Your message dated Tue, 07 Oct 2008 12:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#501026: fixed in ipsec-tools 1:0.7.1-1.2
has caused the Debian Bug report #501026,
regarding ipsec-tools: CVE-2008-3652 denial of service for authenticated 
attackers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
501026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501026
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ipsec-tools
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ipsec-tools.

CVE-2008-3652[0]:
| src/racoon/handler.c in racoon in ipsec-tools does not remove an
| "orphaned ph1" (phase 1) handle when it has been initiated remotely,
| which allows remote attackers to cause a denial of service (resource
| consumption).

A patch of the relevant changes extracted from upstream rcs 
is attached.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3652
    http://security-tracker.debian.net/tracker/CVE-2008-3652

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
index 5b81e5b..4d4e2f2 100644
--- a/src/racoon/isakmp.c
+++ b/src/racoon/isakmp.c
@@ -801,20 +801,24 @@ ph1_main(iph1, msg)
 			    [iph1->side]
 			    [iph1->status])(iph1, msg);
 	if (error != 0) {
-#if 0
+
 		/* XXX
 		 * When an invalid packet is received on phase1, it should
 		 * be selected to process this packet.  That is to respond
 		 * with a notify and delete phase 1 handler, OR not to respond
-		 * and keep phase 1 handler.
+		 * and keep phase 1 handler. However, in PHASE1ST_START when
+		 * acting as RESPONDER we must not keep phase 1 handler or else
+		 * it will stay forever.
 		 */
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"failed to pre-process packet.\n");
-		return -1;
-#else
-		/* ignore the error and keep phase 1 handler */
-		return 0;
-#endif
+
+		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"failed to pre-process packet.\n");
+			return -1;
+		} else {
+			/* ignore the error and keep phase 1 handler */
+			return 0;
+		}
 	}
 
 #ifndef ENABLE_FRAG
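
Review bot: the new else branch at the end of the hunk still returns 0 without logging anything, so a pre-processing failure in any state other than RESPONDER/PHASE1ST_START leaves no trace and the handler is kept; consider a plog() call at a lower level there so that repeated failures against an established or initiator-side handler are visible to the operator. The comment also says the responder "must not keep phase 1 handler", but the hunk only does "return -1"; the actual removal is left to the caller of ph1_main(), which is not shown here, so it would help to say in the comment that -1 is what makes the caller delete the handler. Finally, the lines that replaced "#if 0" and "#endif" are now empty "+" lines inside the if block and can be dropped.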



--- End Message ---
--- Begin Message ---
Source: ipsec-tools
Source-Version: 1:0.7.1-1.2

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive:

ipsec-tools_0.7.1-1.2.diff.gz
  to pool/main/i/ipsec-tools/ipsec-tools_0.7.1-1.2.diff.gz
ipsec-tools_0.7.1-1.2.dsc
  to pool/main/i/ipsec-tools/ipsec-tools_0.7.1-1.2.dsc
ipsec-tools_0.7.1-1.2_amd64.deb
  to pool/main/i/ipsec-tools/ipsec-tools_0.7.1-1.2_amd64.deb
racoon_0.7.1-1.2_amd64.deb
  to pool/main/i/ipsec-tools/racoon_0.7.1-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Oct 2008 14:22:25 +0200
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.7.1-1.2
Distribution: unstable
Urgency: high
Maintainer: Ganesan Rajagopal <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 ipsec-tools - IPsec tools for Linux
 racoon     - IPsec IKE keying daemon
Closes: 501026
Changes: 
 ipsec-tools (1:0.7.1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream patch to remove orphaned phase 1 handles that were
     initiated remotely if an invalid first exchange was received
     which may lead to a denial of service attack
     (CVE-2008-3652; Closes: #501026).




--- End Message ---
