Bug 275233

Summary: <net-misc/openswan-2.4.15 ASN.1 Parsing Remote Denial of Service (CVE-2009-2185)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eras, mrness
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.virus.org/announce-openswan-0906/msg00000.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-23 23:58:35 UTC
Xelerance has released openswan 2.6.22.

http://www.openswan.org/download/openswan-2.6.22.tar.gz
http://www.openswan.org/download/openswan-2.6.22.tar.gz.asc

This is a major security and bugfix release

This release addresses the vulnerability as described in

http://www.vupen.com/english/advisories/2009/1639
...
Openswan versions 1.0.x up to 2.6.21 are vulnerable. Openswan 2.6.22 (and
openswan 2.4.15 shortly) are not vulnerable.
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2009-06-24 17:21:23 UTC
I've bumped version to 2.6.22, but branch 2.6 is currently p.masked on Gentoo due to broken L2TP (see https://gsoc.xelerance.com/view.php?id=1004).

Let me know when 2.4.15 becomes available and I'll do the real security bump.
Comment 2 Eray Aslan gentoo-dev 2009-06-25 05:40:25 UTC
(In reply to comment #1)
> Let me know when 2.4.15 becomes available and I'll do the real security bump.

2.4.15 is released:
http://www.openswan.org/download/openswan-2.4.15.tar.gz
http://www.openswan.org/download/openswan-2.4.15.tar.gz.asc
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-06-28 09:50:26 UTC
2.4.15 is now in the tree.
Arches please mark this version as stable.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-29 10:05:37 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2009-06-29 20:49:54 UTC
amd64 stable, all arches done.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-28 22:00:19 UTC
Alin, please remove the vulnerable versions.
Comment 7 Alin Năstac (RETIRED) gentoo-dev 2009-08-30 07:36:24 UTC
Done
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:33:58 UTC
GLSA 200909-05