[Swan] libreswan CVE-2013-205[234] backport patches available for openswan/strongswan

Paul Wouters pwouters at redhat.com
Tue May 14 20:24:22 EEST 2013


Yesterday was the public disclosure of the serious atodn() buffer overflow
bug in libreswan, openswan and some (older) strongswan versions. The
different swan flavours have different CVE numbers:

CVE-2013-2052: libreswan
CVE-2013-2053: openswan
CVE-2013-2054: strongswan

For a description of the issue see:

https://download.libreswan.org/security/CVE-2013-2052/CVE-2013-2052.txt

Current versions of libreswan and strongswan are not vulnerable. Current
version (as of today) of openswan is still vulnerable.

We have backported the libreswan patches to the RHEL version of openswan
that is based on openswan 2.6.32. These patches, which were given to
openswan a week ago, are now available at:

https://download.libreswan.org/security/CVE-2013-2053/

Andreas Steffen has provided patches for the older versions of
strongswan. As I do not see those listed on the strongswan website,
we've made these available at:

https://download.libreswan.org/security/CVE-2013-2054/

I hope that with this information, everyone can successfully upgrade
their IPsec servers, regardless of the *swan version they are using.

Regards,

Paul
