On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote: > Source: libreswan > Version: 3.27-4 > Severity: grave > Tags: patch security upstream fixed-upstream > Justification: user security hole > Forwarded: https://github.com/libreswan/libreswan/issues/246 > Control: fixed -1 3.28-1 > > The following vulnerability was published for libreswan. > > CVE-2019-12312[0]: > | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE > | daemon restart. An attacker can trigger a NULL pointer dereference by > | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode > | to a Libreswan server. This affects send_v2N_spi_response_from_state > | in programs/pluto/ikev2_send.c when built with Network Security > | Services (NSS).
thanks for this heads-up, Salvatore.
I'm working with upstream libreswan at patching this now, publishing my
work on the debian/master branch in salsa.
out of curiosity, how was this CVE applied for, and how was it
coordinated? When I pointed it out to libreswan upstream on the
freenode IRC #swan, it sounded like they had never heard of it.
thanks for all you do for debian security!
--dkg
signature.asc
Description: PGP signature

