Hi Daniel,

On Thu, Jun 01, 2023 at 05:19:06PM -0400, Daniel Kahn Gillmor wrote:
> Control: found 1035542 4.3-1+deb11u3
> Control: tags 1035542 + patch
> 
> Thanks for the documentation of CVE-2023-30570 on
> https://bugs.debian.org/1035542, Salvatore.
> 
> fwiw, i don't think this is particularly serious -- the vulnerability
> only appears to be dangerous if the libreswan endpoint is configured to
> allow IKEv1 in aggressive mode.

Thanks for having a closer look and for your assessment. Then I
believe we can have a fix scheduled via respective point releases, I
do not see an urgency for it requiring a DSA. Initially I was not
completely sure about it.

> Since 4.5-2, libreswan's ikev1-policy has defaulted to "drop", and we've
> heard no complaints from users that this has been an impediment, so i
> have my doubts about how many people have such a configuration.
> 
> That said, in bullseye, it is still a plausible choice.
> 
> I'm attaching the patch here for bullseye (against v4.3), which i can
> upload to bullseye-security whenever you think is appropriate.

Let's fix it via the next bullseye point release (and as well first
bookworm point release).
> 
> For v4.10 (which is in bookworm, about to be stable) i think the best
> move is to just ship v4.11 directly.  I'm also attaching here the diff
> between upstream's v4.10 and v4.11 -- it is a narrowly-targeted bugfix
> release.  i think it makes more sense to just ship v4.11 as a security
> update to bookworm (since i missed the freeze cutoff, apologies) rather
> than to try to ship v4.10 plus basically the same patch.

Note we are now almost late for bookworm. The last date for asking for
unblocks was last weekend, and this weekend we are entering the quiet
phase where no changes will happen (unless urgencies arise).

So that's unfortunate, but we missed the window. Unless you can
convince the release team to still accept a fix (from the security
team's point of view, while welcome, I could understand that you will
now get a NACK).

As usual, thanks for your work on libreswan maintenance in Debian!

Regards,
Salvatore
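
The assessment above hinges on two settings: whether IKEv1 is accepted at all (ikev1-policy in the config setup section, which per the thread defaults to "drop" in Debian's libreswan since 4.5-2) and whether any conn enables IKEv1 aggressive mode. The following POSIX shell audit is an added example, not code from this bug report or from libreswan, that checks an ipsec.conf-style file for that combination. The option names (ikev1-policy, aggrmode/aggressive, ikev2) are assumed to follow libreswan's ipsec.conf(5); a missing ikev1-policy is treated as "accept", which is a conservative assumption for builds older than 4.5-2. The two sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or from libreswan.
# Flags the configuration the thread describes as the dangerous one for
# CVE-2023-30570: IKEv1 not dropped globally plus a conn using aggressive mode.

# normalise_conf FILE: strip comments and whitespace, drop blank lines, so
# "key = value" and "key=value" compare equal
normalise_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# ikev1_policy FILE: print the effective ikev1-policy value.
# Assumption: a missing setting is reported as "accept" (conservative for
# builds older than Debian's 4.5-2, where the default became "drop").
ikev1_policy() {
    p=$(normalise_conf "$1" | sed -n 's/^ikev1-policy=//p' | head -n 1)
    printf '%s\n' "${p:-accept}"
}

# aggressive_conns FILE: print the names of conns with aggressive mode on.
# Both spellings of the option (aggrmode, aggressive) are accepted here;
# that both exist is an assumption taken from ipsec.conf(5).
aggressive_conns() {
    normalise_conf "$1" | awk -F= '
        NF == 1 && /^conn/ { name = substr($0, 5) }
        ($1 == "aggrmode" || $1 == "aggressive") && $2 == "yes" && name != "" { print name }
    '
}

# audit_ikev1 FILE: exit 0 if the dangerous combination is absent, 1 if present
audit_ikev1() {
    policy=$(ikev1_policy "$1")
    aggr=$(aggressive_conns "$1")
    if [ "$policy" = "accept" ] && [ -n "$aggr" ]; then
        echo "EXPOSED: ikev1-policy=$policy with aggressive-mode conns: $aggr"
        return 1
    fi
    echo "OK: ikev1-policy=$policy, aggressive-mode conns: ${aggr:-none}"
    return 0
}

# Constructed sample files (not real deployments): a bullseye-style config
# that still accepts IKEv1, and the same conn under the hardened default.
WEAK=$(mktemp)
HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
config setup
    ikev1-policy = accept
conn legacy-roadwarrior
    ikev2=no
    aggrmode=yes
    authby=secret
conn modern
    ikev2=insist
EOF
cat > "$HARDENED" <<'EOF'
config setup
    ikev1-policy=drop   # Debian default since 4.5-2
conn legacy-roadwarrior
    ikev2=no
    aggrmode=yes
EOF

for f in "$WEAK" "$HARDENED"; do
    audit_ikev1 "$f" || echo "  -> this file needs attention (exit status 1)"
done
```

Run it against /etc/ipsec.conf and each file in /etc/ipsec.d/*.conf on a bullseye host; a non-zero exit on any of them is the configuration Daniel describes as the one where the bug is actually dangerous, and setting ikev1-policy=drop (the 4.5-2 default) in config setup closes it regardless of the per-conn settings.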
