pkgsrc-WIP-changes archive


libreswan: update to 4.15, CVE-2024-3652



Module Name:	pkgsrc-wip
Committed By:	Andrew Cagney <andrew.cagney%gmail.com@localhost>
Pushed By:	cagney
Date:		Mon Apr 15 18:01:37 2024 +0000
Changeset:	ff06e8dfd538ed8334a8dd2c43c25c1e92203b43

Modified Files:
	libreswan/Makefile
	libreswan/PLIST
	libreswan/TODO
	libreswan/distinfo

Log Message:
libreswan: update to 4.15, CVE-2024-3652

* Security: Fixes http://libreswan.org/security/CVE-2024-3652
* Linux: remove dependency on libxz via libsystemd [Tuomo Andrew]
* IKEv1: reject ESP proposal combining AEAD and non-empty INTEG [Andrew]
* IKEv1: reject exchange when connection has no proposals [Andrew]
* IKEv1: limit default cryptosuite [Andrew, Paul, Tuomo]
  IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
  ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
  AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=ff06e8dfd538ed8334a8dd2c43c25c1e92203b43

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 libreswan/Makefile | 49 +++++++++++++++++++++++++++----------------------
 libreswan/PLIST    |  6 +++---
 libreswan/TODO     |  1 +
 libreswan/distinfo |  6 +++---
 4 files changed, 34 insertions(+), 28 deletions(-)

diffs:
diff --git a/libreswan/Makefile b/libreswan/Makefile
index 274168cd3b..73e62d3838 100644
--- a/libreswan/Makefile
+++ b/libreswan/Makefile
@@ -6,7 +6,7 @@
 # specific overides in mk/default/*.mk (for instance,
 # mk/default/netbsd.mk).
 
-DISTNAME=	libreswan-4.14
+DISTNAME=	libreswan-4.15
 PKGREVISION=	0
 MASTER_SITES=	https://download.libreswan.org/
 
@@ -23,40 +23,45 @@ USE_TOOLS+=	flex
 USE_TOOLS+=	bison
 #default is: USE_LANGUAGES+=	c
 
-EGDIR=		${PREFIX}/share/examples/libreswan
+# 4.x installs config files and the rc.d script into /etc and not
+# examples/. Hence, need to move them to their proper directory.
+# 5.x should have this fixed.
 
-# Config files: stop libreswan 4.10+ scribbling into /etc
-MAKE_FLAGS+=	INSTALL_CONFIGS=false
-
-# Init scripts aka rc.d: stop libreswan 4.10+ scribbing into /etc
-MAKE_FLAGS+=	INSTALL_INITSYSTEM=false
-FILESDIR=	${DESTDIR}${EGDIR}/rc.d
+EGDIR=		${PREFIX}/share/examples
+MAKE_FLAGS=
+MAKE_FLAGS+=	FINALDOCDIR=${EGDIR}/libreswan/
+MAKE_FLAGS+=	FINALCONFDDIR=${EGDIR}/libreswan/ipsec.d
 post-install:
-	mv $(FILESDIR)/pluto $(FILESDIR)/pluto.sh
+	rm -f ${DESTDIR}/usr/pkg/etc/ipsec.conf
+	rm -f ${DESTDIR}/usr/pkg/etc/ipsec.secrets
+	rm -f ${DESTDIR}/usr/pkg/etc/rc.d/pluto
+	mv ${DESTDIR}${EGDIR}/rc.d/pluto ${DESTDIR}${EGDIR}/rc.d/ipsec
+	mv ${DESTDIR}/etc/pam.d ${DESTDIR}${EGDIR}/pam.d
+	mv ${DESTDIR}/usr/pkg/etc/logrotate.d ${DESTDIR}${EGDIR}/logrotate.d
 #RCD_SCRIPTS=	pluto
-#CONF_FILES+=	${EGDIR}/rc.d/ipsec ${PKG_SYSCONFDIR}/rc.d/ipsec
+CONF_FILES+=		${EGDIR}/rc.d/ipsec					${PKG_SYSCONFDIR}/rc.d/ipsec
 
 # populate /etc
 PERMS=$(REAL_ROOT_USER) $(REAL_ROOT_GROUP) 0700
 MAKE_DIRS_PERMS+=	${PKG_SYSCONFDIR}/ipsec.d $(PERMS)
 MAKE_DIRS_PERMS+=	${PKG_SYSCONFDIR}/ipsec.d/policies $(PERMS)
-CONF_FILES_PERMS+=	${EGDIR}/ipsec.secrets-sample ${PKG_SYSCONFDIR}/ipsec.secrets $(PERMS)
-CONF_FILES_PERMS+=	${EGDIR}/ipsec.conf-sample ${PKG_SYSCONFDIR}/ipsec.conf $(PERMS)
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/portexcludes.conf ${PKG_SYSCONFDIR}/ipsec.d/policies/portexcludes.conf
+CONF_FILES_PERMS+=	${EGDIR}/libreswan/ipsec.secrets-sample			${PKG_SYSCONFDIR}/ipsec.secrets $(PERMS)
+CONF_FILES_PERMS+=	${EGDIR}/libreswan/ipsec.conf-sample			${PKG_SYSCONFDIR}/ipsec.conf $(PERMS)
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/portexcludes.conf	${PKG_SYSCONFDIR}/ipsec.d/policies/portexcludes.conf
 # needs a for loop
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/block ${PKG_SYSCONFDIR}/ipsec.d/policies/block
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/clear ${PKG_SYSCONFDIR}/ipsec.d/policies/clear
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/clear-or-private ${PKG_SYSCONFDIR}/ipsec.d/policies/clear-or-private
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/private ${PKG_SYSCONFDIR}/ipsec.d/policies/private
-CONF_FILES+=		${EGDIR}/ipsec.d/policies/private-or-clear ${PKG_SYSCONFDIR}/ipsec.d/policies/private-or-clear
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/block		${PKG_SYSCONFDIR}/ipsec.d/policies/block
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/clear		${PKG_SYSCONFDIR}/ipsec.d/policies/clear
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/clear-or-private	${PKG_SYSCONFDIR}/ipsec.d/policies/clear-or-private
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/private		${PKG_SYSCONFDIR}/ipsec.d/policies/private
+CONF_FILES+=		${EGDIR}/libreswan/ipsec.d/policies/private-or-clear 	${PKG_SYSCONFDIR}/ipsec.d/policies/private-or-clear
 
 # Always install pam.d!?
-MAKE_DIRS+=	${PKG_SYSCONFDIR}/pam.d
-CONF_FILES+=	${EGDIR}/pam.d/pluto ${PKG_SYSCONFDIR}/pam.d/pluto
+MAKE_DIRS+=		${PKG_SYSCONFDIR}/pam.d
+CONF_FILES+=		${EGDIR}/pam.d/pluto					${PKG_SYSCONFDIR}/pam.d/pluto
 
 # Alway install logrotate!?!
-MAKE_DIRS+=	${PKG_SYSCONFDIR}/logrotate.d
-CONF_FILES+=	${EGDIR}/logrotate.d/libreswan ${PKG_SYSCONFDIR}/logrotate.d/libreswan
+MAKE_DIRS+=		${PKG_SYSCONFDIR}/logrotate.d
+CONF_FILES+=		${EGDIR}/logrotate.d/libreswan ${PKG_SYSCONFDIR}/logrotate.d/libreswan
 
 CHECK_PORTABILITY_SKIP=	mk/docker-targets.mk
 
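Review bot: The new `post-install` recipe hard-codes `${DESTDIR}/usr/pkg/etc` and `${DESTDIR}/etc` rather than deriving them from `${PREFIX}` and `${PKG_SYSCONFDIR}`, so with any non-default prefix the three `rm -f` lines succeed without removing anything and the staged `ipsec.conf`, `ipsec.secrets` and `rc.d/pluto` stay wherever upstream's install put them. Assuming upstream's install follows the package's sysconfdir, `rm -f ${DESTDIR}${PKG_SYSCONFDIR}/ipsec.secrets` (and likewise for the other paths) would track the configured location; the `mv ${DESTDIR}/etc/pam.d` line also shows upstream writing outside the prefix, which deserves a comment saying why. The bare `MAKE_FLAGS=` discards any flags set earlier in the file (not visible in this hunk), and together with dropping `INSTALL_CONFIGS=false` and `INSTALL_INITSYSTEM=false` it makes the package rely entirely on this cleanup. Separately, `$(PERMS)` gives `ipsec.secrets` and `ipsec.conf` mode 0700; a file-specific `$(REAL_ROOT_USER) $(REAL_ROOT_GROUP) 0600` would keep the secrets root-only without the execute bit.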
diff --git a/libreswan/PLIST b/libreswan/PLIST
index 81d1e8b899..107c3db608 100644
--- a/libreswan/PLIST
+++ b/libreswan/PLIST
@@ -67,6 +67,6 @@ share/examples/libreswan/ipsec.d/policies/portexcludes.conf
 share/examples/libreswan/ipsec.d/policies/private
 share/examples/libreswan/ipsec.d/policies/private-or-clear
 share/examples/libreswan/ipsec.secrets-sample
-share/examples/libreswan/logrotate.d/libreswan
-share/examples/libreswan/pam.d/pluto
-share/examples/libreswan/rc.d/pluto.sh
+share/examples/rc.d/ipsec
+share/examples/logrotate.d/libreswan
+share/examples/pam.d/pluto
diff --git a/libreswan/TODO b/libreswan/TODO
index 4adf5b0ba2..d6e68a1876 100644
--- a/libreswan/TODO
+++ b/libreswan/TODO
@@ -9,6 +9,7 @@
 
 - add following entries to pkg-vulnerabilities
 
+libreswan<4.15		denial-of-service	https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt
 libreswan<4.13nb1	denial-of-service	https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt
 libreswan<4.12nb1	denial-of-service	https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt
 libreswan<4.12nb1	denial-of-service	https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt
diff --git a/libreswan/distinfo b/libreswan/distinfo
index 5f70f7c961..f1a680c464 100644
--- a/libreswan/distinfo
+++ b/libreswan/distinfo
@@ -1,5 +1,5 @@
 $NetBSD$
 
-BLAKE2s (libreswan-4.14.tar.gz) = 327f2730fc1dd026c88e9507fc2528b1e077af9e8147acc7dadec80c0855e751
-SHA512 (libreswan-4.14.tar.gz) = fb4c4dc426530614d308a7c4f5d21123a166b1ad652f66393b45d4987a3e2be8e8bc135e7eedfe1c014db962b70f08108757f876e27cd9e7739a79764c6d4f2d
-Size (libreswan-4.14.tar.gz) = 3721106 bytes
+BLAKE2s (libreswan-4.15.tar.gz) = caf4ad3e098aa7b1a57971aabcbf10f834fa7e507bcdf5c130493cb996ec77aa
+SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe
+Size (libreswan-4.15.tar.gz) = 3728498 bytes

