Bug 279319 (CVE-2009-2661) - <net-misc/strongswan-{4.2.17,4.3.3}: Incomplete fix for CVE-2009-2185 (CVE-2009-2661)
Status: RESOLVED FIXED
Alias: CVE-2009-2661
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: https://lists.strongswan.org/pipermai...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-27 13:05 UTC by Alex Legler (RETIRED)
Modified: 2009-08-04 19:35 UTC

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-27 13:05:11 UTC
+++ This bug was initially created as a clone of Bug #275096 +++

The RDN parser vulnerability discovered by Orange Labs research team
two months ago was not completely fixed by the security patch

This fix has been integrated into the latest strongSwan releases 2.8.11,
4.2.17, and 4.3.3 available from http://download.strongswan.org/
Comment 1 Wolfram Schlich (RETIRED) gentoo-dev 2009-07-29 08:52:13 UTC
Fixed in CVS.
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2009-07-29 08:53:16 UTC
Sorry security@gentoo.org, I should not have closed this bug on my own :)
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-29 09:24:47 UTC
Thanks, this can be closed indeed.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 19:34:42 UTC
CVE-2009-2661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2661):
  The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before
  4.2.17, and 4.3 before 4.3.3 does not properly handle X.509
  certificates with crafted Relative Distinguished Names (RDNs), which
  allows remote attackers to cause a denial of service (pluto IKE
  daemon crash) via malformed ASN.1 data.  NOTE: this is due to an
  incomplete fix for CVE-2009-2185.

Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 19:35:44 UTC
check-todo-issues put the summary wrong, fixed.