libreswan: CVE-2024-3652: IKEv1 default AH/ESP responder can crash and restart

Debian Bug report logs - #1069194
libreswan: CVE-2024-3652: IKEv1 default AH/ESP responder can crash and restart

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libreswan: CVE-2024-3652: IKEv1 default AH/ESP responder can crash and restart

Date: Wed, 17 Apr 2024 21:22:39 +0200

Source: libreswan
Version: 4.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libreswan/libreswan/issues/1665
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.10-2+deb12u1
Control: found -1 4.10-2
Control: found -1 4.3-1+deb11u4
Control: found -1 4.3-1

Hi,

The following vulnerability was published for libreswan.

CVE-2024-3652[0]:
| The Libreswan Project was notified of an issue causing libreswan to
| restart when using IKEv1 without specifying an esp= line. When the
| peer requests AES-GMAC, libreswan's default proposal handler causes
| an assertion failure and crashes and restarts. IKEv2 connections are
| not affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3652
    https://www.cve.org/CVERecord?id=CVE-2024-3652
[1] https://github.com/libreswan/libreswan/issues/1665
[2] https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt

Regards,
Salvatore

Send a report that this bug log contains spam.