Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching
I stopped bb-builder2 and pointed it at AA instead of BB. I will update strongswan, openssl and gnutls during the day. Sorry for the delay, the old AA builder's HDD died halfway through the build 2 weeks ago and I was busy with BB and simply forgot. Sorry for the delay.

On 06/07/2014 17:41, Noel Kuntze wrote:
> Hello Mirko,
>
> So fixes or new versions with fixes will only be backported if there is a complete rebuild scheduled for the release?
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.07.2014 14:39, Mirko Parthey wrote:
>> On Sunday, 06.07.14, 00:00 +0200, Noel Kuntze wrote:
>>> I am once again inquiring about this vulnerability. The strongSwan version in the repository for the 12.09 version of OpenWRT is still not patched and Mr. Fietkau does not respond to any emails. I wrote him one on 2014-06-08 and one on 2014-07-02. Please update the packages. Lots of people are running vulnerable StrongSwan versions on publicly reachable OpenWRT routers.
>>
>> Felix Fietkau updated the strongSwan package in the 12.09 SVN branch (r40518, 2014-04-15) shortly after updating it in trunk. However, it appears that the release branch is not rebuilt automatically, so the binary packages are outdated. For OpenSSL, packages have been rebuilt manually, but that seems to be the exception.
>>
>> There has been mention on this mailing list of a Barrier Breaker release being worked on, but I have no information if there will be another release of Attitude Adjustment, which would then also come with updated packages from the 12.09 branch.
>>
>> Regards,
>> Mirko

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching
On Sunday, 06.07.14, 00:00 +0200, Noel Kuntze wrote:
> I am once again inquiring about this vulnerability. The strongSwan version in the repository for the 12.09 version of OpenWRT is still not patched and Mr. Fietkau does not respond to any emails. I wrote him one on 2014-06-08 and one on 2014-07-02. Please update the packages. Lots of people are running vulnerable StrongSwan versions on publicly reachable OpenWRT routers.

Felix Fietkau updated the strongSwan package in the 12.09 SVN branch (r40518, 2014-04-15) shortly after updating it in trunk. However, it appears that the release branch is not rebuilt automatically, so the binary packages are outdated. For OpenSSL, packages have been rebuilt manually, but that seems to be the exception.

There has been mention on this mailing list of a Barrier Breaker release being worked on, but I have no information if there will be another release of Attitude Adjustment, which would then also come with updated packages from the 12.09 branch.

Regards,
Mirko
Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching
Hello Mirko,

So fixes or new versions with fixes will only be backported if there is a complete rebuild scheduled for the release?

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.07.2014 14:39, Mirko Parthey wrote:
> On Sunday, 06.07.14, 00:00 +0200, Noel Kuntze wrote:
>> I am once again inquiring about this vulnerability. The strongSwan version in the repository for the 12.09 version of OpenWRT is still not patched and Mr. Fietkau does not respond to any emails. I wrote him one on 2014-06-08 and one on 2014-07-02. Please update the packages. Lots of people are running vulnerable StrongSwan versions on publicly reachable OpenWRT routers.
>
> Felix Fietkau updated the strongSwan package in the 12.09 SVN branch (r40518, 2014-04-15) shortly after updating it in trunk. However, it appears that the release branch is not rebuilt automatically, so the binary packages are outdated. For OpenSSL, packages have been rebuilt manually, but that seems to be the exception.
>
> There has been mention on this mailing list of a Barrier Breaker release being worked on, but I have no information if there will be another release of Attitude Adjustment, which would then also come with updated packages from the 12.09 branch.
>
> Regards,
> Mirko
Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching
Hello,

I am once again inquiring about this vulnerability. The strongSwan version in the repository for the 12.09 version of OpenWRT is still not patched and Mr. Fietkau does not respond to any emails. I wrote him one on 2014-06-08 and one on 2014-07-02. Please update the packages. Lots of people are running vulnerable StrongSwan versions on publicly reachable OpenWRT routers.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 15.04.2014 19:27, Felix Fietkau wrote:
> On 2014-04-15 00:33, Noel Kuntze wrote:
>> Hello list,
>>
>> An authentication bypass vulnerability has been revealed by the strongSwan team. All versions of strongSwan since 4.0.7 are affected. All affected packages need to be patched. The patches for the different versions can be gotten from http://download.strongswan.org/security/CVE-2014-2338/
>
> Strongswan has been updated to 5.1.3 in r40516. I will also backport this version to the 12.09 branch.
>
> - Felix
Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching
On 2014-04-15 00:33, Noel Kuntze wrote:
> Hello list,
>
> An authentication bypass vulnerability has been revealed by the strongSwan team. All versions of strongSwan since 4.0.7 are affected. All affected packages need to be patched. The patches for the different versions can be gotten from http://download.strongswan.org/security/CVE-2014-2338/

Strongswan has been updated to 5.1.3 in r40516. I will also backport this version to the 12.09 branch.

- Felix