[Swan-dev] [Swan-announce] libreswan-3.29 released to address CVE-2019-10155
team at libreswan.org
Mon Jun 10 18:30:32 UTC 2019
The Libreswan Project has released libreswan-3.29
This is a security release addressing CVE-2019-10155.
CVE-2019-10155: IKEv1 Informational exchange integrity check failure
The Libreswan Project has found a vulnerability in its processing of IKEv1
informational exchange packets. These packets are encrypted and integrity
protected using the established IKE SA encryption and integrity keys, but
on the receiving side the integrity check value (ICV) was not verified for
IKEv1 Informational Exchange packets. The code containing the vulnerability
is also present in openswan and older strongswan releases.
The impact of this vulnerability is low, as it cannot be exploited.
Vulnerable versions: libreswan < 3.29, strongswan < 5.0, openswan - all versions (as of writing: 22.214.171.124)
Not vulnerable: libreswan 3.29 and later, strongswan 5.0 and later, freeswan
This release further contains a fix for auto-detecting the XFRM stack on
distributions without CONFIG_XFRM_STATISTICS, such as Debian/Ubuntu, and
a fix for the diagnostic tool "ipsec barf".
For a full list of changes, see the changelog below.
You can download libreswan via https at:
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our bug
Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/
Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.
See also https://libreswan.org/
v3.29 (June 10, 2019)
* SECURITY: Fixes CVE-2019-10155 https://libreswan.org/security/CVE-2019-10155
* programs: Change to /proc/sys/net/core/xfrm_acq_expires to detect XFRM [Paul]
* barf: Fix shell script parse error and small cleanup [Tuomo/Hugh]
* packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul]
* packaging: rhel6 doesn't need USE_AVA_COPY=true or WERROR_CFLAGS= [Tuomo]
* packaging/rhel6: remove -lrt, not needed any more [Tuomo]
* systemd: change Restart default to on-failure [Tuomo]
* building: Makefiles: Use RT_LDFLAGS for glibc < 2.17 support [Tuomo]
* building: userland-cflags.mk: add RT_LDFLAGS= for older glibc [Tuomo]
Swan-announce mailing list
Swan-announce at lists.libreswan.org
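Added illustration (not part of the original announcement and not libreswan's code): a receiver-side integrity check for an IKEv1 Informational exchange, modelled on HASH(1) = prf(SKEYID_a, M-ID | N/D) from RFC 2409 section 5.7, next to the unchecked behaviour the advisory describes. It assumes HMAC-SHA1 as the prf and that this hash is the check the advisory calls the ICV; the function names, key, message ID and payload bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real IKE SA.
SKEYID_A = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
MESSAGE_ID = 0x1A2B3C4D
PAYLOAD = b"constructed-delete-payload"  # stands in for the Notify/Delete body


def informational_hash(skeyid_a: bytes, message_id: int, payload: bytes) -> bytes:
    """HASH(1) = prf(SKEYID_a, M-ID | N/D); prf assumed to be HMAC-SHA1."""
    data = struct.pack("!I", message_id) + payload  # M-ID is 4 bytes, network order
    return hmac.new(skeyid_a, data, hashlib.sha1).digest()


def accept_informational(skeyid_a, message_id, received_hash, payload, verify=True):
    """Return the payload if the receiver may act on it, else None.

    verify=False models the flaw: the hash is carried in the packet
    but never compared against a locally computed value.
    """
    if verify:
        expected = informational_hash(skeyid_a, message_id, payload)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, received_hash):
            return None
    return payload


def demo():
    """Run a genuine and a modified payload through both receiver variants."""
    good_hash = informational_hash(SKEYID_A, MESSAGE_ID, PAYLOAD)
    modified = PAYLOAD[:-1] + b"X"  # payload changed after the hash was computed
    return {
        "genuine": accept_informational(
            SKEYID_A, MESSAGE_ID, good_hash, PAYLOAD) is not None,
        "modified_checked": accept_informational(
            SKEYID_A, MESSAGE_ID, good_hash, modified) is not None,
        "modified_unchecked": accept_informational(
            SKEYID_A, MESSAGE_ID, good_hash, modified, verify=False) is not None,
    }


if __name__ == "__main__":
    print(demo())
```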