Your message dated Sun, 26 Oct 2008 10:06:37 +1100
with message-id <[EMAIL PROTECTED]>
and subject line unblock request strongswan/4.2.4-5 (was: Bug#502676
CVE-2008-4551: DoS)
has caused the Debian Bug report #502676,
regarding CVE-2008-4551: DoS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
502676: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502676
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: strongswan
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for strongswan.
CVE-2008-4551[0]:
| strongSwan 4.2.6 and earlier allows remote attackers to cause a denial
| of service (daemon crash) via an IKE_SA_INIT message with a large
| number of NULL values in a Key Exchange payload, which triggers a NULL
| pointer dereference for the return value of the mpz_export function in
| the GNU Multiprecision Library (GMP).
See also this report[1] and the upstream patch[2].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4551
http://security-tracker.debian.net/tracker/CVE-2008-4551
[1] http://labs.mudynamics.com/advisories/MU-200809-01.txt
[2] http://wiki.strongswan.org/changeset/4345
--- End Message ---
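The CVE text above describes a parser that trusts the Key Exchange data as-is: an IKE_SA_INIT whose KE payload is all zero bytes imports as the big number 0, and the daemon then dereferences what mpz_export hands back for that value. The following is an added example, not strongSwan's code and not the upstream changeset, showing where a practitioner would put the check instead: parse the IKEv2 KE payload (RFC 4306 section 3.4 layout), require the data to be exactly the group's prime length, and reject 0, 1 and p-1 before any big-number export happens. The function names, the single tabled DH group (group 2, the 1024-bit MODP prime from RFC 2409) and the sample payloads are all constructed for this illustration.

```python
"""
Added example, not strongSwan's code and not the upstream changeset: parse an
IKEv2 Key Exchange (KE) payload and range-check the Diffie-Hellman public
value before handing it to a big-number library, so that all-zero key
exchange data (the CVE-2008-4551 trigger shape) is rejected at the parser.
"""
import struct

# 1024-bit MODP prime (IKE DH group 2, RFC 2409 section 6.2). Only this group
# is tabled here to keep the example short; a real parser carries every
# group it negotiates.
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
KNOWN_GROUPS = {2: MODP_1024_P}

# Generic payload header (next payload, critical flag byte, length) followed by
# the KE-specific DH group number and a reserved field: 8 bytes in total.
KE_HEADER = struct.Struct("!BBHHH")


def parse_ke_payload(buf: bytes):
    """Split a KE payload into (next_payload, critical, group, data) or raise ValueError."""
    if len(buf) < KE_HEADER.size:
        raise ValueError("KE payload shorter than its 8-byte header")
    next_payload, flags, length, group, _reserved = KE_HEADER.unpack_from(buf)
    if length < KE_HEADER.size or length > len(buf):
        raise ValueError("KE length field %d inconsistent with %d bytes" % (length, len(buf)))
    return next_payload, bool(flags & 0x80), group, buf[KE_HEADER.size:length]


def validate_dh_public(group: int, data: bytes) -> int:
    """Return the peer's public value y as an int, or raise ValueError.

    Standard finite-field DH checks: the data must be exactly the prime
    length of the group, and 1 < y < p-1. A zero-filled KE payload imports
    as y == 0, the value for which the CVE text says GMP's mpz_export hands
    back a null pointer; rejecting it here means it never reaches that code.
    """
    p = KNOWN_GROUPS.get(group)
    if p is None:
        raise ValueError("unsupported DH group %d" % group)
    plen = (p.bit_length() + 7) // 8
    if len(data) != plen:
        raise ValueError("KE data is %d bytes, group %d needs %d" % (len(data), group, plen))
    y = int.from_bytes(data, "big")
    if y <= 1 or y >= p - 1:
        raise ValueError("DH public value out of range (0, 1 and p-1 are rejected)")
    return y


def check_ke_payload(buf: bytes):
    """Return (True, y) for an acceptable payload, else (False, reason)."""
    try:
        _, _, group, data = parse_ke_payload(buf)
        return True, validate_dh_public(group, data)
    except ValueError as exc:
        return False, str(exc)


def build_ke_payload(group: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode a KE payload; used only to construct the sample inputs below."""
    return KE_HEADER.pack(next_payload, 0, KE_HEADER.size + len(data), group, 0) + data


# Constructed sample inputs (not captured traffic).
ZERO_KE = build_ke_payload(2, b"\x00" * 128)            # the CVE trigger shape: y == 0
ONE_KE = build_ke_payload(2, b"\x00" * 127 + b"\x01")  # y == 1, also useless and rejected
GOOD_KE = build_ke_payload(2, pow(2, 0x1234, MODP_1024_P).to_bytes(128, "big"))

if __name__ == "__main__":
    for name, pkt in (("zero", ZERO_KE), ("one", ONE_KE), ("good", GOOD_KE)):
        ok, info = check_ke_payload(pkt)
        print(name, "accepted" if ok else "rejected: " + info)
```

The length check matters as much as the range check: a peer that sends fewer bytes than the group's prime length is either misconfigured or probing, and accepting it would let a truncated value reach the exponentiation. Doing both checks on the raw bytes, before any library call, keeps the failure a clean protocol error instead of a daemon crash.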
--- Begin Message ---
Version: 4.2.4-5
Package: strongswan
This RC bug was fixed by an earlier upload which includes the upstream CVE
patch.
On Saturday 25 October 2008 22:15:18 Philipp Kern wrote:
> You owe me at least one RC bug fix now.
Philipp || release-team, request you unblock strongswan/4.2.4-5 for inclusion
in lenny. Searching through debian-release, I couldn't find an unblock request
for this version of strongswan.
Thanks,
Mark
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
* Patch backported from 4.2.7 to fix a potential DoS issue.
Thanks to Thomas Kallenberg for the patch.
-- Rene Mayrhofer <[EMAIL PROTECTED]> Mon, 29 Sep 2008 10:35:30 +0200
--- End Message ---