A flaw has been found in isakmpd, OpenBSD's implementation of the Internet Key Exchange protocol, that caused Security Associations to be created with a replay window of 0 when isakmpd was acting as the responder during SA negotiation. This could allow an attacker to re-inject sniffed IPsec packets, which would not be checked against the replay counter. For the stable distribution (sarge) this problem has been fixed in version 20041012-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 20041012-4. We recommend that you upgrade your isakmpd package.
A flaw has been found in isakmpd, OpenBSD's implementation of the Internet Key Exchange protocol, that caused Security Associations to be created with a replay window of 0 when isakmpd was acting as the responder during SA negotiation. This could allow an attacker to re-inject sniffed IPsec packets, which would not be checked against the replay counter.
For the stable distribution (sarge) this problem has been fixed in version 20041012-1sarge1.
For the unstable distribution (sid) this problem has been fixed in version 20041012-4.
We recommend that you upgrade your isakmpd package.
MD5 checksums of the listed files are available in the original advisory.