Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 330845 - net-misc/strongswan (versions < 4.3.7, < 4.4.1): remote code execution vulnerability
Summary: net-misc/strongswan (versions < 4.3.7, < 4.4.1): remote code execution vulner...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical
Assignee: Matthias Dahl
URL: https://lists.strongswan.org/pipermai...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-02 14:46 UTC by Matthias Dahl
Modified: 2010-08-03 08:03 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dahl 2010-08-02 14:46:12 UTC
Taken straight from the 4.4.1 announcement:

"
A potential remote code execution vulnerability resulting from
the misuse of snprintf() was fixed. The vulnerability was
introduced with the strongswan-4.3.3 release and is exploitable
by unauthenticated users."

Patches and new releases are available.

Reproducible: Always
Comment 1 Matthias Dahl 2010-08-02 14:47:14 UTC
The 4.4.0 patch currently does not cleanly apply. Investigating this.
Comment 2 Matthias Dahl 2010-08-02 18:43:47 UTC
Updates sent to my proxy Markos Chandras. Closing this bug once the commit hits the tree.

Summary:

- bumping 4.3.6 to 4.3.7 which contains only the security fix
- replacing 4.4.0 w/ 4.4.1 because there is currently no working standalone patch available
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-03 08:03:57 UTC
Bumped

Affected versions removed. No need to call security team since there is no stable version for that

Thank you for the ebuilds