Comment 1 Jay Pfeifer (RETIRED) 2005-11-14 18:33:48 UTC

openswan-1.x is not vulnerable.
openswan-2.4.1 and earlier are.
I am testing an openswan-2.4.2 ebuild and will upload shortly.

Reference:
http://lists.openswan.org/pipermail/dev/2005-November/001121.html

Comment 2 Jay Pfeifer (RETIRED) 2005-11-14 18:35:03 UTC

strongswan is not vulnerable.

Reference:
http://lists.strongswan.org/pipermail/users/2005-November/001191.html

Comment 3 Jay Pfeifer (RETIRED) 2005-11-14 19:16:02 UTC

ok, openswan-2.4.2 is in portage. need to get 2.4.2 stable on amd64 (i have
hardware) then i will remove 2.2.0 and mark 2.4.2 stable on x86 and amd64.
anyone on the amd64 team want to test as well?

all revisions of openswan are ~ppc so leaving that way. however, getting ppc
team member to test would be great as my ppc hardware is no longer running linux.

Comment 4 Jay Pfeifer (RETIRED) 2005-11-14 19:35:47 UTC

ok, just for those who may test, i am working on an openswan-2.4.3 ebuild as
there was an assert found when using a PSK+ID in aggressive mode. Just got the
info from kenb with xelerence and downloaded the new tarball. i'll put a note
here when it is in portage.

Comment 5 Jay Pfeifer (RETIRED) 2005-11-14 20:13:36 UTC

openswan-2.4.3 is in portage.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2005-11-14 22:42:08 UTC

Arches please test and mark stable. 

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2005-11-15 00:46:41 UTC

Readding amd64. 

Is there is reason the KLIPS engine cannot be selected for 2.6? 
 
(IMHO) The KLIPS engine has some advantages when builing netfilter rules. 
 

Comment 9 Mark Loeser (RETIRED) 2005-11-15 22:01:32 UTC

Hopefully I'm not alone here, but could someone tell me how I can test this on
x86 to make sure it is not broken?  Upstream's wiki appears to be down.

Comment 10 Jay Pfeifer (RETIRED) 2005-11-16 10:08:06 UTC

Mark - i have already tested some on x86, but there are a number of scenarios.
You can look here: http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel for some info.

If you need further help, just find me on IRC.

Jay

Comment 11 Jay Pfeifer (RETIRED) 2005-11-17 11:18:32 UTC

*sigh*... openswan-2.4.4 is on it's way (as per kenb from xelerance). it has
more ddos fixes. i will post an update once it is released and i test/commit it
to portage.

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2005-11-20 04:19:50 UTC

Back to upstream waiting for 2.4.4 

Comment 13 Thierry Carrez (RETIRED) 2005-11-25 04:34:26 UTC

2005-11-18 : Xelerance has released Openswan 2.4.4 that fixes the secound
vulnerability found by the NISCC Advisory 3756/NISCC/ISAKMP.

See http://www.openswan.org/niscc2/ and bump.

Comment 14 Jay Pfeifer (RETIRED) 2005-11-27 23:51:37 UTC

2.4.4 is now in portage. Unless we get a huge bug report, I plan on marking this
stable on x86/amd64 and getting rid of 2.2.0 in 24 hours.

Comment 15 Thierry Carrez (RETIRED) 2005-11-29 02:36:10 UTC

maintainer / x86 / amd64 teams: please mark 2.4.4 stable (if stable :) )

Comment 16 Jay Pfeifer (RETIRED) 2005-11-29 06:50:23 UTC

openswan-2.4.4 is now marked stable on x86 and amd64.

Comment 17 Thierry Carrez (RETIRED) 2005-11-29 07:00:08 UTC

Ready for GLSA vote. I tend to vote yes, due to the original issue (3DES crafted
packet with invalid keylength) rather than the additional lame ones (DoS if PSK
known and aggressive mode enabled, already vulnerable to MiM anyway)...

Comment 18 Stefan Cornelius (RETIRED) 2005-12-02 04:20:47 UTC

I tend to say yes, too

Comment 19 solar (RETIRED) 2005-12-02 04:36:11 UTC

Yes please issue a GLSA

Comment 20 Stefan Cornelius (RETIRED) 2005-12-02 04:40:02 UTC

k, this is ready for GLSA then.

Comment 21 Thierry Carrez (RETIRED) 2005-12-12 06:55:02 UTC

GLSA 200512-04