-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0499
                        strongswan security update
                               15 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 6
                   Linux variants
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2338  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2903

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running strongswan check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2903-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
April 14, 2014                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2014-2338

An authentication bypass vulnerability was found in charon, the daemon
handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine
handling the security association (IKE_SA) handled some state transitions
incorrectly.

An attacker can trigger the vulnerability by rekeying an unestablished
IKE_SA during the initiation itself. This will trick the IKE_SA state to
'established' without the need to provide any valid credential.

Vulnerable setups include those actively initiating IKEv2 IKE_SA (like
”clients” or “roadwarriors”) but also during re-authentication (which
can be initiated by the responder). Installations using IKEv1 (pluto
daemon in strongSwan 4 and earlier, and IKEv1 code in charon 5.x) is not
affected.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.5.

For the stable distribution (wheezy), this problem has been fixed in
version 4.5.2-1.5+deb7u3.

For the unstable distribution (sid), this problem has been fixed in
version 5.1.2-4.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org




- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTS/gCAAoJEBDCk7bDfE42CIMP/jpDobbJt9pO+N6SQY1BKfrn
MT1Aly9sb7o4Fz1DbOBJjJ60oXz7aFXSndOyc55DdTNInanXC3sWMfbV31kseiq+
wgRk6zAAgOaxs/uStorK3b8JYQN5NIVDmdd0BCkD5Oo3PGkr1YQyanXtraez7O4e
ba3wJYxEuXq7wt/0Y/bt77nAf//tHaJ3vJB0LWXy717E6f3isS+1xMlZLmCu9nAS
TMvCrW8XAOmPTJ3PF3AlSnRc+omYRpw3rJcIhS4pC3VA6Y1uYhTnRV3Oy81Y3PgR
lEt3m7YNiGbLu+eqN2bb3lRR1Erdl7XAE/WZPcKb8MetC9gQK+gjSmgXcwa49QFh
CuUk6rQJzYRoh78FL9LqYPxQNtow+4hPvURVB/wXHTP3ipPvN1/0OmBJU5wlepDF
2d+JZTLov187Rb0yTZG0+TlKykiJiea6r9ZdAYMUOebXtyaaGHQeEwNNlky0RT1k
Zf+ptoNPyLQQO3lq03nGlon5nwV1ytM61Hksj9v3cBu9RT2D6mIvzUlpAgdgfwnD
UgrePI88J68Layvj/SplVTaq1JtaA3dXZwnLfFBjB859eGSWpbrcn4UFiPkVMIOL
ORNv929NhmGONI913Hxkcb96vPJrqorEWKnsm70NyqI8A/oQonnTqhtXXJwh4S2f
em1AIItBX/UdJfKHZ+UA
=EdFc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU0x/LBLndAQH1ShLAQIsPBAAk4t8qK9ClvpD6rH8hb+ln6EtYr7W1EZC
HVHXeK18e9uMvXIkIvUFTl1GJ7JCHfaDzkGCEqA8GBYVdRCsQGExsFVX9nndO9pB
uxM3u9MNnMErAXqphQuxiZU9SV2d0yk7oPgp1tur/F2sxt68u2u35RPtU0LJzugK
C2j0FZhESIVYEzhdiVRwXmzvS5cmidRO1feOaSUw3law6kxwrBkCwJ9IiXGhOdxh
Y6BF4awHJp4veLrvyKYq19DBJcyF0SANWwtdfYpNwwF2a4TlmlNifwDi4bu4smCn
xKn6T2jSzx41GRLHMDGmof/6PzS6xKOn8ixWFykDCD6lkBLbyEbbISbUTQQ0aXMe
o5aR7mMUqt44VBItcZnG0q2MgIDnLRwbGl/u4rvn84xs3I7dtYLEmYT72/IJelVk
2Jbm06rTQucmpnbp8ZkkVMLaiyLn860RYLYaKzYg7pHqd/g4wariq02Ghrw5VnJw
I0tLw1CMgF1JfwDyBuMD/lh0iHaiQBAeWMHflIyvKYyNua9DCfwmG3qgSJZuZ7Or
HVTfToAt2VMHu86vPmBK07teMctkY3PKZlMF5Li11LTYzCJ0PuREHgS5vnvFzgFj
h6d4ed8mT48feL8spsGVdbxVlM1VQl4uELAcJ2ykIuYrhS+xGuWQ3Cpnmg9+itd/
+SExJZ0+u1U=
=0U1R
-----END PGP SIGNATURE-----