Debian Bug report logs -
#867986
CVE-2016-10396
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 10 Jul 2017 21:21:02 UTC
Severity: grave
Tags: patch, security
Found in version ipsec-tools/1:0.8.2+20140711-2
Fixed in versions ipsec-tools/1:0.8.2+20140711-9, ipsec-tools/1:0.8.2+20140711-8+deb9u1
Done: Noah Meyerhans <noahm@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Mon, 10 Jul 2017 21:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Mon, 10 Jul 2017 21:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: racoon
Severity: grave
Tags: security
Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
Cheers,
Moritz
Marked as found in versions ipsec-tools/1:0.8.2+20140711-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 13 Jul 2017 19:54:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Tue, 18 Jul 2017 17:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 17:57:03 GMT) (full text, mbox, link).
Message #12 received at 867986@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + pending patch
On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
>
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
>
I believe that the attached debdiff, derived from NetBSD's fix, should
address this problem. It should apply with only metadata modifications
as far back as oldstable.
I'll upload to unstable as soon as I've satisfied myself that the update
doesn't introduce any regressions. I don't believe there's a PoC for the
attack, so I don't know that we'll be able to confirm definitively that
the issue is resolved. If anybody has PoC code or is interested in
putting some together, I'd be interested in testing the fix more
thoroughly...
Uploads targeting (old)stable will follow shortly after unstable,
assuming no issues.
noah
[bug867986.debdiff (text/plain, attachment)]
Added tag(s) pending and patch.
Request was from Noah Meyerhans <noahm@debian.org>
to 867986-submit@bugs.debian.org.
(Tue, 18 Jul 2017 17:57:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Wed, 19 Jul 2017 14:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Wed, 19 Jul 2017 14:33:02 GMT) (full text, mbox, link).
Message #19 received at 867986@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 01:53:09PM -0400, Noah Meyerhans wrote:
> Control: tags -1 + pending patch
>
> On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
> >
>
> I believe that the attached debdiff, derived from NetBSD's fix, should
> address this problem. It should apply with only metadata modifications
> as far back as oldstable.
>
> I'll upload to unstable as soon as I've satisfied myself that the update
> doesn't introduce any regressions. I don't believe there's a PoC for the
> attack, so I don't know that we'll be able to confirm definitively that
> the issue is resolved. If anybody has PoC code or is interested in
> putting some together, I'd be interested in testing the fix more
> thoroughly...
>
> Uploads targeting (old)stable will follow shortly after unstable,
> assuming no issues.
It sure looks like that patch is not correct. Jiri Bohac from Novell
found that it introduced a regression that could lead to another DoS:
https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1
This was added to the NetBSD bug, but no response yet.
I'll see if I can test this, but hold on to your uploads for now.
A.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Tue, 25 Jul 2017 15:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Tue, 25 Jul 2017 15:15:06 GMT) (full text, mbox, link).
Message #24 received at 867986@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wed, Jul 19, 2017 at 10:29:41AM -0400, Antoine Beaupre wrote:
> It sure looks like that patch is not correct. Jiri Bohac from Novell
> found that it introduced a regression that could lead to another DoS:
>
> https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1
Updated debdiff is attached. Still haven't been able to perform any
meaningful tests.
[bug867986.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility.
(Thu, 27 Jul 2017 15:24:06 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Thu, 27 Jul 2017 15:24:07 GMT) (full text, mbox, link).
Message #29 received at 867986-close@bugs.debian.org (full text, mbox, reply):
Source: ipsec-tools
Source-Version: 1:0.8.2+20140711-9
We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated ipsec-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 26 Jul 2017 22:56:33 -0700
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.8.2+20140711-9
Distribution: unstable
Urgency: medium
Maintainer: pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Description:
ipsec-tools - IPsec utilities
racoon - IPsec Internet Key Exchange daemon
Closes: 867986
Changes:
ipsec-tools (1:0.8.2+20140711-9) unstable; urgency=medium
.
* Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986)
* Update to debhelper compat level 10
* Update to policy 4.0 compliance.
Checksums-Sha1:
176443cccd87855d55f4f77e6a6a94d71cd1bc44 2286 ipsec-tools_0.8.2+20140711-9.dsc
950cd6dd1cefef2284decc72714bdb5de68eada0 63828 ipsec-tools_0.8.2+20140711-9.debian.tar.xz
7494962b87d1067989a78239b49a059a40535336 112418 ipsec-tools-dbgsym_0.8.2+20140711-9_amd64.deb
8269d9b4486e1a1afdeb309a09752eed8b9e65e5 7081 ipsec-tools_0.8.2+20140711-9_amd64.buildinfo
79049fd22763da4f59bf4a2c0e29a2c7bb12e0fb 95090 ipsec-tools_0.8.2+20140711-9_amd64.deb
ed0a30e6bd8ac331c27893c5d8c813ad101ab2cf 762474 racoon-dbgsym_0.8.2+20140711-9_amd64.deb
4f1349e97f6539c6ebf65f41e1eb455e0665e37c 385624 racoon_0.8.2+20140711-9_amd64.deb
Checksums-Sha256:
d8dca6866b1c622c1651843620df2ecd80129bfff71ccaa71ad8aeca23c715fd 2286 ipsec-tools_0.8.2+20140711-9.dsc
7d8f71e8b48f931cfef1790c436469cb8344a0336c9c31be55071dad6b0906f6 63828 ipsec-tools_0.8.2+20140711-9.debian.tar.xz
3df8239f025e8901b3fb23cf6398a6a9dc023111c0ebf27aa3be59cb2824a020 112418 ipsec-tools-dbgsym_0.8.2+20140711-9_amd64.deb
f0e31c905cca398bdba3fd5cc2e892ae9d0005374526a8e74d2f1f7a5622220c 7081 ipsec-tools_0.8.2+20140711-9_amd64.buildinfo
d5ad5847af2c42c8766872eb3110489635c5d83e428ab90e992ff659bdf277ca 95090 ipsec-tools_0.8.2+20140711-9_amd64.deb
e23c5dbfe190e6f89344aebe116ec5e12b8d613aab6e865b52c3efec6c853c44 762474 racoon-dbgsym_0.8.2+20140711-9_amd64.deb
a54b1371868f1c41f7488928e44e1e8a81aee67163146d1910efd321337da30e 385624 racoon_0.8.2+20140711-9_amd64.deb
Files:
8d86a66ec94ea287ad56e130c0ceeb3a 2286 net extra ipsec-tools_0.8.2+20140711-9.dsc
22ac88a912f869e9fddfc12bd58696cd 63828 net extra ipsec-tools_0.8.2+20140711-9.debian.tar.xz
e26fa9ccd14160e0f282175de2147d5a 112418 debug extra ipsec-tools-dbgsym_0.8.2+20140711-9_amd64.deb
8e1ade5da2eb56385288d73dc5829732 7081 net extra ipsec-tools_0.8.2+20140711-9_amd64.buildinfo
b55ad1318095bfb0e424f5e722a7b12f 95090 net extra ipsec-tools_0.8.2+20140711-9_amd64.deb
c02b0f78b57fca1be0350d20a29d4d37 762474 debug extra racoon-dbgsym_0.8.2+20140711-9_amd64.deb
c0b4d6aed98b2a68d3eafb6a52e7350b 385624 net extra racoon_0.8.2+20140711-9_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpNGebtPBMx7yU+olHNjYVP5CUsEFAll6AMQACgkQHNjYVP5C
UsEppw/8D5mhRF8X0t6qW9Jp3qSNv5XSxaD83skGxhuq7XXA6+jLtYu87zJ/sgp3
y5Fn7p8LkJxR5r7J6Xqj/dW2svyeNo1LWfMIKf/e8TA1I31meJNofzn1AvTKw/FU
1TehooVopkbN9PS97W8v5J07ZdBr058a+jcoIGCFUggPmmRAYn7Kv7NvSKV9HLhc
yKlCi8dm7uRAw3AObsgaYMhzFyV7RltzxzIYdlo/AfsxWDqytPRipjl7qvrLLNzt
/mcQZZN+tOveX8s+FA1tQUcx2tUKcE289YJnKexLvGpRbVa6NmhwRYUh9xkERqO5
B/5UKs/ebEUI2niwO8RPUpGWBoMxBMtRa1t5cfN+c4tWpE3HqS6Ev8EDq5r67FZE
yky31GqyLYpC3Qlm/Dk74/BUhRjRJzKO6D3C56/Js95lSKVUUWAkSJlzz/wKJclo
+uWrwJhEvDiTkmJ81biKKExF7OHQlvZSO9NKYG1/0/oBP+QBM2yE0p8RSs6mlZQT
IRxt+rxO3uwIqgpOqK+xmAC7Vdrl44QQb+ITWjQ/gYVLsCPcrEbxO8ovTz9Fyod9
ExtjswDBi69hvrIcwtsRdriSSWzS/6iMSSlm7ikQu+oZM9ozYvItPH2aZHGul0qa
lf5v+M+yK+O+0bFFYbw6wPCeGv99kb6ULEmCtYnmRURS3w+4uCY=
=GQRi
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Thu, 27 Jul 2017 17:39:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Thu, 27 Jul 2017 17:39:02 GMT) (full text, mbox, link).
Message #34 received at 867986@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
>
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
Hi Moritz. I assume your intent was not to issue a DSA for this since
it's been a known issue for nearly a year. Under that assumption I've
gone ahead with a package update targeting the next stable release
update and am planning on updating oldstable as well. Apologies if I was
incorrect in my assumption.
noah
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#867986; Package racoon.
(Thu, 27 Jul 2017 18:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>.
(Thu, 27 Jul 2017 18:03:03 GMT) (full text, mbox, link).
Message #39 received at 867986@bugs.debian.org (full text, mbox, reply):
On Thu, Jul 27, 2017 at 10:35:36AM -0700, Noah Meyerhans wrote:
> On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
>
> Hi Moritz. I assume your intent was not to issue a DSA for this since
> it's been a known issue for nearly a year. Under that assumption I've
> gone ahead with a package update targeting the next stable release
> update and am planning on updating oldstable as well. Apologies if I was
> incorrect in my assumption.
Ack, that makes perfect sense.
Cheers,
Moritz
Reply sent
to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility.
(Sun, 06 Aug 2017 12:33:21 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Sun, 06 Aug 2017 12:33:21 GMT) (full text, mbox, link).
Message #44 received at 867986-close@bugs.debian.org (full text, mbox, reply):
Source: ipsec-tools
Source-Version: 1:0.8.2+20140711-8+deb9u1
We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated ipsec-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 25 Jul 2017 21:42:30 -0700
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.8.2+20140711-8+deb9u1
Distribution: stable
Urgency: medium
Maintainer: pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Description:
ipsec-tools - IPsec utilities
racoon - IPsec Internet Key Exchange daemon
Closes: 867986
Changes:
ipsec-tools (1:0.8.2+20140711-8+deb9u1) stable; urgency=medium
.
* Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986)
Checksums-Sha1:
7031ed2008d692783159fe34d15dd21b607ffbbd 2331 ipsec-tools_0.8.2+20140711-8+deb9u1.dsc
b97a29115ed48ed7e4f9cd62754f28c1ab93048d 63800 ipsec-tools_0.8.2+20140711-8+deb9u1.debian.tar.xz
e5b186a2f6a26474d1bde1bf7bbdd87885a855d7 112384 ipsec-tools-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
03fac5108c620233f5b35fa4ca138347b99639d0 7418 ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.buildinfo
43cf1300d8c8a64de602c4b9ab33206f3d18a384 95040 ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.deb
302d79edfe267d88f9740507498f7349e854fa5d 762514 racoon-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
bc82a2d99441c76add947b95d625a5466b6867b8 386100 racoon_0.8.2+20140711-8+deb9u1_amd64.deb
Checksums-Sha256:
5d8af46094541a6d09302591f19b062f78118ccfca7e525797a6e1b01b7306ba 2331 ipsec-tools_0.8.2+20140711-8+deb9u1.dsc
98f47c37e5d58ae75acc3e55561783414fa47355d8b964e29ddc8408253e9bc0 63800 ipsec-tools_0.8.2+20140711-8+deb9u1.debian.tar.xz
2962c7afd9c51148d1dc24ceed01fd2d9bd69a30cf17a207562807310971157f 112384 ipsec-tools-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
efc9ac06cfa9843cb3531ec25578e1bc2f0e5fcb2202bbf5bc538657fe3a0b89 7418 ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.buildinfo
a785a1f1fad9153f1aedb76241b9ccc25dfc2b846e1417617ea2b43b2106879d 95040 ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.deb
a7ec29f9878496f4b96a98943d92316bd3b5e9ff981a4ab8bc26cc1df8877f3e 762514 racoon-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
befa730ccc1294ad020b78c1d3ee11e063e920ac203aa8b39c56228e7ea31302 386100 racoon_0.8.2+20140711-8+deb9u1_amd64.deb
Files:
7f7ac93028172e95d66730c3b9afba26 2331 net extra ipsec-tools_0.8.2+20140711-8+deb9u1.dsc
51ee3d75d737c8243b33a69394f3b28f 63800 net extra ipsec-tools_0.8.2+20140711-8+deb9u1.debian.tar.xz
365129232f678352d391f8b5ebae3ed6 112384 debug extra ipsec-tools-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
c2320c9b46002fec126508c5aa102dfa 7418 net extra ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.buildinfo
47f8e516cf083c7951b6669361218865 95040 net extra ipsec-tools_0.8.2+20140711-8+deb9u1_amd64.deb
c60595ada0a9ed18b9b61cea8977c955 762514 debug extra racoon-dbgsym_0.8.2+20140711-8+deb9u1_amd64.deb
71ed9451a676289e65e52668a6c50b10 386100 net extra racoon_0.8.2+20140711-8+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpNGebtPBMx7yU+olHNjYVP5CUsEFAll6AX8ACgkQHNjYVP5C
UsHVdRAAitZcnqBqn8CbHyue8kFmpGq8w8ZFochh6V3d1CQzK5XzGdi9Fbn6qHfK
8n2obw9uyuGBwAKR4krXynvITd4hStzBmMlC9Q3HbeBQ8aCQ3gDhHwCayBBVbmGe
0T+7gGiZBI5hXk6tMigIS/MF07aucPUZg/9PsgeoCpReIfYq+S2mAN2UKrvHnLzD
DLFImWm5ODjFlif/cF81LaBbe6FJ60cBQOsBvM2H7FIJU++85NJtNycM8rCmUJYW
5uuAsxcXECJN3Ub5x0sUd68+tZc8t6fJbFDyA2UV2JmFd5alXxVCGl46oCMXkNgc
8qtBj9WhvUPHMouKKnO1BV91cIG4PKQMWqtNOIPhK167vNL8/bZzfl2Cz5H/6r7k
LJMJ3AbNt9aP2Gi8p3S6x25ESfby30+R9zicwBurLgjvY/E/ito28ZmpCqj+kcjB
r8w+F5bCUz8E8yrUDUD7/K40LZHYGppCpOEvmcNp5v9yE1fREE4Fk2pQ1GU14ruH
VVFmgZ+LRAVcxn7p3bIgLegkEM9U/CduxRoXZrYHhGeGnbpixoVeiwlCAiWXBgSA
l57dRas2FKJfnEjxhY0urqyBgxaRsftM61HbdEiYh4HvaSxQRYL5CtWo9rTeeOYn
MiwfqELaQbRuC4zWLwKDI5KjKMPGJeMcwQ/IXDJYs33tC6SuBTM=
=XZiW
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Oct 2017 07:33:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:43:34 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon