[Swan-dev] [Swan-announce] Libreswan security with NSS CVE-2014-1568 and bash CVE-2014-6271 or CVE-2014-7169

The Libreswan Project team at libreswan.org
Thu Sep 25 19:59:02 EEST 2014

Yesterday and today saw three important security announcements: two for
bash and one for NSS.

libreswan IS vulnerable to NSS CVE-2014-1568 RSA Signature Forgery
(MFSA 2014-73). Please upgrade NSS to one of 3.17.1, 3.16.1 or 3.16.5.

This only affects libreswan when using X.509 certificates. Raw RSA
keys using leftrsasigkey/rightrsasigkey are not affected. Connections
using auth=secret (PSK) are also not affected.

See https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

libreswan is NOT vulnerable to bash CVE-2014-6271 or CVE-2014-7169

libreswan sanitizes strings that may come from the network, such as the
XAUTH username, domain and DNS servers, by passing them through the filter
functions remove_metachar() and cisco_stringify() before assigning them to
environment variables that are passed to the updown scripts that invoke
bash. Therefore, any quote symbol (') has been removed before bash is
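An illustration of the filtering approach described in the announcement, added here as an example; it is not libreswan's remove_metachar() or cisco_stringify(). The function names, the allowlist and the EXAMPLE_XAUTH_USERNAME variable are assumptions, and the input string is constructed.

```c
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist: only characters with no meaning to a shell. */
static int is_safe_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') ||
           (c != '\0' && strchr("._-@:", c) != NULL);
}

/* Copy `in` to `out`, dropping every character outside the allowlist.
 * Returns the number of dropped bytes, or -1 if `out` is too small. */
int filter_for_env(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int dropped = 0;

    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        if (!is_safe_char((unsigned char)*in)) { dropped++; continue; }
        if (o + 1 >= outlen) { out[0] = '\0'; return -1; }
        out[o++] = *in;
    }
    out[o] = '\0';
    return dropped;
}

/* Export a peer-supplied value to a child script's environment only
 * after filtering; refuse oversized input instead of truncating it. */
int export_peer_value(const char *name, const char *untrusted)
{
    char clean[256];

    if (filter_for_env(untrusted, clean, sizeof clean) < 0)
        return -1;
    return setenv(name, clean, 1);
}

int main(void)
{
    /* Constructed input: quote, parentheses, braces, semicolon, spaces. */
    const char *peer_user = "al'ice() { };@example.com";

    if (export_peer_value("EXAMPLE_XAUTH_USERNAME", peer_user) != 0)
        return 1;
    printf("%s\n", getenv("EXAMPLE_XAUTH_USERNAME"));
    return 0;
}
```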