Package: libreswan
Version: 3.27-5
Severity: critical
Control: found -1 3.28-1
Control: forwarded -1 https://libreswan.org/security/CVE-2019-10155/

See the attached message from libreswan upstream about this CVE. I'll fix it in unstable shortly.

--dkg
--- Begin Message ---

The Libreswan Project has released libreswan-3.29

This is a security release addressing CVE-2019-10155.

CVE-2019-10155: IKEv1 Informational exchange integrity check failure
https://libreswan.org/security/CVE-2019-10155/

The Libreswan Project has found a vulnerability in its processing IKEv1 informational exchange packets. These packets are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value (ICV) was not verified for IKEv1 Informational Exchange packets. The code containing the vulnerability is also present in openswan and older strongswan releases.

The impact of this vulnerability is low, as it cannot be exploited.

Vulnerable versions:
  libreswan < 3.29
  strongswan < 5.0
  openswan - all versions (as of writing: 2.6.51.3)

Not vulnerable:
  libreswan 3.29 and later, strongswan 5.0 and later, freeswan

This release further contains a fix for auto-detecting the XFRM stack on distributions without CONFIG_XFRM_STATISTICS, such as Debian/Ubuntu and a fix for the diagnostic tool "ipsec barf". For a full list of changes, see below changelog for details.

You can download libreswan via https at:
https://download.libreswan.org/libreswan-3.29.tar.gz
https://download.libreswan.org/libreswan-3.29.tar.gz.asc

The full changelog is available at:
https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:
https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release.

See also https://libreswan.org/

v3.29 (June 10, 2019)
* SECURITY: Fixes CVE-2019-10155 https://libreswan.org/security/CVE-2019-10155
* programs: Change to /proc/sys/net/core/xfrm_acq_expires to detect XFRM [Paul]
* barf: Fix shell script parse error and small cleanup [Tuomo/Hugh]
* packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul]
* packaging: rhel6 doesn't need USE_AVA_COPY=true or WERROR_CFLAGS= [Tuomo]
* packaging/rhel6: remove -lrt, not needed any more [Tuomo]
* systemd: change Restart default to on-failure [Tuomo]
* building: Makefiles: Use RT_LDFLAGS for glibc < 2.17 support [Tuomo]
* building: userland-cflags.mk: add RT_LDFLAGS= for older glibc [Tuomo]
--- End Message ---
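
An added illustration (Python, not libreswan's code and not part of the bug report or the upstream announcement) of the receiver-side check the advisory says was skipped for IKEv1 Informational Exchange packets. It assumes the check is the RFC 2409 section 5.7 HASH(1) = prf(SKEYID_a, M-ID | N/D) with HMAC-SHA1 as the negotiated prf; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct


def informational_hash(skeyid_a, message_id, payload, digest="sha1"):
    """HASH(1) = prf(SKEYID_a, M-ID | N/D), RFC 2409 section 5.7."""
    m_id = struct.pack("!I", message_id)  # 4-byte Message ID from the ISAKMP header
    return hmac.new(skeyid_a, m_id + payload, digest).digest()


def accept_informational(skeyid_a, message_id, received_hash, payload, digest="sha1"):
    """Return the Notify/Delete payload only if the received HASH(1) verifies."""
    expected = informational_hash(skeyid_a, message_id, payload, digest)
    # compare_digest runs in constant time and returns False on a length
    # mismatch, so a truncated or empty hash is rejected as well.
    if not hmac.compare_digest(expected, received_hash):
        return None  # drop: never act on an unauthenticated Notify/Delete
    return payload


# Constructed sample values (assumptions, not taken from a real exchange).
SKEYID_A = hashlib.sha1(b"constructed SKEYID_a").digest()
MSG_ID = 0x1A2B3C4D
DELETE_PAYLOAD = b"constructed delete payload bytes"
GOOD_HASH = informational_hash(SKEYID_A, MSG_ID, DELETE_PAYLOAD)


def demo():
    """Run the check over a genuine packet and three malformed variants."""
    return {
        "genuine": accept_informational(SKEYID_A, MSG_ID, GOOD_HASH, DELETE_PAYLOAD),
        "modified_payload": accept_informational(
            SKEYID_A, MSG_ID, GOOD_HASH, DELETE_PAYLOAD + b"x"),
        "wrong_message_id": accept_informational(
            SKEYID_A, MSG_ID + 1, GOOD_HASH, DELETE_PAYLOAD),
        "empty_hash": accept_informational(SKEYID_A, MSG_ID, b"", DELETE_PAYLOAD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "accepted" if result is not None else "dropped")
```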