Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0499 strongswan security update 15 April 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: strongswan Publisher: Debian Operating System: Debian GNU/Linux 7 Debian GNU/Linux 6 Linux variants Impact/Access: Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-2338 Original Bulletin: http://www.debian.org/security/2014/dsa-2903 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running strongswan check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2903-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez April 14, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : strongswan CVE ID : CVE-2014-2338 An authentication bypass vulnerability was found in charon, the daemon handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine handling the security association (IKE_SA) handled some state transitions incorrectly. An attacker can trigger the vulnerability by rekeying an unestablished IKE_SA during the initiation itself. This will trick the IKE_SA state to 'established' without the need to provide any valid credential. Vulnerable setups include those actively initiating IKEv2 IKE_SA (like â€Âclients†or “roadwarriorsâ€Â) but also during re-authentication (which can be initiated by the responder). Installations using IKEv1 (pluto daemon in strongSwan 4 and earlier, and IKEv1 code in charon 5.x) is not affected. For the oldstable distribution (squeeze), this problem has been fixed in version 4.4.1-5.5. For the stable distribution (wheezy), this problem has been fixed in version 4.5.2-1.5+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 5.1.2-4. We recommend that you upgrade your strongswan packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTS/gCAAoJEBDCk7bDfE42CIMP/jpDobbJt9pO+N6SQY1BKfrn MT1Aly9sb7o4Fz1DbOBJjJ60oXz7aFXSndOyc55DdTNInanXC3sWMfbV31kseiq+ wgRk6zAAgOaxs/uStorK3b8JYQN5NIVDmdd0BCkD5Oo3PGkr1YQyanXtraez7O4e ba3wJYxEuXq7wt/0Y/bt77nAf//tHaJ3vJB0LWXy717E6f3isS+1xMlZLmCu9nAS TMvCrW8XAOmPTJ3PF3AlSnRc+omYRpw3rJcIhS4pC3VA6Y1uYhTnRV3Oy81Y3PgR lEt3m7YNiGbLu+eqN2bb3lRR1Erdl7XAE/WZPcKb8MetC9gQK+gjSmgXcwa49QFh CuUk6rQJzYRoh78FL9LqYPxQNtow+4hPvURVB/wXHTP3ipPvN1/0OmBJU5wlepDF 2d+JZTLov187Rb0yTZG0+TlKykiJiea6r9ZdAYMUOebXtyaaGHQeEwNNlky0RT1k Zf+ptoNPyLQQO3lq03nGlon5nwV1ytM61Hksj9v3cBu9RT2D6mIvzUlpAgdgfwnD UgrePI88J68Layvj/SplVTaq1JtaA3dXZwnLfFBjB859eGSWpbrcn4UFiPkVMIOL ORNv929NhmGONI913Hxkcb96vPJrqorEWKnsm70NyqI8A/oQonnTqhtXXJwh4S2f em1AIItBX/UdJfKHZ+UA =EdFc - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU0x/LBLndAQH1ShLAQIsPBAAk4t8qK9ClvpD6rH8hb+ln6EtYr7W1EZC HVHXeK18e9uMvXIkIvUFTl1GJ7JCHfaDzkGCEqA8GBYVdRCsQGExsFVX9nndO9pB uxM3u9MNnMErAXqphQuxiZU9SV2d0yk7oPgp1tur/F2sxt68u2u35RPtU0LJzugK C2j0FZhESIVYEzhdiVRwXmzvS5cmidRO1feOaSUw3law6kxwrBkCwJ9IiXGhOdxh Y6BF4awHJp4veLrvyKYq19DBJcyF0SANWwtdfYpNwwF2a4TlmlNifwDi4bu4smCn xKn6T2jSzx41GRLHMDGmof/6PzS6xKOn8ixWFykDCD6lkBLbyEbbISbUTQQ0aXMe o5aR7mMUqt44VBItcZnG0q2MgIDnLRwbGl/u4rvn84xs3I7dtYLEmYT72/IJelVk 2Jbm06rTQucmpnbp8ZkkVMLaiyLn860RYLYaKzYg7pHqd/g4wariq02Ghrw5VnJw I0tLw1CMgF1JfwDyBuMD/lh0iHaiQBAeWMHflIyvKYyNua9DCfwmG3qgSJZuZ7Or HVTfToAt2VMHu86vPmBK07teMctkY3PKZlMF5Li11LTYzCJ0PuREHgS5vnvFzgFj h6d4ed8mT48feL8spsGVdbxVlM1VQl4uELAcJ2ykIuYrhS+xGuWQ3Cpnmg9+itd/ +SExJZ0+u1U= =0U1R -----END PGP SIGNATURE-----