Summary: | net-vpn/ipsec-tools-0.8.2-r6: Parsing and storing ISAKMP fragments in malicious order can exhaust resources (CVE-2016-10396) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Aleksandr Wagner (Kivak) <alwag>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | blueness
Priority: | Normal | Flags: | nattka: sanity-check+
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | net-vpn/ipsec-tools-0.8.2-r6 | |
Runtime testing required: | --- | |
Description
Aleksandr Wagner (Kivak)
2017-07-13 05:15:38 UTC

Comment #1, sam_c (Security Padawan):

@maintainer(s), can we apply this patch?

Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since 2014:

> Important Note
> The development of ipsec-tools has been ABANDONED.
> ipsec-tools has security issues, and you should not use it.
> Please switch to a secure alternative!

Should we instead drop the package? Thanks.

Comment #2, Anthony Basile:

(In reply to sam_c (Security Padawan) from comment #1)
> @maintainer(s), can we apply this patch?
>
> Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> 2014:
> > Important Note
> > The development of ipsec-tools has been ABANDONED.
> > ipsec-tools has security issues, and you should not use it.
> > Please switch to a secure alternative!
>
> Should we instead drop the package? Thanks.

It saddens me but maybe it is time to drop it. :(

Comment #3:

(In reply to Anthony Basile from comment #2)
> (In reply to sam_c (Security Padawan) from comment #1)
> > @maintainer(s), can we apply this patch?
> >
> > Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> > 2014:
> > > Important Note
> > > The development of ipsec-tools has been ABANDONED.
> > > ipsec-tools has security issues, and you should not use it.
> > > Please switch to a secure alternative!
> >
> > Should we instead drop the package? Thanks.
>
> It saddens me but maybe it is time to drop it. :(

Okay sam_c pointed out https://sources.debian.org/patches/ipsec-tools/1:0.8.2+20140711-8+deb9u1/CVE-2016-10396.patch/ which addresses CVE-2016-10396. I've added it for ipsec-tools-0.8.2-r6.ebuild. I'm going to cc the arches to stabilize it.

Comment #4:

@arch teams, please stabilize net-vpn/ipsec-tools-0.8.2-r6. This is a security fix.

KEYWORDS="amd64 arm ppc ppc64 x86"

Comment #5:

Thanks blueness!

Comment #6:

x86 stable

Comment #7:

arm stable

Comment #8:

ppc stable

Comment #9:

ppc64 stable

Comment #10, Agostino Sarubbo:

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment #11, Anthony Basile:

(In reply to Agostino Sarubbo from comment #10)
> amd64 stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

I just removed the vulnerable version.

Comment #12:

(In reply to Anthony Basile from comment #11)
> (In reply to Agostino Sarubbo from comment #10)
> > amd64 stable.
> >
> > Maintainer(s), please cleanup.
> > Security, please vote.
>
> I just removed the vulnerable version.

Thanks!

GLSA vote: no.

Closing.