-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1473
                        strongswan security update
                                9 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4171  

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3282

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running strongswan check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3282-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
June 08, 2015                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2015-4171

Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec
suite used to establish IPsec protected links.

When an IKEv2 client authenticates the server with certificates and the
client authenticates itself to the server using pre-shared key or EAP,
the constraints on the server certificate are only enforced by the
client after all authentication steps are completed successfully. A
rogue server which can authenticate using a valid certificate issued by
any CA trusted by the client could trick the user into continuing the
authentication, revealing the username and password digest (for EAP) or
even the cleartext password (if EAP-GTC is accepted).
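The ordering problem described above, as an added illustration that is not strongSwan code and not part of the advisory: a simplified model of the client side of an IKEv2 exchange in which the server authenticates with a certificate and the client with EAP. The CA names, identities and the `ClientConfig`/`ServerCert` types are constructed for the example. The vulnerable variant verifies only that the server certificate chains to a trusted CA before continuing with EAP, and applies the configured identity constraint after all rounds finish; the fixed variant applies the constraint before any credential leaves the client. The `credentials_sent` field is the quantity a defender cares about.

```python
from dataclasses import dataclass

# Added illustration (not strongSwan code): a simplified model of the client
# side of an IKEv2 exchange where the server authenticates with a certificate
# and the client authenticates with EAP. All names and values are constructed.


@dataclass(frozen=True)
class ServerCert:
    issuer: str   # CA that issued the certificate
    subject: str  # identity the certificate was issued to


@dataclass(frozen=True)
class ClientConfig:
    trusted_cas: frozenset     # CAs whose certificates the client accepts
    expected_server_id: str    # identity the client is configured to connect to


@dataclass
class Outcome:
    credentials_sent: bool  # did username/password material leave the client?
    result: str


def chains_to_trusted_ca(cert: ServerCert, cfg: ClientConfig) -> bool:
    """Stand-in for signature/chain validation of the server's AUTH payload."""
    return cert.issuer in cfg.trusted_cas


def satisfies_constraints(cert: ServerCert, cfg: ClientConfig) -> bool:
    """Stand-in for the configured identity constraint on the server certificate."""
    return cert.subject == cfg.expected_server_id


def vulnerable_client(cert: ServerCert, cfg: ClientConfig) -> Outcome:
    """Ordering described in the advisory: constraints enforced only at the end."""
    if not chains_to_trusted_ca(cert, cfg):
        return Outcome(False, "rejected: server certificate not from a trusted CA")
    # The client proceeds to EAP and sends its credentials to whoever holds the cert.
    credentials_sent = True
    # Constraints on the server certificate are enforced only after all rounds complete.
    if not satisfies_constraints(cert, cfg):
        return Outcome(credentials_sent,
                       "rejected: identity mismatch (after credentials were sent)")
    return Outcome(credentials_sent, "established")


def fixed_client(cert: ServerCert, cfg: ClientConfig) -> Outcome:
    """Corrected ordering: constraints enforced before the client authenticates."""
    if not chains_to_trusted_ca(cert, cfg):
        return Outcome(False, "rejected: server certificate not from a trusted CA")
    if not satisfies_constraints(cert, cfg):
        return Outcome(False, "rejected: identity mismatch (before any credential was sent)")
    return Outcome(True, "established")


# Constructed configuration and certificates.
CLIENT = ClientConfig(frozenset({"Example Corp CA", "Public CA"}), "vpn.example.com")
LEGIT = ServerCert("Example Corp CA", "vpn.example.com")
ROGUE = ServerCert("Public CA", "other.example.net")  # valid cert, wrong identity

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_client), ("fixed", fixed_client)):
        for label, cert in (("legit", LEGIT), ("rogue", ROGUE)):
            o = fn(cert, CLIENT)
            print(f"{name:10} {label:5} credentials_sent={o.credentials_sent}  {o.result}")
```

Both variants end up rejecting the rogue server; the difference is that the vulnerable ordering has already handed over the EAP credentials by the time it does so, which is why a connection that is ultimately refused can still amount to a credential disclosure.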

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.5.2-1.5+deb7u7.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.1-6+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 5.3.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.1-1.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- - -- 
Yves-Alexis Perez
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJVdao4AAoJEG3bU/KmdcCluZAH/0KIDlKhVrU58yZ2uqThY8IZ
+rYZDO1Liz4X5Ycx+vo+tM85DsqUYNQeTeBSKxpQX57XKF2KY09tVF08C1oXo8u6
JA3h9B4zsSBMm3210IQ4XQBQZSA5XnqRg4mTANihtdCZNhwrtskAcEiHwDqKtzkW
FNHNzLtduM9q7w8rApLYAYROKGjO2rR0YyEQ6iu55fnMoyhL8Qy9t5uwTOx+fGDS
8ai8lKMIGTtVXVYw/HrsYJA5hl88ndbbBAZzoJrPcxFiFFjBpawpWdhgPlf4kYRr
3GrsqJcwQvPSbQcOyxzGIFa08JJOGPwRx1M1HfkmZHI8RQQ8f/jp9ZsibXaFXPs=
=HOGE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVXYyJBLndAQH1ShLAQJpXA//WLithQGaWhyaGDzmZmaf6ZLrTFL+un4l
ewuZIfJo3gcOcxukDHUGPH2HWs371cKtRvNtvrfkNgsaFh2o+AGC+cn5d1IJWiVi
HvA1iH06/c74sF/7bwQZOC2p0ld2jPo03u32nxmgBW/fcq0sTt7WrlH4KA4BvvtO
CvspEyf3xAklD+jwNAchWsYiWNV9yX31SW8vgtS/e/Xt4k39pMT1D6GencrsIANw
Y34Ekg4dEP+rbFMalXoP42NUMBjbnEM0jFdEv1aFTik8O1/VhMdFT4enZjh99sRp
ia2QLORCv0UL/bnjKVysya4aE+rxaeAnhxFXWowFjGeLgtlOqBnW5NxUKpqPqD9l
Ll1kmpYZOpyehL4S0lMShhhoh4ULdWeHeiDNucQuivqqJeDDH4RBCPfQWx9XPhUj
zP1LWJdNHRKnAB1YvL0s9f16jdZCI9IKjeP9eYd1zIPr+ztbXmuJyoT6vb+GyiYf
/8R29eLS2tD/ApKahkPCg085PZWxn8q5yph4lbAFsvp8F4B3AlnoEMinN0K9qDsi
0ldjCMc9BvAllu/ZviHn4se+B9lCzf6XUH9EWU7HxdvtGq49UBHH8hcnV89DpVuK
2eohh/h096AMc14e1QPcswTHeGzYFk2PXO0+zPwSjQ4NjlukOyFVRG8OR+uIRyUW
0bA11occvPg=
=O9rZ
-----END PGP SIGNATURE-----