diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-31 10:25:38 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-31 10:25:38 +0000 |
| commit | 188bacbfe68aa6cbbaaa6cbd26b334f634f23871 (patch) | |
| tree | 2d2b64b8b8f500424bbfc3c7d145bf0c12e008c1 | |
| parent | a386ee10459fcedea869de933c257a7cccaf7865 (diff) | |
| download | vyos-strongswan-188bacbfe68aa6cbbaaa6cbd26b334f634f23871.tar.gz vyos-strongswan-188bacbfe68aa6cbbaaa6cbd26b334f634f23871.zip | |
- Apply patch from security team.
| -rw-r--r-- | debian/changelog | 10 | ||||
| -rw-r--r-- | debian/patches/00list | 1 | ||||
| -rw-r--r-- | debian/patches/02-CVE-2009-0790.dpatch | 31 |
3 files changed, 42 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 1b4060aa0..71d2f2061 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +strongswan (4.2.13-2) unstable; urgency=low + + * Fix DoS issue via malicious Dead Peer Detection packet. Thanks to the + security team for providing the patch. + Closes: #521950: CVE-2009-0790: DoS + Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone + to a denial of service attack via a malicious packet. + + -- Rene Mayrhofer <rmayr@debian.org> Tue, 31 Mar 2009 12:00:51 +0200 + strongswan (4.2.13-1) unstable; urgency=low * New upstream release. This is now compatible with network-manager 0.7 diff --git a/debian/patches/00list b/debian/patches/00list index e69de29bb..565571969 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -0,0 +1 @@ +02-CVE-2009-0790.dpatch diff --git a/debian/patches/02-CVE-2009-0790.dpatch b/debian/patches/02-CVE-2009-0790.dpatch new file mode 100644 index 000000000..1eef2fe3d --- /dev/null +++ b/debian/patches/02-CVE-2009-0790.dpatch @@ -0,0 +1,31 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ +diff -urN strongswan-4.2.13/src/pluto/ipsec_doi.c strongswan-4.2.13-patched/src/pluto/ipsec_doi.c +--- strongswan-4.2.13/src/pluto/ipsec_doi.c 2009-03-21 09:41:49.000000000 +0100 ++++ strongswan-4.2.4/src/pluto/ipsec_doi.c 2009-03-21 09:50:06.000000000 +0100 +@@ -5446,9 +5446,9 @@ + time_t tm = now(); + u_int32_t seqno; + +- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) ++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state)) + { +- loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA"); ++ loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA"); + return STF_IGNORE; + } + if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2) +@@ -5516,10 +5516,10 @@ + { + u_int32_t seqno; + +- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) ++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state)) + { + loglog(RC_LOG_SERIOUS +- , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA"); ++ , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA"); + return STF_FAIL; + } + |