-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0416
                         openswan security update
                               1 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6466 CVE-2013-2053

Reference:         ESB-2014.0206
                   ESB-2013.0696

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2893

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2893-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
March 31, 2014                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openswan
CVE ID         : CVE-2013-2053 CVE-2013-6466

Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation
for Linux.

CVE-2013-2053

    During an audit of Libreswan (with which Openswan shares some code),
    Florian Weimer found a remote buffer overflow in the atodn() function.
    This vulnerability can be triggered when Opportunistic Encryption (OE)
    is enabled and an attacker controls the PTR record of a peer IP
    address. Authentication is not needed to trigger the vulnerability.

CVE-2013-6466

    Iustina Melinte found a vulnerability in Libreswan which also applies
    to the Openswan code. By carefully crafting IKEv2 packets, an attacker
    can make the pluto daemon dereference a non-received IKEv2 payload,
    leading to a daemon crash. Authentication is not needed to trigger
    the vulnerability.

Patches were originally written to fix the vulnerabilities in Libreswan,
and have been ported to Openswan by Paul Wouters from the Libreswan
Project.

Since the Openswan package is not maintained anymore in the Debian
distribution and is not available in testing and unstable suites, it is
recommended for IKE/IPsec users to switch to a supported implementation
like strongSwan.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2.6.28+dfsg-5+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 2.6.37-3.1.

We recommend that you upgrade your openswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBCgAGBQJTOcluAAoJEG3bU/KmdcClu7UH/07J/Vlqb3Ulnmlm2ZROyx3Q
2xALBLd5+0fBULBwMZ0A3y1elO+thmzFEL6R/7hsVJKqIMQWsWsn/Ahz0/HAOhkk
2YNnunJkZiyRI9J++9dli6dkbhLKBi53pkgzRzITu8ecJQ7Rt842bD79SvT40foh
CK+l7Y8DIWao0JG8HXwNFn49KGHjz/4ZXmuDi+nRX0AalJlV7LG9N9jgnYIYjVTs
+meQemBgffTyFCd3zW/ydq0K77+3z6EqprH4xVGsxGgu0Uu4Jk0GsAqYMRoETeRh
Nvd1vOTSAMsVFUUpH2FgJkXdDQCtDzRiYFgItUVLWcWoDYrjXgChpdOGI8R0Wv0=
=js6B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUzoKNxLndAQH1ShLAQLN8g//RkKx+HpNzzApfJtT1reucBbhoF6lWDg8
CtWb0dLlW2wOd2D7pj1ySGLgNDqJSDzmCW3XBX0BWJKFgzVdclsNB/6ZOmki5p7U
Y8rr4Qyn+EbpVyPnflV4GdPphX5kzt401GcXrFW/2y9IVLONHnBk/8ygAJGvSK5N
8iIMnrcDqFvxMTR+zWCx3dZse8gGcVFBoHmoxjqlWwUzCa4DFiDc0Bw4fTL2b6RD
eVboa08sfbeYj+ogypNE2dW+LLr71JSirPEkn7WeZioMcCIdC7X+zErDg7He+W6i
Yy8uLtUTe3I598TWQQbgDWtyL4EUDFSpR8NRiNHCyrDsr5uoX/MyYV7Q9YWM/CAB
tyOxdqQxV7I+JNCttRq3btEolmbTQcrQa4z9bBDJCyB1CZD7i5WXZoyGavsRtv+p
4rgrWBYFfIBiHEvNG2OhuBLAJFNutB1JMa0KSLaoR4baViSvse30jLYiJSUIplkt
U01nNV86VmOgIT3k77n1+oZ8pcNrpP5jKMFp2wS1jqtT3roY21Q6FIn/Ju/hh5yR
bjnStYSRnRvuXh3DRckCXBYlUZOVWO1FnNFOEAM25SCerLdzy1PXY7rPiOWJZ1+T
OoQt4VvYEaQlRVyW8RYT69Ws7kL1MFbG96r4A8nZ89Lvn8saRq6vNyb7Ezur4IlV
EzbwKbQDzgg=
=EyCG
-----END PGP SIGNATURE-----
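The advisory above names the fixed openswan versions per suite (2.6.28+dfsg-5+squeeze2 for squeeze, 2.6.37-3.1 for wheezy). Deciding whether an installed package is at or above one of them is a Debian version comparison, not a string comparison: epochs take precedence, digit runs compare numerically and "~" sorts before the empty string, so a backport such as 3.1~bpo70+1 is older than 3.1. The following is an added example, not part of the AusCERT bulletin or of Debian's tooling. It reimplements dpkg's version ordering in Python and checks a version string against the advisory's fixed versions; the function names and the sample versions in the test are constructed for illustration. On a Debian host, dpkg --compare-versions performs the same comparison natively.

```python
"""Check an installed openswan version against the DSA-2893-1 fixed versions.

Added example (not from the advisory). Implements the Debian package
version ordering used by dpkg so that suffixes such as "+squeeze2",
"~bpo" and epochs compare correctly.
"""
import subprocess
import sys

# Fixed versions stated in DSA-2893-1 (taken from the advisory text).
FIXED_VERSIONS = {
    "squeeze": "2.6.28+dfsg-5+squeeze2",
    "wheezy": "2.6.37-3.1",
}


def _order(c):
    """dpkg's character weight for the non-digit runs of a version."""
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    if c == "":
        return 0            # end of string
    if c.isalpha():
        return ord(c)       # letters sort before other punctuation
    return ord(c) + 256     # '.', '+', etc. sort after letters


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): returns <0, 0 or >0.

    Alternates between non-digit runs (compared with _order) and digit runs
    (compared numerically, leading zeros ignored).
    """
    while a or b:
        # Non-digit run: compare character by character with dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then compare numerically.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1        # a has more digits left, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:        # no hyphen: rpartition left everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


def is_fixed(installed, suite):
    """True when `installed` is at or above the DSA-2893-1 fixed version for suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def installed_openswan_version():
    """Ask dpkg for the installed version; None if not a dpkg host or not installed."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "openswan"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "wheezy"   # constructed default
    version = installed_openswan_version()
    if version is None:
        print("openswan is not installed (or this is not a dpkg system)")
    else:
        state = "fixed" if is_fixed(version, suite) else "VULNERABLE"
        print(f"openswan {version} on {suite}: {state}")
```

The comparison is only meaningful within the suite the host runs; a wheezy package is not judged against the squeeze fixed version. Since the advisory notes that openswan is no longer maintained in Debian, a "fixed" result covers only these two CVEs, and the migration to strongSwan it recommends remains the durable fix.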