[Pkg-swan-devel] [strongswan] 06/08: CVE-2015-8023_eap_mschapv2_state dropped

Yves-Alexis Perez corsac at moszumanska.debian.org
Fri Nov 20 07:09:53 UTC 2015


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 0fdf43fd606835684dc22785bfe67824c749f7f7
Author: Yves-Alexis Perez <corsac at debian.org>
Date:   Wed Nov 18 15:27:40 2015 +0100

    CVE-2015-8023_eap_mschapv2_state dropped
---
 debian/changelog                                   |  4 +--
 .../patches/CVE-2015-8023_eap_mschapv2_state.patch | 35 ----------------------
 debian/patches/series                              |  1 -
 3 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 346f5c7..6672e95 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,8 @@ strongswan (5.3.4-1) UNRELEASED; urgency=medium
   * debian/patches:
     - 03_systemd-service refreshed for new upstream release.
     - 0001-socket-default-Refactor-setting-source-address-when-,
-    0001-socket-dynamic-Refactor-setting-source-address-when- dropped,
-    included upstream. 
+    0001-socket-dynamic-Refactor-setting-source-address-when- and
+    CVE-2015-8023_eap_mschapv2_state dropped, included upstream. 
 
  -- Yves-Alexis Perez <corsac at debian.org>  Wed, 18 Nov 2015 15:19:49 +0100
 
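Review bot: the added line "CVE-2015-8023_eap_mschapv2_state dropped, included upstream. " keeps the trailing space after the full stop that the removed line also carried; strip it while the entry is being touched. Because this item is a security fix, consider giving it its own bullet instead of appending it to the socket-default/socket-dynamic list, so the CVE identifier is easy to find when scanning the 5.3.4-1 entry.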
diff --git a/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch b/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch
deleted file mode 100644
index 0ee759c..0000000
--- a/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias at strongswan.org>
-Date: Thu, 29 Oct 2015 11:18:27 +0100
-Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
- established
-
-An MSK is only established if the client successfully authenticated
-itself and only then must we accept an MSCHAPV2_SUCCESS message.
-
-Fixes CVE-2015-8023
----
- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-index f7f39f9841d2..931e3c41dde4 100644
---- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
- 		}
- 		case MSCHAPV2_SUCCESS:
- 		{
--			return SUCCESS;
-+			if (this->msk.ptr)
-+			{
-+				return SUCCESS;
-+			}
-+			break;
- 		}
- 		case MSCHAPV2_FAILURE:
- 		{
--- 
-1.9.1
-
-
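Review bot: deleting this file removes the only place in the packaging where the `if (this->msk.ptr)` guard on the `MSCHAPV2_SUCCESS` case of `process_server` is applied, and nothing in the commit shows that the new upstream source carries it. Before upload, confirm that src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c in the imported 5.3.4 tree returns SUCCESS only when the MSK is set, and record that in the commit message, for example by naming upstream commit 91762f11e223 from the patch header.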
diff --git a/debian/patches/series b/debian/patches/series
index 68c6f4c..6d7cc1d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
 01_fix-manpages.patch
 03_systemd-service.patch
 04_disable-libtls-tests.patch
-CVE-2015-8023_eap_mschapv2_state.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git


