Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201603-13 ] Libreswan: Multiple Vulnerabilities
Date: Sat, 12 Mar 2016 23:26:36
Message-Id: 56E4A483.2010808@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201603-13
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Libreswan: Multiple Vulnerabilities
9 Date: March 12, 2016
10 Bugs: #550974, #558692
11 ID: 201603-13
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in libreSwan possibly
19 resulting in Denial of Service.
20
21 Background
22 ==========
23
24 Libreswan is a free software implementation of the most widely
25 supported and standarized VPN protocol based on ("IPsec") and the
26 Internet Key Exchange ("IKE").
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 net-misc/libreswan < 3.15 >= 3.15
35
36 Description
37 ===========
38
39 The pluto IKE daemon in Libreswan, when built with NSS, allows remote
40 attackers to cause a Denial of Service (assertion failure and daemon
41 restart) via a zero DH g^x value in a KE payload in a IKE packet.
42 Additionally, remote attackers could cause a Denial of Service (daemon
43 restart) via an IKEv1 packet with (1) unassigned bits set in the IPSEC
44 DOI value or (2) the next payload value set to ISAKMP_NEXT_SAK.
45
46 Impact
47 ======
48
49 Remote attackers could possibly cause Denial of Service.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Libreswan users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=net-misc/libreswan-3.15"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2015-3204
68 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3204
69 [ 2 ] CVE-2015-3240
70 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3240
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 https://security.gentoo.org/glsa/201603-13
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users' machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 https://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2016 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature