Debian Bug report logs - #533837
two denial of service vulnerabilities # sorry mixed up the issues


Package: strongswan; Maintainer for strongswan is strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>; Source for strongswan is src:strongswan.

Reported by: Ruben Puettmann <ruben@puettmann.net>

Date: Sat, 20 Jun 2009 18:45:02 UTC

Severity: serious

Tags: security

Fixed in versions strongswan/4.2.14-1.2, strongswan/4.3.2-1

Done: Rene Mayrhofer <rmayr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#533837; Package strongswan. (Sat, 20 Jun 2009 18:45:04 GMT)

Acknowledgement sent to Ruben Puettmann <ruben@puettmann.net>:
New Bug report received and forwarded. Copy sent to Rene Mayrhofer <rmayr@debian.org>. (Sat, 20 Jun 2009 18:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ruben Puettmann <ruben@puettmann.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: strongSwan Two Denial of Service Vulnerabilities
Date: Sat, 20 Jun 2009 20:43:38 +0200
Package: strongswan
Severity: serious
Tags: security


hi,

out of the NEWS file from the 4.2.16 release:

strongswan-4.2.16
-----------------

- Applying their fuzzing tool, the Orange Labs vulnerability research team
  found another two DoS vulnerabilities, one in the rather old ASN.1 parser
  of Relative Distinguished Names (RDNs) and a second one in the conversion
  of ASN.1 UTCTIME and GENERALIZEDTIME strings to a time_t value.
  Malformed X.509 certificate RDNs or timestamps can cause the pluto IKE
  daemon to crash and restart.


            Ruben

-- 
Ruben Puettmann
ruben@puettmann.net
http://www.puettmann.net
[signature.asc (application/pgp-signature, inline)]
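
The second issue in the NEWS entry above, the conversion of ASN.1 UTCTIME and GENERALIZEDTIME strings to a time_t, is the kind of parser where one unchecked read turns a malformed certificate field into a daemon crash. As an added example (not strongSwan's code and not the patch attached to this report), here is a length-checked converter that rejects truncated, over-long or non-digit timestamps instead of reading past the buffer; `days_from_civil`, `read_digits` and `BAD_TIME` are this example's own helpers, not strongSwan identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

#define BAD_TIME ((time_t)-1)   /* returned for any malformed timestamp */

/* Days from 1970-01-01 to a civil date (proleptic Gregorian, UTC). */
static long days_from_civil(long y, long m, long d)
{
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Read n ASCII digits at *pos; never read past len, never accept non-digits. */
static bool read_digits(const char *s, size_t len, size_t *pos, int n, long *val)
{
    long v = 0;
    if (*pos + (size_t)n > len) return false;       /* field would run off the end */
    for (int i = 0; i < n; i++) {
        char c = s[*pos + i];
        if (c < '0' || c > '9') return false;
        v = v * 10 + (c - '0');
    }
    *pos += (size_t)n;
    *val = v;
    return true;
}

/* ASN.1 UTCTime "YYMMDDhhmm[ss]Z" or GeneralizedTime "YYYYMMDDhhmm[ss]Z" of
 * explicit length len, converted to a UTC time_t; BAD_TIME if malformed. */
time_t asn1_time_to_time_t(const char *s, size_t len, bool generalized)
{
    size_t pos = 0;
    long year = 0, mon = 0, day = 0, hour = 0, min = 0, sec = 0;
    if (!read_digits(s, len, &pos, generalized ? 4 : 2, &year)) return BAD_TIME;
    if (!generalized) year += (year < 50) ? 2000 : 1900;   /* RFC 5280 two-digit year pivot */
    if (!read_digits(s, len, &pos, 2, &mon)  || mon  < 1 || mon  > 12) return BAD_TIME;
    if (!read_digits(s, len, &pos, 2, &day)  || day  < 1 || day  > 31) return BAD_TIME;
    if (!read_digits(s, len, &pos, 2, &hour) || hour > 23) return BAD_TIME;
    if (!read_digits(s, len, &pos, 2, &min)  || min  > 59) return BAD_TIME;
    if (pos + 3 == len &&                                  /* optional "ss" before the 'Z' */
        (!read_digits(s, len, &pos, 2, &sec) || sec > 59)) return BAD_TIME;
    if (pos + 1 != len || s[pos] != 'Z') return BAD_TIME;  /* exactly one 'Z' must remain */
    return (time_t)((long long)days_from_civil(year, mon, day) * 86400
                    + hour * 3600 + min * 60 + sec);
}
```

The caller passes the length taken from the ASN.1 length octets, so a certificate whose time field is shorter than its format requires fails cleanly in `read_digits` rather than being read off the end.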

Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#533837; Package strongswan. (Sun, 21 Jun 2009 16:51:02 GMT)

Acknowledgement sent to Ruben Puettmann <ruben@puettmann.net>:
Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rmayr@debian.org>. (Sun, 21 Jun 2009 16:51:02 GMT)

Message #10 received at 533837@bugs.debian.org:

From: Ruben Puettmann <ruben@puettmann.net>
To: 533837@bugs.debian.org
Subject: Re: strongSwan Two Denial of Service Vulnerabilities
Date: Sun, 21 Jun 2009 18:48:20 +0200
hi,

The attached diff will fix this bug and also bug #525652.


        ruben

-- 
Ruben Puettmann
ruben@puettmann.net
http://www.puettmann.net
[strongswan_4.2.14-1.2.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to `CVE-2009-195{7,8} two denial of service vulnerabilities in IKE_AUTH and IKE_SA_INIT parsing' from `strongSwan Two Denial of Service Vulnerabilities'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 21 Jun 2009 17:24:03 GMT)

Changed Bug title to `two denial of service vulnerabilities # sorry mixed up the issues' from `CVE-2009-195{7,8} two denial of service vulnerabilities in IKE_AUTH and IKE_SA_INIT parsing'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 21 Jun 2009 17:27:05 GMT)

Reply sent to Ruben Puettmann <ruben@puettmann.net>:
You have taken responsibility. (Sun, 21 Jun 2009 17:45:08 GMT)

Notification sent to Ruben Puettmann <ruben@puettmann.net>:
Bug acknowledged by developer. (Sun, 21 Jun 2009 17:45:09 GMT)

Message #19 received at 533837-close@bugs.debian.org:

From: Ruben Puettmann <ruben@puettmann.net>
To: 533837-close@bugs.debian.org
Subject: Bug#533837: fixed in strongswan 4.2.14-1.2
Date: Sun, 21 Jun 2009 17:32:09 +0000
Source: strongswan
Source-Version: 4.2.14-1.2

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:

libstrongswan_4.2.14-1.2_amd64.deb
  to pool/main/s/strongswan/libstrongswan_4.2.14-1.2_amd64.deb
strongswan-ikev1_4.2.14-1.2_amd64.deb
  to pool/main/s/strongswan/strongswan-ikev1_4.2.14-1.2_amd64.deb
strongswan-ikev2_4.2.14-1.2_amd64.deb
  to pool/main/s/strongswan/strongswan-ikev2_4.2.14-1.2_amd64.deb
strongswan-nm_4.2.14-1.2_amd64.deb
  to pool/main/s/strongswan/strongswan-nm_4.2.14-1.2_amd64.deb
strongswan-starter_4.2.14-1.2_amd64.deb
  to pool/main/s/strongswan/strongswan-starter_4.2.14-1.2_amd64.deb
strongswan_4.2.14-1.2.diff.gz
  to pool/main/s/strongswan/strongswan_4.2.14-1.2.diff.gz
strongswan_4.2.14-1.2.dsc
  to pool/main/s/strongswan/strongswan_4.2.14-1.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 533837@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ruben Puettmann <ruben@puettmann.net> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 21 Jun 2009 17:50:02 +0200
Source: strongswan
Binary: strongswan libstrongswan strongswan-starter strongswan-ikev1 strongswan-ikev2 strongswan-nm
Architecture: source amd64
Version: 4.2.14-1.2
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Changed-By: Ruben Puettmann <ruben@puettmann.net>
Description: 
 libstrongswan - strongSwan utility and crypto library
 strongswan - IPsec VPN solution metapackage
 strongswan-ikev1 - strongSwan IKEv1 keying daemon
 strongswan-ikev2 - strongSwan IKEv2 keying daemon
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-starter - strongSwan daemon starter and configuration file parser
Closes: 525652 533837
Changes: 
 strongswan (4.2.14-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix build on i386
     Closes: #525652: FTBFS on i386:
     libstrongswan-padlock.so*': No such file or directory
   * Fix Two Denial of Service Vulnerabilities
     Closes: #533837: strongSwan Two Denial of Service Vulnerabilities

Reply sent to Rene Mayrhofer <rmayr@debian.org>:
You have taken responsibility. (Wed, 24 Jun 2009 09:27:42 GMT)

Notification sent to Ruben Puettmann <ruben@puettmann.net>:
Bug acknowledged by developer. (Wed, 24 Jun 2009 09:27:42 GMT)

Message #24 received at 533837-close@bugs.debian.org:

From: Rene Mayrhofer <rmayr@debian.org>
To: 533837-close@bugs.debian.org
Subject: Bug#533837: fixed in strongswan 4.3.2-1
Date: Wed, 24 Jun 2009 09:20:57 +0000
Source: strongswan
Source-Version: 4.3.2-1

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:

libstrongswan_4.3.2-1_i386.deb
  to pool/main/s/strongswan/libstrongswan_4.3.2-1_i386.deb
strongswan-ikev1_4.3.2-1_i386.deb
  to pool/main/s/strongswan/strongswan-ikev1_4.3.2-1_i386.deb
strongswan-ikev2_4.3.2-1_i386.deb
  to pool/main/s/strongswan/strongswan-ikev2_4.3.2-1_i386.deb
strongswan-nm_4.3.2-1_i386.deb
  to pool/main/s/strongswan/strongswan-nm_4.3.2-1_i386.deb
strongswan-starter_4.3.2-1_i386.deb
  to pool/main/s/strongswan/strongswan-starter_4.3.2-1_i386.deb
strongswan_4.3.2-1.diff.gz
  to pool/main/s/strongswan/strongswan_4.3.2-1.diff.gz
strongswan_4.3.2-1.dsc
  to pool/main/s/strongswan/strongswan_4.3.2-1.dsc
strongswan_4.3.2.orig.tar.gz
  to pool/main/s/strongswan/strongswan_4.3.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 533837@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Mayrhofer <rmayr@debian.org> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 18 Apr 2009 20:28:51 +0200
Source: strongswan
Binary: strongswan libstrongswan strongswan-starter strongswan-ikev1 strongswan-ikev2 strongswan-nm
Architecture: source i386
Version: 4.3.2-1
Distribution: unstable
Urgency: HIGH
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Changed-By: Rene Mayrhofer <rmayr@debian.org>
Description: 
 libstrongswan - strongSwan utility and crypto library
 strongswan - IPsec VPN solution metapackage
 strongswan-ikev1 - strongSwan Internet Key Exchange (v1) daemon
 strongswan-ikev2 - strongSwan Internet Key Exchange (v2) daemon
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-starter - strongSwan daemon starter and configuration file parser
Closes: 525234 525652 526037 526486 526487 526488 528073 528323 528370 529027 529063 529071 529592 529638 529661 529742 530273 531612 533837
Changes: 
 strongswan (4.3.2-1) unstable; urgency=HIGH
 .
   Urgency high because of security issue and FTBFS.
   * New upstream release, fixes security bug.
   * Fix padlock handling for i386 in debian/rules.
     Closes: #525652 (FTBFS on i386)
   * Acknowledge NMUs by security team.
     Closes: #533837, #531612
   * Add "Conflicts: strongswan (< 4.2.12-1)" to libstrongswan,
     strongswan-starter, strongswan-ikev1, and strongswan-ikev2 to force
     update of the strongswan package on installation and avoid conflicts
     caused by package restructuring.
     Closes: #526037: strongswan-ikev2 and strongswan: error when trying to
                      install together
     Closes: #526486: strongswan and libstrongswan: error when trying to
                      install together
     Closes: #526487: strongswan-ikev1 and strongswan: error when trying to
                      install together
     Closes: #526488: strongswan-starter and strongswan: error when trying to
                      install together
   * Debconf templates and debian/control reviewed by the debian-l10n-
     english team as part of the Smith review project. Closes: #528073
   * Debconf translation updates:
     Closes: #525234: [INTL:ja] Update po-debconf template translation (ja.po)
     Closes: #528323: [INTL:sv] po-debconf file for strongswan
     Closes: #528370: [INTL:vi] Vietnamese debconf templates translation update
     Closes: #529027: [INTL:pt] Updated Portuguese translation for debconf messages
     Closes: #529071: [INTL:fr] French debconf templates translation update
     Closes: #529592: nb translation of debconf PO for strongSWAN
     Closes: #529638: [INTL:ru] Russian debconf templates translation
     Closes: #529661: Updated Czech translation of strongswan debconf messages
     Closes: #529742: [INTL:eu] strongswan debconf basque translation
     Closes: #530273: [INTL:fi] Finnish translation of the debconf templates
     Closes: #529063: [INTL:gl] strongswan 4.2.14-2 debconf translation update

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Sep 2009 07:33:17 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:59:41 2014; Machine Name: buxtehude.debian.org
