Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 897916 (CVE-2023-23009) - <net-vpn/libreswan-4.10: denial of service
Summary: <net-vpn/libreswan-4.10: denial of service
Alias: CVE-2023-23009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: CVE-2023-30570 908647
  Show dependency tree
Reported: 2023-02-26 17:34 UTC by John Helmert III
Modified: 2023-07-13 03:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:34:18 UTC

Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.

Looks like this unreleased patch is the fix?
Comment 1 Larry the Git Cow gentoo-dev 2023-03-05 08:42:03 UTC
The bug has been referenced in the following commit(s):

commit d334e6df98206ec75361deadca1e72542711fc3a
Author:     Hans de Graaff <>
AuthorDate: 2023-03-05 07:58:04 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-03-05 08:41:58 +0000

    net-vpn/libreswan: add 4.10
    Signed-off-by: Hans de Graaff <>

 net-vpn/libreswan/Manifest              |   1 +
 net-vpn/libreswan/libreswan-4.10.ebuild | 126 ++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 04:32:54 UTC
graaff, does 4.10 fix this vulnerability?
Comment 3 Hans de Graaff gentoo-dev Security 2023-05-06 06:15:54 UTC
v4.10 (February 28, 2023)
* IKEv1: only clean up a connection when it isn't deleted [Andrew]
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-08 04:40:02 UTC
Indeed then :)

Please stabilize 4.10 when ready.
Comment 5 Hans de Graaff gentoo-dev Security 2023-07-09 19:16:45 UTC
libreswan 4.11 is marked stable due to another security issue.