Bug 566130 (CVE-2015-8023) - <net-misc/strongswan-5.3.4: Authentication bypass in eap-mschapv2 plugin (CVE-2015-8023)
Status: RESOLVED FIXED
Alias: CVE-2015-8023
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa/cve]
Reported: 2015-11-18 14:33 UTC by Agostino Sarubbo
Modified: 2015-12-31 01:33 UTC
Description Agostino Sarubbo gentoo-dev 2015-11-18 14:33:39 UTC
From ${URL} :

A vulnerability in the eap-mschapv2 plugin allows a malicious client to trick the server into 
successfully concluding the authentication without providing valid credentials. The problem is 
caused by insufficient verification of the local state in the server implementation of the 
EAP-MSCHAPv2 protocol. In fact, the client can simply send the last message in the EAP-MSCHAPv2 
protocol (an empty Success message) as response to the server's initial Challenge message to pass 
the authentication successfully. Affected are IKEv2 connections that use EAP-MSCHAPv2 to 
authenticate clients via the eap-mschapv2 plugin. Affected are all strongswan versions 4.2.12, up to 
and including 5.3.3.

Upstream patch:

https://download.strongswan.org/security/CVE-2015-8023/

External reference:

https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
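
A simplified model of the server-side state check described in the report, added here as an illustration; it is not strongSwan's code or the upstream patch. The opcode values are the MS-CHAPv2 ones; the state names, the `strict` switch and the fixed-token credential check are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* MS-CHAPv2 OpCode values (RFC 2759); every other name here is hypothetical. */
enum opcode { OP_CHALLENGE = 1, OP_RESPONSE = 2, OP_SUCCESS = 3, OP_FAILURE = 4 };

/* Server-side progress through the exchange (a model, not strongSwan's types). */
enum srv_state { S_CHALLENGE_SENT, S_SUCCESS_SENT, S_DONE, S_FAILED };

struct server { enum srv_state state; bool strict; };

/* Stand-in for the NT-Response check: the constructed demo accepts one token. */
static bool verify_response(int token) { return token == 42; }

/* Process one client message; returns true once authentication is concluded. */
bool server_process(struct server *s, enum opcode op, int token)
{
    switch (op) {
    case OP_RESPONSE:
        if (s->state == S_CHALLENGE_SENT && verify_response(token)) {
            s->state = S_SUCCESS_SENT;  /* server now sends its Success request */
            return false;
        }
        break;
    case OP_SUCCESS:
        /* Without the state check (strict == false) the empty Success is
         * accepted even though no Response was ever verified. */
        if (!s->strict || s->state == S_SUCCESS_SENT) {
            s->state = S_DONE;
            return true;
        }
        break;
    default:
        break;
    }
    s->state = S_FAILED;
    return false;
}

/* Replay a constructed client message sequence against a fresh server. */
bool run(bool strict, const enum opcode *ops, const int *tokens, size_t n)
{
    struct server s = { S_CHALLENGE_SENT, strict };
    bool ok = false;
    for (size_t i = 0; i < n && !ok && s.state != S_FAILED; i++)
        ok = server_process(&s, ops[i], tokens[i]);
    return ok;
}

int main(void)
{
    enum opcode skip[] = { OP_SUCCESS }; int none[] = { 0 };
    printf("no state check: %d, state check: %d\n",
           run(false, skip, none, 1), run(true, skip, none, 1));
    return 0;
}
```
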
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-11-18 18:23:48 UTC
Do go ahead and stabilize 5.3.4 :-)

Thanks.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-18 22:13:57 UTC
net-misc/strongswan-5.3.4

Arches, please test and mark stable:

=net-misc/strongswan-5.3.4

Target Keywords : "amd64 arm ppc x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-19 10:45:21 UTC
amd64 stable
Comment 4 Markus Meier gentoo-dev 2015-11-21 14:37:53 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-07 11:41:03 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-12-25 19:37:49 UTC
Old version removed.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 01:33:29 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No
Thank you all. Closing as noglsa.