
Bug 468504 (CVE-2013-2944)

Summary: <net-misc/strongswan-5.0.4: ECDSA is not properly handled (CVE-2013-2944)
Product: Gentoo Security Reporter: Olipro <olipro+gentoopub>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alexander, gurligebis, patrick, whissi
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Olipro 2013-05-03 19:15:16 UTC
A serious vulnerability now exists in all versions of Strongswan prior to 5.0.4 whereby ECDSA is not properly handled when compiled with the openssl use flag (CVE-2013-2944), thus permitting an attacker to generate an invalid ECDSA certificate and successfully authenticate.

Please bump Strongswan to 5.0.4 and consider a fast-track stabilisation.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2013-05-04 06:09:40 UTC
Bumped to 5.0.4 - please stabilize ASAP.

Once stable, please remove version 5.0.0 from the tree, to prevent people installing that version, since it still has this issue.

Thanks.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 12:09:12 UTC
CVE-2013-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2944):
  strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA
  signature verification, allows remote attackers to authenticate as other
  users via an invalid signature.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:33:51 UTC
*** Bug 468008 has been marked as a duplicate of this bug. ***
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:47:55 UTC
Arches, please test and mark stable:
=net-misc/strongswan-5.0.4
Target KEYWORDS: "amd64 arm ppc ~ppc64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-10 09:38:06 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-10 09:42:34 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-11 11:17:37 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-11 11:18:44 UTC
ppc stable
Comment 9 Sergey Popov gentoo-dev 2013-08-23 10:38:36 UTC
Thanks for your work

GLSA vote: yes
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 13:41:09 UTC
GLSA vote: yes, request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-02 01:30:55 UTC
This issue was resolved and addressed in GLSA 201309-02 at http://security.gentoo.org/glsa/glsa-201309-02.xml by GLSA coordinator Chris Reffett (creffett).