CVE-2021-45079: In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. Please stabilize 5.9.5.
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7387260e58f7f39705fa2c03024201eee834e8e9 commit 7387260e58f7f39705fa2c03024201eee834e8e9 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-01-06 17:43:24 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-01-06 17:43:34 +0000 net-vpn/strongswan: drop 5.9.6-r1, 5.9.7 Bug: https://bugs.gentoo.org/818841 Bug: https://bugs.gentoo.org/832460 Bug: https://bugs.gentoo.org/878887 Signed-off-by: John Helmert III <ajak@gentoo.org> net-vpn/strongswan/Manifest | 2 - .../files/strongswan-5.9.6-werror-security.patch | 20 -- net-vpn/strongswan/strongswan-5.9.6-r1.ebuild | 322 --------------------- net-vpn/strongswan/strongswan-5.9.7.ebuild | 318 -------------------- 4 files changed, 662 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=5c311dfaab4c0172a4524ae5860106bcac33a694 commit 5c311dfaab4c0172a4524ae5860106bcac33a694 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-05-04 09:05:41 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-04 09:06:06 +0000 [ GLSA 202405-08 ] strongSwan: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/818841 Bug: https://bugs.gentoo.org/832460 Bug: https://bugs.gentoo.org/878887 Bug: https://bugs.gentoo.org/899964 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202405-08.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)