Version in base suite: 4.3-1+deb11u1 Base version: libreswan_4.3-1+deb11u1 Target version: libreswan_4.3-1+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/libreswan/libreswan_4.3-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/libreswan/libreswan_4.3-1+deb11u3.dsc changelog | 12 +++++++++++ patches/CVE-2023-23009-libreswan-4.2-4.3.patch | 26 +++++++++++++++++++++++++ patches/series | 1 3 files changed, 39 insertions(+)
diff -Nru libreswan-4.3/debian/changelog libreswan-4.3/debian/changelog
--- libreswan-4.3/debian/changelog 2022-01-13 04:21:33.000000000 +0000
+++ libreswan-4.3/debian/changelog 2023-03-03 13:34:50.000000000 +0000
@@ -1,3 +1,15 @@
+libreswan (4.3-1+deb11u3) bullseye-security; urgency=high
+
+ * use upstream patch for 4.2 and 4.3
+
+ -- Daniel Kahn Gillmor Fri, 03 Mar 2023 08:34:50 -0500
+
+libreswan (4.3-1+deb11u2) bullseye-security; urgency=high
+
+ * Fixes CVE-2023-23009 (Closes: #1031821)
+
+ -- Daniel Kahn Gillmor Wed, 01 Mar 2023 13:11:05 -0500
+
 libreswan (4.3-1+deb11u1) bullseye-security; urgency=high
 * Fixes CVE-2022-23094
diff -Nru libreswan-4.3/debian/patches/CVE-2023-23009-libreswan-4.2-4.3.patch libreswan-4.3/debian/patches/CVE-2023-23009-libreswan-4.2-4.3.patch
--- libreswan-4.3/debian/patches/CVE-2023-23009-libreswan-4.2-4.3.patch 1970-01-01 00:00:00.000000000 +0000
+++ libreswan-4.3/debian/patches/CVE-2023-23009-libreswan-4.2-4.3.patch 2023-03-03 13:34:11.000000000 +0000
@@ -0,0 +1,26 @@
+From: Paul Wouters
+Date: Fri, 3 Mar 2023 08:28:34 -0500
+Subject: CVE-2023-23009-libreswan-4.2-4.3
+
+Forwarded: https://libreswan.org/security/CVE-2023-23009/
+
+---
+ programs/pluto/ikev2_ts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index fba776a..879a6a6 100644
+--- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -421,6 +421,11 @@ static bool v2_parse_ts(struct payload_digest *const ts_pd,
+ d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ &ts_h, sizeof(ts_h), &ts_body_pbs);
+
++ if (d != NULL) {
++ log_diag(RC_LOG, logger, &d, "%s", "");
++ return false;
++ }
++
+ switch (ts_h.isath_type) {
+ case IKEv2_TS_IPV4_ADDR_RANGE:
+ case IKEv2_TS_IPV6_ADDR_RANGE:
diff -Nru libreswan-4.3/debian/patches/series libreswan-4.3/debian/patches/series
--- libreswan-4.3/debian/patches/series 2022-01-13 04:21:33.000000000 +0000
+++ libreswan-4.3/debian/patches/series 2023-03-03 13:30:19.000000000 +0000
@@ -1,3 +1,4 @@
 0001-do-not-use-git-version.patch
 0002-debian-pam.d-pluto.patch
 CVE-2022-23094.patch
+CVE-2023-23009-libreswan-4.2-4.3.patch
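Review bot: The new `if (d != NULL)` guard sits correctly between the `pbs_in_struct` call and the `switch (ts_h.isath_type)`, but nothing in the hunk records why that ordering matters, so a later refactor could move the dispatch or reuse `ts_h` above the check; a one-line comment over the guard would pin it, e.g. `/* a short or malformed TS header leaves ts_h unset: reject the payload before dispatching on its type */`. The enclosing v2_parse_ts begins before the hunk, so whether `ts_h` is zero-initialised at its declaration cannot be seen here; if it is not, the comment also documents that this early return is what keeps the switch from reading an unset field. `log_diag(RC_LOG, logger, &d, "%s", "")` appears to hand the diag object to the logger by address, which presumably releases it — worth confirming against the other `log_diag` call sites in this file so the new error path neither leaks nor double-frees `d`.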