
Bug 536226 (CVE-2014-9221)

Summary: <net-misc/strongswan-5.2.2: DoS vulnerability (CVE-2014-9221)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gurligebis, patrick
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/23818
Whiteboard: B3 [noglsa/cve]
Package list:
Runtime testing required: ---
Bug Depends on: 532000
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:50:02 UTC
CVE-2014-9221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9221):
  strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause
  a denial of service (invalid pointer dereference) via a crafted IKEv2 Key
  Exchange (KE) message with Diffie-Hellman (DH) group 1025.


Maintainers, may we proceed with stabilization of =net-misc/strongswan-5.2.1 ?
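As an added illustration (not strongSwan's code and not part of this bug report), the responder-side check that the CVE text points at: parse the IKEv2 Key Exchange payload and refuse Diffie-Hellman group numbers a peer may not pick over the wire, such as the private-use value 1025 named above. The allowlist, the helper names and the two sample payloads are assumptions constructed for this example.

```python
import struct
from dataclasses import dataclass

# IKEv2 Key Exchange payload header (RFC 7296 section 3.4): Next Payload (1),
# C bit + reserved (1), Payload Length (2), DH Group Num (2), RESERVED (2),
# then the Key Exchange Data.
KE_HEADER = struct.Struct("!BBHHH")

# Assumed allowlist for this example: IANA-registered IKEv2 DH group transform
# IDs. A real responder would use its own configured proposals instead.
REGISTERED_DH_GROUPS = frozenset({1, 2, 5, *range(14, 33)})
# RFC 7296 section 3.3.2: transform IDs 1024-65535 are private use and must
# not be honoured merely because a peer placed them on the wire.
PRIVATE_USE_MIN = 1024


@dataclass
class KePayload:
    next_payload: int
    critical: bool
    dh_group: int
    key_data: bytes


def parse_ke_payload(data: bytes) -> KePayload:
    """Parse one KE payload, validating its length field before slicing."""
    if len(data) < KE_HEADER.size:
        raise ValueError("KE payload shorter than its 8-byte header")
    nxt, flags, length, group, _reserved = KE_HEADER.unpack_from(data)
    if length < KE_HEADER.size or length > len(data):
        raise ValueError(f"KE payload length {length} inconsistent with data")
    return KePayload(nxt, bool(flags & 0x80), group, data[KE_HEADER.size:length])


def check_dh_group(group: int, allowed=REGISTERED_DH_GROUPS):
    """Return None if the group may be used, otherwise the reason to reject it."""
    if group >= PRIVATE_USE_MIN:
        return f"DH group {group} is in the private-use range; rejected from the wire"
    if group not in allowed:
        return f"DH group {group} is not in the allowed set"
    return None


def build_ke_payload(group: int, key_data: bytes, next_payload: int = 0) -> bytes:
    """Build constructed sample payloads for the example (not captured traffic)."""
    length = KE_HEADER.size + len(key_data)
    return KE_HEADER.pack(next_payload, 0, length, group, 0) + key_data


# Constructed samples: an ordinary group 14 payload and one advertising 1025.
SAMPLE_OK = build_ke_payload(14, b"\x01" * 256)
SAMPLE_BAD = build_ke_payload(1025, b"")
```

Running `check_dh_group(parse_ke_payload(SAMPLE_BAD).dh_group)` yields a rejection reason, while the group 14 sample passes; the same check placed before any group-specific allocation is what keeps an unexpected group number from reaching code that assumes a valid one.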
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-01-11 09:03:41 UTC
The 5.2.1 version is also broken - the report from strongswan is badly worded. (Instead of saying up to 5.2.1, it should have said up to and including 5.2.1.)

Please see the Fix section of their report here: https://www.strongswan.org/blog/2015/01/05/strongswan-denial-of-service-vulnerability-%28cve-2014-9221%29.html

Version 5.2.2 that I have just added to the tree contains the fixes, so please stabilize that one instead.
Comment 2 Andreas Schürch gentoo-dev 2015-01-11 16:48:15 UTC
x86 done.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-12 10:44:49 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-15 08:41:17 UTC
ppc stable
Comment 5 Markus Meier gentoo-dev 2015-01-17 20:03:13 UTC
arm stable, all arches done.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 05:13:15 UTC
Arches, Thank you for your work.

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 7 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-01-18 21:17:45 UTC
Unable to do so, since net-dns/unbound is not marked stable, and is a dependency with the unbound module use flag.

Do feel free to remove the old version once that has been fixed (Not sure what to do) :-)
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-01-23 21:49:38 UTC
Depends on Bug #532000 for cleanup.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:47:01 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 13:50:04 UTC
It has been 30 days+ since cleanup requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 11 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-06-06 16:11:40 UTC
Removed :-)
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 18:41:56 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:41:40 UTC
NO too, closing.
Comment 14 Larry the Git Cow gentoo-dev 2022-01-16 01:02:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d09640143771f461b62a30d455ad98ae775aa3

commit 82d09640143771f461b62a30d455ad98ae775aa3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-15 23:08:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-16 01:01:20 +0000

    profiles/arch/arm: drop obsolete strongswan unbound mask
    
    net-dns/unbound has stable keywords on ARM.
    
    Bug: https://bugs.gentoo.org/536226
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/arm/package.use.mask | 4 ----
 1 file changed, 4 deletions(-)