ESB-2018.2907 - [Debian] strongswan: Multiple vulnerabilities 2018-09-27



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2907
            [SECURITY] [DLA 1522-1] strongswan security update
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16152 CVE-2018-16151 

Reference:         ESB-2018.2901
                   ESB-2018.2864

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html

- --------------------------BEGIN INCLUDED TEXT--------------------


Package        : strongswan
Version        : 5.2.1-6+deb8u7
CVE ID         : CVE-2018-16151 CVE-2018-16152


Sze Yiu Chau and his team from Purdue University and The University of
Iowa found several security issues in the gmp plugin for strongSwan,
an IKE/IPsec suite. Both concern the parsing of the DER-encoded
DigestInfo structure that is checked during PKCS#1 v1.5 RSA signature
verification; lenient parsing at that point is what Bleichenbacher-style
signature forgery against RSA keys with a small public exponent exploits.

CVE-2018-16151

    The OID parser in the ASN.1 code in gmp accepts any number of
    arbitrary bytes after a valid OID inside the OID element, instead
    of requiring the element to end where the OID ends.

CVE-2018-16152

    The algorithmIdentifier parser in the ASN.1 code in gmp does not
    enforce that the optional parameters field is NULL, which is the
    only value any PKCS#1 digest algorithm uses for it.
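The two laxities above in a minimal DER DigestInfo parser, as an added
example that is not strongSwan's code and is not taken from the advisory:
a lenient mode that accepts bytes after a valid OID and a non-NULL
parameters field, beside a strict mode that rejects both. The OID table,
the sample DigestInfo encodings and the parse_digest_info/run_cases
helpers are all constructed here for illustration.

```python
"""Strict vs lenient parsing of a PKCS#1 v1.5 DigestInfo (DER).

Added example, not strongSwan code. It models the two laxities the advisory
describes: (1) bytes left over after a valid OID inside the OID element,
(2) an AlgorithmIdentifier parameters field that is not NULL.
"""
import hashlib
from typing import Dict, Tuple

SHA256_OID = "2.16.840.1.101.3.4.2.1"
SHA1_OID = "1.3.14.3.2.26"
DIGEST_LEN = {"sha256": 32, "sha1": 20}


def encode_oid(dotted: str) -> bytes:
    """DER-encode the contents of an OBJECT IDENTIFIER (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one value
    out = bytearray()
    for value in values:
        chunk = [value & 0x7F]
        value >>= 7
        while value:  # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


KNOWN_OIDS = {encode_oid(SHA256_OID): "sha256", encode_oid(SHA1_OID): "sha1"}


def tlv(tag: int, contents: bytes) -> bytes:
    """Wrap contents in a short-form DER header (enough for any DigestInfo)."""
    assert len(contents) < 0x80
    return bytes([tag, len(contents)]) + contents


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one short-form DER TLV at buf[pos:]; return (tag, contents, end)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or unsupported long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV contents exceed buffer")
    return buf[pos], buf[pos + 2:end], end


def match_oid(contents: bytes, strict: bool) -> str:
    """Map OID contents to a digest name. Lenient mode stops once a known OID
    has been matched and ignores whatever follows it (CVE-2018-16151 shape)."""
    for enc, name in KNOWN_OIDS.items():
        if contents == enc or (not strict and contents.startswith(enc)):
            return name
    raise ValueError("unknown or over-long digest OID")


def parse_digest_info(der: bytes, strict: bool = True) -> Tuple[str, bytes]:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, digest OCTET STRING }."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DigestInfo is not a SEQUENCE")
    if strict and end != len(der):
        raise ValueError("trailing data after DigestInfo")
    tag, alg, pos = read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, digest, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("digest is not an OCTET STRING")
    if strict and pos != len(seq):
        raise ValueError("trailing data inside DigestInfo")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    name = match_oid(oid, strict)
    params = alg[pos:]
    # Strict: parameters must be NULL (05 00) or absent; no PKCS#1 digest
    # algorithm uses anything else. Lenient: any bytes pass (CVE-2018-16152 shape).
    if strict and params not in (b"", b"\x05\x00"):
        raise ValueError("AlgorithmIdentifier parameters are not NULL")
    if strict and len(digest) != DIGEST_LEN[name]:
        raise ValueError("digest length does not match algorithm")
    return name, digest


def build_digest_info(digest: bytes, oid_extra: bytes = b"", params: bytes = b"\x05\x00") -> bytes:
    """Build a SHA-256 DigestInfo, optionally malformed in one of the two ways."""
    alg = tlv(0x30, tlv(0x06, encode_oid(SHA256_OID) + oid_extra) + params)
    return tlv(0x30, alg + tlv(0x04, digest))


# Constructed sample inputs (not taken from any real signature).
DIGEST = hashlib.sha256(b"constructed message").digest()
GOOD = build_digest_info(DIGEST)
OID_JUNK = build_digest_info(DIGEST, oid_extra=b"\x11\x22\x33")
PARAM_JUNK = build_digest_info(DIGEST, params=tlv(0x04, b"\xaa\xbb\xcc"))


def check(der: bytes, strict: bool) -> str:
    """Verdict string for one DigestInfo under the chosen parsing mode."""
    try:
        return "accepted:" + parse_digest_info(der, strict=strict)[0]
    except ValueError as exc:
        return "rejected:" + str(exc)


def run_cases() -> Dict[str, Tuple[str, str]]:
    """For each sample, return (lenient verdict, strict verdict)."""
    cases = {"well-formed": GOOD, "bytes after OID": OID_JUNK, "non-NULL parameters": PARAM_JUNK}
    return {n: (check(d, strict=False), check(d, strict=True)) for n, d in cases.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in run_cases().items():
        print(f"{name:22s} lenient={lenient:18s} strict={strict}")
```

Run it to see both malformed encodings accepted by the lenient parser and
rejected by the strict one. In a real verifier the strict checks also cover
the bytes around DigestInfo: after stripping the 00 01 FF..FF 00 padding,
the DigestInfo must consume the entire remainder of the encoded message,
which is what the trailing-data check in parse_digest_info enforces.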

For Debian 8 "Jessie", these problems have been fixed in version
5.2.1-6+deb8u7.

We recommend that you upgrade your strongswan packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
