Your message dated Sun, 19 Apr 2009 18:57:32 +0000
with message-id <e1lvccq-0002d5...@ries.debian.org>
and subject line Bug#521950: fixed in strongswan 4.2.14-1
has caused the Debian Bug report #521950,
regarding CVE-2009-0790: DoS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
521950: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: strongswan
Severity: grave
Tags: security, patch
Hi
>From the DSA:
Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an
IPSec implementation for linux, is prone to a denial of service attack
via a malicious packet.
Please consider including the patch, I've attached the debdiff for
stable.
Cheers
Steffen
diff -u strongswan-4.2.4/debian/changelog strongswan-4.2.4/debian/changelog
--- strongswan-4.2.4/debian/changelog
+++ strongswan-4.2.4/debian/changelog
@@ -1,3 +1,11 @@
+strongswan (4.2.4-5+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+ Fixes: CVE-2009-0790
+
+ -- Steffen Joeris <wh...@debian.org> Tue, 24 Mar 2009 12:31:39 +0000
+
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
diff -u strongswan-4.2.4/debian/patches/00list strongswan-4.2.4/debian/patches/00list
--- strongswan-4.2.4/debian/patches/00list
+++ strongswan-4.2.4/debian/patches/00list
@@ -1,0 +2 @@
+02-CVE-2009-0790.dpatch
only in patch2:
unchanged:
--- strongswan-4.2.4.orig/debian/patches/02-CVE-2009-0790.dpatch
+++ strongswan-4.2.4/debian/patches/02-CVE-2009-0790.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+...@dpatch@
+diff -urN strongswan-4.2.13/src/pluto/ipsec_doi.c strongswan-4.2.13-patched/src/pluto/ipsec_doi.c
+--- strongswan-4.2.13/src/pluto/ipsec_doi.c 2009-03-21 09:41:49.000000000 +0100
++++ strongswan-4.2.4/src/pluto/ipsec_doi.c 2009-03-21 09:50:06.000000000 +0100
+@@ -5446,9 +5446,9 @@
+ time_t tm = now();
+ u_int32_t seqno;
+
+- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+- loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
++ loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
+ return STF_IGNORE;
+ }
+ if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
+@@ -5516,10 +5516,10 @@
+ {
+ u_int32_t seqno;
+
+- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS
+- , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
++ , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
+ return STF_FAIL;
+ }
+
--- End Message ---
--- Begin Message ---
Source: strongswan
Source-Version: 4.2.14-1
We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:
libstrongswan_4.2.14-1_amd64.deb
to pool/main/s/strongswan/libstrongswan_4.2.14-1_amd64.deb
strongswan-ikev1_4.2.14-1_amd64.deb
to pool/main/s/strongswan/strongswan-ikev1_4.2.14-1_amd64.deb
strongswan-ikev2_4.2.14-1_amd64.deb
to pool/main/s/strongswan/strongswan-ikev2_4.2.14-1_amd64.deb
strongswan-nm_4.2.14-1_amd64.deb
to pool/main/s/strongswan/strongswan-nm_4.2.14-1_amd64.deb
strongswan-starter_4.2.14-1_amd64.deb
to pool/main/s/strongswan/strongswan-starter_4.2.14-1_amd64.deb
strongswan_4.2.14-1.diff.gz
to pool/main/s/strongswan/strongswan_4.2.14-1.diff.gz
strongswan_4.2.14-1.dsc
to pool/main/s/strongswan/strongswan_4.2.14-1.dsc
strongswan_4.2.14.orig.tar.gz
to pool/main/s/strongswan/strongswan_4.2.14.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 521...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rene Mayrhofer <rm...@debian.org> (supplier of updated strongswan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 01 Apr 2009 22:17:52 +0200
Source: strongswan
Binary: strongswan libstrongswan strongswan-starter strongswan-ikev1
strongswan-ikev2 strongswan-nm
Architecture: source amd64
Version: 4.2.14-1
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <rm...@debian.org>
Changed-By: Rene Mayrhofer <rm...@debian.org>
Description:
libstrongswan - strongSwan utility and crypto library
strongswan - IPsec VPN solution metapackage
strongswan-ikev1 - strongSwan IKEv1 keying daemon
strongswan-ikev2 - strongSwan IKEv2 keying daemon
strongswan-nm - strongSwan plugin to interact with NetworkManager
strongswan-starter - strongSwan daemon starter and configuration file parser
Closes: 521950
Changes:
strongswan (4.2.14-1) unstable; urgency=low
.
* New upstream release, which incorporates the fix. Removed dpatch for it.
Closes: #521950: CVE-2009-0790: DoS
* New support for EAP RADIUS authentication, enabled for this package.
Checksums-Sha1:
e7a1f6a4ff290d6561d645ad671c88beeae12de7 1494 strongswan_4.2.14-1.dsc
d230d57747cd63bd1f14f24d97d4e98131e5051f 3618687 strongswan_4.2.14.orig.tar.gz
d102fda9359a5812f276ff64ef70bde281cb2798 59320 strongswan_4.2.14-1.diff.gz
aedb317d7c60dee6f93d02db457f1be6bb15c119 172838
libstrongswan_4.2.14-1_amd64.deb
8084c1ce5b8e3c0cf5247e0ad10cb4e0314156fb 307076
strongswan-starter_4.2.14-1_amd64.deb
efbf79a810b7498f7f440743504fd648689e9e0e 440362
strongswan-ikev1_4.2.14-1_amd64.deb
914654b5de5836e5e738effa6bad7f50889eae68 253048
strongswan-ikev2_4.2.14-1_amd64.deb
c8b38c98386c4aaee30b785a171c39b18b9533d7 41692 strongswan-nm_4.2.14-1_amd64.deb
Checksums-Sha256:
ba1c3661bb45574d2f268eb3259440c18ae332fbdec7c30ea47eeca68f795753 1494
strongswan_4.2.14-1.dsc
311004a530d205b744354bad51f347676105236a535b95731362b84c2e6bc5bf 3618687
strongswan_4.2.14.orig.tar.gz
dea57db2e35632fadf62a0fb388a8966cae9b0feaf62cb5d912b748707a8bb0a 59320
strongswan_4.2.14-1.diff.gz
abc178eef76a05885b52dd0039360380610de79604b2db8b828c113bcbb36d60 172838
libstrongswan_4.2.14-1_amd64.deb
d1d9824bde81f0cb5ff74055f65ce23210e6a8f348e962b36742bae3376ccbdd 307076
strongswan-starter_4.2.14-1_amd64.deb
74688fee285aef05d08aade206ba2cf1f85dc2d085dc358552babe15c2345eee 440362
strongswan-ikev1_4.2.14-1_amd64.deb
06cf90fcc31f4d3c3b48c414221afda711d6e8f40afacb2a95cb695bf58330e9 253048
strongswan-ikev2_4.2.14-1_amd64.deb
f12069dcdcdfa49e02c60d71541f6884186f36107106f2b3e59a017646cb8711 41692
strongswan-nm_4.2.14-1_amd64.deb
Files:
efa4e9f266c83c622478ce47a4b9a7b1 1494 net optional strongswan_4.2.14-1.dsc
4a3521b48784a22b6a84afa8edcd3a7f 3618687 net optional
strongswan_4.2.14.orig.tar.gz
a79efb87287989aaab01c169aeb15cc2 59320 net optional strongswan_4.2.14-1.diff.gz
35d4dd8a332c2de6f5da9e151ac2b781 172838 net optional
libstrongswan_4.2.14-1_amd64.deb
aa7909f3b3d16269ca974d0763563ee4 307076 net optional
strongswan-starter_4.2.14-1_amd64.deb
b164b9b74d7da63adbd7f45b861fb4b3 440362 net optional
strongswan-ikev1_4.2.14-1_amd64.deb
21f75ce3a6654b622de30e0d40e804e7 253048 net optional
strongswan-ikev2_4.2.14-1_amd64.deb
e2fc617b92705c9742638bc80720fa98 41692 net optional
strongswan-nm_4.2.14-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkneDpEACgkQq7SPDcPCS95+/gCg24QEU0sblihAKHGwYLSDPwyi
8m4AoMzNG5iF/e/HeBauPMJ7IFBMsl5t
=P0QD
-----END PGP SIGNATURE-----
--- End Message ---
