Debian: DSA-2903-1: strongswan security update
Debian: DSA-2903-1: strongswan security update
An authentication bypass vulnerability was found in charon, the daemon handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine handling the security association (IKE_SA) handled some state transitions incorrectly.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2903-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Yves-Alexis Perez April 14, 2014 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : strongswan CVE ID : CVE-2014-2338 An authentication bypass vulnerability was found in charon, the daemon handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine handling the security association (IKE_SA) handled some state transitions incorrectly. An attacker can trigger the vulnerability by rekeying an unestablished IKE_SA during the initiation itself. This will trick the IKE_SA state to 'established' without the need to provide any valid credential. Vulnerable setups include those actively initiating IKEv2 IKE_SA (like â€clients†or “roadwarriorsâ€) but also during re-authentication (which can be initiated by the responder). Installations using IKEv1 (pluto daemon in strongSwan 4 and earlier, and IKEv1 code in charon 5.x) is not affected. For the oldstable distribution (squeeze), this problem has been fixed in version 4.4.1-5.5. For the stable distribution (wheezy), this problem has been fixed in version 4.5.2-1.5+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 5.1.2-4. We recommend that you upgrade your strongswan packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.