[Openswan dev] Re: openswan potential DoS in sarge

Martin Schulze joey at infodrom.org
Wed Apr 26 12:16:47 CEST 2006


Paul Wouters wrote:
> > seem to suggest this. So it seems to be secure in the sense that only
> > authorized users can crash it. However, this is typically also seen as a DoS
> > (comparable to local privilege escalation bugs).
> 
> Yes. This one, and the ones from the IPsec Proto testsuite (that caused us to
> release openswan 2.4.3 and 2.4.4) can only crash pluto in phase2, so some form
> of authentication has already taken place.
> 
> > > Do I understand it correctly, that the crash can't be reproduced with road-
> > > warriors from stable?
> > Correct. pluto from testing/unstable triggers it reproducibly, but pluto from
> > stable does not.
> 
> What version of openswan is in Debian stable?

Debian stable was released last summer, so the version of openswan in this
distribution is 2.2.0 still.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.

