Accepting request 344762 from network:vpn
- Applied upstream fix for a authentication bypass vulnerability in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817). [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] OBS-URL: https://build.opensuse.org/request/show/344762 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=62
This commit is contained in:
commit
f3a0b7cca7
35
0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
Normal file
35
0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Thu, 29 Oct 2015 11:18:27 +0100
|
||||
References: CVE-2015-8023, bsc#953817
|
||||
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
|
||||
established
|
||||
|
||||
An MSK is only established if the client successfully authenticated
|
||||
itself and only then must we accept an MSCHAPV2_SUCCESS message.
|
||||
|
||||
Fixes CVE-2015-8023
|
||||
---
|
||||
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
index f7f39f9841d2..931e3c41dde4 100644
|
||||
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
|
||||
}
|
||||
case MSCHAPV2_SUCCESS:
|
||||
{
|
||||
- return SUCCESS;
|
||||
+ if (this->msk.ptr)
|
||||
+ {
|
||||
+ return SUCCESS;
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
case MSCHAPV2_FAILURE:
|
||||
{
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
|
||||
|
||||
- Applied upstream fix for a authentication bypass vulnerability
|
||||
in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
|
||||
[+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 4 10:54:29 UTC 2015 - mt@suse.de
|
||||
|
||||
|
@ -84,6 +84,7 @@ Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
|
||||
Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
|
||||
Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -296,6 +297,7 @@ and the load testing plugin for IKEv2 daemon.
|
||||
%endif
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
|
Loading…
Reference in New Issue
Block a user