Posted: Mon Jul 27, 2020 7:26 pm Post subject: [ GLSA 202007-21 ] Libreswan
Gentoo Linux Security Advisory
Title: Libreswan: Denial of service (GLSA 202007-21)
A vulnerability in Libreswan could lead to a Denial of Service
Libreswan is a free software implementation of the most widely supported
and standardized VPN protocol based on (“IPsec”) and the Internet Key
Vulnerable: < 3.32
Unaffected: >= 3.32
Architectures: All supported architectures
As a result of a bug in handling certain bogus encrypted IKEv1 packets,
while building a log message that the packet has been dropped, a NULL
pointer dereference causes Libreswan to crash and restart when it attempts
to log the state name involved.
An attacker could cause a possible Denial of Service condition.
There is no known workaround at this time.
All Libreswan users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/libreswan-3.32"
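
The failure mode described above (a drop-path log message that dereferences a missing state name) can be shown as an added example; this is not Libreswan's code. The struct and function names are hypothetical, the advisory does not say which pointer was NULL, and the sample state values are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types for illustration; not Libreswan's definitions. */
struct state_desc {
    const char *name;               /* human-readable state name */
};

struct ike_state {
    unsigned long serial;
    const struct state_desc *desc;  /* may be NULL for a half-built state */
};

/* "Before": assumes every dropped packet has a fully populated state.
 * If st or st->desc is NULL, reading ->name crashes the process, so the
 * packet-drop path itself becomes the denial of service. */
int log_drop_unchecked(char *buf, size_t len, const struct ike_state *st)
{
    return snprintf(buf, len, "dropping packet for #%lu in state %s",
                    st->serial, st->desc->name);
}

/* "After": every pointer on the logging path is checked, and a
 * placeholder is logged when the state name is unavailable. */
int log_drop_checked(char *buf, size_t len, const struct ike_state *st)
{
    const char *name = "(unknown state)";

    if (st == NULL)
        return snprintf(buf, len, "dropping packet with no state");
    if (st->desc != NULL && st->desc->name != NULL)
        name = st->desc->name;
    return snprintf(buf, len, "dropping packet for #%lu in state %s",
                    st->serial, name);
}

int main(void)
{
    char buf[128];
    const struct state_desc main_r1 = { "STATE_MAIN_R1" }; /* constructed */
    const struct ike_state ok = { 1, &main_r1 };
    const struct ike_state half_built = { 2, NULL };       /* constructed */

    log_drop_checked(buf, sizeof buf, &ok);         puts(buf);
    log_drop_checked(buf, sizeof buf, &half_built); puts(buf);
    log_drop_checked(buf, sizeof buf, NULL);        puts(buf);
    return 0;
}
```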