Bug 832460 (CVE-2021-45079) - <net-vpn/strongswan-5.9.5: authentication bypass
Summary: <net-vpn/strongswan-5.9.5: authentication bypass
Status: RESOLVED FIXED
Alias: CVE-2021-45079
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.strongswan.org/blog/2022/...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 832508
Blocks:
Reported: 2022-02-01 03:07 UTC by John Helmert III
Modified: 2024-05-04 09:07 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-01 03:07:58 UTC
CVE-2021-45079:

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Please stabilize 5.9.5.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-03 01:20:03 UTC
Please cleanup, thanks!
Comment 2 Larry the Git Cow gentoo-dev 2023-01-06 17:45:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7387260e58f7f39705fa2c03024201eee834e8e9

commit 7387260e58f7f39705fa2c03024201eee834e8e9
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-06 17:43:24 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-06 17:43:34 +0000

    net-vpn/strongswan: drop 5.9.6-r1, 5.9.7
    
    Bug: https://bugs.gentoo.org/818841
    Bug: https://bugs.gentoo.org/832460
    Bug: https://bugs.gentoo.org/878887
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-vpn/strongswan/Manifest                        |   2 -
 .../files/strongswan-5.9.6-werror-security.patch   |  20 --
 net-vpn/strongswan/strongswan-5.9.6-r1.ebuild      | 322 ---------------------
 net-vpn/strongswan/strongswan-5.9.7.ebuild         | 318 --------------------
 4 files changed, 662 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-05-04 09:06:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5c311dfaab4c0172a4524ae5860106bcac33a694

commit 5c311dfaab4c0172a4524ae5860106bcac33a694
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 09:05:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 09:06:06 +0000

    [ GLSA 202405-08 ] strongSwan: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/818841
    Bug: https://bugs.gentoo.org/832460
    Bug: https://bugs.gentoo.org/878887
    Bug: https://bugs.gentoo.org/899964
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-08.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)