Bug 112568 - net-misc/openswan Multiple Vulnerability Issues in Implementation of ISAKMP Protocol
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Reported: 2005-11-14 18:30 UTC by Jay Pfeifer (RETIRED)
Modified: 2005-12-12 06:55 UTC
Runtime testing required: ---
Description Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 18:30:39 UTC
New bug affecting at least one ipsec product offered by Gentoo

Reproducible: Always
Steps to Reproduce:
Comment 1 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 18:33:48 UTC
openswan-1.x is not vulnerable.
openswan-2.4.1 and earlier are.
I am testing an openswan-2.4.2 ebuild and will upload shortly.

Comment 2 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 18:35:03 UTC
strongswan is not vulnerable.

Comment 3 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 19:16:02 UTC
OK, openswan-2.4.2 is in portage. Need to get 2.4.2 stable on amd64 (I have
hardware), then I will remove 2.2.0 and mark 2.4.2 stable on x86 and amd64.
Anyone on the amd64 team want to test as well?

All revisions of openswan are ~ppc, so leaving it that way. However, getting a ppc
team member to test would be great as my ppc hardware is no longer running Linux.
Comment 4 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 19:35:47 UTC
OK, just for those who may test, I am working on an openswan-2.4.3 ebuild as
there was an assert found when using a PSK+ID in aggressive mode. Just got the
info from kenb with Xelerance and downloaded the new tarball. I'll put a note
here when it is in portage.
Comment 5 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-14 20:13:36 UTC
openswan-2.4.3 is in portage.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 22:42:08 UTC
Arches please test and mark stable. 
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-15 00:46:41 UTC
Readding amd64. 
Comment 8 Nico Baggus 2005-11-15 15:59:13 UTC
Is there a reason the KLIPS engine cannot be selected for 2.6?
(IMHO) The KLIPS engine has some advantages when building netfilter rules.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2005-11-15 22:01:32 UTC
Hopefully I'm not alone here, but could someone tell me how I can test this on
x86 to make sure it is not broken?  Upstream's wiki appears to be down.
Comment 10 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-16 10:08:06 UTC
Mark - I have already tested some on x86, but there are a number of scenarios.
You can look here: for some info.

If you need further help, just find me on IRC.

Comment 11 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-17 11:18:32 UTC
*sigh*... openswan-2.4.4 is on its way (as per kenb from Xelerance). It has
more DDoS fixes. I will post an update once it is released and I test/commit it
to portage.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-20 04:19:50 UTC
Back to upstream waiting for 2.4.4 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-11-25 04:34:26 UTC
2005-11-18: Xelerance has released Openswan 2.4.4, which fixes the second
vulnerability found by the NISCC Advisory 3756/NISCC/ISAKMP.

See and bump.
Comment 14 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-27 23:51:37 UTC
2.4.4 is now in portage. Unless we get a huge bug report, I plan on marking this
stable on x86/amd64 and getting rid of 2.2.0 in 24 hours.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-11-29 02:36:10 UTC
maintainer / x86 / amd64 teams: please mark 2.4.4 stable (if stable :) )
Comment 16 Jay Pfeifer (RETIRED) gentoo-dev 2005-11-29 06:50:23 UTC
openswan-2.4.4 is now marked stable on x86 and amd64.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-29 07:00:08 UTC
Ready for GLSA vote. I tend to vote yes, due to the original issue (3DES crafted
packet with invalid keylength) rather than the additional lame ones (DoS if PSK
known and aggressive mode enabled, already vulnerable to MiM anyway)...
Comment 18 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-02 04:20:47 UTC
I tend to say yes, too
Comment 19 solar (RETIRED) gentoo-dev 2005-12-02 04:36:11 UTC
Yes please issue a GLSA
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-02 04:40:02 UTC
k, this is ready for GLSA then.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-12-12 06:55:02 UTC
GLSA 200512-04