Debian Patches

Status for strongswan/6.0.1-6+deb13u4

Patch: 02_disable-bypass-lan.patch
Description: Don't load bypass-lan plugin by default
Author: Yves-Alexis Perez <corsac@debian.org>
Forwarded: no
Last update: 2019-01-02

Patch: 03_systemd-service.patch
Description: Tune the ipsec systemd service file
- add a reload argument
- don't wait on syslog
Author: Romain Francoise <rfrancoise@debian.org>
Forwarded: no
Last update: 2019-01-02

Patch: 04_disable-libtls-tests.patch
Description: Disable libtls tests
They're too intensive for the buildd network and cause FTBFS
Author: Romain Francoise <rfrancoise@debian.org>
Forwarded: no
Last update: 2019-01-02

Patch: dont-load-kernel-libipsec-plugin-by-default.patch
Description: dont-load-kernel-libipsec-plugin-by-default
Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Forwarded: no
Last update: 2020-11-11

Patch: 0001-openssl-Fix-testing-KDF_PRF-in-the-constructor-with-.patch
Description: openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1

Setting the salt to NULL now fails, so we set it to hash length's zeroes,
which is the default value for HKDF-Extract if no salt is passed.

Fixes strongswan/strongswan#2828
Author: Tobias Brunner <tobias@strongswan.org>
Forwarded: no
Last update: 2025-07-10

Patch: 0002-openssl-Don-t-allocate-salt-if-PRF-hash-is-unknown.patch
Description: openssl: Don't allocate salt if PRF/hash is unknown
This can happen if e.g. AES-XCBC is selected.
Author: Tobias Brunner <tobias@strongswan.org>
Forwarded: no
Last update: 2025-07-11

Patch: 0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch
Description: eap-mschapv2: Fix length check for Failure Request packets on the client

For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
`message_len` to become negative, which is then used in calls to malloc()
and memcpy() that both take size_t arguments, causing an integer
underflow.

For 6 and 7, the huge size requested from malloc() will fail (it exceeds
PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
fault in memcpy().

However, for 8, the allocation is 0, which succeeds. But then the -1
passed to memcpy() causes a heap-based buffer overflow (and possibly a
segmentation fault when attempting to read/write that much data).
Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
overflow and causes the daemon to get aborted immediately instead.
Author: Tobias Brunner <tobias@strongswan.org>
Forwarded: no
Last update: 2025-10-09

Patch: 0008-nm-Create-safe-copies-of-files-for-user-specific-con.patch
Description: nm: Create safe copies of files for user-specific connections
This ensures that only certificates/private keys accessible by the
configured user are accessed and prevents attackers from misusing
other users' credentials.

Also removed setting NM_VERSION_MIN_REQUIRED, which suppresses deprecation
warnings that were added with newer API versions, and
NM_VERSION_MAX_ALLOWED, which warns if using functions added in newer
API versions, so we always build against the latest API available.

But we check explicitly for the required function so this works with
older NM versions and automatically will use it if the function is
backported.

Note that we can't use BUILD_FROM_FILE to read the temporary files as that
uses mmap() which SELinux policies prevent us from using at the location
these files are stored ([/var]/run/NetworkManager/cert/).

Includes other backported fixes.
Author: Tobias Brunner <tobias@strongswan.org>
Forwarded: no
Last update: 2025-11-26

Patch: 0009-eap-ttls-Prevent-crash-if-AVP-length-header-field-is.patch
Description: eap-ttls: Prevent crash if AVP length header field is invalid
The length field in the AVP header includes the 8 bytes of the header
itself. Not checking for that and later subtracting it causes an
integer underflow that usually triggers a crash when accessing a
NULL pointer that resulted from the failing chunk_alloc() call because
of the high value.

The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
in a buffer overflow even if the allocation succeeds.
Author: Tobias Brunner <tobias@strongswan.org>
Forwarded: no
Last update: 2026-03-05