Debian Bug report logs -
#930338
CVE-2019-10155 IKEv1 Informational exchange integrity check failure
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org:
Bug#930338; Package libreswan.
(Mon, 10 Jun 2019 22:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded.
(Mon, 10 Jun 2019 22:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libreswan
Version: 3.27-5
Severity critical
Control: found -1 3.28-1
Control: forwarded -1 https://libreswan.org/security/CVE-2019-10155/
See the attached message from libreswan upstream about this CVE.
I'll fix it in unstable shortly.
--dkg
[Message part 2 (message/rfc822, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The Libreswan Project has released libreswan-3.29
This is a security release addressing CVE-2019-10155.
CVE-2019-10155: IKEv1 Informational exchange integrity check failure
https://libreswan.org/security/CVE-2019-10155/
The Libreswan Project has found a vulnerability in its processing IKEv1
informational exchange packets. These packets are encrypted and integrity
protected using the established IKE SA encryption and integrity keys, but
as a receiver, the integrity check value (ICV) was not verified for IKEv1
Informational Exchange packets. The code containing the vulnerability is
also present in openswan and older strongswan releases.
The impact of this vulnerability is low, as it cannot be exploited.
Vulnerable versions: libreswan < 3.29
strongswan < 5.0
openswan - all versions (as of writing: 2.6.51.3)
Not vulnerable: libreswan 3.29 and later, strongswan 5.0 and later, freeswan
This release further contains a fix for auto-detecting the XFRM stack on
distributions without CONFIG_XFRM_STATISTICS, such as Debian/Ubuntu and
a fix for the diagnostic tool "ipsec barf".
For a full list of changes, see below changelog for details.
You can download libreswan via https at:
https://download.libreswan.org/libreswan-3.29.tar.gz
https://download.libreswan.org/libreswan-3.29.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailinglists or at our bug
tracker:
https://lists.libreswan.org/
https://bugs.libreswan.org/
Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/
Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.
See also https://libreswan.org/
v3.29 (June 10, 2019)
* SECURITY: Fixes CVE-2019-10155 https://libreswan.org/security/CVE-2019-10155
* programs: Change to /proc/sys/net/core/xfrm_acq_expires to detect XFRM [Paul]
* barf: Fix shell script parse error and small cleanup [Tuomo/Hugh]
* packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul]
* packaging: rhel6 doesn't need USE_AVA_COPY=true or WERROR_CFLAGS= [Tuomo]
* packaging/rhel6: remove -lrt, not needed any more [Tuomo]
* systemd: change Restart default to on-failure [Tuomo]
* building: Makefiles: Use RT_LDFLAGS for glibc < 2.17 support [Tuomo]
* building: userland-cflags.mk: add RT_LDFLAGS= for older glibc [Tuomo]
-----BEGIN PGP SIGNATURE-----
iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAlz+oVATHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+dgWD/0RCmGXjIo4Fy7KXDQRzIzXca04Neho
oNfk+5OmsxYZg4o+fAbea7hRymSrIx6VHtc74tqCexhSgPJfcs5y8xIJPJ0VwvkJ
BXUFOan0NQfGnl8O8hW3ZPAUCXVYSW2MlPHpTey1Szyvsr3et0YAX3UHYlTkF/ld
9+NzoBSVFCszCVom1I0bmM4W2QAaT2nCiE+2cl+N/N4EfcBkNHoDAtIdYQdtQ0q1
XaWrVUGdawl73CBpWlXl16UD0sikh4tYpMrNKr3v4YBPtpLEtFX3slmVKJE7YGtQ
3jdcHCSpsjZkZTznZfCXLdO3Z5F45B0xYX26JPIRocdQvOKqny0Ots5sr99k9FxP
n4i4MeHOyBroWiUg1wZ6xgJLmXme7shusP4mdi3EwMJxKrpYOMrkIk4UG9/JgV21
pkUsnzPpVSdiwBko6aGOO/kKFUyGJIJYIK59nmrOu43LzS748CGYwhwyhY+b1JVO
1pINuNATzkYdLam0MY9HcmT5AjTfltZBumlMhIT5GviphSuWm96YFVDaAio5UUsK
TGb0WG2nnA8OVazfdS14zX94SdP4Qqfc6jMdRecQX9XTWiUHjSyssPvg2cCgztAF
ApUd3QNjPwXodzdC2Ls7vd2iObjWwrvxAz+DjbqqeA/JD+cjshz80yDGvzVdZRaw
o3QrNZUzlgSMYA==
=XSEP
-----END PGP SIGNATURE-----
_______________________________________________
Swan-announce mailing list
Swan-announce@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-announce
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility.
(Mon, 10 Jun 2019 22:21:05 GMT) (full text, mbox, link).
Notification sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer.
(Mon, 10 Jun 2019 22:21:05 GMT) (full text, mbox, link).
Message #10 received at 930338-close@bugs.debian.org (full text, mbox, reply):
Source: libreswan
Source-Version: 3.27-6
We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated libreswan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 10 Jun 2019 23:04:05 +0100
Source: libreswan
Architecture: source
Version: 3.27-6
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Closes: 930338
Changes:
libreswan (3.27-6) unstable; urgency=medium
.
* fix CVE-2019-10155 (closes: #930338)
Checksums-Sha1:
769c09ff3e868415f4160edc00f544c2b4040aed 1973 libreswan_3.27-6.dsc
a6a1fc2c78023ae07364d041f3ff243bb491085e 18552 libreswan_3.27-6.debian.tar.xz
2c058bc0d0be2dacac42cbbf0ad9af5da816094e 10110 libreswan_3.27-6_amd64.buildinfo
Checksums-Sha256:
76dd6a211c6e9ebe605a394536f6be8becf7fbb5afd2dc0eab235fee8c6a7f27 1973 libreswan_3.27-6.dsc
3fd35140d9134e1c4af8421e9c88a13decee41b0db2907dbb3513cf9cae1a930 18552 libreswan_3.27-6.debian.tar.xz
b9dc3a14b17e2577bbe484335c4e5b17de2490b4b324875ff266ef2ab113110d 10110 libreswan_3.27-6_amd64.buildinfo
Files:
88114a5a0d65f7162d979fc518ca246a 1973 net optional libreswan_3.27-6.dsc
f80543db47d78b890291a4bd273f2619 18552 net optional libreswan_3.27-6.debian.tar.xz
b3f50001e12988e4819c9f0565c9b7c7 10110 net optional libreswan_3.27-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXP7ViQAKCRB2GBllKa5f
+K7DAP9W2AZcBmUqNOzukg4zHa2Eb6txW7bGD9TidKuG+y8+ugD+JN8JSqLiiOiT
yWvZqJ7K99Heu04j1CUF/vHMcV0LwgQ=
=4xSF
-----END PGP SIGNATURE-----
Added tag(s) upstream and security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 11 Jun 2019 05:09:06 GMT) (full text, mbox, link).
Reply sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility.
(Tue, 11 Jun 2019 06:51:11 GMT) (full text, mbox, link).
Notification sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer.
(Tue, 11 Jun 2019 06:51:11 GMT) (full text, mbox, link).
Message #17 received at 930338-close@bugs.debian.org (full text, mbox, reply):
Source: libreswan
Source-Version: 3.29-1
We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated libreswan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Jun 2019 07:24:44 +0100
Source: libreswan
Architecture: source
Version: 3.29-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Closes: 929916 930338
Changes:
libreswan (3.29-1) experimental; urgency=medium
.
* New upstream release
- fixes CVE 2019-10155 and CVE-2019-12312
(Closes: #930338, #929916)
* refresh patches
* d/watch: avoid development releases
Checksums-Sha1:
9a897e46ef384bce3b54dcac95d0fbfaeec00f36 2001 libreswan_3.29-1.dsc
492cd1cf18c06e47b2864a57a355a7f5393f80cc 3848730 libreswan_3.29.orig.tar.gz
b192b07cfbe1ae25f1f487aba9f2a4d44b6a1443 862 libreswan_3.29.orig.tar.gz.asc
8503c2190e8290f26200eb2e7380876e518c87a4 18484 libreswan_3.29-1.debian.tar.xz
91881ebecbd06a313f060c3fe4c263bd89cfcc1f 10110 libreswan_3.29-1_amd64.buildinfo
Checksums-Sha256:
db03223700a0683d119428e7a3b3c74c2979f75b2666a71071bc1bb9cd631854 2001 libreswan_3.29-1.dsc
d60e4160f43272b6307b697a13f79f56b5ec2bca61d83097ddadd8586a58ab3e 3848730 libreswan_3.29.orig.tar.gz
60af75e5178b0667d00075aa84ff0b14562906417538d59d25a38ff70393880e 862 libreswan_3.29.orig.tar.gz.asc
a5fff20d7aedd8045cff8a560d584186e66df492c09cb8d6f80045cd92a87f48 18484 libreswan_3.29-1.debian.tar.xz
228ba94b6e2499ce7fb53cb659d55c9c9d778f9d7036fc092fcfc40354f4e6a1 10110 libreswan_3.29-1_amd64.buildinfo
Files:
f44b572f8fc05c15d29f6396738bc965 2001 net optional libreswan_3.29-1.dsc
5b35b39a04f63a8e528b965aad515c01 3848730 net optional libreswan_3.29.orig.tar.gz
37ba796f047b2be272f574eba451d8ab 862 net optional libreswan_3.29.orig.tar.gz.asc
d416fb2b31cf646279bc536cf6600379 18484 net optional libreswan_3.29-1.debian.tar.xz
502f510e42a489b8488fb1b5f6b7dac2 10110 net optional libreswan_3.29-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXP9NdgAKCRB2GBllKa5f
+Gn+AQDHcxrEGjzLB5upUlhbuePIdjakBRJ1v/2Ftut/GVMjIQD/QhVCgVJ8nC4T
8ZwY18zy0XlcJxKuavgfUB5RBWxkewg=
=8ccY
-----END PGP SIGNATURE-----
Severity set to 'grave' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 12 Jun 2019 19:27:03 GMT) (full text, mbox, link).
Marked as found in versions libreswan/3.28-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 12 Jun 2019 19:27:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 12:57:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
From: Libreswan Team <team@libreswan.org>To: swan-announce@lists.libreswan.orgSubject: [Swan-dev] [Swan-announce] libreswan-3.29 released to address CVE-2019-10155Date: Mon, 10 Jun 2019 14:30:32 -0400 (EDT)
Vulmon