Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200909-05 ] Openswan: Denial of Service
Date: Wed, 09 Sep 2009 13:37:20
Message-Id: 20090909152040.522566bb@neon
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200909-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Openswan: Denial of Service
9 Date: September 09, 2009
10 Bugs: #264346, #275233
11 ID: 200909-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities in the pluto IKE daemon of Openswan might
19 allow remote attackers to cause a Denial of Service.
20
21 Background
22 ==========
23
24 Openswan is an implementation of IPsec for Linux.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-misc/openswan < 2.4.15 >= 2.4.15
33
34 Description
35 ===========
36
37 Multiple vulnerabilities have been discovered in Openswan:
38
39 * Gerd v. Egidy reported a NULL pointer dereference in the Dead Peer
40 Detection of the pluto IKE daemon as included in Openswan
41 (CVE-2009-0790).
42
43 * The Orange Labs vulnerability research team discovered multiple
44 vulnerabilities in the ASN.1 parser (CVE-2009-2185).
45
46 Impact
47 ======
48
49 A remote attacker could exploit these vulnerabilities by sending
50 specially crafted R_U_THERE or R_U_THERE_ACK packets, or a specially
51 crafted X.509 certificate containing a malicious Relative Distinguished
52 Name (RDN), UTCTIME string or GENERALIZEDTIME string to cause a Denial
53 of Service of the pluto IKE daemon.
54
55 Workaround
56 ==========
57
58 There is no known workaround at this time.
59
60 Resolution
61 ==========
62
63 All Openswan users should upgrade to the latest version:
64
65 # emerge --sync
66 # emerge --ask --oneshot --verbose =net-misc/openswan-2.4.15
67
68 References
69 ==========
70
71 [ 1 ] CVE-2009-0790
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
73 [ 2 ] CVE-2009-2185
74 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
75
76 Availability
77 ============
78
79 This GLSA and any updates to it are available for viewing at
80 the Gentoo Security Website:
81
82 http://security.gentoo.org/glsa/glsa-200909-05.xml
83
84 Concerns?
85 =========
86
87 Security is a primary focus of Gentoo Linux and ensuring the
88 confidentiality and security of our users machines is of utmost
89 importance to us. Any security concerns should be addressed to
90 security@g.o or alternatively, you may file a bug at
91 https://bugs.gentoo.org.
92
93 License
94 =======
95
96 Copyright 2009 Gentoo Foundation, Inc; referenced text
97 belongs to its owner(s).
98
99 The contents of this document are licensed under the
100 Creative Commons - Attribution / Share Alike license.
101
102 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature