[OpenWrt-Devel] strongswan CVE-2015-3991 CVE-2015-4171

2015-06-08 Thread Noel Kuntze

Hello list,

In the last few days, two critical vulnerabilities were discovered in strongSwan.
Those are CVE-2015-4171[1] and CVE-2015-3991[2].
It is necessary to rebuild all packages from version 4.3.0 to 5.3.2 with
the necessary patches, as those versions are affected. The first issue
is the more critical one, as it allows an attacker to gain
user credentials by using DNS spoofing if one side only uses XAUTH or EAP-GTC
to authenticate itself.


[1] https://strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html
[2] https://strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching

2014-07-06 Thread Noel Kuntze

Hello Mirko,

So fixes or new versions with fixes will only be backported if there is a
complete rebuild scheduled for the release?

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.07.2014 14:39, Mirko Parthey wrote:
> On Sunday, 06.07.14, 00:00 +0200, Noel Kuntze wrote:
>> I am once again inquiring about this vulnerability.
>> The strongSwan version in the repository for the 12.09 version of OpenWRT is
>> still not patched
>> and Mr. Fietkau does not respond to any emails. I wrote him one on
>> 2014-06-08 and one on 2014-07-02.
>>
>> Please update the packages.
>> Lots of people are running vulnerable StrongSwan versions on publicly
>> reachable OpenWRT routers.
>
> Felix Fietkau updated the strongSwan package in the 12.09 SVN branch
> (r40518, 2014-04-15) shortly after updating it in trunk.
> However, it appears that the release branch is not rebuilt automatically,
> so the binary packages are outdated.
> For OpenSSL, packages have been rebuilt manually, but that seems to be
> the exception.
>
> There has been mention on this mailing list of a Barrier Breaker release
> being worked on, but I have no information if there will be another
> release of Attitude Adjustment, which would then also come with updated
> packages from the 12.09 branch.
>
> Regards,
> Mirko



Re: [OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching

2014-07-05 Thread Noel Kuntze

Hello,

I am once again inquiring about this vulnerability.
The strongSwan version in the repository for the 12.09 version of OpenWRT is
still not patched
and Mr. Fietkau does not respond to any emails. I wrote him one on 2014-06-08
and one on 2014-07-02.

Please update the packages.
Lots of people are running vulnerable StrongSwan versions on publicly reachable 
OpenWRT routers.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 15.04.2014 19:27, Felix Fietkau wrote:
> On 2014-04-15 00:33, Noel Kuntze wrote:
>> Hello list,
>>
>> An authentication bypass vulnerability has been revealed by the strongSwan
>> team. All versions of strongSwan since 4.0.7 are affected.
>> All affected packages need to be patched.
>> The patches for the different versions can be gotten from
>> http://download.strongswan.org/security/CVE-2014-2338/
> Strongswan has been updated to 5.1.3 in r40516.
> I will also backport this version to the 12.09 branch.
>
> - Felix



[OpenWrt-Devel] (CVE-2014-2338) authentication bypass vulnerability in strongSwan needs patching

2014-04-14 Thread Noel Kuntze

Hello list,

An authentication bypass vulnerability has been revealed by the strongSwan 
team. All versions of strongSwan since 4.0.7 are affected.
All affected packages need to be patched.
The patches for the different versions can be gotten from
http://download.strongswan.org/security/CVE-2014-2338/

Regards
Noel Kuntze

-- 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658