[Swan-announce] Libreswan security with NSS CVE-2014-1568 and bash CVE-2014-6271 or CVE-2014-7169
The Libreswan Project
team at libreswan.org
Thu Sep 25 19:59:02 EEST 2014
Yesterday and today saw three important security announcements. Two for
bash and one for NSS.
-------------------------------------------------------------------------
libreswan IS vulnerable to NSS CVE-2014-1568 RSA Signature Forgery
(MSF 2014-73). Please upgrade NSS to one of 3.17.1, 3.16.1 or 3.16.5.
This only affects libreswan when using X.509 certificates. Raw RSA
keys using leftrsasigkey/rightrsasigkey are not affected. Connections
using auth=secret (PSK) are also not affected.
See https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
-------------------------------------------------------------------------
libreswan is NOT vulnerable to bash CVE-2014-6271 or CVE-2014-7169
libreswan sanitizes strings that may come from the network, such as XAUTH
username, domain and DNS servers by passing it through filter functions
remove_metachar() and cisco_stringify() before assigning it to
environment variables that are passed to the updown scripts that invoke
bash. Therefor, any quote symbol (') has been removed before bash is
invoked.
More information about the Swan-announce
mailing list