Debian Bug report logs -
#502676
CVE-2008-4551: DoS
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sun, 19 Oct 2008 01:00:01 UTC
Severity: grave
Tags: patch, security
Fixed in version strongswan/4.2.4-5
Done: Mark Purcell <msp@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rmayr@debian.org>
:
Bug#502676
; Package strongswan
.
(Sun, 19 Oct 2008 01:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rmayr@debian.org>
.
(Sun, 19 Oct 2008 01:00:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: strongswan
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for strongswan.
CVE-2008-4551[0]:
| strongSwan 4.2.6 and earlier allows remote attackers to cause a denial
| of service (daemon crash) via an IKE_SA_INIT message with a large
| number of NULL values in a Key Exchange payload, which triggers a NULL
| pointer dereference for the return value of the mpz_export function in
| the GNU Multiprecision Library (GMP).
See also this report[1] and the upstream patch[2].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4551
http://security-tracker.debian.net/tracker/CVE-2008-4551
[1] http://labs.mudynamics.com/advisories/MU-200809-01.txt
[2] http://wiki.strongswan.org/changeset/4345
Reply sent
to Mark Purcell <msp@debian.org>
:
You have taken responsibility.
(Sat, 25 Oct 2008 23:12:06 GMT) (full text, mbox, link).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>
:
Bug acknowledged by developer.
(Sat, 25 Oct 2008 23:12:06 GMT) (full text, mbox, link).
Message #10 received at 502676-done@bugs.debian.org (full text, mbox, reply):
Version: 4.2.4-5
Package: strongswan
This RC bug was fixed by an earlier upload which includes the upstream CVE
patch.
On Saturday 25 October 2008 22:15:18 Philipp Kern wrote:
> You owe me at least one RC bug fix now.
Philipp || release-team, request you unblock stongswan/4.2.4-5 for inclusion
in lenny. Searching through debian-release, I couldn't find an unblock request
for this version of strongswan.
Thanks,
Mark
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
* Patch backported from 4.2.7 to fix a potential DoS issue.
Thanks to Thomas Kallenberg for the patch.
-- Rene Mayrhofer <rmayr@debian.org> Mon, 29 Sep 2008 10:35:30 +0200
Message #11 received at 502676-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, Oct 26, 2008 at 10:06:37AM +1100, Mark Purcell wrote:
> This RC bug was fixed by an earlier upload which includes the upstream CVE
> patch.
With the CVE number not mentioned in the changelog and probably nobody
including Security and Release Team were informed, oh well.
Well spotted, though, unblocked.
Thanks,
Philipp Kern
--
.''`. Philipp Kern Debian Developer
: :' : http://philkern.de Release Assistant
`. `' xmpp:phil@0x539.de Stable Release Manager
`- finger pkern/key@db.debian.org
[signature.asc (application/pgp-signature, inline)]
Message #12 received at 502676-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sunday 26 October 2008, Philipp Kern wrote:
> With the CVE number not mentioned in the changelog and probably nobody
> including Security and Release Team were informed, oh well.
Well, there was no CVE number (that I was aware of) at the time of this
upload. It is true that security should have been informed, though.
Rene
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 16 Mar 2009 10:02:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:03:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.