112568 2005-11-14 18:30 0000 net-misc/openswan Multiple Vulnerability Issues in Implementation of ISAKMP Protocol 2005-12-12 06:55:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.niscc.gov.uk/niscc/docs/br-20051114-01013.html B3 [glsa] jaervosz P2 minor --- 1 pfeifer@gentoo.org security@gentoo.org mlspamcb@noci.xs4all.nl pfeifer@gentoo.org pfeifer@gentoo.org 2005-11-14 18:30:39 0000 New bug affecting at least one ipsec product offered by Gentoo Reproducible: Always Steps to Reproduce: 1. 2. 3. pfeifer@gentoo.org 2005-11-14 18:33:48 0000 openswan-1.x is not vulnerable. openswan-2.4.1 and earlier are. I am testing an openswan-2.4.2 ebuild and will upload shortly. Reference: http://lists.openswan.org/pipermail/dev/2005-November/001121.html pfeifer@gentoo.org 2005-11-14 18:35:03 0000 strongswan is not vulnerable. Reference: http://lists.strongswan.org/pipermail/users/2005-November/001191.html pfeifer@gentoo.org 2005-11-14 19:16:02 0000 ok, openswan-2.4.2 is in portage. need to get 2.4.2 stable on amd64 (i have hardware) then i will remove 2.2.0 and mark 2.4.2 stable on x86 and amd64. anyone on the amd64 team want to test as well? all revisions of openswan are ~ppc so leaving that way. however, getting ppc team member to test would be great as my ppc hardware is no longer running linux. pfeifer@gentoo.org 2005-11-14 19:35:47 0000 ok, just for those who may test, i am working on an openswan-2.4.3 ebuild as there was an assert found when using a PSK+ID in aggressive mode. Just got the info from kenb with xelerence and downloaded the new tarball. i'll put a note here when it is in portage. pfeifer@gentoo.org 2005-11-14 20:13:36 0000 openswan-2.4.3 is in portage. jaervosz@gentoo.org 2005-11-14 22:42:08 0000 Arches please test and mark stable. jaervosz@gentoo.org 2005-11-15 00:46:41 0000 Readding amd64. mlspamcb@noci.xs4all.nl 2005-11-15 15:59:13 0000 Is there is reason the KLIPS engine cannot be selected for 2.6? (IMHO) The KLIPS engine has some advantages when builing netfilter rules. halcy0n@gentoo.org 2005-11-15 22:01:32 0000 Hopefully I'm not alone here, but could someone tell me how I can test this on x86 to make sure it is not broken? Upstream's wiki appears to be down. pfeifer@gentoo.org 2005-11-16 10:08:06 0000 Mark - i have already tested some on x86, but there are a number of scenarios. You can look here: http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel for some info. If you need further help, just find me on IRC. Jay pfeifer@gentoo.org 2005-11-17 11:18:32 0000 *sigh*... openswan-2.4.4 is on it's way (as per kenb from xelerance). it has more ddos fixes. i will post an update once it is released and i test/commit it to portage. jaervosz@gentoo.org 2005-11-20 04:19:50 0000 Back to upstream waiting for 2.4.4 koon@gentoo.org 2005-11-25 04:34:26 0000 2005-11-18 : Xelerance has released Openswan 2.4.4 that fixes the secound vulnerability found by the NISCC Advisory 3756/NISCC/ISAKMP. See http://www.openswan.org/niscc2/ and bump. pfeifer@gentoo.org 2005-11-27 23:51:37 0000 2.4.4 is now in portage. Unless we get a huge bug report, I plan on marking this stable on x86/amd64 and getting rid of 2.2.0 in 24 hours. koon@gentoo.org 2005-11-29 02:36:10 0000 maintainer / x86 / amd64 teams: please mark 2.4.4 stable (if stable :) ) pfeifer@gentoo.org 2005-11-29 06:50:23 0000 openswan-2.4.4 is now marked stable on x86 and amd64. koon@gentoo.org 2005-11-29 07:00:08 0000 Ready for GLSA vote. I tend to vote yes, due to the original issue (3DES crafted packet with invalid keylength) rather than the additional lame ones (DoS if PSK known and aggressive mode enabled, already vulnerable to MiM anyway)... dercorny@gentoo.org 2005-12-02 04:20:47 0000 I tend to say yes, too solar@gentoo.org 2005-12-02 04:36:11 0000 Yes please issue a GLSA dercorny@gentoo.org 2005-12-02 04:40:02 0000 k, this is ready for GLSA then. koon@gentoo.org 2005-12-12 06:55:02 0000 GLSA 200512-04