Hello community, here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2015-11-17 14:23:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/strongswan (Old) and /work/SRC/openSUSE:Factory/.strongswan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2015-06-09 08:50:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2015-11-17 14:23:12.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Nov 13 10:25:59 UTC 2015 - [email protected] + +- Applied upstream fix for a authentication bypass vulnerability + in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817). + [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] + +------------------------------------------------------------------- New: ---- 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.daWJKm/_old 2015-11-17 14:23:13.000000000 +0100 +++ /var/tmp/diff_new_pack.daWJKm/_new 2015-11-17 14:23:13.000000000 +0100 @@ -84,6 +84,7 @@ %endif Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch +Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -296,6 +297,7 @@ %endif %patch5 -p1 %patch6 -p1 +%patch7 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init ++++++ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch ++++++ >From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001 From: Tobias Brunner <[email protected]> Date: Thu, 29 Oct 2015 11:18:27 +0100 References: CVE-2015-8023, bsc#953817 Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was established An MSK is only established if the client successfully authenticated itself and only then must we accept an MSCHAPV2_SUCCESS message. Fixes CVE-2015-8023 --- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index f7f39f9841d2..931e3c41dde4 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t, } case MSCHAPV2_SUCCESS: { - return SUCCESS; + if (this->msk.ptr) + { + return SUCCESS; + } + break; } case MSCHAPV2_FAILURE: { -- 1.9.1
