[Openswan dev] libreswan CVE-2013-205[234] backport patches available for openswan/strongswan (fwd)
D. Hugh Redelmeier
hugh at mimosa.com
Tue May 14 18:32:37 UTC 2013
FYI
---------- Forwarded message ----------
From: Paul Wouters <pwouters at redhat.com>
To: swan at lists.libreswan.org
Date: Tue, 14 May 2013 13:24:22 -0400 (EDT)
Subject: [Swan] libreswan CVE-2013-205[234] backport patches available for
openswan/strongswan
Yesterday was the public disclosure of the serious atodn() buffer overflow
bug in libreswan, openswan and some (older) strongswan versions. The
different swan flavours have different CVE numbers:
CVE-2013-2052: libreswan
CVE-2013-2053: openswan
CVE-2013-2054: strongswan
For a description of the issue see:
https://download.libreswan.org/security/CVE-2013-2052/CVE-2013-2052.txt
Current versions of libreswan and strongswan are not vulnerable. Current
version (as of today) of openswan is still vulnerable.
We have backported the libreswan patches to the RHEL version of openswan
that is based on openswan 2.6.32. These patches, which were given to
openswan a week ago, are now available at:
https://download.libreswan.org/security/CVE-2013-2053/
Andreas Steffen has provided patches for the older versions of
strongswan. As I do not see those listed on the strongswan website,
we've made these available at:
https://download.libreswan.org/security/CVE-2013-2054/
I hope that with this information, everyone can successfully upgrade
their IPsec servers, regardless of the *swan version they are using.
Regards,
Paul