Debian Bug report logs - #521949
CVE-2009-0790: DoS

Package: openswan; Maintainer for openswan is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 30 Mar 2009 23:57:02 UTC

Severity: grave

Tags: security

Fixed in version openswan/1:2.6.21+dfsg-1

Done: Rene Mayrhofer <rmayr@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rmayr@debian.org>:
Bug#521949; Package openswan. (Mon, 30 Mar 2009 23:57:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rmayr@debian.org>. (Mon, 30 Mar 2009 23:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0790: DoS
Date: Tue, 31 Mar 2009 10:55:46 +1100
Package: openswan
Severity: grave
Tags: security

Hi

From the DSA:

CVE-2009-0790

Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.

I've attached the patch from stable-security, please consider including
it for unstable/testing.

Cheers
Steffen
[openswan_stable-security.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#521949; Package openswan. (Tue, 31 Mar 2009 10:51:02 GMT)


Acknowledgement sent to Rene Mayrhofer <rene@mayrhofer.eu.org>:
Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rmayr@debian.org>. (Tue, 31 Mar 2009 10:51:02 GMT)


Message #10 received at 521949@bugs.debian.org:

From: Rene Mayrhofer <rene@mayrhofer.eu.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 521949@bugs.debian.org
Subject: Re: Bug#521949: CVE-2009-0790: DoS
Date: Tue, 31 Mar 2009 12:37:34 +0200
On Tuesday 31 March 2009 01:55:46 Steffen Joeris wrote:
> I've attached the patch from stable-security, please consider including
> it for unstable/testing.
Unfortunately, this doesn't apply as dpd code seems to have moved out of 
demux.c (I didn't find any of the patch context). Have you had contact with 
openswan upstream concerning this bug?

best regards,
Rene


Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#521949; Package openswan. (Thu, 02 Apr 2009 11:48:02 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rmayr@debian.org>. (Thu, 02 Apr 2009 11:48:02 GMT)


Message #15 received at 521949@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Rene Mayrhofer <rene@mayrhofer.eu.org>
Cc: 521949@bugs.debian.org
Subject: Re: Bug#521949: CVE-2009-0790: DoS
Date: Thu, 2 Apr 2009 22:43:41 +1100
Hi Rene

> Unfortunately, this doesn't apply as dpd code seems to have moved out of
> demux.c (I didn't find any of the patch context). Have you had contact with
> openswan upstream concerning this bug?

Isn't the vulnerable code in programs/pluto/ikev1.c?

Cheers
Steffen
Reply sent to Rene Mayrhofer <rmayr@debian.org>:
You have taken responsibility. (Fri, 17 Apr 2009 10:21:03 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 17 Apr 2009 10:21:03 GMT)


Message #20 received at 521949-close@bugs.debian.org:

From: Rene Mayrhofer <rmayr@debian.org>
To: 521949-close@bugs.debian.org
Subject: Bug#521949: fixed in openswan 1:2.6.21+dfsg-1
Date: Fri, 17 Apr 2009 09:47:14 +0000
Source: openswan
Source-Version: 1:2.6.21+dfsg-1

We believe that the bug you reported is fixed in the latest version of
openswan, which is due to be installed in the Debian FTP archive:

linux-patch-openswan_2.6.21+dfsg-1_all.deb
  to pool/main/o/openswan/linux-patch-openswan_2.6.21+dfsg-1_all.deb
openswan-modules-source_2.6.21+dfsg-1_all.deb
  to pool/main/o/openswan/openswan-modules-source_2.6.21+dfsg-1_all.deb
openswan_2.6.21+dfsg-1.diff.gz
  to pool/main/o/openswan/openswan_2.6.21+dfsg-1.diff.gz
openswan_2.6.21+dfsg-1.dsc
  to pool/main/o/openswan/openswan_2.6.21+dfsg-1.dsc
openswan_2.6.21+dfsg-1_amd64.deb
  to pool/main/o/openswan/openswan_2.6.21+dfsg-1_amd64.deb
openswan_2.6.21+dfsg.orig.tar.gz
  to pool/main/o/openswan/openswan_2.6.21+dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521949@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Mayrhofer <rmayr@debian.org> (supplier of updated openswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 09 Apr 2009 17:05:39 +0200
Source: openswan
Binary: openswan openswan-modules-source linux-patch-openswan
Architecture: source all amd64
Version: 1:2.6.21+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Changed-By: Rene Mayrhofer <rmayr@debian.org>
Description: 
 linux-patch-openswan - IPSEC Linux kernel support for Openswan
 openswan   - IPSEC utilities for Openswan
 openswan-modules-source - IPSEC kernel modules source for Openswan
Closes: 521949
Changes: 
 openswan (1:2.6.21+dfsg-1) unstable; urgency=low
 .
   * New upstream release
     Closes: #521949: CVE-2009-0790: DoS

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 May 2009 07:39:16 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:21:55 2019; Machine Name: buxtehude