From https://bugzilla.redhat.com/show_bug.cgi?id=1457121:
It was found that RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate with an appropriately prepared public key sent by a peer could be used for a denial-of-service attack.
External References: https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html
From https://bugzilla.redhat.com/show_bug.cgi?id=1457122:
It was found that ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread parsing a specifically crafted certificate.
External References: https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
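Added illustration of the first issue (CVE-2017-9022), not code from strongSwan's gmp plugin and not part of the bug report: a peer-supplied RSA public key goes straight into modular exponentiation in the unchecked verifier, while the hardened verifier sanity-checks (n, e) first. The toy key, the integer message representatives, the zero modulus used as the crashing input and the exact set of validation checks are all constructed for this example; the bug report only says the keys are "not validated sufficiently", and the checks shown are the generic ones a verifier should make, not necessarily the ones strongSwan 5.5.3 added.

```python
# Toy RSA key pair, constructed for this example only (tiny primes, no padding).
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753


class InvalidKey(ValueError):
    """Raised when an RSA public key fails sanity checks."""


def toy_sign(m: int, d: int = D, n: int = N) -> int:
    # m is the message representative; real signing hashes and pads the
    # message first (EMSA-PKCS1-v1_5), which this example omits.
    return pow(m % n, d, n)


def validate_rsa_public_key(n: int, e: int, min_bits: int = 12) -> None:
    # Generic sanity checks (assumption: not strongSwan's exact list).
    if n <= 0:
        raise InvalidKey("modulus must be positive")
    if n % 2 == 0:
        raise InvalidKey("modulus must be odd (product of odd primes)")
    if n.bit_length() < min_bits:
        raise InvalidKey(f"modulus shorter than {min_bits} bits")
    if e <= 1 or e % 2 == 0:
        raise InvalidKey("public exponent must be odd and > 1")
    if e >= n:
        raise InvalidKey("public exponent must be smaller than the modulus")


def verify_unchecked(n: int, e: int, sig: int, m: int) -> bool:
    # Vulnerable shape: (n, e) come from the peer's certificate and are used
    # as-is. With n == 0, Python raises ValueError here; a bignum library that
    # traps on division by zero crashes the process instead, which is the
    # denial of service the report describes.
    recovered = pow(sig, e, n)
    return recovered == m % n


def verify_checked(n: int, e: int, sig: int, m: int) -> bool:
    # Hardened shape: validate the key, bound the signature representative to
    # [0, n-1] as RSAVP1 requires, and only then exponentiate.
    validate_rsa_public_key(n, e)
    if not 0 <= sig < n:
        return False
    return verify_unchecked(n, e, sig, m)


def attempt(verify, n: int, e: int, sig: int, m: int) -> str:
    """Run a verifier and classify the outcome so the two shapes can be compared."""
    try:
        return "valid" if verify(n, e, sig, m) else "invalid"
    except InvalidKey:
        return "rejected"
    except (ArithmeticError, ValueError) as exc:
        return "crash:" + type(exc).__name__


if __name__ == "__main__":
    sig = toy_sign(42)
    print(attempt(verify_checked, N, E, sig, 42))     # valid
    print(attempt(verify_checked, N, E, sig, 43))     # invalid
    print(attempt(verify_unchecked, 0, E, sig, 42))   # crash:ValueError
    print(attempt(verify_checked, 0, E, sig, 42))     # rejected
    print(attempt(verify_checked, N, 0, sig, 42))     # rejected
```

The point of `attempt` is that the unchecked verifier turns a malformed key into an exception in the verifying thread, which in a daemon means a crash, whereas the checked verifier turns the same input into an ordinary authentication failure that the peer can be told about and logged.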
5.5.2 has been added to the tree, and 5.5.1 has been removed. Please stabilize, so we can remove the last old version.
Please note that according to https://strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html 5.5.2 is still a vulnerable version; 5.5.3 is actually required.
Indeed - I have changed it to 5.5.3 instead :)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Yes, please stabilize
x86 stable
amd64 stable
ppc stable
arm stable, all arches done.
GLSA Vote: No. @Maintainer(s): Please clean up and drop =net-vpn/strongswan-5.3.4!
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bea4795e774fd839e1d0b27784c34cbf00f7631