A serious vulnerability now exists in all versions of Strongswan prior to 5.0.4 whereby ECDSA is not properly handled when compiled with the openssl use flag (CVE-2013-2944), thus permitting an attacker to generate an invalid ECDSA certificate and successfully authenticate.
Please bump Strongswan to 5.0.4 and consider a fast-track stabilisation.
Bumped to 5.0.4 - please stabilize ASAP.
Once stable, please remove version 5.0.0 from the tree, to prevent people installing that version, since it still has this issue.
strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA
signature verification, allows remote attackers to authenticate as other
users via an invalid signature.
*** Bug 468008 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable:
Target KEYWORDS: "amd64 arm ppc ~ppc64 x86"
Thanks for your work
GLSA vote: yes
GLSA vote: yes, request filed.
This issue was resolved and addressed in
GLSA 201309-02 at http://security.gentoo.org/glsa/glsa-201309-02.xml
by GLSA coordinator Chris Reffett (creffett).