Source: libreswan Version: 3.27-4 Severity: grave Tags: patch security upstream fixed-upstream Justification: user security hole Forwarded: https://github.com/libreswan/libreswan/issues/246 Control: fixed -1 3.28-1
Hi, The following vulnerability was published for libreswan. CVE-2019-12312[0]: | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE | daemon restart. An attacker can trigger a NULL pointer dereference by | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode | to a Libreswan server. This affects send_v2N_spi_response_from_state | in programs/pluto/ikev2_send.c when built with Network Security | Services (NSS). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-12312 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12312 [1] https://github.com/libreswan/libreswan/issues/246 [2] https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8 Regards, Salvatore