Source: libreswan Version: 5.2-2.4 Severity: grave Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for libreswan. CVE-2026-12413[0]: | An invalidly formatted IKEv2 fragment causes the Libreswan pluto | daemon to crash and restart. Continued exploitation would cause a | denial of service. The function reassemble_v2_incoming_fragments() | would ignore unknown outer payloads but still store these in a fixed | size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the | assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) | causes the daemon to abort. No remote code execution is possible. | Any configuration that allows IKEv2 connections that do not set | fragmentation=no are vulnerable. IKEv1 is not affected. CVE-2026-50721[1]: | Libreswan, via the function | RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify | the length of the authentication hash when the SIG payload of an | IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC | 2313. A remote attacker can use a variation on the Bleichenbacher | attack to forge the SIG payload when small public exponents are | being used (e.g., e=3), which could lead to impersonation. | Additionally, a remote attacker, by encoding a shorter than expected | hash in the SIG payload, could trigger an assertion leading to | denial-of-service. The daemon aborts and restarts; continued | exploitation causes sustained denial of service. Remote code | execution is not possible. X.509 certificate verifications of remote | IKE peers are not affected. CVE-2026-50722[2]: | Libreswan, via the function | RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly | verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH | payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote | attacker can use a variation on the Bleichenbacher attack to forge | the AUTH payload when small public exponents are used (e.g., e=3), | leading to impersonation. Additionally, a remote attacker, by | encoding a shorter than expected hash in the AUTH payload, could | trigger an assertion leading to denial-of-service. The daemon aborts | and restarts; continued exploitation causes sustained denial of | service. Remote code execution is not possible. X.509 certificate | verifications of the remote IKE peer are not affected. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-12413 https://www.cve.org/CVERecord?id=CVE-2026-12413 https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt [1] https://security-tracker.debian.org/tracker/CVE-2026-50721 https://www.cve.org/CVERecord?id=CVE-2026-50721 https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt [2] https://security-tracker.debian.org/tracker/CVE-2026-50722 https://www.cve.org/CVERecord?id=CVE-2026-50722 https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt Please adjust the affected versions in the BTS as needed. Regards, Salvatore

