On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> Source: libreswan
> Version: 3.27-4
> Severity: grave
> Tags: patch security upstream fixed-upstream
> Justification: user security hole
> Forwarded: https://github.com/libreswan/libreswan/issues/246
> Control: fixed -1 3.28-1
>
> The following vulnerability was published for libreswan.
>
> CVE-2019-12312[0]:
> | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> | daemon restart. An attacker can trigger a NULL pointer dereference by
> | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> | to a Libreswan server. This affects send_v2N_spi_response_from_state
> | in programs/pluto/ikev2_send.c when built with Network Security
> | Services (NSS).

thanks for this heads-up, Salvatore.

I'm working with upstream libreswan at patching this now, publishing my
work on the debian/master branch in salsa.

out of curiosity, how was this CVE applied for, and how was it
coordinated?  When I pointed it out to libreswan upstream on the
freenode IRC #swan, it sounded like they had never heard of it.

thanks for all you do for debian security!

    --dkg

Attachment: signature.asc
Description: PGP signature

Reply via email to