Yesterday and today saw three important security announcements. Two for bash and one for NSS.
------------------------------------------------------------------------- libreswan IS vulnerable to NSS CVE-2014-1568 RSA Signature Forgery (MSF 2014-73). Please upgrade NSS to one of 3.17.1, 3.16.1 or 3.16.5. This only affects libreswan when using X.509 certificates. Raw RSA keys using leftrsasigkey/rightrsasigkey are not affected. Connections using auth=secret (PSK) are also not affected. See https://www.mozilla.org/security/announce/2014/mfsa2014-73.html ------------------------------------------------------------------------- libreswan is NOT vulnerable to bash CVE-2014-6271 or CVE-2014-7169 libreswan sanitizes strings that may come from the network, such as XAUTH username, domain and DNS servers by passing it through filter functions remove_metachar() and cisco_stringify() before assigning it to environment variables that are passed to the updown scripts that invoke bash. Therefor, any quote symbol (') has been removed before bash is invoked. _______________________________________________ Swan-announce mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-announce _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
