[Openswan dev] [Announce] openswan 2.4.15 released that fixes CVE-2009-2185

Paul Wouters paul at xelerance.com
Thu Jun 25 12:48:54 EDT 2009


On Thu, 25 Jun 2009, D. Hugh Redelmeier wrote:

> | From: Paul Wouters <paul at xelerance.com>
> |
> | We have just released openswan 2.4.15. This is a security release that
> | addresses CVE-2009-2185.
> |
> | http://www.vupen.com/english/advisories/2009/1639
>
> That advisory only covers StrongSWAN.  Should Openswan be added?  Or a
> new CVE created?

That is due to Andreas Steffen's 0day release of information. I don't think
he wanted to do a CVE at all. When I posted to vendor-sec with the details
that openswan was also vulnerable and we were releasing updates, the CVE people
scrambled to get a CVE, but only based it on the original advisory. I have
since submitted all the information to them to update the advisory.

Paul

