CVE-2021-45079: In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. Please stabilize 5.9.5.
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7387260e58f7f39705fa2c03024201eee834e8e9 commit 7387260e58f7f39705fa2c03024201eee834e8e9 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-01-06 17:43:24 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-01-06 17:43:34 +0000 net-vpn/strongswan: drop 5.9.6-r1, 5.9.7 Bug: https://bugs.gentoo.org/818841 Bug: https://bugs.gentoo.org/832460 Bug: https://bugs.gentoo.org/878887 Signed-off-by: John Helmert III <ajak@gentoo.org> net-vpn/strongswan/Manifest | 2 - .../files/strongswan-5.9.6-werror-security.patch | 20 -- net-vpn/strongswan/strongswan-5.9.6-r1.ebuild | 322 --------------------- net-vpn/strongswan/strongswan-5.9.7.ebuild | 318 -------------------- 4 files changed, 662 deletions(-)