-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:231 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : openswan Date : September 12, 2013 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in openswan: The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled (CVE-2008-4190). The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21 and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before 2.8.9, allows remote attackers to cause a denial of service (daemon crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK Dead Peer Detection (DPD) IPsec IKE Notification message that triggers a NULL pointer dereference related to inconsistent ISAKMP state and the lack of a phase2 state association in DPD (CVE-2009-0790). The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string (CVE-2009-2185). Use-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote authenticated users to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions (CVE-2011-4073). Buffer overflow in the atodn function in Openswan before 2.6.39, when Opportunistic Encryption is enabled and an RSA key is being used, allows remote attackers to cause a denial of service (pluto IKE daemon crash) and possibly execute arbitrary code via crafted DNS TXT records. NOTE: this might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054 (CVE-2013-2053). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4190 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2053 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 2596b7d865d78472fe5b88657f79731e mes5/i586/openswan-2.6.16-1.1mdvmes5.2.i586.rpm 631e3fb722ca66a7abf7931632977459 mes5/i586/openswan-doc-2.6.16-1.1mdvmes5.2.i586.rpm 77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 9f41766ae39be4d95ad267ac4c9f76dd mes5/x86_64/openswan-2.6.16-1.1mdvmes5.2.x86_64.rpm 788a2afca1e8cc38ca7eb9e1c146c573 mes5/x86_64/openswan-doc-2.6.16-1.1mdvmes5.2.x86_64.rpm 77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFSMXa3mqjQ0CJFipgRArf7AKDRd3G09pBWMkDmXQBVLsIyICg4TACfYdkC 8X4IyuSYdIn4Q688lB08ZMs= =LfBS -----END PGP SIGNATURE-----