Buffer overflow in the atodn function in Openswan before 2.6.39, when
Opportunistic Encryption is enabled and an RSA key is being used, allows
remote attackers to cause a denial of service (pluto IKE daemon crash) and
possibly execute arbitrary code via crafted DNS TXT records. NOTE: this
might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054.
+*openswan-2.6.39 (01 Sep 2013)
+ 01 Sep 2013; Mike Gilbert <email@example.com>
+ +files/openswan-2.6.39-gentoo.patch, +openswan-2.6.39.ebuild:
+ Version bump.
B2 as discussed with Chris on IRC.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
@ago, you forgot about arches ? ;)
GLSA drafted and ready for review.
@maintainer, please drop vulnerable versions
Maintainer(s), please drop the vulnerable version.
I will not be dropping openswan-2.6.38 from the tree for the foreseeable future due to bug 483576.
This issue was resolved and addressed in
GLSA 201401-09 at http://security.gentoo.org/glsa/glsa-201401-09.xml
by GLSA coordinator Sean Amoss (ackle).