CVE-2013-2053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2053): Buffer overflow in the atodn function in Openswan before 2.6.39, when Opportunistic Encryption is enabled and an RSA key is being used, allows remote attackers to cause a denial of service (pluto IKE daemon crash) and possibly execute arbitrary code via crafted DNS TXT records. NOTE: this might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054.
+*openswan-2.6.39 (01 Sep 2013) + + 01 Sep 2013; Mike Gilbert <floppym@gentoo.org> + +files/openswan-2.6.39-gentoo.patch, +openswan-2.6.39.ebuild: + Version bump.
B2 as discussed with Chris on IRC. Arches, please test and mark stable: =net-misc/openswan-2.6.39 Target keywords : "amd64 x86"
@ago, you forgot about arches ? ;)
amd64 stable
x86 stable
GLSA drafted and ready for review.
@maintainer, please drop vulnerable versions
Ping! Maintainer(s), please drop the vulnerable version.
I will not be dropping openswan-2.6.38 from the tree for the foreseeable future due to bug 483576.
This issue was resolved and addressed in GLSA 201401-09 at http://security.gentoo.org/glsa/glsa-201401-09.xml by GLSA coordinator Sean Amoss (ackle).