Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 275233 - <net-misc/openswan-2.4.15 ASN.1 Parsing Remote Denial of Service (CVE-2009-2185)
Summary: <net-misc/openswan-2.4.15 ASN.1 Parsing Remote Denial of Service (CVE-2009-2185)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://lists.virus.org/announce-opens...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-23 23:58 UTC by Robert Buchholz (RETIRED)
Modified: 2009-09-09 13:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-23 23:58:35 UTC 
Xelerance has released openswan 2.6.22.

http://www.openswan.org/download/openswan-2.6.22.tar.gz
http://www.openswan.org/download/openswan-2.6.22.tar.gz.asc

This is a major security and bugfix release

This release addresses the vulnerability as described in

http://www.vupen.com/english/advisories/2009/1639
...
Openswan versions 1.0.x upto 2.6.21 are vulnerable. Openswan 2.6.22 (and
openswan 2.4.15 shortly) are not vulnerable.
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2009-06-24 17:21:23 UTC 
I've bumped version to 2.6.22, but branch 2.6 is currently p.masked on Gentoo due to broken L2TP (see https://gsoc.xelerance.com/view.php?id=1004).
 
Let me know when 2.4.15 becomes available and I'll do the real security bump.
Comment 2 Eray Aslan gentoo-dev 2009-06-25 05:40:25 UTC 
(In reply to comment #1)
> Let me know when 2.4.15 becomes available and I'll do the real security bump.

2.4.15 is released:
http://www.openswan.org/download/openswan-2.4.15.tar.gz
http://www.openswan.org/download/openswan-2.4.15.tar.gz.asc
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-06-28 09:50:26 UTC 
2.4.15 is now in the tree.
Arches please mark this version as stable.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-29 10:05:37 UTC 
x86 stable
Comment 5 Markus Meier gentoo-dev 2009-06-29 20:49:54 UTC 
amd64 stable, all arches done.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-28 22:00:19 UTC 
Alin, please remove the vulnerable versions.
Comment 7 Alin Năstac (RETIRED) gentoo-dev 2009-08-30 07:36:24 UTC 
Done
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:33:58 UTC 
GLSA 200909-05