Debian Patches
Status for strongswan/5.9.8-5+deb12u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 02_disable-bypass-lan.patch | Don't load bypass-lan plugin by default | Yves-Alexis Perez <corsac@debian.org> | no | | | 2019-01-02 |
| 03_systemd-service.patch | Tune the ipsec systemd service file: add a reload argument; don't wait on syslog | Romain Francoise <rfrancoise@debian.org> | no | | | 2019-01-02 |
| 04_disable-libtls-tests.patch | Disable libtls tests. They're too intensive for the buildd network and cause FTBFS | Romain Francoise <rfrancoise@debian.org> | no | | | 2019-01-02 |
| dont-load-kernel-libipsec-plugin-by-default.patch | dont-load-kernel-libipsec-plugin-by-default | Christian Ehrhardt <christian.ehrhardt@canonical.com> | no | | | 2020-11-11 |
| 0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch | libtls: Fix authentication bypass and expired pointer dereference. `public` is returned, but previously only if a trusted key was found. We obviously don't want to return untrusted keys. However, since the reference is released after determining the key type, the returned object also doesn't have the correct refcount. So when the returned reference is released after verifying the TLS signature, the public key object is actually destroyed. The certificate object then points to an expired pointer, which is dereferenced once it itself is destroyed after the authentication is complete. Depending on whether the pointer is valid (i.e. points to memory allocated to the process) and what was allocated there after the public key was freed, this could result in a segmentation fault or even code execution. | Tobias Brunner <tobias@strongswan.org> | no | | | 2023-02-17 |
| 0006-charon-tkm-Validate-DH-public-key-to-fix-potential-b.patch | charon-tkm: Validate DH public key to fix potential buffer overflow. Seems this was forgotten in the referenced commit and actually could lead to a buffer overflow. Since charon-tkm is untrusted this isn't that much of an issue but could at least be easily exploited for a DoS attack as DH public values are set when handling IKE_SA_INIT requests. | Tobias Brunner <tobias@strongswan.org> | no | | | 2023-07-11 |
| 0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch | eap-mschapv2: Fix length check for Failure Request packets on the client. For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes `message_len` to become negative, which is then used in calls to malloc() and memcpy() that both take size_t arguments, causing an integer underflow. For 6 and 7, the huge size requested from malloc() will fail (it exceeds PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation fault in memcpy(). However, for 8, the allocation is 0, which succeeds. But then the -1 passed to memcpy() causes a heap-based buffer overflow (and possibly a segmentation fault when attempting to read/write that much data). Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g. Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer overflow and causes the daemon to get aborted immediately instead. | Tobias Brunner <tobias@strongswan.org> | no | | | 2025-10-09 |
All known versions for source package 'strongswan'
- 6.0.3-1 (forky, sid)
- 6.0.1-6+deb13u2 (trixie-security)
- 6.0.1-6+deb13u1 (trixie)
- 5.9.8-5+deb12u2 (bookworm-security)
- 5.9.8-5+deb12u1 (bookworm)
