strongSwan Vulnerability (CVE-2023-26463)

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

A user publicly reported a bug related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution.

Fixed by 5.9.10 release: https://www.strongswan.org/blog/2023/03/02/strongswan-5.9.10-released.html
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e946ce4d76ece04b512661469ce5550e1d505ae5

commit e946ce4d76ece04b512661469ce5550e1d505ae5
Author:     Dennis Eisele <kernlpanic@dennis-eisele.de>
AuthorDate: 2023-03-04 13:33:08 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2023-03-14 23:12:01 +0000

    net-vpn/strongswan: version bump to 5.9.10

    Bug: https://bugs.gentoo.org/899964
    Signed-off-by: Dennis Eisele <kernlpanic@dennis-eisele.de>
    Closes: https://github.com/gentoo/gentoo/pull/29924
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-vpn/strongswan/Manifest                 |   1 +
 net-vpn/strongswan/strongswan-5.9.10.ebuild | 318 ++++++++++++++++++++++++++++
 2 files changed, 319 insertions(+)
Thanks!
Ping. Please clean up vulnerable versions 5.9.8 and 5.9.9.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=328181b0a39b56600ebba16a15ab14e3e4954b85

commit 328181b0a39b56600ebba16a15ab14e3e4954b85
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2023-10-08 21:50:15 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2023-10-08 21:51:41 +0000

    net-vpn/strongswan: drop 5.9.8, 5.9.9, 5.9.10

    Bug: https://bugs.gentoo.org/899964
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-vpn/strongswan/Manifest                 |   3 -
 net-vpn/strongswan/strongswan-5.9.10.ebuild | 318 ----------------------------
 net-vpn/strongswan/strongswan-5.9.8.ebuild  | 318 ----------------------------
 net-vpn/strongswan/strongswan-5.9.9.ebuild  | 318 ----------------------------
 4 files changed, 957 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5c311dfaab4c0172a4524ae5860106bcac33a694

commit 5c311dfaab4c0172a4524ae5860106bcac33a694
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 09:05:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 09:06:06 +0000

    [ GLSA 202405-08 ] strongSwan: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/818841
    Bug: https://bugs.gentoo.org/832460
    Bug: https://bugs.gentoo.org/878887
    Bug: https://bugs.gentoo.org/899964
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-08.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)