[ MDVSA-2013:231 ] openswan Sep 12 2013 11:17AM
security mandriva com
Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2013:231

Package : openswan
Date : September 12, 2013
Affected: Enterprise Server 5.0

Problem Description:

Multiple vulnerabilities has been discovered and corrected in openswan:

The IPSEC livetest tool in Openswan 2.4.12 and earlier, and
2.6.x through 2.6.16, allows local users to overwrite arbitrary
files and execute arbitrary code via a symlink attack on the (1)
ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE:
in many distributions and the upstream version, this tool has been
disabled (CVE-2008-4190).

The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21
and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before
2.8.9, allows remote attackers to cause a denial of service (daemon
crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK
Dead Peer Detection (DPD) IPsec IKE Notification message that triggers
a NULL pointer dereference related to inconsistent ISAKMP state and
the lack of a phase2 state association in DPD (CVE-2009-0790).

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c,
libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10,
4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before
2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial
of service (pluto IKE daemon crash) via an X.509 certificate with (1)
crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME
string, or (3) a crafted GENERALIZEDTIME string (CVE-2009-2185).

Use-after-free vulnerability in the cryptographic helper handler
functionality in Openswan 2.3.0 through 2.6.36 allows remote
authenticated users to cause a denial of service (pluto IKE daemon
crash) via vectors related to the (1) quick_outI1_continue and (2)
quick_outI1 functions (CVE-2011-4073).

Buffer overflow in the atodn function in Openswan before 2.6.39,
when Opportunistic Encryption is enabled and an RSA key is being
used, allows remote attackers to cause a denial of service (pluto IKE
daemon crash) and possibly execute arbitrary code via crafted DNS TXT
records. NOTE: this might be the same vulnerability as CVE-2013-2052
and CVE-2013-2054 (CVE-2013-2053).

The updated packages have been patched to correct these issues.



Updated Packages:

Mandriva Enterprise Server 5:
2596b7d865d78472fe5b88657f79731e mes5/i586/openswan-2.6.16-1.1mdvmes5.2.i586.rpm
631e3fb722ca66a7abf7931632977459 mes5/i586/openswan-doc-2.6.16-1.1mdvmes5.2.i586.rpm
77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
9f41766ae39be4d95ad267ac4c9f76dd mes5/x86_64/openswan-2.6.16-1.1mdvmes5.2.x86_64.rpm
788a2afca1e8cc38ca7eb9e1c146c573 mes5/x86_64/openswan-doc-2.6.16-1.1mdvmes5.2.x86_64.rpm
77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:


If you want to report vulnerabilities, please contact


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.12 (GNU/Linux)


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus