Summary: | <net-vpn/libreswan-3.29: IKEv1 informational exchange packets not integrity checked (CVE-2019-10155) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Torsten Kaiser <Storklerk> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | graaff |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://libreswan.org/security/CVE-2019-10155/ | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | net-vpn/libreswan-3.29 | ||
Runtime testing required: | --- |
Description
Torsten Kaiser
2019-10-19 14:16:41 UTC
Hrm: Current stable version is 3.27.

https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

Vulnerable versions: libreswan 3.27

Exploitation
============
By continuing to send these packets, a denial of service attack is possible. This vulnerability cannot be abused for a remote code execution.

Unfortunately 3.28 and 3.29 appear to be broken for some connections (to the point that we're restarting libreswan from cron every couple of hours to keep things working). No upstream bug from our side for that, haven't had time to dig into that yet.

My understanding of CVE-2019-10155 is that it is not something that is high priority to fix. I must have overlooked CVE-2019-12312 because that does look more serious. I would have hoped that upstream already released a new version by now but they have not done so yet. I'd appreciate opinions on the way forward: are these security issues bad enough to upgrade and break some VPN connections for people?

Stopping stabilization because of maintainer concerns, #2

@ maintainer(s): Is there a bug for the problem you experience why stabilization should be blocked? Many distributions already moved to 3.29 (https://repology.org/project/libreswan/versions)...

There are no clear bugs upstream although perhaps https://github.com/libreswan/libreswan/issues/270 looks similar. That also contains a possible workaround (in addition to restarting), so let's continue stabilization.

x86 stable

amd64 stable. Maintainer(s), please cleanup. Security, please vote.

Cleanup done.

GLSA Vote: No! Repository is clean, all done.