Bug 628606 (CVE-2017-11185) - <net-vpn/strongswan-5.6.0: remote denial of service via crafted RSA signature
Status: RESOLVED FIXED
Alias: CVE-2017-11185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.strongswan.org/blog/2017/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-22 14:29 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-10-17 10:20 UTC

See Also:
Package list:
=net-vpn/strongswan-5.6.0-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-08-22 14:29:10 UTC
CVE-2017-11185 (https://nvd.nist.gov/vuln/detail/CVE-2017-11185):

The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature.

References:

https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-%28cve-2017-11185%29.html

Patch:

https://download.strongswan.org/security/CVE-2017-11185/

@ Maintainer(s): Please provide either a patched ebuild or newer version. Please state if ready for stabilization after.
Comment 1 Patrick Lauer gentoo-dev 2017-09-24 17:30:38 UTC
Ebuild for 5.6.0 has been committed
Comment 2 Aleksandr Wagner (Kivak) 2017-09-24 19:36:11 UTC
@ Maintainer(s): Please state when the ebuild is ready for stabilization.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-23 01:53:39 UTC
@arches, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2018-01-23 16:42:17 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 18:22:29 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2018-02-05 21:19:08 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 22:19:37 UTC
ppc stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-17 10:18:29 UTC
GLSA Vote: No!
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-17 10:20:42 UTC
Cleanup via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75954cf504602db95aafcb1e80fe1e01b1f3ec22

Repository is clean, all done.