Summary: | net-firewall/ipsec-tools: Vulnerability Issues with IPsec Configurations | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
Component: | Default Configs | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | bugs-gentoo, latexer |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://securitytracker.com/alerts/2005/May/1013926.html | ||
Whiteboard: | jaervosz | ||
Package list: | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
2005-05-10 12:21:48 UTC
Plasmaroo/Latexer please advise. Well, while this announcement does disclose a possibility of exploit, there are no new releases that change anything, the announcement really only states configuration options that should be used to avoid any compromise in the ipsec stuff. Do we do GLSAs for "FYI, doing things this way makes things safer" type situations? Quote from http://www.gentoo.org/security/en/coordinator_guide.xml: "Default config bugs do not generate GLSAs." So, i guess no - but i'm not sure. I'm no expert, but RFC 2406 says: Confidentiality may be selected independent of all other services. However, use of confidentiality without integrity/authentication (either in ESP or separately in AH) may subject traffic to certain forms of active attacks that could undermine the confidentiality service (see [Bel96]). Seems like this is not a vulnerability but design? If it is by design, maybe we should patch our config file or put an ewarn in our ebuild to help people configure things securely. Moving to Default Configs. latexer please advise. As we don't even provide any config in /etc/racoon and people have to do their own configuration, and the advisory as largely a more detailed explanation of possibile exploits of a known bad configuration, I'd suggest this is a noop, and doesn't warrant a GLSA. Closing as INVALDID, feel free to reopen if you disagree. |