[Openswan Users] openswan-2.6.40 still vulnerable to CVE-2013-6466

Tuomo Soini tis at foobar.fi
Wed Feb 19 03:07:10 EST 2014


The Libreswan Project offers a backport of CVE-2013-6467 for openswan
users that addresses openswan's CVE-2013-6466. Information about this
vulnerability was disclosed to openswan/xelerance on January 6 2014. The
libreswan patch was given to them on January 10. On January 16, this
vulnerability became public knowledge with the libreswan-3.8 release.

On February 14, openswan-2.6.40 was released, but unfortunately it
DOES NOT fix CVE-2013-6466. A new CVE has been requested for the
openswan-2.6.40 crasher, see:


The patches listed here are based on the work done for RHEL versions of
openswan that DOES address CVE-2013-6466 properly. These patches are
suitable for RHEL 5 and 6 as well as CentOS 5 and 6.

For more information, see:

This will be the last security patch for openswan made by The Libreswan
Project. We strongly recommend that people using openswan switch to
libreswan immediately

More information about the Users mailing list