[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Paul Wouters paul at nohats.ca
Fri Sep 25 02:17:34 UTC 2015


On Fri, 25 Sep 2015, Tomas France wrote:

> I am afraid modifying the patch is beyond my skills. Is there a way to
> limit the possible impact of the CVE-2015-3240 security issue by different
> means, for the pre-3.15 versions, and without using the patch?
>
> Unfortunately, some of our servers are stuck with CentOS 5 and they cannot
> be upgraded at this time.

Well, the impact is that someone can run a denial of service against
you. The pluto IKE daemon will hit a passert() in the code and restart.
There is no compromise of either data or the system.

So, you'll notice when this happens. If it happens from a botnet, you'll
be in trouble because you won't be able to firewall all the IP
addresses to prevent the crashes. At which point you'll be forced to put
in a centos6 or centos7 server :P

Paul
