http://libreswan.org/security/openswan/CVE-2013-6466/

The Libreswan Project offers a backport of CVE-2013-6467 for openswan
users that addresses openswan's CVE-2013-6466. Information about this
vulnerability was disclosed to openswan/xelerance on January 6, 2014. The
libreswan patch was given to them on January 10. On January 16, this
vulnerability became public knowledge with the libreswan-3.8 release.

On February 14, openswan-2.6.40 was released, but unfortunately it
DOES NOT fix CVE-2013-6466. A new CVE has been requested for the
openswan-2.6.40 crasher, see:

http://www.openwall.com/lists/oss-security/2014/02/18/1

The patches listed here are based on the work done for RHEL versions of
openswan that DOES address CVE-2013-6466 properly. These patches are
suitable for RHEL 5 and 6 as well as CentOS 5 and 6.

For more information, see:
https://rhn.redhat.com/errata/RHSA-2014-0185.html

This will be the last security patch for openswan made by The Libreswan
Project. We strongly recommend that people using openswan switch to
libreswan immediately.

