Package: openswan Version: 1:2.6.28+dfsg-5 Tags: security upstream Severity: important
A security issue has been discovered in Openswan: | Subject: CVE-2011-4073 Openswan crypto helper crasher | When a phase 2 cryptographic job is handed over to a crypto helper | process, and the phase 1 associated with that phase2 is deleted, the | crypto helper submits its completed work to a freed and possible re-used | memory location. | | Openswan is only vulnerable if the attacker is a known client that can | pass ISAKMP phase 1 authentication. Since the cryptographic work done | locally cannot be influenced by the remote client, it is not possible | for the client to cause remote execution of code. <http://openswan.org/download/CVE-2011-4073/CVE-2011-4073.txt> I think this warrants a DSA for stable and olstable, and we would appreciate if you could prepare an update. (CVE-2011-2147 should be fixed at the same time.) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
