-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0510
                        strongswan security update
                                1 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Linux variants
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2388  

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2483

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running strongswan check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2483-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
May 31, 2012                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : strongswan
Vulnerability  : authentication bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2388

An authentication bypass issue was discovered by the Codenomicon CROSS
project in strongSwan, an IPsec-based VPN solution. When using
RSA-based setups, a missing check in the gmp plugin could allow an
attacker presenting a forged signature to successfully authenticate
against a strongSwan responder.

The default configuration in Debian does not use the gmp plugin for
RSA operations but rather the OpenSSL plugin, so the packages as
shipped by Debian are not vulnerable.

For the stable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.2.

For the testing distribution (wheezy), this problem has been fixed in
version 4.5.2-1.4.

For the unstable distribution (sid), this problem has been fixed in
version 4.5.2-1.4.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPx6vTAAoJEL97/wQC1SS+cFYIAIq65txOmBylguvyEIzgYsoa
EGLxDtKYf8lM78MKS1sSyoXocS9Yo3PkENEbVdcRuC8b+81+FDm+Y8VWOAoNQkwV
bzzvjDCmVKlzmmdOLBgc1On+kOpCGOL42khkIlHYiTI9qqlEmYaSpSm10h3sxzDU
xt3/1PAhPE9O8TX/Rl2au8ihLHLIV/45Ptt/QSMrErIuRInUqV4D0tNbU/M3Styf
jA9MjG2b6P+sY7CeOf22QKsBvgcmx/dvat2DzvXDcFQgq/FiG+FVuZ/AZkzh4z5u
xeQQiQUm1jreHNmAQ2UmLx/TUTRbj1xLfPReqLy/vDLgdTD2XyaoHhW38zMCNaY=
=cSz+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=hb39
-----END PGP SIGNATURE-----