[Swan] FYI: openswan-2.6.40 still vulnerable to CVE-2013-6466

Paul Wouters paul at nohats.ca
Tue Feb 18 23:04:50 EET 2014



http://libreswan.org/security/openswan/CVE-2013-6466/

The Libreswan Project offers a backport of CVE-2013-6467 for openswan
users that addresses openswan's CVE-2013-6466. Information about this
vulnerability was disclosed to openswan/xelerance on January 6 2014. The
libreswan patch was given to them on January 10. On January 16, this
vulnerability became public knowledge with the libreswan-3.8 release.

On February 14, openswan-2.6.40 was released, but unfortunately it
DOES NOT fix CVE-2013-6466. A new CVE has been requested for the
openswan-2.6.40 crasher, see:

http://www.openwall.com/lists/oss-security/2014/02/18/1

The patches listed here are based on the work done for RHEL versions of
openswan that DOES address CVE-2013-6466 properly. These patches are
suitable for RHEL 5 and 6 as well as CentOS 5 and 6.

For more information, see:
https://rhn.redhat.com/errata/RHSA-2014-0185.html

This will be the last security patch for openswan made by The Libreswan
Project. We strongly recommend that people using openswan switch to
libreswan immediately.
