lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140414150129.GA2985@pisco.westfalen.local>
Date: Mon, 14 Apr 2014 17:01:29 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2903-1] strongswan security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2903-1                   security@...ian.org
http://www.debian.org/security/                         Yves-Alexis Perez
April 14, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2014-2338

An authentication bypass vulnerability was found in charon, the daemon
handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine
handling the security association (IKE_SA) handled some state transitions
incorrectly.

An attacker can trigger the vulnerability by rekeying an unestablished
IKE_SA during the initiation itself. This will trick the IKE_SA state to
'established' without the need to provide any valid credential.

Vulnerable setups include those actively initiating IKEv2 IKE_SA (like
”clients” or “roadwarriors”) but also during re-authentication (which
can be initiated by the responder). Installations using IKEv1 (pluto
daemon in strongSwan 4 and earlier, and IKEv1 code in charon 5.x) is not
affected.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.5.

For the stable distribution (wheezy), this problem has been fixed in
version 4.5.2-1.5+deb7u3.

For the unstable distribution (sid), this problem has been fixed in
version 5.1.2-4.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTS/gCAAoJEBDCk7bDfE42CIMP/jpDobbJt9pO+N6SQY1BKfrn
MT1Aly9sb7o4Fz1DbOBJjJ60oXz7aFXSndOyc55DdTNInanXC3sWMfbV31kseiq+
wgRk6zAAgOaxs/uStorK3b8JYQN5NIVDmdd0BCkD5Oo3PGkr1YQyanXtraez7O4e
ba3wJYxEuXq7wt/0Y/bt77nAf//tHaJ3vJB0LWXy717E6f3isS+1xMlZLmCu9nAS
TMvCrW8XAOmPTJ3PF3AlSnRc+omYRpw3rJcIhS4pC3VA6Y1uYhTnRV3Oy81Y3PgR
lEt3m7YNiGbLu+eqN2bb3lRR1Erdl7XAE/WZPcKb8MetC9gQK+gjSmgXcwa49QFh
CuUk6rQJzYRoh78FL9LqYPxQNtow+4hPvURVB/wXHTP3ipPvN1/0OmBJU5wlepDF
2d+JZTLov187Rb0yTZG0+TlKykiJiea6r9ZdAYMUOebXtyaaGHQeEwNNlky0RT1k
Zf+ptoNPyLQQO3lq03nGlon5nwV1ytM61Hksj9v3cBu9RT2D6mIvzUlpAgdgfwnD
UgrePI88J68Layvj/SplVTaq1JtaA3dXZwnLfFBjB859eGSWpbrcn4UFiPkVMIOL
ORNv929NhmGONI913Hxkcb96vPJrqorEWKnsm70NyqI8A/oQonnTqhtXXJwh4S2f
em1AIItBX/UdJfKHZ+UA
=EdFc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ