===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2907
            [SECURITY] [DLA 1522-1] strongswan security update
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16152 CVE-2018-16151

Reference:         ESB-2018.2901
                   ESB-2018.2864

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : strongswan
Version        : 5.2.1-6+deb8u7
CVE ID         : CVE-2018-16151 CVE-2018-16152

Sze Yiu Chau and his team from Purdue University and The University of Iowa
found several security issues in the gmp plugin for strongSwan, an IKE/IPsec
suite.

CVE-2018-16151

    The OID parser in the ASN.1 code in gmp allows any number of random
    bytes after a valid OID.

CVE-2018-16152

    The algorithmIdentifier parser in the ASN.1 code in gmp doesn't
    enforce a NULL value for the optional parameter which is not used
    with any PKCS#1 algorithm.

For Debian 8 "Jessie", these problems have been fixed in version
5.2.1-6+deb8u7.

We recommend that you upgrade your strongswan packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
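A strict check for the two conditions named in CVE-2018-16151 and CVE-2018-16152, added here as an illustration; it is not strongSwan's code and not part of the Debian or AusCERT text. The function and constant names are hypothetical, SHA-256 is chosen as the example algorithm, the byte strings are constructed samples, and only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for this illustrative checker (names are hypothetical). */
enum algid_result { ALGID_OK, ALGID_MALFORMED, ALGID_BAD_OID,
                    ALGID_BAD_PARAMS, ALGID_TRAILING };

/* DER content bytes of id-sha256 (2.16.840.1.101.3.4.2.1). */
static const uint8_t OID_SHA256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};

/* Constructed sample inputs: a correct AlgorithmIdentifier, one whose OID
 * carries two extra bytes, and one whose parameters are not NULL. */
const uint8_t GOOD[] = {0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                        0x03,0x04,0x02,0x01,0x05,0x00};
const uint8_t LONG_OID[] = {0x30,0x0f,0x06,0x0b,0x60,0x86,0x48,0x01,0x65,
                            0x03,0x04,0x02,0x01,0xaa,0xbb,0x05,0x00};
const uint8_t NON_NULL_PARAMS[] = {0x30,0x0f,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                                   0x03,0x04,0x02,0x01,0x04,0x02,0xaa,0xbb};

/* Read a short-form DER header with the expected tag; 0 on failure. */
static int read_tlv(const uint8_t *b, size_t len, size_t *pos, uint8_t tag, size_t *vlen)
{
    if (len - *pos < 2 || b[*pos] != tag || b[*pos + 1] >= 0x80)
        return 0;
    *vlen = b[*pos + 1];
    *pos += 2;
    return *vlen <= len - *pos;
}

/* Accept only SEQUENCE { id-sha256, NULL } with no bytes left over. */
enum algid_result check_sha256_algid(const uint8_t *b, size_t len)
{
    size_t pos = 0, seq_len, oid_len, par_len;
    if (!read_tlv(b, len, &pos, 0x30, &seq_len))
        return ALGID_MALFORMED;
    if (seq_len != len - pos)                 /* data after the SEQUENCE */
        return ALGID_TRAILING;
    if (!read_tlv(b, len, &pos, 0x06, &oid_len))
        return ALGID_MALFORMED;
    /* Check length as well as content: a prefix match accepts extra bytes. */
    if (oid_len != sizeof(OID_SHA256) || memcmp(b + pos, OID_SHA256, oid_len))
        return ALGID_BAD_OID;
    pos += oid_len;
    /* Parameters must be present and exactly NULL (05 00). */
    if (!read_tlv(b, len, &pos, 0x05, &par_len) || par_len != 0)
        return ALGID_BAD_PARAMS;
    return pos == len ? ALGID_OK : ALGID_TRAILING;
}
```

Rejecting absent parameters as well as non-NULL ones is a policy choice made for this example.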