Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 468504 (CVE-2013-2944) - <net-misc/strongswan-5.0.4: ECDSA is not properly handled (CVE-2013-2944)
Summary: <net-misc/strongswan-5.0.4: ECDSA is not properly handled (CVE-2013-2944)
Status: RESOLVED FIXED
Alias: CVE-2013-2944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
: 468008 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-05-03 19:15 UTC by Olipro
Modified: 2013-09-02 01:30 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Olipro 2013-05-03 19:15:16 UTC
A serious vulnerability now exists in all versions of Strongswan prior to 5.0.4 whereby ECDSA is not properly handled when compiled with the openssl use flag ( CVE-2013-2944 ) thus permitting an attacker to generate an invalid ECDSA certificate and successfully authenticate.

Please bump Strongswan to 5.0.4 and consider a fast-track stabilisation.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2013-05-04 06:09:40 UTC
Bumped to 5.0.4 - please stabilize ASAP.

Once stable, please remove version 5.0.0 from the tree, to prevent people installing that version, since it still has this issue.

Thanks.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 12:09:12 UTC
CVE-2013-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2944):
  strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA
  signature verification, allows remote attackers to authenticate as other
  users via an invalid signature.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:33:51 UTC
*** Bug 468008 has been marked as a duplicate of this bug. ***
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:47:55 UTC
Arches, please test and mark stable:
=net-misc/strongswan-5.0.4
Target KEYWORDS: "amd64 arm ppc ~ppc64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-10 09:38:06 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-10 09:42:34 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-11 11:17:37 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-11 11:18:44 UTC
ppc stable
Comment 9 Sergey Popov (RETIRED) gentoo-dev 2013-08-23 10:38:36 UTC
Thanks for your work

GLSA vote: yes
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 13:41:09 UTC
GLSA vote: yes, request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-02 01:30:55 UTC
This issue was resolved and addressed in
 GLSA 201309-02 at http://security.gentoo.org/glsa/glsa-201309-02.xml
by GLSA coordinator Chris Reffett (creffett).