 4.3.0 | Yves-Alexis Perez
2019-01-02 | d/copyright updated | Yves-Alexis Perez
2019-01-02 | New upstream version 5.7.2 | Yves-Alexis Perez
2019-01-02 | d/copyright update | Yves-Alexis Perez
2018-11-13 | use a clean export for upstream signing key | Yves-Alexis Perez
2018-11-12 | drop unused debconf template | Yves-Alexis Perez
2018-11-12 | d/control: update standards version to 4.2.1 | Yves-Alexis Perez
2018-11-12 | d/watch: use HTTPS protocol | Yves-Alexis Perez
2018-11-12 | d/copyright: fix typos | Yves-Alexis Perez
2018-11-12 | d/control: remove Rene from Uploaders, thanks! | Yves-Alexis Perez
2018-10-01 | upload strongSwan 5.7.1-1 to unstable | Yves-Alexis Perez
2018-10-01 | finalize changelog | Yves-Alexis Perez
2018-10-01 | Update upstream source from tag 'upstream/5.7.1' | Yves-Alexis Perez
Update to upstream version '5.7.1' with Debian dir 72f82c6dc54a03e0a4ef30d019024a741edf8eb4
2018-10-01 | New upstream version 5.7.1 | Yves-Alexis Perez
2018-10-01 | remove unused lintian overrides | Yves-Alexis Perez
2018-10-01 | finalize changelog | Yves-Alexis Perez
2018-10-01 | enable chapoly plugin | Yves-Alexis Perez
closes: #814927
2018-10-01 | d/control: Remove XS-Testsuite field, not needed anymore | Ondřej Nový
2018-10-01 | d/rules: Remove trailing whitespaces | Ondřej Nový
2018-10-01 | d/changelog: Remove trailing whitespaces | Ondřej Nový
2018-10-01 | d/copyright: Use https protocol in Format field | Ondřej Nový
2018-09-24 | Merge branch 'apparmor-cosmetic-fixes' into 'debian/master' | Yves-Alexis Perez
Apparmor cosmetic fixes
See merge request debian/strongswan!2
2018-09-24 | Remove redundant capabilities in charon Apparmor profiles | Simon Deziel
2018-09-24 | Fix typo in comment of charon Apparmor profiles | Simon Deziel
2018-09-24 | upload strongSwan 5.7.0-1 to unstable | Yves-Alexis Perez
2018-09-24 | finalize changelog | Yves-Alexis Perez
2018-09-24 | d/control: fix typo in libstrongswan long description | Yves-Alexis Perez
2018-09-24 | finalize changelog | Yves-Alexis Perez
2018-09-24 | Update upstream source from tag 'upstream/5.7.0' | Yves-Alexis Perez
Update to upstream version '5.7.0' with Debian dir b608300a1e1f88db62d14d08a55ca09f3603f054
2018-09-24 | New upstream version 5.7.0 | Yves-Alexis Perez
2018-09-24 | d/gbp.conf added, following DEP-14 | Yves-Alexis Perez