[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5
paul at nohats.ca
Fri Sep 25 02:17:34 UTC 2015
On Fri, 25 Sep 2015, Tomas France wrote:
> I am afraid modifying the patch is beyond my skills. Is there a way to
> limit the possible impact of the CVE-2015-3240 security issue by different
> means, for the pre-3.15 versions, and without using the patch?
> Unfortunately, some of our servers are stuck with CentOS 5 and they cannot
> be upgraded at this time.
Well, the impact is that someone can run a denial of service against
you. The pluto IKE daemon will hit a passert() in the code and restart.
There is no compromise of either data or the system.
So, you'll notice when this happens. If it happens from a botnet, you'll
be in trouble because you won't be able to firewall all the IP
addresses to prevent the crashes. At which point you'll be forced to put
in a centos6 or centos7 server :P