OK, I understand. We are talking about 20+ servers that would need a full reinstallation, by the way... done by myself...

It seems I have been able to compile Openswan 2.6.45 on the CentOS 5 (test) server though, although with some nasty Makefile modifications. I'd really prefer Libreswan, as it works really well on one of our CentOS 6 servers already (well, too early to say really, but so far so good).

Also, if someone would consider modifying the patch from 3.14 to 3.13, I'd be willing to send a small donation for that :)

Tomas

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Friday, September 25, 2015 4:18 AM
To: Tomas France
Cc: [email protected]
Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

On Fri, 25 Sep 2015, Tomas France wrote:

> I am afraid modifying the patch is beyond my skills. Is there a way
> to limit the possible impact of the CVE-2015-3240 security issue
> by different means, for the pre-3.15 versions, and without using the patch?
>
> Unfortunately, some of our servers are stuck with CentOS 5 and they
> cannot be upgraded at this time.

Well, the impact is that someone can run a denial of service against you. The pluto IKE daemon will hit a passert() in the code and restart. There is no compromise of either data or the system. So, you'll notice when this happens.

If it happens from a botnet, you'll be in trouble because you won't be able to firewall all the IP addresses to prevent the crashes. At which point you'll be forced to put in a centos6 or centos7 server :P

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
