Package name
openswan
Date
2013-09-12
Advisory ID
MDVSA-2013:231
Affected versions
MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been discovered and corrected in openswan:

The IPSEC livetest tool in Openswan 2.4.12 and earlier, and
2.6.x through 2.6.16, allows local users to overwrite arbitrary
files and execute arbitrary code via a symlink attack on the (1)
ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE:
in many distributions and the upstream version, this tool has been
disabled (CVE-2008-4190).

The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21
and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before
2.8.9, allows remote attackers to cause a denial of service (daemon
crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK
Dead Peer Detection (DPD) IPsec IKE Notification message that triggers
a NULL pointer dereference related to inconsistent ISAKMP state and
the lack of a phase2 state association in DPD (CVE-2009-0790).

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c,
libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10,
4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before
2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial
of service (pluto IKE daemon crash) via an X.509 certificate with (1)
crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME
string, or (3) a crafted GENERALIZEDTIME string (CVE-2009-2185).

Use-after-free vulnerability in the cryptographic helper handler
functionality in Openswan 2.3.0 through 2.6.36 allows remote
authenticated users to cause a denial of service (pluto IKE daemon
crash) via vectors related to the (1) quick_outI1_continue and (2)
quick_outI1 functions (CVE-2011-4073).

Buffer overflow in the atodn function in Openswan before 2.6.39,
when Opportunistic Encryption is enabled and an RSA key is being
used, allows remote attackers to cause a denial of service (pluto IKE
daemon crash) and possibly execute arbitrary code via crafted DNS TXT
records. NOTE: this might be the same vulnerability as CVE-2013-2052
and CVE-2013-2054 (CVE-2013-2053).

The updated packages have been patched to correct these issues.

Updated packages

MES5 i586

 2596b7d865d78472fe5b88657f79731e  mes5/i586/openswan-2.6.16-1.1mdvmes5.2.i586.rpm
 631e3fb722ca66a7abf7931632977459  mes5/i586/openswan-doc-2.6.16-1.1mdvmes5.2.i586.rpm 
 77873db1e0ff1bad0873896bb98bbaea  mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm

MES5 x86_64

 9f41766ae39be4d95ad267ac4c9f76dd  mes5/x86_64/openswan-2.6.16-1.1mdvmes5.2.x86_64.rpm
 788a2afca1e8cc38ca7eb9e1c146c573  mes5/x86_64/openswan-doc-2.6.16-1.1mdvmes5.2.x86_64.rpm 
 77873db1e0ff1bad0873896bb98bbaea  mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm

References