IPsec-Tools' racoon is affected by a remote Denial of Service
vulnerability.
Background
==========
IPsec-Tools is a port of KAME's implementation of the IPsec utilities.
It contains a collection of network monitoring tools, including racoon,
ping, and ping6.
Two Denial of Service vulnerabilities have been reported in racoon:
* The vendor reported a memory leak in racoon/proposal.c that can be
triggered via invalid proposals (CVE-2008-3651).
* Krzysztof Piotr Oledzk reported that src/racoon/handler.c does not
remove an "orphaned ph1" (phase 1) handle when it has been initiated
remotely (CVE-2008-3652).
Impact
======
An attacker could exploit these vulnerabilities to cause a Denial of
Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All IPsec-Tools users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200812-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: IPsec-Tools: racoon Denial of Service
Date: December 02, 2008
Bugs: #232831
ID: 200812-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
IPsec-Tools' racoon is affected by a remote Denial of Service
vulnerability.
Background
==========
IPsec-Tools is a port of KAME's implementation of the IPsec utilities.
It contains a collection of network monitoring tools, including racoon,
ping, and ping6.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-firewall/ipsec-tools < 0.7.1 >= 0.7.1
Description
===========
Two Denial of Service vulnerabilities have been reported in racoon:
* The vendor reported a memory leak in racoon/proposal.c that can be
triggered via invalid proposals (CVE-2008-3651).
* Krzysztof Piotr Oledzk reported that src/racoon/handler.c does not
remove an "orphaned ph1" (phase 1) handle when it has been initiated
remotely (CVE-2008-3652).
Impact
======
An attacker could exploit these vulnerabilities to cause a Denial of
Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All IPsec-Tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-firewall/ipsec-tools-0.7.1"
References
==========
[ 1 ] CVE-2008-3651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3651
[ 2 ] CVE-2008-3652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3652
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200812-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJJNXDVAAoJECaaHo/OfoM5UoQP/RCV3cENFyDt7stVmCjMoEhT
AWRHcoVAWxH0pqgKe3kV9UBT8UBcynItpoQZV+mB7YSoHiVGP6PRqz9A2RsK6G6F
1qtwLmtx5xYAcBJ8QcWxO5Sm+eVeSBo0/Xh+NutG60Zy0nGxcBgCdFyIkV4taYDk
Ke55d9KgGm4MOxWPBFGONCYAs//GMpe4XF20rQB7kiZg0EJVxptqFiyUi4YOWoTp
i/MnjSAvD/JLhciWyWdPNW1knou2QYqq2J0/46PnMoNySKMW3PuBk437G67OWr0K
Tzn0TCcv4PKHam+aBdqRbUfA9qajeE0bIu3hey9aMeCijAu5T2ZztSrV6ExSYr38
mMzUSFzEC3LBLEvDMNwI5sTO9IO2nnxlC2aL7Jg3vvmgVJw8FmygnFVsPpNMwi9Z
1q4k95cybRliei1bjctM16DxCv58klw8hCi2R9ChEKhdKYzYtTri+Hl0LxKPEgYi
g1AFW8cH8f12Q+TXgiapRNOZiqRUi7gk9bPsGAOyLQG05+uZ1blp99xe2fYr2wZn
RZBBRJyLFxV/EtKm0f5ztjr9jmgcU6szi/4yCiD1WwvjBBD/jNKJfFd9SIpcqIHC
oy/00hhR1TRLspg4vG57oZcfJEefJZUzXBIlDdO7aFKo78IvdfR84Aj8SNt+fAd6
ugzu7BCwibmM6PQ69Dtx
=Wyuv
-----END PGP SIGNATURE-----
[ reply ]