Bug 536226 (CVE-2014-9221) - <net-misc/strongswan-5.2.2: DoS vulnerability (CVE-2014-9221)
Summary: <net-misc/strongswan-5.2.2: DoS vulnerability (CVE-2014-9221)
Status: RESOLVED FIXED
Alias: CVE-2014-9221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa/cve]
Keywords: PullRequest
Depends on: CVE-2014-8602
Blocks:
Reported: 2015-01-10 16:50 UTC by GLSAMaker/CVETool Bot
Modified: 2022-01-16 01:02 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:50:02 UTC
CVE-2014-9221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9221):
  strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause
  a denial of service (invalid pointer dereference) via a crafted IKEv2 Key
  Exchange (KE) message with Diffie-Hellman (DH) group 1025.


Maintainers, may we proceed with stabilization of =net-misc/strongswan-5.2.1 ?
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-01-11 09:03:41 UTC
The 5.2.1 version is also broken - the report from strongswan is badly worded. (Instead of saying up to 5.2.1, it should have said up to, and including, 5.2.1.)

Please see the Fix section of their report here: https://www.strongswan.org/blog/2015/01/05/strongswan-denial-of-service-vulnerability-%28cve-2014-9221%29.html

Version 5.2.2 that I have just added to the tree contains the fixes, so please stabilize that one instead.
Comment 2 Andreas Schürch gentoo-dev 2015-01-11 16:48:15 UTC
x86 done.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-12 10:44:49 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-15 08:41:17 UTC
ppc stable
Comment 5 Markus Meier gentoo-dev 2015-01-17 20:03:13 UTC
arm stable, all arches done.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 05:13:15 UTC
Arches, Thank you for your work.

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 7 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-01-18 21:17:45 UTC
Unable to do so, since net-dns/unbound is not marked stable, and is a dependency with the unbound module use flag.

Do feel free to remove the old version once that has been fixed (Not sure what to do) :-)
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-01-23 21:49:38 UTC
Depends on Bug #532000 for cleanup.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:47:01 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 13:50:04 UTC
It has been 30 days+ since cleanup requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 11 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-06-06 16:11:40 UTC
Removed :-)
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 18:41:56 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:41:40 UTC
NO too, closing.
Comment 14 Larry the Git Cow gentoo-dev 2022-01-16 01:02:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d09640143771f461b62a30d455ad98ae775aa3

commit 82d09640143771f461b62a30d455ad98ae775aa3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-15 23:08:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-16 01:01:20 +0000

    profiles/arch/arm: drop obsolete strongswan unbound mask
    
    net-dns/unbound has stable keywords on ARM.
    
    Bug: https://bugs.gentoo.org/536226
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/arm/package.use.mask | 4 ----
 1 file changed, 4 deletions(-)