strongswan: CVE-2017-11185: Insufficient Input Validation in gmp Plugin

Debian Bug report logs - #872155
strongswan: CVE-2017-11185: Insufficient Input Validation in gmp Plugin

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: strongswan: CVE-2017-11185: Insufficient Input Validation in gmp Plugin

Date: Mon, 14 Aug 2017 19:09:50 +0200

Source: strongswan
Version: 5.2.1-1
Severity: grave
Tags: upstream security patch
Control: fixed -1 5.2.1-6+deb8u5
Control: fixed -1 5.5.1-4+deb9u1

Hi,

the following vulnerability was published for strongswan, just filling
the corresponding tracking bug in the BTS.

CVE-2017-11185[0]:
denial of service in the gmp plugin

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11185
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11185
[1] https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-(cve-2017-11185).html

Regards,
Salvatore

Message #14 received at 872155-close@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: 872155-close@bugs.debian.org

Subject: Bug#872155: fixed in strongswan 5.6.0-1

Date: Sun, 03 Sep 2017 13:22:52 +0000

Source: strongswan
Source-Version: 5.6.0-1

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Sep 2017 14:38:09 +0200
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins strongswan-starter strongswan-libcharon strongswan-charon strongswan-ike strongswan-nm strongswan-ikev1 strongswan-ikev2 charon-cmd strongswan-pki strongswan-scepclient strongswan-swanctl charon-systemd
Architecture: source
Version: 5.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 charon-cmd - standalone IPsec client
 charon-systemd - strongSwan IPsec client, systemd support
 libcharon-extra-plugins - strongSwan charon library (extra plugins)
 libstrongswan - strongSwan utility and crypto library
 libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
 libstrongswan-standard-plugins - strongSwan utility and crypto library (standard plugins)
 strongswan - IPsec VPN solution metapackage
 strongswan-charon - strongSwan Internet Key Exchange daemon
 strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package)
 strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package
 strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package
 strongswan-libcharon - strongSwan charon library
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-pki - strongSwan IPsec client, pki command
 strongswan-scepclient - strongSwan IPsec client, SCEP client
 strongswan-starter - strongSwan daemon starter and configuration file parser
 strongswan-swanctl - strongSwan IPsec client, swanctl command
Closes: 866324 866325 866327 866669 872155
Changes:
 strongswan (5.6.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - fix insufficient input validation in gmp plugin, which can cause a
     denial of service vulnerability (CVE-2017-11185)            closes: #872155
   * debian/rules:
     - remove .la files before install
     - don't call dh_install with --fail-missing
     - override dh_missing with --fail-missing to catch uninstalled files
     - apply patch from Gerald Turner to restrict permissions on swanctl folder
       containing private material.
     - replace DEB_BUILD_* by DEB_HOST_* when needed, fix FTCBFS, for example
       when building for ppc64el on x86. Thanks Helmut Grohne.   closes: #866669
   * debian/strongswan-swanctl.install:
     - install the whole /etc/swanctl folder, including (empty) subfolders.
                                                                 closes: #866324
   * debian/charon-systemd.install:
     - install charon-systemd.conf files, thanks Gerald Turner.  closes: #866325
   * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
                                                                 closes: #866327
   * debian/libcharon-extra-plugins.install:
     - install pt-tls-client in /u/b and also install its manpage.
   * debian/strongswan-swanctl.lintian-overrides:
     - add lintian overrides for private keys directories using 700
     permissions.
Checksums-Sha1:
 3d43348c396e95e3e3f15ddebb80a68ecf12f380 3328 strongswan_5.6.0-1.dsc
 97c1658791a13776c5d588649c2c8304f51f2a9f 4850722 strongswan_5.6.0.orig.tar.bz2
 3810285c1d78fb4c689d6b36c39e5d29c424458e 125636 strongswan_5.6.0-1.debian.tar.xz
 3991191f717f79cb7d50cca8777cd25838b48dfb 17568 strongswan_5.6.0-1_amd64.buildinfo
Checksums-Sha256:
 70b5f9af1777d50d88c6fa89a55d03f57c328d13fbbca8af5f7882f855c3c229 3328 strongswan_5.6.0-1.dsc
 a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13 4850722 strongswan_5.6.0.orig.tar.bz2
 334b84f3c9276a668638492f039bf26caea164068b16986d83f6ba734d59093b 125636 strongswan_5.6.0-1.debian.tar.xz
 78686d7ff2bf27b0c4a8a76e40ce502b281437835dd328394f9b02fe1a41bd48 17568 strongswan_5.6.0-1_amd64.buildinfo
Files:
 bb653223012a11b8e9db83a16b1f5ac5 3328 net optional strongswan_5.6.0-1.dsc
 befb5e827d02433fea6669c20e11530a 4850722 net optional strongswan_5.6.0.orig.tar.bz2
 8e9e993bfdee44988aa156e0a28a0d59 125636 net optional strongswan_5.6.0-1.debian.tar.xz
 12a81205e3dd474457bd0b450818d5fd 17568 net optional strongswan_5.6.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAlmr/IQACgkQbdtT8qZ1
wKXNxAf/Z20R1A0vZj9YcqSNkayAgTdnp4v8NeXw8Pa5aC0Z1BBfPQSJtH1SXFsS
dpzhnnpP8Xlq5DU4K9IkyBdAfhkeqQo9h6eFXfZcTq/FzQBm2OdKYDFKa4chPU9q
p2/crD5LngQQWZeLa43m0RwRRgRY4CR4rsTq8wo6JIFmzjP4CTJlG6On0b84mT+S
VonFxVZDf00++jttCA5HxQb64x3AjoWJxwpm3cOfaXmqnLnv+G8wlrd7tZ//LBES
m0I9q83hqemkQrfUdWC9/dat65M4U4PxG0Lexy/D/CRkJP8Ldf2wc5nYJ5OnyrRh
7gV98ACJlFIezEQE9eKAD2v0XP7tSA==
=UfQp
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.