Bug 624832 (CVE-2016-10396) - <net-vpn/ipsec-tools-0.8.2-r6: Parsing and storing ISAKMP fragments in malicious order can exhaust resources (CVE-2016-10396)
Status: RESOLVED FIXED
Alias: CVE-2016-10396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2017-07-13 05:15 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-07-16 00:33 UTC
Package list:
net-vpn/ipsec-tools-0.8.2-r6
Runtime testing required: ---
nattka: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-07-13 05:15:38 UTC
The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP fragment packets in a particular order such that the worst-case computational complexity is realized in the algorithm utilized to determine if reassembly of the fragments can take place.

References:

https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682

Upstream patch:

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1
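
One way to keep the "can reassembly take place?" decision at constant cost per fragment, whatever order the fragments arrive in. This is an added example, not part of the report and not the upstream or Debian patch or racoon's own code. It assumes fragments carry an 8-bit index starting at 1 plus a last-fragment flag; `frag_state`, `frag_add` and `FRAG_MAX` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_MAX 255  /* assumption: 8-bit fragment index, valid range 1..255 */

enum frag_result { FRAG_PENDING, FRAG_COMPLETE, FRAG_REJECTED };

struct frag_state {
    uint8_t  seen[FRAG_MAX / 8 + 1]; /* one bit per fragment index */
    unsigned count;                  /* distinct fragments accepted */
    unsigned highest;                /* highest index accepted so far */
    unsigned last;                   /* index flagged "last", 0 = not yet seen */
};

void frag_init(struct frag_state *st) { memset(st, 0, sizeof *st); }

/* Account for one fragment. The work is constant per packet, so arrival
 * order cannot drive up the cost of the reassembly decision. */
enum frag_result frag_add(struct frag_state *st, unsigned index, int is_last)
{
    if (index == 0 || index > FRAG_MAX)
        return FRAG_REJECTED;                 /* out of range */
    if (st->seen[index / 8] & (1u << (index % 8)))
        return FRAG_REJECTED;                 /* duplicate index */
    if (st->last != 0 && (is_last || index > st->last))
        return FRAG_REJECTED;                 /* second "last", or past the end */
    if (is_last && index < st->highest)
        return FRAG_REJECTED;                 /* "last" below a stored index */

    st->seen[index / 8] |= (uint8_t)(1u << (index % 8));
    st->count++;
    if (index > st->highest)
        st->highest = index;
    if (is_last)
        st->last = index;
    /* Indices are distinct and <= last, so count == last means 1..last are all present. */
    return (st->last != 0 && st->count == st->last) ? FRAG_COMPLETE : FRAG_PENDING;
}

int main(void)
{
    /* Constructed input: four fragments delivered in reverse order. */
    struct frag_state st;
    frag_init(&st);
    for (unsigned i = 4; i >= 1; i--)
        printf("index %u -> %d\n", i, frag_add(&st, i, i == 4));
    return 0;
}
```

The bitmap and counters bound both memory and per-packet work for one fragment chain; a real daemon would also need to cap the stored payload bytes and time out incomplete chains.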
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 17:16:11 UTC
@maintainer(s), can we apply this patch?

Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since 2014:
>Important Note
>The development of ipsec-tools has been ABANDONED.
>ipsec-tools has security issues, and you should not use it.
>Please switch to a secure alternative!

Should we instead drop the package? Thanks.
Comment 2 Anthony Basile gentoo-dev 2020-03-19 01:40:50 UTC
(In reply to sam_c (Security Padawan) from comment #1)
> @maintainer(s), can we apply this patch?
> 
> Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> 2014:
> >Important Note
> >The development of ipsec-tools has been ABANDONED.
> >ipsec-tools has security issues, and you should not use it.
> >Please switch to a secure alternative!
> 
> Should we instead drop the package? Thanks.

It saddens me but maybe it is time to drop it. :(
Comment 3 Anthony Basile gentoo-dev 2020-06-17 15:21:12 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to sam_c (Security Padawan) from comment #1)
> > @maintainer(s), can we apply this patch?
> > 
> > Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> > 2014:
> > >Important Note
> > >The development of ipsec-tools has been ABANDONED.
> > >ipsec-tools has security issues, and you should not use it.
> > >Please switch to a secure alternative!
> > 
> > Should we instead drop the package? Thanks.
> 
> It saddens me but maybe it is time to drop it. :(

Okay sam_c pointed out 

https://sources.debian.org/patches/ipsec-tools/1:0.8.2+20140711-8+deb9u1/CVE-2016-10396.patch/

which addresses CVE-2016-10396.  I've added it for ipsec-tools-0.8.2-r6.ebuild.  I'm going to cc the arches to stabilize it.
Comment 4 Anthony Basile gentoo-dev 2020-06-17 15:28:37 UTC
@arch teams, please stabilize net-vpn/ipsec-tools-0.8.2-r6.  This is a security fix.

KEYWORDS="amd64 arm ppc ppc64 x86"
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 15:39:03 UTC
Thanks blueness!
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:57 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-21 17:00:00 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-21 17:05:24 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-21 17:10:14 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-22 06:58:55 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Anthony Basile gentoo-dev 2020-06-22 12:59:37 UTC
(In reply to Agostino Sarubbo from comment #10)
> amd64 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

I just removed the vulnerable version.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-16 00:33:09 UTC
(In reply to Anthony Basile from comment #11)
> (In reply to Agostino Sarubbo from comment #10)
> > amd64 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> I just removed the vulnerable version.

Thanks!

GLSA vote: no.

Closing.