
Fwd: Bug#616482: strongswan-ikev1: virtual ips not released if xauth name does not match id



Dear stable release team,

I have now integrated the cherry-picked upstream patch into my strongswan-squeeze branch at the alioth git repository (ssh://alioth.debian.org/git/pkg-swan/strongswan.git). As mentioned in the bug report, it applies cleanly and is an isolated fix for a bug in version 4.4.1 that impacts some clients. We will integrate this patched version into our Gibraltar firewall release and will therefore test this package update for regressions within the next few days. I would then prepare an upload to "stable" to make it into squeeze proposed updates. Is this ok for you? If you can't directly look at the strongswan-squeeze git branch, I could send you the most current 4.4.1-7 package diff.

best regards,
Rene
--- Begin Message ---
Package: strongswan-ikev1
Version: 4.4.1-5.1
Severity: normal
Tags: patch upstream


In Strongswan version 4.4.1 as shipped in stable there is a known
bug which prevents a virtual IP assigned via mode config from being released
if the XAUTH name sent from the peer does not match the peer's ID.

Clients which offer no control over which peer ID is sent or extract
it from the certificate's subject will not be able to acquire a
virtual IP after their first disconnect.

One particular example of this peer behaviour are iPhones.
For these clients the current strongswan-ikev1 package is
not usable with the xauthrsasig method.

Upstream has a patch for this at
http://git.strongswan.org/?p=strongswan.git;h=2b3124c76d3897bccb4aa616fca1f7393f1b284e

The patch applies cleanly to the Debian source package
and solves the problem described.

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages strongswan-ikev1 depends on:
ii  bind9-host [host]    1:9.7.2.dfsg.P3-1.1 Version of 'host' bundled with BIN
ii  bsdmainutils         8.0.13              collection of more utilities from 
ii  debconf [debconf-2.0 1.5.36.1            Debian configuration management sy
ii  debianutils          3.4                 Miscellaneous utilities specific t
ii  iproute              20100519-3          networking and traffic control too
ii  ipsec-tools          1:0.7.3-12          IPsec tools for Linux
ii  libc6                2.11.2-10           Embedded GNU C Library: Shared lib
ii  libcap2              1:2.19-3            support for getting/setting POSIX.
ii  libstrongswan        4.4.1-5.1           strongSwan utility and crypto libr
ii  strongswan-starter   4.4.1-5.1           strongSwan daemon starter and conf

strongswan-ikev1 recommends no packages.

Versions of packages strongswan-ikev1 suggests:
pn  curl                          <none>     (no description available)

-- no debconf information




--- End Message ---
