Page MenuHomeVyOS Platform
Create Task
Maniphest T354

Outstanding CVEs - StrongSwan
Closed, ResolvedPublicBUG
Actions

Description

Here is a list of outstanding CVEs for StrongSan

https://www.cvedetails.com/cve/CVE-2014-2338/
https://www.cvedetails.com/cve/CVE-2014-2891/
https://www.cvedetails.com/cve/CVE-2015-4171/
https://www.cvedetails.com/cve/CVE-2015-8023/
https://www.cvedetails.com/cve/CVE-2017-9022/
https://www.cvedetails.com/cve/CVE-2017-9023/
https://www.cvedetails.com/cve/CVE-2014-9221/

Source: https://forum.vyos.net/showthread.php?tid=27172

Details

Difficulty level
Hard (possibly days)
Version
1.1.7
Why the issue appeared?
Will be filled on close

Event Timeline

syncer created this task.Aug 19 2017, 2:27 AM
syncer added a project: vyatta-strongswan.Aug 19 2017, 2:35 AM
syncer triaged this task as High priority.Aug 19 2017, 2:40 AM
higebu added a subscriber: higebu.EditedAug 19 2017, 3:59 AM

1.1.7 has 4.5.2-1.1-bpo60+vyos1+helium4. We should apply 2 patches, CVE-2015-4171 and CVE-2015-8023 to vyatta-strongswan helium branch.

higebu added a comment.Aug 19 2017, 4:30 AM

The CVSS score of CVE-2015-4171 is low, and it needs a valid certificate for attack. Can we ignore CVE-2015-4171?

higebu added a comment.Aug 19 2017, 5:03 AM

I applied the patch for CVE-2015-8023 to helium branch. https://github.com/vyos/vyatta-strongswan/commit/1f431fed4988a5e7f20a3f8ab464fed85c5f7e1c

higebu added a comment.Aug 19 2017, 5:06 AM

Jenkins job is broken. https://ci.vyos.net/job/vyatta-strongswan/

higebu added a comment.Aug 19 2017, 5:26 AM

Packages for testing:

strongswan_4.5.2-1.1-bpo60+vyos1+helium5.zip1 MBDownload

syncer added a subscriber: dmbaturin.Aug 19 2017, 11:09 AM

Hey @higebu!
agree on CVE-2015-4171

@dmbaturin moving build system to other host due to space restrictions

higebu added a comment.Aug 19 2017, 3:24 PM

@syncer I guess we need Squeeze host for building packages. But if we use pbuilder, we can build packages on Jessie.
Example script is here: https://gist.github.com/higebu/139c786fab3c88113d54eef16b462655

syncer added a comment.Aug 19 2017, 3:29 PM

I installed squeeze, think @dmbaturin will add it to CI once it ready

higebu added a comment.Aug 19 2017, 3:42 PM

Good!

higebu changed the task status from Open to In progress.Aug 20 2017, 3:23 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.1.x (1.1.8) board.Aug 21 2017, 12:06 AM
higebu claimed this task.Aug 21 2017, 1:14 AM
higebu moved this task from Backlog to In Progress on the VyOS 1.1.x (1.1.8) board.
UnicronNL added a subscriber: UnicronNL.Oct 3 2017, 6:54 PM

@higebu @syncer squeeze is added to ci, only there is no repo to upload.

dmbaturin added a comment.Oct 3 2017, 7:38 PM

@UnicronNL The debian repo for helium is here: http://dev.packages.vyos.net/legacy/repos/debian/helium/

UnicronNL closed this task as Resolved.Oct 22 2017, 8:14 PM
syncer moved this task from In Progress to Finished on the VyOS 1.1.x (1.1.8) board.Oct 22 2017, 8:15 PM