Bug 112568 - net-misc/openswan Multiple Vulnerability Issues in Implementation of ISAKMP Protocol
Bug#: 112568 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: pfeifer@gentoo.org
Component: Vulnerabilities
URL:  http://www.niscc.gov.uk/niscc/docs/br-20051114-01013.html
Summary: net-misc/openswan Multiple Vulnerability Issues in Implementation of ISAKMP Protocol
Keywords:  
Status Whiteboard: B3 [glsa] jaervosz
Opened: 2005-11-14 18:30 0000
Description:
New bug affecting at least one ipsec product offered by Gentoo

Reproducible: Always

------- Comment #1 From Jay Pfeifer (RETIRED) 2005-11-14 18:33:48 0000 -------
openswan-1.x is not vulnerable.
openswan-2.4.1 and earlier are.
I am testing an openswan-2.4.2 ebuild and will upload shortly.

Reference:
http://lists.openswan.org/pipermail/dev/2005-November/001121.html

------- Comment #2 From Jay Pfeifer (RETIRED) 2005-11-14 18:35:03 0000 -------
strongswan is not vulnerable.

Reference:
http://lists.strongswan.org/pipermail/users/2005-November/001191.html

------- Comment #3 From Jay Pfeifer (RETIRED) 2005-11-14 19:16:02 0000 -------
OK, openswan-2.4.2 is in portage. Need to get 2.4.2 stable on amd64 (I have
hardware), then I will remove 2.2.0 and mark 2.4.2 stable on x86 and amd64.
Anyone on the amd64 team want to test as well?

All revisions of openswan are ~ppc, so leaving it that way. However, getting a ppc
team member to test would be great, as my ppc hardware is no longer running Linux.

------- Comment #4 From Jay Pfeifer (RETIRED) 2005-11-14 19:35:47 0000 -------
OK, just for those who may test: I am working on an openswan-2.4.3 ebuild, as
there was an assert found when using a PSK+ID in aggressive mode. Just got the
info from kenb with Xelerance and downloaded the new tarball. I'll put a note
here when it is in portage.

------- Comment #5 From Jay Pfeifer (RETIRED) 2005-11-14 20:13:36 0000 -------
openswan-2.4.3 is in portage.

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-11-14 22:42:08 0000 -------
Arches please test and mark stable. 

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-11-15 00:46:41 0000 -------
Readding amd64. 

------- Comment #8 From Nico Baggus 2005-11-15 15:59:13 0000 -------
Is there a reason the KLIPS engine cannot be selected for 2.6?

(IMHO) The KLIPS engine has some advantages when building netfilter rules.

------- Comment #9 From Mark Loeser 2005-11-15 22:01:32 0000 -------
Hopefully I'm not alone here, but could someone tell me how I can test this on
x86 to make sure it is not broken?  Upstream's wiki appears to be down.

------- Comment #10 From Jay Pfeifer (RETIRED) 2005-11-16 10:08:06 0000 -------
Mark - I have already tested some on x86, but there are a number of scenarios.
You can look here: http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel for some info.

If you need further help, just find me on IRC.

Jay

------- Comment #11 From Jay Pfeifer (RETIRED) 2005-11-17 11:18:32 0000 -------
*sigh*... openswan-2.4.4 is on its way (as per kenb from Xelerance). It has
more DDoS fixes. I will post an update once it is released and I test/commit it
to portage.

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-11-20 04:19:50 0000 -------
Back to upstream waiting for 2.4.4 

------- Comment #13 From Thierry Carrez (RETIRED) 2005-11-25 04:34:26 0000 -------
2005-11-18: Xelerance has released Openswan 2.4.4, which fixes the second
vulnerability found by the NISCC Advisory 3756/NISCC/ISAKMP.

See http://www.openswan.org/niscc2/ and bump.

------- Comment #14 From Jay Pfeifer (RETIRED) 2005-11-27 23:51:37 0000 -------
2.4.4 is now in portage. Unless we get a huge bug report, I plan on marking this
stable on x86/amd64 and getting rid of 2.2.0 in 24 hours.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-11-29 02:36:10 0000 -------
maintainer / x86 / amd64 teams: please mark 2.4.4 stable (if stable :) )

------- Comment #16 From Jay Pfeifer (RETIRED) 2005-11-29 06:50:23 0000 -------
openswan-2.4.4 is now marked stable on x86 and amd64.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-11-29 07:00:08 0000 -------
Ready for GLSA vote. I tend to vote yes, due to the original issue (3DES crafted
packet with invalid keylength) rather than the additional lame ones (DoS if PSK
known and aggressive mode enabled, already vulnerable to MiM anyway)...

------- Comment #18 From Stefan Cornelius (RETIRED) 2005-12-02 04:20:47 0000 -------
I tend to say yes, too

------- Comment #19 From solar 2005-12-02 04:36:11 0000 -------
Yes please issue a GLSA

------- Comment #20 From Stefan Cornelius (RETIRED) 2005-12-02 04:40:02 0000 -------
OK, this is ready for GLSA then.

------- Comment #21 From Thierry Carrez (RETIRED) 2005-12-12 06:55:02 0000 -------
GLSA 200512-04