A serious vulnerability now exists in all versions of Strongswan prior to 5.0.4 whereby ECDSA is not properly handled when compiled with the openssl use flag ( CVE-2013-2944 ) thus permitting an attacker to generate an invalid ECDSA certificate and successfully authenticate. Please bump Strongswan to 5.0.4 and consider a fast-track stabilisation.
Bumped to 5.0.4 - please stabilize ASAP. Once stable, please remove version 5.0.0 from the tree, to prevent people installing that version, since it still has this issue. Thanks.
CVE-2013-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2944): strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature.
*** Bug 468008 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable: =net-misc/strongswan-5.0.4 Target KEYWORDS: "amd64 arm ppc ~ppc64 x86"
amd64 stable
x86 stable
arm stable
ppc stable
Thanks for your work GLSA vote: yes
GLSA vote: yes, request filed.
This issue was resolved and addressed in GLSA 201309-02 at http://security.gentoo.org/glsa/glsa-201309-02.xml by GLSA coordinator Chris Reffett (creffett).