The Libreswan Project has released libreswan-4.12 This is a security release that addresses three minor CVEs and a bugfix: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart All three CVEs require the peer has fully authenticated before the malicious misformed payload can be send. Therefor, these CVEs mostly affect remote access VPN services. For details and patches see: https://libreswan.org/security/CVE-2023-38710/ https://libreswan.org/security/CVE-2023-38711/ https://libreswan.org/security/CVE-2023-38712/
commit 66adb119e97f4b2edb698e80cf5748ed2e99dec9 Author: Hans de Graaff <graaff@gentoo.org> Date: Fri Aug 11 08:58:26 2023 +0200 net-vpn/libreswan: add 4.12
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88e5a0367b8d1e16d517e9e27b9e2af435720ef1 commit 88e5a0367b8d1e16d517e9e27b9e2af435720ef1 Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2023-09-18 05:38:17 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-09-18 05:38:44 +0000 net-vpn/libreswan: drop 4.11 Bug: https://bugs.gentoo.org/912176 Signed-off-by: Hans de Graaff <graaff@gentoo.org> net-vpn/libreswan/Manifest | 1 - net-vpn/libreswan/libreswan-4.11.ebuild | 131 -------------------------------- 2 files changed, 132 deletions(-)
