[Openswan Users] Fw: [Swan] libreswan CVE-2013-205[234] backport patches available for openswan/strongswan

Tuomo Soini tis at foobar.fi
Tue May 14 18:21:46 UTC 2013


Information about latest *swan security issues follows:

Begin forwarded message:

Date: Tue, 14 May 2013 13:24:22 -0400 (EDT)
From: Paul Wouters <pwouters at redhat.com>
To: swan at lists.libreswan.org
Subject: [Swan] libreswan CVE-2013-205[234] backport patches available
for openswan/strongswan



Yesterday was the public disclosure of the serious atodn() buffer
overflow bug in libreswan, openswan and some (older) strongswan
versions. The different swan flavours have different CVE numbers:

CVE-2013-2052: libreswan
CVE-2013-2053: openswan
CVE-2013-2054: strongswan

For a description of the issue see:

https://download.libreswan.org/security/CVE-2013-2052/CVE-2013-2052.txt

Current versions of libreswan and strongswan are not vulnerable. Current
version (as of today) of openswan is still vulnerable.

We have backported the libreswan patches to the RHEL version of openswan
that is based on openswan 2.6.32. These patches, which were given to
openswan a week ago, are now available at:

https://download.libreswan.org/security/CVE-2013-2053/

Andreas Steffen has provided patches for the older versions of
strongswan. As I do not see those listed on the strongswan website,
we've made these available at:

https://download.libreswan.org/security/CVE-2013-2054/

I hope that with this information, everyone can successfully upgrade
their IPsec servers, regardless of the *swan version they are using.

Regards,

Paul
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
